如何擴展master的SSL傳輸性能（nginx） · Puppet運維實戰

#### Puppet擴展篇4-如何擴展master的SSL傳輸性能（nginx） **描述：**puppet使用SSL(https)協議來進行通訊，默認情況下，puppet server端使用基于Ruby的WEBRick HTTP服務器。由于WEBRick HTTP服務器在處理agent端的性能方面并不是很強勁，因此需要擴展puppet，搭建nginx或者其他強勁的web服務器來處理客戶的https請求。 **需要解決的問題：** - 擴展傳輸方式：提高性能并增加Master和agent之間的并發連接數量。 - 擴展SSL：采用良好的SSL證書管理方法來加密Master和agent之間的通訊。 Nginx+Passenger方式： ### 1、安裝編譯nginx所需要的開發包 ~~~ [root@TKPUPT-M1 ~]# groupadd -g 3001 nginx [root@TKPUPT-M1 ~]# useradd -u 3001 -g 3001 nginx [root@TKPUPT-M1 ~]# yum install ruby-devel gcc make pcre-devel zlib-devel openssl-devel pam-devel curl-devel rpm-build ~~~ ### 2、安裝passenger（將gem軟件包copy到本地）備注：需要先將gem包下載到本地，當然也可以聯網安裝，會非常慢。 ~~~ [root@TKPUPT-M1 gem]# gem install --localhost rake rack passenger --no-rdoc --no-ri ~~~ ### 3、解壓nginx、pcre源碼包 ~~~ [root@TKPUPT-M1 gem]# tar xf pcre-8.32.tar.gz -C /usr/local/src/ [root@TKPUPT-M1 gem]# tar xf nginx-1.4.2.tar.gz -C /usr/local/src/ ~~~ ### 4、編譯并安裝nginx 備注：主要是為了將模塊passenger-config編譯進來。 ~~~ [root@TKPUPT-M1 ~]# cd /usr/local/src/nginx-1.4.2/ [root@TKPUPT-M1 nginx-1.4.2]# ./configure --user=nginx --group=nginx --prefix=/etc/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.32 --add-module=`passenger-config --root`/ext/nginx [root@TKPUPT-M1 nginx-1.4.2]# make && make install ~~~ ### 5、與passenger結合備注：注意config.ru的屬主和屬組應該為puppet ~~~ [root@TKPUPT-M1 nginx-1.4.2]# mkdir -p /etc/puppet/rack/public [root@TKPUPT-M1 nginx-1.4.2]# cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/ [root@TKPUPT-M1 nginx-1.4.2]# chown -R puppet. /etc/puppet/rack/ ~~~ ### 6、復制啟動腳本到 ~~~ [root@TKPUPT-M1 init.d]# cp /root/gem/nginx /etc/init.d/ [root@TKPUPT-M1 ~]# chmod a+x /etc/init.d/nginx ~~~ ### 7、配置nginx 備注：注意和puppet結合的證書名稱及路徑 ~~~ [root@TKPUPT-M1 gem]# vim /etc/nginx/conf/nginx.conf user nginx nginx; worker_processes 1; pid /var/run/nginx.pid; events { worker_connections 1024; } http { passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-4.0.19; passenger_ruby /usr/bin/ruby; include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 8140 ssl; server_name puppetmaster; passenger_enabled on; passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn; passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify; proxy_buffer_size 4000k; proxy_buffering on; proxy_buffers 32 1280k; proxy_busy_buffers_size 17680k; client_max_body_size 10m; client_body_buffer_size 4096k; access_log /var/log/nginx/puppet_access.log; error_log /var/log/nginx/puppet_error.log; root /etc/puppet/rack/public; ssl off; ssl_session_timeout 5m; ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.pem; ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.pem; ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; ssl_verify_client optional; ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA; ssl_prefer_server_ciphers on; ssl_verify_depth 1; ssl_session_cache shared:SSL:128m; # File sections location /production/file_content/files/ { types { } default_type application/x-raw; alias /etc/puppet/files/; } } } ~~~ ### 8、配置puppet.conf ~~~ [root@TKPUPT-M1 ~]# vim /etc/puppet/puppet.conf [master] certname = puppetmaster ca = false ssl_client_verify_header = HTTP_X_CLIENT_VERIFY ssl_client_header = HTTP_X_CLIENT_DN ~~~ ### 8、啟動nginx ~~~ [root@TKPUPT-M1 gem]# mkdir /var/log/nginx/ [root@TKPUPT-M1 nginx-1.4.2]# /etc/init.d/puppetmaster stop [root@TKPUPT-M1 nginx-1.4.2]# chkconfig puppetmaster off [root@TKPUPT-M1 nginx-1.4.2]# /etc/init.d/nginx start [root@TKPUPT-M1 nginx-1.4.2]# chkconfig nginx on ~~~ ### 9、測試在多個節點發起puppet agent -t命令動作，查看nginx日志看nginx+passenger是否代理成功。 ~~~ [root@TKPUPT-CA ~]# puppet agent -t [root@TKPUPT-M1 ~]# tailf /var/log/nginx/puppet_access.log ~~~ **參考：**[http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger](http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger)