我迁移了我的 puppet master 设置以在 thin 下运行,文件由 nginx 提供。
模块文件服务很好,但插件文件似乎不起作用。日志认为代理正在请求类似的 url /production/file_content/plugins/puppet/provider/exec/powershell.rb,因此 nginx 抛出 404,因为不存在这样的路径。这在 WEBrick 上运行良好。
从理论上讲,这应该是编写类似于下面的模块规则的重写规则的简单情况。然而,很多这些提供者都在模块中,所以这个特定的提供者在/etc/puppet/modules/powershell/lib/puppet/provider/exec/powershell.rb.
当它们可能分散在各种模块目录中时,如何从请求 URL 映射到实际插件?
我的 nginx 配置如下所示:
upstream puppetmaster-thin {
server unix:/var/run/puppet/puppetmasterd.0.sock;
server unix:/var/run/puppet/puppetmasterd.1.sock;
server unix:/var/run/puppet/puppetmasterd.2.sock;
}
server {
listen 8140;
root /etc/puppet/rack;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/gcspuppet01.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/gcspuppet01.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
proxy_read_timeout 120;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client_DN $ssl_client_s_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
location /production/file_content/ {
location /production/file_content/extra_files/ {
alias /etc/puppet/files/;
}
rewrite ^/production/file_content/modules/([^/]+)/(.*) /$1/files/$2;
break;
root /etc/puppet/modules/;
}
location / {
proxy_pass http://puppetmaster-thin;
}
}
我想到了。问题在于 nginx 正在有效地尝试提供对
/production/file_content/. 这样做的问题是,虽然这对于从 下的模块提供文件很有用/production/file_content/modules/,但它会劫持/production/file_content/plugins.因为插件路径是“魔法”的,所以它们需要由 puppet master 守护进程处理,而不是由 nginx 处理。解决方案是编写一个更好的 nginx 配置文件: