diff --git a/ext/rack/example-passenger-vhost.conf b/ext/rack/example-passenger-vhost.conf index 860e6f373..c14f3cd98 100644 --- a/ext/rack/example-passenger-vhost.conf +++ b/ext/rack/example-passenger-vhost.conf @@ -1,52 +1,53 @@ # This Apache 2 virtual host config shows how to use Puppet as a Rack # application via Passenger. See # http://docs.puppetlabs.com/guides/passenger.html for more information. # You can also use the included config.ru file to run Puppet with other Rack # servers instead of Passenger. # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off Listen 8140 SSLEngine on - SSLProtocol -ALL +SSLv3 +TLSv1 - SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP + SSLProtocol ALL -SSLv2 + SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP + SSLHonorCipherOrder on SSLCertificateFile /etc/puppet/ssl/certs/squigley.namespace.at.pem SSLCertificateKeyFile /etc/puppet/ssl/private_keys/squigley.namespace.at.pem SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 # The `ExportCertData` option is needed for agent certificate expiration warnings SSLOptions +StdEnvVars +ExportCertData # This header needs to be set if using a loadbalancer or proxy RequestHeader unset X-Forwarded-For RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e DocumentRoot /etc/puppet/rack/public/ RackBaseURI / Options None AllowOverride None Order allow,deny allow from all