nginx Passenger puppetmaster

A simple snippet of Nginx SSL configuration for running Puppetmaster as a Rack app under Passenger. It assumes many RHEL defaults, so some paths may need to be adjusted.

July 15, 2012
default: 8140

vhost for nginx to listen on

server {

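  listen       %{puppet_port}% ssl;
  server_name %{virtual_hostname}%;

    #charset koi8-r;
    access_log   /var/log/nginx/%{virtual_hostname}%.access.log;
    error_log     /var/log/nginx/%{virtual_hostname}%.error.log;

    root     /var/www/puppetmaster/public/;
        index  index.html index.htm;

    passenger_enabled on;
    # Hand the client certificate subject and the TLS verification result to the
    # puppetmaster Rack app. These are taken from nginx's own TLS variables, so
    # the app sees values nginx verified rather than anything a client sent.
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    ssl_certificate /var/lib/puppet/ssl/certs/%{virtual_hostname}%.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/%{virtual_hostname}%.pem;
    # Without a CRL, a certificate revoked by the Puppet CA still verifies as
    # SUCCESS in $ssl_client_verify and the agent keeps its access. This path
    # assumes the host is the Puppet CA; otherwise point it at the CRL the
    # master distributes.
    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    # Restrict to protocol versions and cipher suites that are not broken.
    # The previous list (SSLv2:-LOW:-EXPORT:RC4+RSA) enabled SSLv2-era suites and
    # RC4. TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer; drop it
    # from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    # "optional" rather than "on": connections without a client certificate are
    # still accepted (presumably so new agents can submit a CSR — confirm against
    # the app), so the app must check HTTP_X_CLIENT_VERIFY on every request.
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;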

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    # (served from the stock nginx html directory, not from the app's root above)
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;