|
8 | 8 | class { 'puppet::server::standalone': |
9 | 9 | enabled => false, |
10 | 10 | before => [ |
11 | | - Nginx::Resource::Vhost['puppetmaster'], |
| 11 | + Nginx::Resource::Server['puppetmaster'], |
12 | 12 | Unicorn::App['puppetmaster'], |
13 | 13 | ], |
14 | 14 | } |
15 | 15 |
|
16 | 16 | $unicorn_socket = "unix:${puppet::rundir}/puppetmaster_unicorn.sock" |
17 | 17 |
|
18 | | - nginx::resource::vhost { 'puppetmaster': |
| 18 | + nginx::resource::server { 'puppetmaster': |
19 | 19 | server_name => [$puppet::server::servername], |
20 | 20 | listen_ip => $puppet::server::bindaddress, |
21 | 21 | ssl => true, |
|
25 | 25 | ssl_key => "${puppet::ssldir}/private_keys/${puppet::server::servername}.pem", |
26 | 26 | ssl_ciphers => $puppet::server::ssl_ciphers, |
27 | 27 | ssl_protocols => $puppet::server::ssl_protocols, |
| 28 | + ssl_crl => "${puppet::ssldir}/crl.pem", |
| 29 | + ssl_client_cert => "${puppet::ssldir}/certs/ca.pem", |
| 30 | + ssl_verify_client => 'optional', |
28 | 31 | use_default_location => false, |
29 | | - vhost_cfg_append => { |
30 | | - ssl_crl => "${puppet::ssldir}/crl.pem", |
31 | | - ssl_client_certificate => "${puppet::ssldir}/certs/ca.pem", |
32 | | - ssl_verify_client => 'optional', |
33 | | - proxy_set_header => [ 'Host $host', |
34 | | - 'X-Real-IP $remote_addr', |
35 | | - 'X-Forwarded-For $proxy_add_x_forwarded_for', |
36 | | - 'X-Client-Verify $ssl_client_verify', |
37 | | - 'X-Client-DN $ssl_client_s_dn', |
38 | | - 'X-SSL-Issuer $ssl_client_i_dn'], |
39 | | - root => '/usr/share/empty', |
40 | | - } |
| 32 | + www_root => '/usr/share/empty', |
41 | 33 | } |
42 | 34 | nginx::resource::location { 'unicorn_upstream': |
43 | | - ensure => present, |
44 | | - location => '/', |
45 | | - vhost => 'puppetmaster', |
46 | | - proxy_set_header => [], |
47 | | - location_custom_cfg => { |
48 | | - proxy_pass => 'http://puppetmaster_unicorn', |
49 | | - proxy_redirect => 'off', |
50 | | - proxy_connect_timeout => '90', |
51 | | - proxy_read_timeout => '300', |
52 | | - }, |
53 | | - # this priority sets concat order so that the location is created inside |
54 | | - # the server block. This works around a possible bug in jfryman/nginx. |
55 | | - priority => 701, |
| 35 | + ensure => present, |
| 36 | + location => '/', |
| 37 | + server => 'puppetmaster', |
| 38 | + proxy => 'http://puppetmaster_unicorn', |
| 39 | + proxy_redirect => 'off', |
| 40 | + proxy_connect_timeout => '90', |
| 41 | + proxy_read_timeout => '300', |
| 42 | + proxy_set_header => ['Host $host', |
| 43 | + 'X-Real-IP $remote_addr', |
| 44 | + 'X-Forwarded-For $proxy_add_x_forwarded_for', |
| 45 | + 'X-Client-Verify $ssl_client_verify', |
| 46 | + 'X-Client-DN $ssl_client_s_dn', |
| 47 | + 'X-SSL-Issuer $ssl_client_i_dn'], |
| 48 | + ssl_only => true, |
56 | 49 | } |
57 | 50 | nginx::resource::upstream { 'puppetmaster_unicorn': |
58 | 51 | members => [ |
|
63 | 56 | if ! empty( $::puppet::server::external_ca ) |
64 | 57 | { |
65 | 58 | nginx::resource::location { 'external_certificate_authority_proxy': |
66 | | - ensure => present, |
67 | | - location => '~ ^/.*/certificate.*', |
68 | | - vhost => 'puppetmaster', |
69 | | - proxy_set_header => [], |
70 | | - location_custom_cfg => { |
71 | | - proxy_pass => $puppet::server::external_ca, |
72 | | - proxy_redirect => 'off', |
73 | | - proxy_connect_timeout => '90', |
74 | | - proxy_read_timeout => '300', |
75 | | - }, |
76 | | - # this priority sets concat order so that the location is created inside |
77 | | - # the server block. This works around a possible bug in jfryman/nginx. |
78 | | - priority => 701, |
| 59 | + ensure => present, |
| 60 | + location => '~ ^/.*/certificate.*', |
| 61 | + server => 'puppetmaster', |
| 62 | + proxy_set_header => [], |
| 63 | + proxy => $puppet::server::external_ca, |
| 64 | + proxy_redirect => 'off', |
| 65 | + proxy_connect_timeout => '90', |
| 66 | + proxy_read_timeout => '300', |
| 67 | + ssl_only => true, |
79 | 68 | } |
80 | 69 | } |
81 | 70 |
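Review bot: The `external_certificate_authority_proxy` location keeps `proxy_set_header => []`, but this commit moves the `X-Client-Verify`, `X-Client-DN` and `X-SSL-Issuer` headers from the server-level `vhost_cfg_append` into the `unicorn_upstream` location only. Assuming the nginx module renders an empty array as no `proxy_set_header` directives, that location previously inherited the server-level headers and now has none, so any value a client sends under those header names would reach `$puppet::server::external_ca` unchanged. This matters because `ssl_verify_client => 'optional'` admits connections that present no certificate. I would give this location the same six-entry `proxy_set_header` list used on `unicorn_upstream`, so that nginx always overwrites those headers from `$ssl_client_verify`, `$ssl_client_s_dn` and `$ssl_client_i_dn`. If the external CA is known to ignore them, a comment such as `# external CA must not trust X-Client-* headers; none are set here` would record that assumption.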
|
|