Tag-Archive for » nginx «

Monday, February 22nd, 2010 | Author:

Absolut_nginxAt $WORK I started using Nginx a while ago, first as a front end to my mongrel instances for puppet. Recently I began to use it for one of its most know features : reverse proxy (and caching too). Of course this work had to be puppetized !

This is a summary of what I’ve done :

  • Basic setup
  • Automatic setup of the status page, exploited by a munin plugin
  • An “include” directory, can be specific to a host through the usual $fqdn source selection system (as well as the nginx.conf file).
  • A “reverse proxy” specific class that uses a template embedding some ruby (see the previous post). My cache dir is under tmpfs, to speed up the whole thing.

This setup is mostly inspired by this post. I use a local dnsmasq setup to resolve both internal & external requests. This way I can manage vhosts being accessible from inside ou outside our network. It’s incredibly flexible and allows you to get the most from your infrastructure.

The puppet class :

# @name : nginx
# @desc : classe de base pour nginx
# @info : nil
class nginx
 package { "nginx":
 ensure => installed
 service { "nginx":
 ensure => running
 file { "nginx.conf":
 name => "/etc/nginx/nginx.conf",
 owner => root,
 group => root,
 source => [ "puppet://$fileserver/files/apps/nginx/$fqdn/nginx-rp-secure.conf", "puppet://$fileserver/files/apps/nginx/nginx-rp-secure.conf"],
 ensure => present,
 notify => Service["nginx"]
 # status is installed on all nginx boxens
 file { "nginx-status":
 name => "/etc/nginx/sites-enabled/nginx-status",
 owner => root,
 group => root,
 source => [ "puppet://$fileserver/files/apps/nginx/nginx-status", "puppet://$fileserver/files/apps/nginx/$fqdn/nginx-status"],
 ensure => present,
 notify => Service["nginx"]
 # include dir, get the freshness here
 file { "include_dir":
 name => "/etc/nginx/includes",
 owner => root,
 group => root,
 source => [ "puppet://$fileserver/files/apps/nginx/includes.$fqdn", "puppet://$fileserver/files/apps/nginx/includes"],
 ensure => directory,
 recurse => true,
 notify => Service["nginx"],
 ignore => ".svn*"
 # files managed by hand, no matter if it breaks
 file { "sites-managed":
 name => "/etc/nginx/sites-managed",
 owner => root,
 group => root,
 ensure => directory
# @name : nginx::reverseproxy
# @desc : config nginx pour reverse proxy
# @info : utilisée en conjonction avec dnsmasq local
class nginx::reverseproxy
 include nginx
 include dnsmasq::reverseproxy
 # Vars used by the template below
 file { "nginx-cachedir":
 name => "/dev/shm/nginx-cache",
 owner => www-data,
 group => www-data,
 ensure => directory
 file { "site_reverse-proxy":
 name => "/etc/nginx/sites-enabled/reverse-proxy",
 owner => root,
 group => root,
 content => template("nginx/$fqdn/reverse-proxy.erb"),
 ensure => present,
 notify => Service["nginx"],
 require => File["nginx-cachedir"]

This is the munin plugins that are automatically distributed with the box.

One of the generated graphs :


Category: BOFH Life, Puppet, SysAdmin  | Tags: , , ,  | One Comment
Wednesday, May 13th, 2009 | Author:

Mon puppetmaster au boulot a toujours été le bon vieux webrick fourni avec puppet. J’ai récemment atteint un nombre de machines qui ne permet plus de l’utiliser, il ne scale pas. Qu’à cela ne tienne, après avoir parcouru le wiki de puppet je me suis lancé : petit résumé et condensé orienté debian.

Tout d’abord les paquets nécessaires :

apt-get install mongrel nginx

Ensuite modifier la conf dans /etc/default/puppetmaster pour démarrer des serveurs de type mongrel en lieu et place de webrick :


Modifier la section puppetmasterd dans votre puppet.conf en ajoutant la ligne suivante :


et enfin le nginx.conf, copie quasi conforme de celui du wiki :

user root;
worker_processes 5;
error_log /var/log/nginx/error-puppet.log;
pid /var/run/nginx-puppet.pid;
events {
     worker_connections  1024;
http {
     default_type  application/octet-stream;
     access_log  /var/log/nginx/access.log;
     sendfile       on;
     tcp_nopush     on;
     keepalive_timeout  65;
     tcp_nodelay        on;
     ssl                     on;
     ssl_certificate         /var/lib/puppet/ssl/certs/puppet.XXXXX.pem;
     ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppet.XXXXXt.pem;
     ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
     ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;
     ssl_session_cache       shared:SSL:8m;
     ssl_session_timeout     5m;
     upstream puppet-production {
     server {
          listen                  8140;
          ssl_verify_client       on;
          root                    /var/empty;
          access_log              /var/log/nginx/access-8140.log;
          rewrite_log             /var/log/nginx/rewrite-8140.log;
     location / {
          proxy_pass          http://puppet-production;
          proxy_redirect      off;
          proxy_set_header    Host             $host;
          proxy_set_header    X-Real-IP        $remote_addr;
          proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
          proxy_set_header    X-Client-Verify  SUCCESS;
          proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
          proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
     proxy_read_timeout  65;
    server {
        listen                  8141;
        ssl_verify_client       off;
        root                    /var/empty;
        access_log              /var/log/nginx/access-8141.log;
        rewrite_log             /var/log/nginx/rewrite-8141.log;
        location / {
            proxy_pass         http://puppet-production;
            proxy_redirect     off;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header   X-Client-Verify  FAILURE;
            proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
            proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
            proxy_read_timeout  65;

Et OUI il tourne en root, à cause des certificats, flemme de gruiker sur les permissions.

Category: BOFH Life, Puppet, SysAdmin  | Tags: , ,  | Leave a Comment