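# Puppet master virtual host (ERB template: puppet_ssldir and homename are
# substituted at render time). nginx terminates TLS on 8140, checks agent
# certificates against the Puppet CA, and passes requests to the app via Passenger.
server {
    server_name puppet;
    listen 8140 default ssl;

    # Server identity and the CA material used to verify agent certificates.
    ssl_certificate        <%= puppet_ssldir %>/certs/<%= homename %>.pem;
    ssl_certificate_key    <%= puppet_ssldir %>/private_keys/<%= homename %>.pem;
    ssl_client_certificate <%= puppet_ssldir %>/certs/ca.pem;
    # nginx reads the CRL when the configuration is loaded, so a reload is
    # needed after a certificate is revoked for the revocation to take effect.
    ssl_crl                <%= puppet_ssldir %>/ca/ca_crl.pem;

    # SSLv3 removed: the protocol is broken (CBC padding-oracle downgrade,
    # "POODLE") and must not be offered. TLSv1 is kept only so this template
    # still parses on the old nginx/OpenSSL builds it was written for; add
    # TLSv1.2 (and TLSv1.3) and drop TLSv1 as soon as the installed build and
    # the agents support them.
    ssl_protocols TLSv1;
    # !aNULL excludes anonymous (unauthenticated) key exchange, which the HIGH
    # class can otherwise match; without certificates the handshake gives no
    # protection against an active man-in-the-middle.
    ssl_ciphers HIGH:+MEDIUM:!aNULL;
    ssl_prefer_server_ciphers on;

    # "optional" lets clients without a certificate complete the handshake
    # (presumably so new agents can submit a signing request - confirm).
    # Authorization therefore rests entirely on the application checking the
    # verification result passed below.
    ssl_verify_client optional;
    # Depth 1: agent certificates must be issued directly by the CA above.
    ssl_verify_depth 1;

    ssl_session_cache shared:SSL:8m;
    ssl_session_timeout 5m;

    passenger_enabled on;
    rails_env production;
    root /var/nginx/puppet/public;

    # The application trusts these two values to identify the agent.
    # NOTE(review): confirm that the values set here take precedence over
    # X-Client-DN / X-Client-Verify headers sent by the client; if they do not,
    # a client could assert an identity it never proved.
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
}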