Puppetnginx
架构图
优点
*性能:nginx因为精简,运行起来非常快速,许多人声称它的比pound更高效。
*日志,调试:在这两个方面,nginx比pound更简洁。
*灵活性:nginx的处理SSL客户端验证是在应用层上实现的,而不会终止SSL连接。
*nginx可以拿来即用, 不需要像pound打补丁,同时配置的语法也很直观。
缺点
一但在服务端使用puppetca进行sgin以后,无法主动在服务端撤销授权,
不过你可以在客户端删除ssl目录来取消授权,一般情况下没什么影响。
配置步骤
配置yum
用光盘iso在本地建个yum软件仓库,并配置好epel源
mount rhel54.iso /mnt -o loop,ro
vim /etc/yum.repos.d/local.repo 写入以下配置
[Server]
name=Red Hat Enterprise Linux $releasever - $basearch - Server
baseurl=file:///mnt/Server
enabled=1
gpgcheck=0
[epel]
name=Red Hat Enterprise Linux $releasever - $basearch - epel
baseurl=http://mirrors.sohu.com/fedora-epel/5Server/$basearch
enabled=1
gpgcheck=0
配置Mongrel
安装puppet软件包
yum install puppetmaster puppet rubygem-mongrel
编辑 /etc/sysconfig/puppetmaster添加以下两行
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
PUPPETMASTER_EXTRA_OPTS="—servertype=mongrel —ssl_client_header=HTTP_X_SSL_SUBJECT"
启动服务
service puppetmaster start
配置nginx
下面我们来配置nginx代替默认的webserver,我们可以用nginx来实现动静分离,
把静态的文件直接交给nginx来处理,比如files和modules模块中的files,
动态的再交给puppet,各扬所长,使其支持更多的节点
下载nginx-0.8.7或以上的源码包
wget http://nginx.org/download/nginx-0.8.47.tar.gz
tar zxf nginx-0.8.47.tar.gz
./configure —with-http_stub_status_module —with-http_ssl_module
make && make install
vim /usr/local/nginx/conf/nginx.conf 写入以下配置
user daemon daemon;
worker_processes 4;
worker_rlimit_nofile 65535;
error_log /var/log/nginx-puppet.log notice;
pid /var/run/nginx-puppet.pid;
events {
use epoll;
worker_connections 32768;
}
http {
sendfile on;
tcp_nopush on;
keepalive_timeout 300;
tcp_nodelay on;
upstream puppetmaster {
server 127.0.0.1:18140;
server 127.0.0.1:18141;
server 127.0.0.1:18142;
server 127.0.0.1:18143;
}
server {
listen 8140;
root /etc/puppet;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /opt/puppet/ssl/certs/puppet.example.com.cn.pem;
ssl_certificate_key /opt/puppet/ssl/private_keys/puppet.example.com.cn.pem;
ssl_client_certificate /opt/puppet/ssl/ca/ca_crt.pem;
ssl_crl /opt/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
# File sections
location /production/file_content/files/ {
types { }
default_type application/x-raw;
alias /etc/puppet/manifests/files/;
}
# Modules files sections
location ~ /production/file_content/modules/.+/ {
root /etc/puppet/modules;
types { }
default_type application/x-raw;
rewrite ^/production/file_content/modules/(.+)/(.+)$ /$1/files/$2 break;
}
# Ask the puppetmaster for everything else
location / {
proxy_pass http://puppetmaster;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_buffer_size 16k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_read_timeout 65;
}
}#server end
}#http end
启动nginx
/usr/local/nginx/sbin/nginx
原文地址:http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel_Nginx
参考文档:http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
翻译整理:智弘