服务端安装插件:
# Build prerequisites for compiling the Passenger Apache module: Ruby and
# Apache/APR development headers, libcurl and OpenSSL headers, the C/C++
# compilers, plus httpd itself and mod_ssl.
yum install -y ruby-devel ruby-libs rubygems libcurl-devel httpd httpd-devel apr-util-devel apr-devel mod_ssl gcc-c++ gcc openssl-devel
# Replace the default rubygems.org source with the ruby-china mirror. After
# this, every `gem install` on the host is fetched from that mirror only.
# NOTE(review): the gems installed below end up loaded inside the Puppet
# master's web server, so confirm this mirror is one you accept as a source
# of code for that role. Pinning a version with -v selects a release; it does
# not verify the contents of the downloaded gem.
gem sources --add https://gems.ruby-china.com/ --remove https://rubygems.org/
安装passenger
# Install rake and daemon_controller at fixed versions before Passenger,
# presumably so that installing Passenger does not pull newer releases of them.
gem install rake -v 10.4.2
gem install daemon_controller -v 1.2.0
# NOTE(review): 4.0.56 is an old Passenger release. Check whether a maintained
# release works with this Ruby/httpd before exposing port 8140 beyond the
# management network.
gem install passenger -v 4.0.56
# Interactive installer: it builds mod_passenger.so under the gem's buildout/
# directory (the path referenced by LoadModule in passenger.conf below).
passenger-install-apache2-module
回车,选择ruby
配置httpd
# Create the Rack application directory with the public/ and tmp/
# subdirectories; public/ is used as the DocumentRoot in puppetmaster.conf.
mkdir -p /etc/puppet/rack/puppetmaster/{public,tmp}
# Copy the Rack entry point shipped with the puppet package.
cp /usr/share/puppet/ext/rack/config.ru /etc/puppet/rack/puppetmaster/
# "puppet." (trailing dot) sets the owner to puppet and the group to puppet's
# login group.
# NOTE(review): Passenger's user switching normally runs a Rack application
# as the owner of its config.ru, so this ownership is what keeps the master
# from running as root. Confirm the file is not writable by other accounts.
chown puppet. /etc/puppet/rack/puppetmaster/config.ru
修改passenger.conf
vi /etc/httpd/conf.d/passenger.conf
# Load the Passenger module built by passenger-install-apache2-module.
# The path embeds the gem version (4.0.56); it must be updated whenever the
# passenger gem is upgraded, otherwise httpd will fail to load the module.
LoadModule passenger_module /usr/local/share/gems/gems/passenger-4.0.56/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
# Root of the Passenger installation; same gem directory as the module above.
PassengerRoot /usr/local/share/gems/gems/passenger-4.0.56
# Ruby interpreter used to run Rack applications unless overridden.
PassengerDefaultRuby /usr/bin/ruby
</IfModule>
保存退出
修改puppetmaster.conf配置
vi /etc/httpd/conf.d/puppetmaster.conf
# This Apache 2 virtual host config shows how to use Puppet as a Rack
# application via Passenger. See
# http://docs.puppetlabs.com/guides/passenger.html for more information.
# You can also use the included config.ru file to run Puppet with other Rack
# servers instead of Passenger.

# You probably want to tune these settings
# Server-wide Passenger tuning for the Puppet master application.
PassengerHighPerformance on
# Upper bound on concurrently running application processes.
PassengerMaxPoolSize 12
# Seconds an idle application process is kept before being shut down.
PassengerPoolIdleTime 1500
# Recycle an application process after it has served this many requests.
PassengerMaxRequests 1000
# Limit how often Passenger performs filesystem stat checks (seconds).
PassengerStatThrottleRate 120
# NOTE(review): RackAutoDetect / RailsAutoDetect come from the Passenger 3
# example config. As far as I recall they were removed in Passenger 4.x; if
# httpd refuses to start with "Invalid command", delete these two lines.
# Confirm against the installed Passenger version.
RackAutoDetect Off
RailsAutoDetect Off
# Port the Puppet master vhost below is served on.
Listen 8140
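# Puppet master served as a Rack application over mutually-authenticated TLS.
# Agents connect here on port 8140; the Puppet CA material under
# /var/lib/puppet/ssl is used both as the server identity and as the trust
# anchor for agent certificates.
<VirtualHost *:8140>
    SSLEngine on
    # SSLv3 is disabled in addition to SSLv2; the original "ALL -SSLv2" left
    # SSLv3 enabled.
    SSLProtocol ALL -SSLv2 -SSLv3
    # NOTE(review): this string still admits MEDIUM-strength suites. Tighten it
    # once you know the oldest agent that has to connect.
    SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP
    SSLHonorCipherOrder on

    # Server certificate and key. The file name must match this master's
    # certname (here "puppetmaster").
    SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # Agent certificates are verified against the Puppet CA.
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    # If Apache complains about invalid signatures on the CRL, you can try disabling
    # CRL checking by commenting the next line, but this is not recommended.
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # Apache 2.4 defaults SSLCARevocationCheck to none, which ignores the CRL
    # above, so revoked agent certificates would still verify. This vhost
    # already uses 2.4-only syntax ("Require all granted"), so the check is
    # enabled explicitly. Remove this line only when running Apache 2.2,
    # which does not know the directive.
    SSLCARevocationCheck chain

    # "optional" lets a client connect without a certificate. The verification
    # result is passed on in X-Client-Verify below, and the access decision is
    # then left to the Puppet master's own authorization rules.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    # The `ExportCertData` option is needed for agent certificate expiration warnings
    SSLOptions +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    RequestHeader unset X-Forwarded-For
    # "set" replaces any value the client sent, so these identity headers always
    # reflect what mod_ssl verified on this connection. If a proxy or load
    # balancer terminates TLS in front of this host, these headers must be
    # produced there, and this port must not be reachable by any other path.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/puppetmaster/public
    RackBaseURI /
    <Directory /etc/puppet/rack/puppetmaster/>
        # NOTE(review): "AllowOverride all" honours any .htaccess placed in this
        # tree. Nothing in this setup creates one, so consider "None".
        AllowOverride all
        Options -MultiViews
        Require all granted
    </Directory>
</VirtualHost>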
保存退出,重启httpd
# Stop the standalone puppetmaster service and keep it from starting at boot.
# httpd now listens on 8140 and serves the master through Passenger;
# presumably the standalone service would otherwise compete for that port.
service puppetmaster stop
chkconfig puppetmaster off
# Restart httpd to load mod_passenger and the new vhost. If it fails to start,
# check the error log for "Invalid command" or SSL/CRL errors.
service httpd restart