支援更多用戶端，puppet之mongrel+nginx模式

優點

*性能：nginx因為精簡，運作起來非常快速，許多人聲稱它的比pound更高效。

*日志，調試：在這兩個方面，nginx比pound更簡潔。

*靈活性：nginx的處理SSL用戶端驗證是在應用層上實作的，而不會終止SSL連接配接。

*nginx可以拿來即用, 不需要像pound打更新檔，同時配置的文法也很直覺。

缺點

一但在服務端使用puppetca進行sgin以後，無法主動在服務端撤銷授權,

不過你可以在用戶端删除ssl目錄來取消授權，一般情況下沒什麼影響。

配置步驟

配置yum

用CD光牒iso在本地建個yum軟體倉庫，并配置好epel源

mount rhel54.iso /mnt -o loop,ro

vi /etc/yum.repos.d/local.repo 寫入以下配置

[Server]

name=Red Hat Enterprise Linux $releasever - $basearch - Server

baseurl=file:///mnt/Server

enabled=1

gpgcheck=0

[epel]

name=Red Hat Enterprise Linux $releasever - $basearch - epel

baseurl=http://mirrors.sohu.com/fedora-epel/5Server/$basearch

配置Mongrel

安裝puppet軟體包

yum install puppetmaster puppet rubygem-mongrel

編輯 /etc/sysconfig/puppetmaster添加以下兩行

PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )

PUPPETMASTER_EXTRA_OPTS="—servertype=mongrel —ssl_client_header=HTTP_X_SSL_SUBJECT"

啟動服務

service puppetmaster start

配置nginx

下面我們來配置nginx代替預設的webserver，我們可以用nginx來實作動靜分離，

把靜态的檔案直接交給nginx來處理，比如files和modules子產品中的files,

動态的再交給puppet，各揚所長，使其支援更多的節點

下載下傳nginx-0.8.7或以上的源碼包

wget http://nginx.org/download/nginx-0.8.47.tar.gz

tar zxf nginx-0.8.47.tar.gz

./configure —with-http_stub_status_module —with-http_ssl_module

make && make install

vim /usr/local/nginx/conf/nginx.conf 寫入以下配置

user    daemon daemon;

worker_processes    4;

worker_rlimit_nofile 65535;

error_log             /var/log/nginx-puppet.log notice;

pid                         /var/run/nginx-puppet.pid;

events {

        use                                 epoll;

        worker_connections    32768;

}

http {

    sendfile                     on;

    tcp_nopush                 on;

    keepalive_timeout    300;

    tcp_nodelay                on;

    upstream puppetmaster {

         server 127.0.0.1:18140;

         server 127.0.0.1:18141;

         server 127.0.0.1:18142;

         server 127.0.0.1:18143;

    }

    server {

        listen 8140;

        root                                        /etc/puppet;

        ssl                                         on;

        ssl_session_timeout         5m;

        ssl_certificate                 /opt/puppet/ssl/certs/puppet.example.com.cn.pem;

        ssl_certificate_key         /opt/puppet/ssl/private_keys/puppet.example.com.cn.pem;

        ssl_client_certificate    /opt/puppet/ssl/ca/ca_crt.pem;

        ssl_crl                                 /opt/puppet/ssl/ca/ca_crl.pem;

        ssl_verify_client             optional;

        # File sections

        location /production/file_content/files/ {

                types { }

                default_type application/x-raw;

                alias /etc/puppet/manifests/files/;

        }

        # Modules files sections

        location ~ /production/file_content/modules/.+/ {

                root /etc/puppet/modules;

                rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;

        # Ask the puppetmaster for everything else

        location / {

                proxy_pass                    http://puppetmaster;

                proxy_redirect            off;

        proxy_set_header        Host                         $host;

        proxy_set_header        X-Real-IP                $remote_addr;

        proxy_set_header        X-Forwarded-For    $proxy_add_x_forwarded_for;

        proxy_set_header        X-Client-Verify    $ssl_client_verify;

        proxy_set_header        X-SSL-Subject        $ssl_client_s_dn;

        proxy_set_header        X-SSL-Issuer         $ssl_client_i_dn;

        proxy_buffer_size                     16k;

        proxy_buffers                             8 32k;

        proxy_busy_buffers_size         64k;

        proxy_temp_file_write_size    64k;

        proxy_read_timeout                    65;

    }#server end

}#http end

啟動nginx

/usr/local/nginx/sbin/nginx

原文位址：http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel_Nginx

參考文檔：http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/