puppet连载三：服务端安装http、passenger

安装passenger

gem install rake -v 0.8.7
gem install rack -v 1.6.6
gem install daemon_controller -v 1.2.0
gem install passenger -v 4.0.56
passenger-install-apache2-module

回车，选择ruby

image.png

配置httpd

mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp}
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/puppetmaster/
chown puppet. /etc/puppet/rack/puppetmaster/config.ru

修改passenger.conf

vi /etc/httpd/conf.d/passenger.conf
LoadModule passenger_module /usr/local/share/gems/gems/passenger-4.0.56/buildout/apache2/mod_passenger.so

PassengerRoot /usr/local/share/gems/gems/passenger-4.0.56
PassengerDefaultRuby /usr/bin/ruby

保存退出

修改puppetmaster.conf配置

vi /etc/httpd/conf.d/puppetmaster.conf

This Apache 2 virtual host config shows how to use Puppet as a Rack

application via Passenger. See

http://docs.puppetlabs.com/guides/passenger.html for more information.

You can also use the included config.ru file to run Puppet with other Rack

servers instead of Passenger.

you probably want to tune these settings

PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500

PassengerMaxRequests 1000

PassengerStatThrottleRate 120

RackAutoDetect Off

RailsAutoDetect Off

Listen 8140

SSLEngine on
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
SSLHonorCipherOrder on

    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking; if you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.
    # SSLCARevocationCheck chain
    SSLVerifyClient optional
    SSLVerifyDepth  1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For

   RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
   RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/puppetmaster/public
    RackBaseURI /
    
      AllowOverride all
     Options -MultiViews
     Require all granted
    

保存退出，重启httpd

service puppetmaster stop
chkconfig puppetmaster off
service httpd restart