Merge pull request #122 from danieldreier/nginx_unicorn_fix

Fix broken nginx-unicorn support

Author: zachfi

manifests/server/rack.pp

@@ -20,7 +20,7 @@
 
   $run_template = $::puppetversion ? {
     /^2.7/      => 'puppet/config.ru/99-run-2.7.erb',
-    /^3.[0-6]/  => 'puppet/config.ru/99-run-3.0.erb',
+    /^3.[0-7]/  => 'puppet/config.ru/99-run-3.0.erb',
   }
 
   concat::fragment { 'run-puppet-master':

manifests/server/unicorn.pp

@@ -2,7 +2,7 @@
 
   include puppet::params
   include puppet::server::rack
-  class { 'nginx': }
+  include nginx
 
   class { 'puppet::server::standalone':
     enabled => false,
@@ -11,31 +11,63 @@
       Unicorn::App['puppetmaster'],
     ],
   }
+  Ini_setting {
+    ensure  => 'present',
+    section => 'master',
+    path    => $puppet::params::puppet_conf,
+  }
+  ini_setting {
+    'ssl_client_header':
+      ensure  => present,
+      setting => 'ssl_client_header',
+      value   => 'HTTP_X_CLIENT_DN';
+    'ssl_client_verify_header':
+      ensure  => present,
+      setting => 'ssl_client_verify_header',
+      value   => 'HTTP_X_CLIENT_VERIFY';
+  }
 
   $servername     = pick($::puppet::server::servername, $::clientcert, $::fqdn)
   $unicorn_socket = "unix:${puppet::params::puppet_rundir}/puppetmaster_unicorn.sock"
 
   nginx::resource::vhost { 'puppetmaster':
-    server_name           => [$servername],
-    ssl                   => true,
-    ssl_port              => '8140',
-    listen_port           => '8140', # force ssl_only by matching ssl_port
-    ssl_cert              => "${::puppet::ssldir}/certs/${servername}.pem",
-    ssl_key               => "${::puppet::ssldir}/private_keys/${servername}.pem",
-    ssl_ciphers           => $::puppet::server::ssl_ciphers,
-    ssl_protocols         => $::puppet::server::ssl_protocols,
-    proxy_read_timeout    => '300',
-    proxy                 => "http://puppetmaster_unicorn",
-    vhost_cfg_append      => {
+    server_name          => [$servername],
+    ssl                  => true,
+    ssl_port             => '8140',
+    listen_port          => '8140', # force ssl_only by matching ssl_port
+    ssl_cert             => "${::puppet::ssldir}/certs/${servername}.pem",
+    ssl_key              => "${::puppet::ssldir}/private_keys/${servername}.pem",
+    ssl_ciphers          => $::puppet::server::ssl_ciphers,
+    ssl_protocols        => $::puppet::server::ssl_protocols,
+    use_default_location => false,
+    vhost_cfg_append     => {
       ssl_crl                => "${::puppet::ssldir}/crl.pem",
       ssl_client_certificate => "${::puppet::ssldir}/certs/ca.pem",
       ssl_verify_client      => 'optional',
-      proxy_connect_timeout  => '300',
-      proxy_set_header       => [ 'Host $host', 'X-Real-IP $remote_addr', 'X-Forwarded-For $proxy_add_x_forwarded_for', 'X-Client-Verify $ssl_client_verify', 'X-Client-DN $ssl_client_s_dn', 'X-SSL-Issuer $ssl_client_i_dn'],
+      proxy_set_header       => [ 'Host $host',
+                                  'X-Real-IP $remote_addr',
+                                  'X-Forwarded-For $proxy_add_x_forwarded_for',
+                                  'X-Client-Verify $ssl_client_verify',
+                                  'X-Client-DN $ssl_client_s_dn',
+                                  'X-SSL-Issuer $ssl_client_i_dn'],
       root                   => '/usr/share/empty',
     }
   }
-
+  nginx::resource::location { 'unicorn_upstream':
+    ensure                => present,
+    location              => '/',
+    vhost                 => 'puppetmaster',
+    proxy_set_header      => [],
+    location_custom_cfg   => {
+      proxy_pass            => "http://puppetmaster_unicorn",
+      proxy_redirect        => 'off',
+      proxy_connect_timeout => '90',
+      proxy_read_timeout    => '300',
+    },
+    # this priority sets concat order so that the location is created inside
+    # the server block. This works around a possible bug in jfryman/nginx.
+    priority => 701,
+  }
   nginx::resource::upstream { 'puppetmaster_unicorn':
     members => [
       $unicorn_socket

spec/acceptance/server_spec.rb

@@ -94,6 +94,11 @@ class { "puppet::server":
       apply_manifest(pp, :catch_failures => true)
       expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
     end
+  describe command('puppet agent --test --server puppet') do
+    its(:exit_status) { should eq 0 }
+    its(:stderr) { should_not match /Forbidden request:/ }
+    its(:stderr) { should_not match /Error:/ }
+  end
 
     describe package('nginx') do
       it {

spec/spec_helper_acceptance.rb

@@ -33,6 +33,7 @@
   install_package host, 'rubygems'
   install_package host, 'git'
   on host, 'hash r10k || gem install r10k --no-ri --no-rdoc'
+  on host, 'echo "$(facter ipaddress) puppet" >> /etc/hosts'
 
   puppetfile = <<-EOS
 mod 'stdlib',         :git => 'git://github.com/puppetlabs/puppetlabs-stdlib.git'
@@ -47,7 +48,7 @@
 mod 'unicorn',        :git => 'git://github.com/puppetlabs-operations/puppet-unicorn.git'
 mod 'rack',           :git => 'git://github.com/puppetlabs-operations/puppet-rack.git'
 mod 'bundler',        :git => 'git://github.com/puppetlabs-operations/puppet-bundler.git'
-mod 'nginx',          :git => 'git://github.com/jfryman/puppet-nginx.git'
+mod 'nginx',          :git => 'git://github.com/jfryman/puppet-nginx.git', :ref => 'v0.0.10'
 mod 'inifile',        :git => 'git://github.com/puppetlabs/puppetlabs-inifile.git'
 mod 'apache',         :git => 'git://github.com/puppetlabs/puppetlabs-apache.git'
 mod 'portage',        :git => 'git://github.com/gentoo/puppet-portage.git'