From cce2a73ead0b0203b78baf9f46e5c14e8bfe2c79 Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 15 Oct 2014 10:00:32 -0700 Subject: [PATCH] Puppet the puppetmaster apache vhost We need to slightly tweak the puppetmaster-passenger package's apache vhost file slightly for our environment. First we need to set a max requiests limit for passenger processes so that they are cycled out in order to avoid a memory leak. Second we enforce TLS and no SSL to prevent POODLE. Change-Id: I309d62866a7706be1ae3bedbf45ab9ffb8e04e50 --- .../manifests/puppetmaster.pp | 9 +++ .../puppetmaster/puppetmaster_vhost.conf.erb | 60 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp index 1e19ce20c9..2a52a61b43 100644 --- a/modules/openstack_project/manifests/puppetmaster.pp +++ b/modules/openstack_project/manifests/puppetmaster.pp @@ -124,6 +124,15 @@ class openstack_project::puppetmaster ( ensure => present, } + file { '/etc/apache2/sites-available/puppetmaster.conf': + ensure => present, + owner => 'root', + group => 'root', + mode => '0600', + content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'), + require => Package['puppetmaster-passenger'], + } + # To set LANG to utf8, otherwise we get charset errors on manifests # with non-ascii chars file { '/etc/apache2/envvars': diff --git a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb b/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb new file mode 100644 index 0000000000..dab50901da --- /dev/null +++ b/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb 
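Review bot: The new `file { '/etc/apache2/sites-available/puppetmaster.conf': ... }` resource requires the package but never notifies the Apache service, so the hardened vhost (and any later change to the template) is written to disk without Apache re-reading it, and the POODLE mitigation described in the commit message only takes effect once something else restarts Apache. If the class already declares the apache2 service (not visible in this hunk), add `notify => Service['apache2'],` beside the `require`; otherwise a matching `service` resource is needed for the change to be enforced by Puppet rather than by a manual restart. `mode => '0600'` with root ownership should be fine because Apache reads vhost files at startup before dropping privileges, but that is worth a one-line comment so nobody "fixes" it later, e.g. `# 0600: read by apache at startup as root; keeps the vhost unreadable to other local users`. The enclosing class `openstack_project::puppetmaster` starts before this hunk and continues after it.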
@@ -0,0 +1,60 @@ +# This Apache 2 virtual host config shows how to use Puppet as a Rack +# application via Passenger. See +# http://docs.puppetlabs.com/guides/passenger.html for more information. + +# You can also use the included config.ru file to run Puppet with other Rack +# servers instead of Passenger. + +# This file is basically the one shipped by puppet with changes annotated +# below. + +# you probably want to tune these settings +PassengerHighPerformance on +PassengerMaxPoolSize 12 +PassengerPoolIdleTime 1500 +# This line is commented out by puppet and uncommented here to avoid a +# memory leak. +PassengerMaxRequests 1000 +PassengerStatThrottleRate 120 + +Listen 8140 + + + SSLEngine on + # This replaces puppet's default SSLProtocol spec to prevent POODLE + SSLProtocol ALL -SSLv2 -SSLv3 + SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP + SSLHonorCipherOrder on + + SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem + SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem + SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem + SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem + # If Apache complains about invalid signatures on the CRL, you can try disabling + # CRL checking by commenting the next line, but this is not recommended. + SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem + # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none + # which effectively disables CRL checking; if you are using Apache 2.4+ you must + # specify 'SSLCARevocationCheck chain' to actually use the CRL. 
+ SSLCARevocationCheck chain + SSLVerifyClient optional + SSLVerifyDepth 1 + # The `ExportCertData` option is needed for agent certificate expiration warnings + SSLOptions +StdEnvVars +ExportCertData + + # This header needs to be set if using a loadbalancer or proxy + RequestHeader unset X-Forwarded-For + + RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e + RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e + RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e + + DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ + RackBaseURI / + + Options None + AllowOverride None + Order allow,deny + allow from all + +
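Review bot: The certificate paths on the `SSLCertificateFile` / `SSLCertificateKeyFile` lines are built from `<%= @fqdn %>`, a Facter value, whereas Puppet names the master's certificate after its certname; if the two ever differ Apache fails to start with a missing-file error rather than serving a wrong certificate, so at minimum document the assumption next to those lines, e.g. `# assumes the master's certname equals its fqdn (the default); adjust if certname is overridden in puppet.conf`. In the `SSLCipherSuite` string, `+HIGH:+MEDIUM` neither adds nor removes anything in OpenSSL syntax (`+` only moves already-listed ciphers to the end of the list), so the effective restriction comes entirely from `ALL` plus the `!` exclusions; that matches the upstream file, but a comment such as `# '+' only reorders; the real exclusions are the '!' entries` would save the next reader a trip to ciphers(1), and the `!SSLv2` entry is redundant with the protocol line. `SSLProtocol ALL -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, which is presumably needed by older agents; if so, state that in the POODLE comment so the line is not tightened blindly later.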