Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
102 lines (83 sloc) 3.14 KB
user www-data;
worker_processes 40;
error_log /mnt/nginx_logs/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
access_log /mnt/nginx_logs/access.log;
upstream puppet-certs {
server 192.168.0.123:18140;
server 192.168.0.123:18141;
}
upstream puppet-production {
server 192.168.0.111:18140;
server 192.168.0.111:18141;
server 192.168.0.111:18142;
server 192.168.0.112:18140;
server 192.168.0.112:18141;
server 192.168.0.112:18142;
server 192.168.0.113:18140;
server 192.168.0.113:18141;
server 192.168.0.113:18142;
}
upstream puppet-devs {
server 192.168.0.41:18140;
server 192.168.0.41:18141;
}
server {
listen 8140;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /etc/puppet/ssl/certs/puppet.example.com.pem;
ssl_certificate_key /etc/puppet/ssl/private_keys/puppet.example.com.pem;
ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
# choose any ciphers
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
# allow authenticated and client without certs
ssl_verify_client optional;
# obey to the Puppet CRL
ssl_crl /etc/puppet/ssl/ca/ca_crl.pem;
root /var/tmp;
access_log /mnt/nginx_logs/puppet_access.log;
# Redirect all certificate requests to the localhost
location ~* ^/production/certificate {
proxy_pass http://puppet-certs;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
# Redirect all certificate requests to the localhost
location ~* ^/(opsguya|opsguyb)/ {
proxy_pass http://puppet-devs;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
location / {
proxy_pass http://puppet-production;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
}
}