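# Nginx + Passenger front end for the Puppet master Rack application.
# Replace HOSTNAME (and the server_name placeholder) with the master's
# certname / DNS aliases before use; the paths below follow the default
# Puppet ssldir layout under /var/lib/puppet/ssl.
server {
    listen 8140 ssl;
    server_name puppet ....HOSTNAME/ALIAS LIST (space separated)....;

    # Rack app (config.ru) lives in /etc/puppet/rack; Passenger serves it.
    root /etc/puppet/rack/public;
    passenger_enabled on;
    passenger_app_env production;

    # Forward the client-certificate verdict and identity to the Rack app.
    # ssl_verify_client is "optional" so agents without a signed cert can
    # still reach the CA endpoints to submit a CSR; the application must
    # therefore treat X-Client-Verify as the authentication result and
    # only trust X-Client-DN / X-SSL-Subject when it is SUCCESS.
    passenger_set_header X-Client-Verify $ssl_client_verify;
    passenger_set_header X-Client-DN     $ssl_client_s_dn;
    passenger_set_header X-SSL-Subject   $ssl_client_s_dn;
    passenger_set_header X-SSL-Issuer    $ssl_client_i_dn;

    access_log /var/log/nginx/puppet_access.log;
    error_log  /var/log/nginx/puppet_error.log;

    # Server identity: the master's own Puppet-issued certificate and key.
    ssl_certificate     /var/lib/puppet/ssl/certs/HOSTNAME.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/HOSTNAME.pem;

    # Client-certificate validation against the Puppet CA, with revocation
    # checking via the CA's CRL. Depth 1 = agent cert signed directly by
    # the Puppet CA; intermediates are not expected in this PKI.
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_crl                /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    # Pin the protocol set explicitly instead of inheriting the nginx
    # build's default, which on older releases still enables TLSv1/TLSv1.1.
    # If agents run on a Ruby/OpenSSL too old for TLSv1.2, add TLSv1 here
    # temporarily rather than dropping the directive.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;

    # Session resumption cache shared across workers.
    ssl_session_cache   shared:SSL:128m;
    ssl_session_timeout 5m;
}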