Puppet the puppetmaster apache vhost

We need to slightly tweak the puppetmaster-passenger package's apache vhost file slightly for our environment. First we need to set a max requiests limit for passenger processes so that they are cycled out in order to avoid a memory leak. Second we enforce TLS and no SSL to prevent POODLE. Change-Id: I309d62866a7706be1ae3bedbf45ab9ffb8e04e50
2014-10-15 10:00:32 -07:00 · 2014-10-15 10:00:32 -07:00 · cce2a73ead
commit cce2a73ead
parent 7fff4e7e93
2 changed files with 69 additions and 0 deletions
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
@ -124,6 +124,15 @@ class openstack_project::puppetmaster (
    ensure => present,
  }
  file { '/etc/apache2/sites-available/puppetmaster.conf':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'),
    require => Package['puppetmaster-passenger'],
  }
 # To set LANG to utf8, otherwise we get charset errors on manifests
 # with non-ascii chars
  file { '/etc/apache2/envvars':
--- a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
+++ b/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
@ -0,0 +1,60 @@
 # This Apache 2 virtual host config shows how to use Puppet as a Rack
 # application via Passenger. See
 # http://docs.puppetlabs.com/guides/passenger.html for more information.
 # You can also use the included config.ru file to run Puppet with other Rack
 # servers instead of Passenger.
 # This file is basically the one shipped by puppet with changes annotated
 # below.
 # you probably want to tune these settings
 PassengerHighPerformance on
 PassengerMaxPoolSize 12
 PassengerPoolIdleTime 1500
 # This line is commented out by puppet and uncommented here to avoid a
 # memory leak.
 PassengerMaxRequests 1000
 PassengerStatThrottleRate 120
 Listen 8140
 <VirtualHost *:8140>
        SSLEngine on
        # This replaces puppet's default SSLProtocol spec to prevent POODLE
        SSLProtocol             ALL -SSLv2 -SSLv3
        SSLCipherSuite          ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
        SSLHonorCipherOrder     on
        SSLCertificateFile      /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
        # which effectively disables CRL checking; if you are using Apache 2.4+ you must
        # specify 'SSLCARevocationCheck chain' to actually use the CRL.
        SSLCARevocationCheck chain
        SSLVerifyClient optional
        SSLVerifyDepth  1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData
        # This header needs to be set if using a loadbalancer or proxy
        RequestHeader unset X-Forwarded-For
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
 </VirtualHost>