Advantages
* Performance: nginx is lean and runs very fast; many people report it is more efficient than Pound.
* Logging and debugging: nginx is more concise than Pound in both respects.
* Flexibility: nginx verifies the client certificate against the Puppet CA itself and forwards the outcome ($ssl_client_verify) and the client DN ($ssl_client_s_dn) to the application layer in request headers, so puppetmaster does not have to deal with TLS at all.
* nginx works out of the box; unlike Pound it needs no patches, and its configuration syntax is intuitive.
Disadvantages
Once a certificate has been signed on the server with puppetca, the authorization cannot be actively withdrawn on the server side; you can instead delete the ssl directory on the client to give it up, which in normal use has no ill effect. Two caveats: deleting the client's copy does not invalidate the signed certificate, so anyone holding another copy of it can still authenticate until it appears in the CRL, and nginx reads the ssl_crl file only when its configuration is loaded, so it must be reloaded after the CRL changes.
Configuration steps
Configure yum
Build a local yum repository from the installation ISO and configure the EPEL repository:
mount rhel54.iso /mnt -o loop,ro
vi /etc/yum.repos.d/local.repo
and write the following:

[Server]
name=Red Hat Enterprise Linux $releasever - $basearch - Server
baseurl=file:///mnt/Server
enabled=1
gpgcheck=0

[epel]
name=Red Hat Enterprise Linux $releasever - $basearch - epel
baseurl=http://mirrors.sohu.com/fedora-epel/5Server/$basearch
enabled=1
gpgcheck=0

gpgcheck=0 turns off package signature verification. That is tolerable for the mounted ISO, but the EPEL mirror is fetched over plain HTTP, so import the EPEL GPG key and set gpgcheck=1 for that repository unless you are prepared to install whatever the mirror happens to serve.
Configure Mongrel
Install the Puppet packages:
yum install puppetmaster puppet rubygem-mongrel

Edit /etc/sysconfig/puppetmaster and add the following two lines:
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 )
PUPPETMASTER_EXTRA_OPTS="--servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT"

This starts one Mongrel instance per listed port, the four backends nginx balances across below. --ssl_client_header names the request header from which puppetmaster takes the client certificate's DN: HTTP_X_SSL_SUBJECT is the CGI form of the X-SSL-Subject header that nginx sets. The verification result is read from HTTP_X_CLIENT_VERIFY by default (the ssl_client_verify_header setting), which matches the X-Client-Verify header set in the nginx configuration. Because puppetmaster trusts these headers as-is, the Mongrel ports must be reachable only from nginx; Mongrel defaults to binding 127.0.0.1 (the bindaddress setting), and that default should stay.

Start the service:
service puppetmaster start
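The identity handoff that --ssl_client_header sets up, as an added example (not Puppet's code): the backend never sees the TLS session, only the X-SSL-Subject and X-Client-Verify headers nginx sets in the configuration of the next section. The proxy address check, the CN regex and the sample requests are assumptions made for this illustration; puppetmaster itself only reads the headers, which is why the Mongrel ports must not be reachable by anything but nginx.

```python
"""Model of the identity handoff between nginx and a Mongrel-backed puppetmaster.

Added example, not Puppet's code.  With --ssl_client_header=HTTP_X_SSL_SUBJECT
the puppetmaster takes the client certificate's DN from the X-SSL-Subject
header and the verification result from X-Client-Verify, both set by nginx.
The proxy address, the CN regex and the sample requests are constructed for
illustration.
"""
import re

# Only nginx may vouch for a client.  The Mongrel listeners are reached via
# 127.0.0.1:1814x in the upstream block; this address check is an added
# safeguard (assumption), not something puppetmaster does on its own.
TRUSTED_PROXY = "127.0.0.1"

# CGI/Rack-style names of the headers nginx sets with proxy_set_header.
VERIFY_HEADER = "HTTP_X_CLIENT_VERIFY"   # X-Client-Verify: $ssl_client_verify
DN_HEADER = "HTTP_X_SSL_SUBJECT"         # X-SSL-Subject:   $ssl_client_s_dn

# Pull the CN out of the DN whether it arrives as "/C=XX/CN=host" or as
# "CN=host,O=org" (an approximation of the CN extraction, not Puppet's regex).
CN_RE = re.compile(r"^.*?CN\s*=\s*([^/,]+)")


def authenticated_node(environ):
    """Return the node name nginx vouched for, or None for an anonymous request.

    Anonymous is normal for an agent without a certificate yet (fetching the
    CA cert, submitting a CSR): ssl_verify_client optional lets it connect
    and nginx sends X-Client-Verify: NONE.  FAILED (bad or revoked cert) is
    handled the same way, the request simply carries no identity.
    """
    if environ.get("REMOTE_ADDR") != TRUSTED_PROXY:
        return None          # did not come through nginx: headers are untrusted
    if environ.get(VERIFY_HEADER) != "SUCCESS":
        return None
    match = CN_RE.match(environ.get(DN_HEADER, ""))
    return match.group(1).strip() if match else None


# Constructed requests, as Mongrel would hand them to Puppet's Rack handler.
SAMPLE_REQUESTS = {
    "signed agent": {"REMOTE_ADDR": "127.0.0.1", VERIFY_HEADER: "SUCCESS",
                     DN_HEADER: "/CN=agent01.example.com"},
    "new agent (CSR)": {"REMOTE_ADDR": "127.0.0.1", VERIFY_HEADER: "NONE",
                        DN_HEADER: ""},
    "revoked cert": {"REMOTE_ADDR": "127.0.0.1", VERIFY_HEADER: "FAILED",
                     DN_HEADER: "/CN=agent02.example.com"},
    # Anyone who can reach port 18140 directly just writes the headers.
    "spoof, bypassing nginx": {"REMOTE_ADDR": "10.0.0.5", VERIFY_HEADER: "SUCCESS",
                               DN_HEADER: "/CN=puppet.example.com.cn"},
}


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample request label to the identity the backend would accept."""
    return {label: authenticated_node(env) for label, env in requests.items()}


if __name__ == "__main__":
    for label, node in classify().items():
        print("%-24s -> %s" % (label, node or "anonymous"))
```

The last sample is the case the loopback binding protects against: with the header trusted unconditionally, a host that can open a TCP connection to a Mongrel port can claim any node name, including the master's own.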
Configure nginx
Next we configure nginx to replace the default web server. nginx lets us split static from dynamic requests: static content (the files under files/ and the files directories of modules) is served by nginx directly, and everything else is handed to puppet, so each component does what it is good at and the master can serve more nodes.

Download the nginx source, version 0.8.7 or later (the ssl_verify_client optional setting used below appeared in 0.8.7):
wget http://nginx.org/download/nginx-0.8.47.tar.gz
tar zxf nginx-0.8.47.tar.gz
cd nginx-0.8.47
./configure --with-http_stub_status_module --with-http_ssl_module
make && make install
vim /usr/local/nginx/conf/nginx.conf and write the following configuration:

user  daemon daemon;
worker_processes  4;
worker_rlimit_nofile 65535;

error_log  /var/log/nginx-puppet.log notice;
pid        /var/run/nginx-puppet.pid;

events {
    use epoll;
    worker_connections 32768;
}

http {
    sendfile   on;
    tcp_nopush on;

    keepalive_timeout 300;
    tcp_nodelay on;

    upstream puppetmaster {
        server 127.0.0.1:18140;
        server 127.0.0.1:18141;
        server 127.0.0.1:18142;
        server 127.0.0.1:18143;
    }

    server {
        listen 8140;
        root /etc/puppet;

        ssl on;
        ssl_session_timeout 5m;
        ssl_certificate        /opt/puppet/ssl/certs/puppet.example.com.cn.pem;
        ssl_certificate_key    /opt/puppet/ssl/private_keys/puppet.example.com.cn.pem;
        ssl_client_certificate /opt/puppet/ssl/ca/ca_crt.pem;
        ssl_crl                /opt/puppet/ssl/ca/ca_crl.pem;
        # optional: agents that have no certificate yet (CA and CSR requests)
        # must still be able to connect; the verify result is forwarded below
        ssl_verify_client optional;

        # File sections
        location /production/file_content/files/ {
            types { }
            default_type application/x-raw;
            alias /etc/puppet/manifests/files/;
        }

        # Modules files sections
        location ~ /production/file_content/modules/.+/ {
            root /etc/puppet/modules;
            types { }
            default_type application/x-raw;
            # [^/]+ keeps the module name to one path segment; with (.+)/(.+)
            # the first group is greedy and swallows nested directories, so
            # modules/ntp/etc/ntp.conf would map to ntp/etc/files/ntp.conf
            # instead of ntp/files/etc/ntp.conf
            rewrite ^/production/file_content/modules/([^/]+)/(.+)$ /$1/files/$2 break;
        }

        # Ask the puppetmaster for everything else
        location / {
            proxy_pass http://puppetmaster;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # result of the client-certificate check and the client DN; puppetmaster
            # reads the DN from this header via --ssl_client_header=HTTP_X_SSL_SUBJECT
            proxy_set_header X-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_buffer_size 16k;
            proxy_buffers 8 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_read_timeout 65;
        }
    } # server end
} # http end

Note that the two static locations are served to any TLS client that connects, including one that presented no certificate at all, because ssl_verify_client optional only records the outcome in $ssl_client_verify and the static locations never look at it. If the files under manifests/files or a module's files directory are not meant to be public, have those locations return 403 unless $ssl_client_verify is SUCCESS.
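The URL-to-path mapping of the two static locations, as an added example that is not part of the page or of Puppet: it re-implements the alias rule for manifests/files and the root plus rewrite rule for module files so the mapping can be checked offline before reloading nginx. The directories are the ones from the configuration above; the request URIs are constructed, and the greedy variant is included only to show what the (.+)/(.+) form of the rewrite would do with a nested path.

```python
"""Check which filesystem path the static nginx locations would serve.

Added example, not from the page or from Puppet.  It mirrors the two static
locations (alias for manifests/files, root + rewrite for module files) so the
URL-to-path mapping can be checked offline; request URIs are constructed.
"""
import posixpath
import re

MANIFEST_FILES = "/etc/puppet/manifests/files"   # alias of the files/ location
MODULES_ROOT = "/etc/puppet/modules"             # root of the modules/ location
FILES_PREFIX = "/production/file_content/files/"

# Module name is the single segment after modules/; everything after it is a
# path inside that module's files/ directory.
MODULE_RE = re.compile(r"^/production/file_content/modules/([^/]+)/(.+)$")
# Greedy form: the first group runs to the last slash in the URI.
GREEDY_MODULE_RE = re.compile(r"^/production/file_content/modules/(.+)/(.+)$")


def static_path(uri):
    """Return the path nginx serves for uri, or None if it falls through to proxy_pass."""
    # nginx resolves ./ and ../ in the request URI before matching locations,
    # so a traversal attempt leaves the static prefix and reaches no file.
    uri = posixpath.normpath(uri)
    if uri.startswith(FILES_PREFIX):
        return MANIFEST_FILES + "/" + uri[len(FILES_PREFIX):]
    match = MODULE_RE.match(uri)
    if match:
        return "%s/%s/files/%s" % (MODULES_ROOT, match.group(1), match.group(2))
    return None


def greedy_module_path(uri):
    """Same mapping with (.+)/(.+): nested directories end up in the module name."""
    match = GREEDY_MODULE_RE.match(posixpath.normpath(uri))
    if match:
        return "%s/%s/files/%s" % (MODULES_ROOT, match.group(1), match.group(2))
    return None


if __name__ == "__main__":
    for uri in ("/production/file_content/files/motd",
                "/production/file_content/modules/ntp/ntp.conf",
                "/production/file_content/modules/ntp/etc/ntp.conf",
                "/production/file_content/files/../../../../etc/passwd",
                "/production/catalog/agent01.example.com"):
        print(uri, "->", static_path(uri), "| greedy:", greedy_module_path(uri))
```

A flat module file maps the same way under both rules; the difference shows only once a module keeps files in subdirectories, which is exactly the case that a `source => 'puppet:///modules/ntp/etc/ntp.conf'` in a manifest produces.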
Start nginx (check the configuration first with -t):
/usr/local/nginx/sbin/nginx -t
/usr/local/nginx/sbin/nginx
Original source: http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel_Nginx
Reference: http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/