Puppetnginx 架构图

Puppetnginx

架构图

优点

*性能：nginx因为精简，运行起来非常快速，许多人声称它的比pound更高效。
*日志，调试：在这两个方面，nginx比pound更简洁。
*灵活性：nginx的处理SSL客户端验证是在应用层上实现的，而不会终止SSL连接。
*nginx可以拿来即用, 不需要像pound打补丁，同时配置的语法也很直观。

缺点

一但在服务端使用puppetca进行sgin以后，无法主动在服务端撤销授权,
不过你可以在客户端删除ssl目录来取消授权，一般情况下没什么影响。

---

配置步骤

配置yum

用光盘iso在本地建个yum软件仓库，并配置好epel源

mount rhel54.iso /mnt -o loop,ro

vim /etc/yum.repos.d/local.repo 写入以下配置

[Server]
name=Red Hat Enterprise Linux $releasever - $basearch - Server
baseurl=file:///mnt/Server
enabled=1
gpgcheck=0
[epel]
name=Red Hat Enterprise Linux $releasever - $basearch - epel
baseurl=http://mirrors.sohu.com/fedora-epel/5Server/$basearch
enabled=1
gpgcheck=0

配置Mongrel

安装puppet软件包

yum install puppetmaster puppet rubygem-mongrel

编辑 /etc/sysconfig/puppetmaster添加以下两行

PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
PUPPETMASTER_EXTRA_OPTS="—servertype=mongrel —ssl_client_header=HTTP_X_SSL_SUBJECT"

启动服务

service puppetmaster start

配置nginx

下面我们来配置nginx代替默认的webserver，我们可以用nginx来实现动静分离，
把静态的文件直接交给nginx来处理，比如files和modules模块中的files,
动态的再交给puppet，各扬所长，使其支持更多的节点

下载nginx-0.8.7或以上的源码包

wget http://nginx.org/download/nginx-0.8.47.tar.gz

tar zxf nginx-0.8.47.tar.gz

./configure —with-http_stub_status_module —with-http_ssl_module

make && make install

vim /usr/local/nginx/conf/nginx.conf 写入以下配置

user  daemon daemon;
worker_processes  4;
worker_rlimit_nofile 65535;

error_log       /var/log/nginx-puppet.log notice;
pid             /var/run/nginx-puppet.pid;

events {
    use                 epoll;
    worker_connections  32768;
}

http {
  sendfile           on;
  tcp_nopush         on;

  keepalive_timeout  300;
  tcp_nodelay        on;

  upstream puppetmaster {
     server 127.0.0.1:18140;
     server 127.0.0.1:18141;
     server 127.0.0.1:18142;
     server 127.0.0.1:18143;
  }

  server {
    listen 8140;
    root                    /etc/puppet;

    ssl                     on;
    ssl_session_timeout     5m;
    ssl_certificate         /opt/puppet/ssl/certs/puppet.example.com.cn.pem;
    ssl_certificate_key     /opt/puppet/ssl/private_keys/puppet.example.com.cn.pem;
    ssl_client_certificate  /opt/puppet/ssl/ca/ca_crt.pem;
    ssl_crl                 /opt/puppet/ssl/ca/ca_crl.pem;
    ssl_verify_client       optional;

    # File sections
    location /production/file_content/files/ {
        types { }
        default_type application/x-raw;
        alias /etc/puppet/manifests/files/;
    }

    # Modules files sections
    location ~ /production/file_content/modules/.+/ {
        root /etc/puppet/modules;
        types { }
        default_type application/x-raw;
        rewrite ^/production/file_content/modules/(.+)/(.+)$ /$1/files/$2 break;
    }

    # Ask the puppetmaster for everything else
    location / {
        proxy_pass          http://puppetmaster;
        proxy_redirect      off;
    proxy_set_header    Host             $host;
    proxy_set_header    X-Real-IP        $remote_addr;
    proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header    X-Client-Verify  $ssl_client_verify;
    proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
    proxy_buffer_size           16k;
    proxy_buffers               8 32k;
    proxy_busy_buffers_size     64k;
    proxy_temp_file_write_size  64k;
    proxy_read_timeout          65;
    }
  }#server end
}#http end

启动nginx

/usr/local/nginx/sbin/nginx

---

原文地址：http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel_Nginx
参考文档：http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/
翻译整理：智弘