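# Apache vhost for a Puppet master frontend: terminates TLS, validates agent
# client certificates against the puppet CA, passes the result on as request
# headers, and balances the remaining traffic over a pool of HTTPS backends.
#
# NOTE(review): this copy had been flattened onto two lines and every <...>
# token (container tags, template expressions) had been stripped; one comment
# had swallowed the SSLCARevocationPath directive. Line breaks were restored
# and the <Proxy> containers below were reconstructed from the directives they
# must enclose. Confirm against the original file.
ServerName foo.example.com

SSLEngine on
# Disables SSLv2/SSLv3 only; TLSv1.0 and TLSv1.1 remain enabled. Review
# whether "-TLSv1 -TLSv1.1" can be added once every agent speaks TLS 1.2.
SSLProtocol all -SSLv2 -SSLv3
# AEAD suites first. The three trailing *-SHA entries are the only CBC
# (non-AEAD) suites and, because SSLHonorCipherOrder makes the server's order
# authoritative, are negotiated only when no AEAD suite matches.
# NOTE(review): the TLS13-* names are pre-release OpenSSL names; with
# OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately (httpd 2.4.36+:
# "SSLCipherSuite TLSv1.3 ..."), so confirm these entries have any effect.
SSLCipherSuite -ALL:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA
SSLHonorCipherOrder On
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# Server identity: the puppet-issued host certificate and its private key.
SSLCertificateFile /var/lib/puppet/ssl/certs/foo.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/foo.example.com.pem
# The puppet CA is both the trust anchor for client certificates and the chain
# sent to clients; the same file serves both roles.
SSLCACertificateFile /var/lib/puppet/server/ssl/certs/ca.pem
SSLCertificateChainFile /var/lib/puppet/server/ssl/certs/ca.pem

# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
# NOTE: https://tickets.puppetlabs.com/browse/PUP-2310 says that CRL is not
# updated. Need to reevaluate this.
SSLCARevocationPath /crl

# NOTE(review): the mode argument (none | optional | require | optional_no_ca)
# was missing from this copy, most likely a stripped template expression, and
# must be restored or Apache will reject the directive. SSL_CLIENT_VERIFY (see
# X-Client-Verify below) is "SUCCESS" only for clients that presented a
# certificate validated by the CA above; with "optional", clients without a
# valid certificate are still forwarded and the backend must check that header.
SSLVerifyClient
SSLVerifyDepth 1
SSLOptions +StdEnvVars

# The connection to the backends is also TLS encrypted, but the frontend and
# the backends do not authenticate each other.
# These request headers pass the client-certificate authentication result on
# to the puppet master process. Keep "set" (not "add"/"append"): it replaces
# any same-named header the client sent, so a client cannot forge these values.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

# No SSLProxyVerify is set in this file (the default is none), so the backend
# certificate is not checked; the identity headers above are trusted on the
# strength of the network path between frontend and backends.
SSLProxyEngine on
# Tries to avoid the "error reading status line from server" error
SetEnv proxy-initial-not-pooled 1

# Certificates requests should only be in the master.
# NOTE(review): these targets carry no path and no $1 backreference; confirm
# the matched request path is forwarded as intended (compare with the original).
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet-ca/.*)$ https://puppetmaster:8141
# File buckets should only be in one place.
# Choosing the frontend by default for simplicity
ProxyPassMatch ^/([^/]+/file_bucket_file/md5/.*)$ https://foo.example.com:8141
ProxyPassMatch ^/(puppet/v3/file_bucket_file/md5/.*)$ https://foo.example.com:8141
# Volatile should only be in one place. Choosing the master by default for simplicity
ProxyPassMatch ^/([^/]+/file_metadata(s)?/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_metadata(s)?/volatile.*)$ https://puppetmaster:8141
ProxyPassMatch ^/([^/]+/file_content/volatile/.*)$ https://puppetmaster:8141
ProxyPassMatch ^/(puppet/v3/file_content/volatile/.*)$ https://puppetmaster:8141

# The rest gets balanced
# only add canary config if we have a canary host
# Remote_Host is the client's reverse-DNS name and the pattern is an unanchored
# regular expression. NOTE(review): with HostnameLookups off the name is not
# available and these matches never fire, so the canaries would fall through to
# the normal pool; verify the HostnameLookups setting.
SetEnvIf Remote_Host canary1.example.com CANARY=yes
SetEnvIf Remote_Host canary2.example.com CANARY=yes
ProxyPass / balancer://canarybackend/ env=CANARY
# NOTE(review): container reconstructed. BalancerMember is only valid inside a
# <Proxy balancer://...> block, and the "Require all granted" that followed
# the members in this copy marks where each block closed.
<Proxy balancer://canarybackend/>
    BalancerMember https://canary_load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
    BalancerMember https://canary_load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
    Require all granted
</Proxy>

ProxyPass / balancer://backend/
<Proxy balancer://backend/>
    BalancerMember https://load20.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=20
    BalancerMember https://load10.example.com:8141 ping=1 connectiontimeout=1 retry=500 timeout=900 loadfactor=10
    Require all granted
</Proxy>

CustomLog /var/log/apache2/puppetmaster.foo.example.com.log wmf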