# == Class: puppet::server::passenger # # Set up the puppet server using passenger and apache. # class puppet::server::passenger ( $app_root = $::puppet::server_app_root, $passenger_max_pool = $::puppet::server_passenger_max_pool, $port = $::puppet::server_port, $ssl_ca_cert = $::puppet::server::ssl_ca_cert, $ssl_ca_crl = $::puppet::server::ssl_ca_crl, $ssl_cert = $::puppet::server::ssl_cert, $ssl_cert_key = $::puppet::server::ssl_cert_key, $ssl_chain = $::puppet::server::ssl_chain, $ssl_dir = $::puppet::server_ssl_dir, $puppet_ca_proxy = $::puppet::server_ca_proxy, $user = $::puppet::server_user, $http = $::puppet::server_http, $http_port = $::puppet::server_http_port, $http_allow = $::puppet::server_http_allow, ) { include ::puppet::server::rack include ::apache include ::apache::mod::passenger case $::operatingsystem { 'Debian', 'Ubuntu': { file { '/etc/default/puppetmaster': content => "START=no\n", before => Class['puppet::server::install'], } } default: { # nothing to do } } $directory = { 'path' => "${app_root}/public/", 'passenger_enabled' => 'On', } $directories = [ $directory, ] # The following client headers allow the same configuration to work with Pound. $request_headers = [ 'set X-SSL-Subject %{SSL_CLIENT_S_DN}e', 'set X-Client-DN %{SSL_CLIENT_S_DN}e', 'set X-Client-Verify %{SSL_CLIENT_VERIFY}e', 'unset X-Forwarded-For', ] if $puppet_ca_proxy and $puppet_ca_proxy != '' { include ::apache::mod::proxy include ::apache::mod::proxy_http $custom_fragment = "ProxyPassMatch ^/([^/]+/certificate.*)$ ${puppet_ca_proxy}/\$1" $ssl_proxyengine = true } else { $custom_fragment = undef $ssl_proxyengine = false } $ssl_crl_check = $ssl_ca_crl ? { false => undef, undef => undef, default => 'chain', } apache::vhost { 'puppet': docroot => "${app_root}/public/", directories => $directories, port => $port, ssl => true, ssl_cert => $ssl_cert, ssl_key => $ssl_cert_key, ssl_ca => $ssl_ca_cert, ssl_crl => $ssl_ca_crl, ssl_crl_check => $ssl_crl_check, ssl_chain => $ssl_chain, ssl_protocol => 'ALL -SSLv2 -SSLv3', ssl_cipher => 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA', ssl_honorcipherorder => 'on', ssl_verify_client => 'optional', ssl_options => '+StdEnvVars +ExportCertData', ssl_verify_depth => '1', ssl_proxyengine => $ssl_proxyengine, custom_fragment => $custom_fragment, request_headers => $request_headers, options => ['None'], require => Class['::puppet::server::rack'], } if $http { # Order, deny and allow cannot be configured for Apache >= 2.4 using the Puppetlabs/Apache # module, but they can be set to false. So, set to false and configure manually via custom fragments. # We can't get rid of the 'Order allow,deny' directive and we need to support all Apache versions. # Best we can do is reverse the Order directive and add our own 'Deny from all' for good measure. $directories_http = [ merge($directory, { 'order' => false, 'deny' => false, 'allow' => false, 'custom_fragment' => join([ 'Order deny,allow', 'Deny from all', inline_template("<%- if @http_allow and Array(@http_allow).join(' ') != '' -%>Allow from <%= @http_allow.join(' ') %><%- end -%>"), ], "\n") }), ] apache::vhost { 'puppet-http': docroot => "${app_root}/public/", directories => $directories_http, port => $http_port, custom_fragment => join([ $custom_fragment ? { undef => '', default => $custom_fragment }, 'SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1', 'SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1', ], "\n"), options => ['None'], require => Class['::puppet::server::rack'], } } }