No description
d22402c404
Valid range changed to 401-599: vhost SSL header has priority 700. If $priority is set to 400 (which resolves to 400+300=700 for SSL locations), then it would conflict with the priority of the header. It must be 401 or higher to avoid this. Top end of range is limited to 599 to reflect documentation however it could be increased to 698 and still provide expected behavior. |
||
|---|---|---|
| .travis | ||
| manifests | ||
| spec | ||
| templates | ||
| tests | ||
| .fixtures.yml | ||
| .gitignore | ||
| .nodeset.yml | ||
| .travis.yml | ||
| ChangeLog | ||
| composer.json | ||
| Gemfile | ||
| LICENSE | ||
| Modulefile | ||
| Puppetfile | ||
| Puppetfile.lock | ||
| Rakefile | ||
| README.markdown | ||
NGINX Module
James Fryman james@frymanet.com
This module manages NGINX configuration.
Quick Start
Install and bootstrap an NGINX instance
class { 'nginx': }
Setup a new virtual host
nginx::resource::vhost { 'www.puppetlabs.com':
ensure => present,
www_root => '/var/www/www.puppetlabs.com',
}
Add a Proxy Server
nginx::resource::upstream { 'puppet_rack_app':
ensure => present,
members => [
'localhost:3000',
'localhost:3001',
'localhost:3002',
],
}
nginx::resource::vhost { 'rack.puppetlabs.com':
ensure => present,
proxy => 'http://puppet_rack_app',
}
Add a smtp proxy
class { 'nginx':
mail => true,
}
nginx::resource::mailhost { 'domain1.example':
ensure => present,
auth_http => 'server2.example/cgi-bin/auth',
protocol => 'smtp',
listen_port => 587,
ssl_port => 465,
starttls => 'only',
xclient => 'off',
ssl => 'true',
ssl_cert => '/tmp/server.crt',
ssl_key => '/tmp/server.pem',
}
Hiera Support
Defining nginx resources in Hiera.
nginx::nginx_upstreams:
'puppet_rack_app':
ensure: present
members:
- localhost:3000
- localhost:3001
- localhost:3002
nginx::nginx_vhosts:
'www.puppetlabs.com':
www_root: '/var/www/www.puppetlabs.com'
'rack.puppetlabs.com':
ensure: present
proxy: 'http://puppet_rack_app'
nginx::nginx_locations:
'static':
location: '~ "^/static/[0-9a-fA-F]{8}\/(.*)$"'
vhost: www.puppetlabs.com
'userContent':
location: /userContent
vhost: www.puppetlabs.com
www_root: /var/www/html
Nginx with precompiled Passenger
Currently this works only for Debian family.
class { 'nginx':
package_source => 'passenger',
http_cfg_append => {
'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini',
}
}
Package source passenger will add Phusion Passenger repository to APT sources.
For each virtual host you should specify which ruby should be used.
vhost_cfg_append => {
'passenger_enabled' => 'on',
'passenger_ruby' => '/usr/bin/ruby'
}
Puppet master served by Nginx and Passenger
Virtual host config for serving puppet master:
nginx::resource::vhost { 'puppet':
ensure => present,
server_name => ['puppet'],
listen_port => 8140,
ssl => true,
ssl_cert => '/var/lib/puppet/ssl/certs/example.com.pem',
ssl_key => '/var/lib/puppet/ssl/private_keys/example.com.pem',
ssl_port => 8140,
ssl_cache => 'shared:SSL:128m',
ssl_ciphers => 'SSLv2:-LOW:-EXPORT:RC4+RSA',
vhost_cfg_append => {
'passenger_enabled' => 'on',
'passenger_ruby' => '/usr/bin/ruby',
'ssl_crl' => '/var/lib/puppet/ssl/ca/ca_crl.pem',
'ssl_client_certificate' => '/var/lib/puppet/ssl/certs/ca.pem',
'ssl_verify_client' => 'optional',
'ssl_verify_depth' => 1,
},
www_root => '/etc/puppet/rack/public',
use_default_location => false,
access_log => '/var/log/nginx/puppet_access.log',
error_log => '/var/log/nginx/puppet_error.log',
passenger_cgi_param => {
'SSL_CLIENT_S_DN' => '$ssl_client_s_dn',
'SSL_CLIENT_VERIFY' => '$ssl_client_verify',
},
}