将CA组件从木偶主控制器中分离出来

我们以不同的方式处理这个问题，从长远来看似乎更加灵活和可靠。

我们创build了一个前端apache服务器，运行mod_proxy和mod_balancer。 然后，这识别传入的URL请求，并将与CA有关的请求路由到本地CA服务器，并且puppetmaster请求傀儡总pipe。 这还有一个好处，就是我们可以有一个单独的服务器来处理不同的环境。

puppetmasters必须被configuration，以便他们接受来自前端服务器的authentication信息。

定义平衡器（注意，600超时很重要）：

 <Proxy balancer://puppetmaster> BalancerMember http://pupappprd01.its.auckland.ac.nz:18140 timeout=600 BalancerMember http://pupappprd02.its.auckland.ac.nz:18140 timeout=600 BalancerMember http://pupappprd03.its.auckland.ac.nz:18140 timeout=600 </Proxy> # CA, facts and filebucket server <Proxy balancer://puppetmasterca> BalancerMember http://puprepprd01.its.auckland.ac.nz:18140 </Proxy> 

现在定义前端：

 Listen 8140 <VirtualHost *:8140> SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.auckland.ac.nz.pem SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.auckland.ac.nz.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # Send info to downstream workers RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e <Location / > SetHandler balancer-manager Order allow,deny Allow from all </Location> # The manifest can take up to 10min to build (default timeout is 2min) Timeout 600 ProxyTimeout 600 # This is required to prevent a race condition that can cause # the puppet agent to lock up SetEnv proxy-nokeepalive 1 SetEnv proxy-initial-not-pooled 1 ProxyPreserveHost On # CA - centralise the authentication # members of the puppetmasterca cluster will rsync the cert stores ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmasterca # Filebucket - this be on the central server to minimise duplication # members of the puppetmasterca cluster will rsync the file bucket ProxyPassMatch ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca ProxyPassReverse ^(/.*?)/file_bucket_file/(.*)$ balancer://puppetmasterca # ALL Report uploads handled by central servers # These will in turn upload reports to dashboard, depending on settings # in the puppet.conf for that environment ProxyPassMatch ^(/.*?)/report/(.*)$ balancer://puppetmasterca ProxyPassReverse ^(/.*?)/report/(.*)$ balancer://puppetmasterca # Production servers - catalogue, cache, facts, file metadata and fetch # These servers all synchronise with subversion every 15 min # Need the extended timeout because some manifest generation can # be slow. 5min should be sufficient. ProxyPassMatch ^/production/ balancer://puppetmaster timeout=600 ProxyPassReverse ^/production/ balancer://puppetmaster timeout=600 </VirtualHost> 

现在，我们可以定义处理CA服务器和Puppetmaster上的请求的puppetmaster。 请注意，我们如何在其他头字段中传递身份validation信息：

 Listen 18140 <VirtualHost *:18140> SSLEngine off # Obtain Authentication Information from Client Request headers SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1 SetEnvIf X-Client-DN "(.*)" SSL_CLIENT_S_DN=$1 RackAutoDetect On DocumentRoot /usr/share/puppet/rack/puppetmasterd/public <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None Order allow,deny allow from 127.0.0.1 allow from puprepprd01.its.auckland.ac.nz deny from all </Directory> LogLevel warn ErrorLog /var/log/httpd/puppetmaster_error.log CustomLog /var/log/httpd/puppetmaster_access.log combined </VirtualHost> 

在puppet.conf中，您需要多行来从环境中提取authentication信息：

 [master] ssl_client_header = HTTP_X_CLIENT_DN ssl_client_verify_header = HTTP_X_CLIENT_VERIFY 

这是更复杂的，但允许我们横向扩展，并尽可能多地将环境拆分到他们自己的puppetmaster服务器。 一个单独的服务器包含报告前端和CA（尽pipe如果您设置某种证书复制，可以将其拆分为多个CA后端）。