Puppet Server 5 behind nginx: nginx terminates agent TLS on port 8140, forwards the client-certificate verdict to Puppet Server over plain HTTP on loopback, and caches file_metadata responses (nginx server block, then the matching Puppet Server webserver.conf).
# nginx as a TLS-terminating reverse proxy in front of Puppet Server 5.
# nginx owns the public IP-ADDRESS:8140, verifies agent client certificates
# against the Puppet CA, and forwards the verdict (X-Client-Verify / X-Client-DN)
# to Puppet Server over PLAIN HTTP on 127.0.0.1:8140. file_metadata responses
# are additionally cached so repeated identical requests never reach the backend.
#
# Cache store for file_metadata responses: 10 MB of in-memory keys, at most
# 500 MB on disk, entries dropped after 60m without a hit. The zone name
# contains a typo ("puppetmedatada"); it is only a label, but it must match the
# proxy_cache directive in the location below.
proxy_cache_path /var/cache/nginx/puppetmedatada levels=1 keys_zone=puppetmedatada:10m max_size=500m inactive=60m;
server {
# nginx is the only listener on the public 8140; the backend is loopback-only.
listen IP-ADDRESS:8140 ssl http2 reuseport;
server_name puppet PUPPET.DOMAIN;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# The four headers below are the client identity the backend will act on
# (Puppet Server only honours them with allow-header-cert-info enabled, which
# is configured elsewhere and not shown here). proxy_set_header REPLACES any
# same-named header the agent sent, so a remote client cannot inject its own
# X-Client-Verify / X-Client-DN through nginx.
# NOTE(review): nginx inherits server-level proxy_set_header into a location
# only while that location declares none of its own. Adding a single
# proxy_set_header to either location below silently drops all of these, and
# the agent's own X-Client-* headers would then pass straight to the backend.
# NOTE(review): the backend is plain HTTP and trusts these headers, so anything
# that can connect to 127.0.0.1:8140 (any local user or process) can forge
# "X-Client-Verify: SUCCESS" with an arbitrary DN — keep this host
# single-purpose or restrict the loopback port to nginx's uid.
# NOTE(review): Puppet Server can also consume the full certificate as
# X-Client-Cert ($ssl_client_escaped_cert) for extension-based auth rules; it
# is not forwarded here — confirm whether your auth.conf needs it.
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
# Catalog compilation can be slow; give the backend up to 5 minutes per request.
proxy_read_timeout 300s;
proxy_send_timeout 300s;
access_log /var/log/nginx/puppet_access.log main;
error_log /var/log/nginx/puppet_error.log;
# Server identity and client-cert verification use the Puppet CA material
# directly, so agents see the same server cert they would from Puppet Server.
ssl_certificate /etc/puppetlabs/puppet/ssl/certs/PUPPET.DOMAIN.pem;
ssl_certificate_key /etc/puppetlabs/puppet/ssl/private_keys/PUPPET.DOMAIN.pem;
# Revoked agent certificates are rejected at nginx. nginx reads this file at
# start/reload only, so a revocation takes effect here only after an nginx
# reload — confirm this is part of the revocation procedure.
ssl_crl /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem;
# optional: a client without a (valid) certificate still gets a TLS session,
# which agent bootstrap (CSR submission, certificate download) requires.
# Each location must decide what to do with $ssl_client_verify; only the
# cache location below checks it, location / defers to the backend's
# authorization of the forwarded headers.
ssl_verify_client optional;
# Depth 1 assumes agent certificates are issued directly by the CA above.
ssl_verify_depth 1;
ssl_session_timeout 5m;
# NOTE(review): no ssl_protocols / ssl_ciphers are set, so this nginx build's
# defaults apply — confirm they exclude TLS < 1.2 for agent connections.
# Cached path: file metadata (single and bulk). Cache GET responses only.
location ~ ^/puppet/v3/file_(metadata|metadatas)/ {
proxy_cache_methods GET;
access_log /var/log/nginx/puppet_metadata_access.log;
# Refuse anyone without a verified client certificate ($ssl_client_verify is
# SUCCESS, NONE or FAILED:<reason>) so the shared cache is never served to
# unauthenticated clients. 403 would describe the situation better than 400;
# the effect is the same. `return` inside `if` is the one safe use of `if`.
if ($ssl_client_verify != SUCCESS) {
return 400;
}
proxy_redirect off;
proxy_cache puppetmedatada;
# TTL is fixed at 60m for 200 responses (backend Cache-Control/Expires are
# ignored below), so a changed file's metadata can be served stale for up to
# an hour.
proxy_cache_valid 200 60m;
# Only one request populates a missing entry; others wait for it up to 90s.
proxy_cache_lock on;
proxy_cache_lock_timeout 90s;
# NOTE(review): the key has no per-client component, so one agent's response
# is served to every other authenticated agent asking for the same URI/args
# (environment is part of $args). Any per-node restrictions on file_metadata
# in Puppet Server's auth.conf are bypassed for cache hits — acceptable only
# if all agents are permitted the same file metadata.
proxy_cache_key "$request_method|$host|$uri?$args";
# Serve a stale entry rather than an error while the backend is down/slow.
proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
proxy_ignore_headers "Cache-Control" "Expires";
proxy_pass http://127.0.0.1:8140;
}
# Everything else (catalog, report, CSR/certificate endpoints, ...) is passed
# through uncached; identity still travels in the inherited X-Client-* headers.
location / {
proxy_pass http://127.0.0.1:8140;
proxy_redirect off;
}
}
# Puppet Server (trapperkeeper) webserver.conf paired with the nginx front-end
# above: Puppet Server listens on loopback only and nginx is its only intended
# client.
webserver: {
access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
# want: ask for but do not require a client certificate (mirrors nginx's
# ssl_verify_client optional).
client-auth: want
# Plain-HTTP listener on the loopback port that nginx proxy_passes to.
# Client identity arrives in X-Client-* headers (honoured only with
# allow-header-cert-info enabled on the Puppet Server side, not shown here),
# so this port must not be reachable by anything other than nginx.
host: 127.0.0.1
port: 8140
# Same Puppet CA material nginx uses. NOTE(review): no ssl-port is set, so it
# is not clear from this snippet whether a TLS listener is created at all and
# whether the ssl-* keys and client-auth are used — confirm against the
# Puppet Server webserver.conf reference for this version.
ssl-cert: /etc/puppetlabs/puppet/ssl/certs/PUPPET.DOMAIN.pem
ssl-key: /etc/puppetlabs/puppet/ssl/private_keys/PUPPET.DOMAIN.pem
ssl-ca-cert: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
ssl-crl-path: /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
ssl-cert-chain: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
# Idle connections from nginx are closed after 30s; nginx's own read/send
# timeouts (300s) govern in-flight requests.
idle-timeout-milliseconds: 30000
}