Using puppet with Apache mod_disk_cache and passenger over SSL

Brian Wilkins

Aug 29, 2014, 12:50:02 PM
to puppet...@googlegroups.com
I have tried to set up Apache with passenger to host the puppetmaster but I also want to cache. I have no problems running puppet within Passenger with httpd. I also enabled mod_disk_cache within Apache. However, I still see my puppet client hitting the puppetmaster and the puppetmaster compiles the manifest every time. In /var/cache/mod_cache, I can see that the data was properly cached.

What is wrong with my configuration that still allows httpd to serve up the request from the puppetmaster rather than using the cache? I was looking at lessening the load on the puppetmaster and have the cache handle common requests.

LoadModule ssl_module modules/mod_ssl.so

ServerName hostname

# RHEL/CentOS:
# And the passenger performance tuning settings:
PassengerHighPerformance On
PassengerUseGlobalQueue On
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 6
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
PassengerTempDir /var/run/passenger

# Add %D for "The time taken to serve the request, in microseconds."

LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" puppet

Listen 8140
<VirtualHost *:8140>
    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol             All -SSLv2
    SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
    SSLCertificateFile      /var/lib/puppet/ssl/certs/hostname.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/hostname.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options Indexes
        AllowOverride None
        Order Allow,Deny
        Allow from All
    </Directory>

    <IfModule mod_expires.c>
       <Location /production/file_metadatas/>
          ExpiresActive On
          ExpiresDefault "access plus 30 minutes"
       </Location>
    </IfModule>
    <IfModule mod_disk_cache.c>
       CacheEnable disk /production/file_metadata/
       CacheEnable disk /production/file_metadatas/
       CacheRoot "/var/cache/mod_cache"
       CacheDefaultExpire 1800
       CacheIgnoreNoLastMod On
    </IfModule>

</VirtualHost>

mod_cache]# ls -la
total 40
drwxr-xr-x  10 apache apache 4096 Aug 29 12:37 .
drwxr-xr-x. 18 root   root   4096 Aug 29 12:36 ..
drwx------   3 apache apache 4096 Aug 29 12:37 Hk
drwx------   3 apache apache 4096 Aug 29 12:37 K5
drwx------   3 apache apache 4096 Aug 29 12:37 Q9
drwx------   3 apache apache 4096 Aug 29 12:37 Rl
drwx------   3 apache apache 4096 Aug 29 12:37 St
drwx------   3 apache apache 4096 Aug 29 12:37 ui
drwx------   3 apache apache 4096 Aug 29 12:37 wV
drwx------   3 apache apache 4096 Aug 29 12:37 _Z


Wil Cooley

Aug 29, 2014, 5:57:30 PM
to puppet-users group
On Fri, Aug 29, 2014 at 9:50 AM, Brian Wilkins <bwil...@gmail.com> wrote:
> # RHEL/CentOS:
> # And the passenger performance tuning settings:
> PassengerHighPerformance On

The Passenger doc says that this bypasses several layers of Apache processing, so it is incompatible with mod_rewrite and others -- I would not be surprised if it also was the source of your trouble.
 
Wil

Brian Wilkins

Sep 2, 2014, 9:44:13 AM
to puppet...@googlegroups.com
I turned off high performance, but every request still hits the puppetmaster. Any more ideas?
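One way to check from the access log whether requests under the two CacheEnable paths are still reaching the master, using the %D field of the "puppet" LogFormat posted above. This is an added example, not code from the thread; it assumes a CustomLog that uses that format, and the sample lines and the 50 ms threshold are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# Matches the "puppet" LogFormat from the thread:
#   %h %l %u %t "%r" %>s %b %D "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+) ')

# Path prefixes taken from the CacheEnable lines in the posted VirtualHost.
CACHED_PREFIXES = ("/production/file_metadata/", "/production/file_metadatas/")

def summarize(lines, slow_usec=50_000):
    """Per endpoint: request count, median %D, and whether a cache-enabled
    endpoint still looks backend-served. slow_usec is an assumed threshold;
    calibrate it against an uncached endpoint such as the catalog."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the puppet LogFormat
        path = m.group("path").split("?", 1)[0]
        # Endpoint is /<environment>/<indirection>/
        endpoint = "/".join(path.split("/")[:3]) + "/"
        times[endpoint].append(int(m.group("usec")))
    report = {}
    for endpoint, usecs in times.items():
        med = median(usecs)
        cached = endpoint.startswith(CACHED_PREFIXES)
        report[endpoint] = {"count": len(usecs), "median_usec": med,
                            "suspect_miss": cached and med >= slow_usec}
    return report

# Constructed sample log lines (not from the thread).
T = "[02/Sep/2014:09:40:01 -0400]"
SAMPLE = [
    f'10.0.0.5 - - {T} "GET /production/file_metadata/modules/ntp/ntp.conf HTTP/1.1" 200 312 84012 "-" "-"',
    f'10.0.0.5 - - {T} "GET /production/file_metadata/modules/ntp/keys HTTP/1.1" 200 310 91500 "-" "-"',
    f'10.0.0.6 - - {T} "GET /production/file_metadata/modules/ssh/sshd HTTP/1.1" 200 305 79900 "-" "-"',
    f'10.0.0.5 - - {T} "GET /production/file_metadatas/plugins?recurse=true HTTP/1.1" 200 4096 1200 "-" "-"',
    f'10.0.0.6 - - {T} "GET /production/file_metadatas/plugins?recurse=true HTTP/1.1" 200 4096 1800 "-" "-"',
    f'10.0.0.5 - - {T} "POST /production/catalog/node1.example.com HTTP/1.1" 200 52011 2400000 "-" "-"',
    "line in some other format",
]

if __name__ == "__main__":
    for endpoint, stats in sorted(summarize(SAMPLE).items()):
        print(endpoint, stats)
```

A low median on a cache-enabled endpoint is only a hint that Apache answered without the master; the master's own log of handled requests is the authoritative check.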