I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current work around is to allow access to all catalog and node items to the proxy server in auth.conf. I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've unable to modify anything in the apache configuration to change this.
On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
> I've configured our DMZ apache webserver to proxy connections from our > roaming users into our internal puppet master running under > passenger/apache. Everything is pretty much working but because I am using > SSL between the proxy server and the puppet master, the master treats the > connection as authenticated as the proxy. My current work around is to > allow access to all catalog and node items to the proxy server in > auth.conf. I'd like to try to get the master to use the ssl authentication > information passed by the proxy as the authentication for the connection > but so far have been completely unsuccessful. Does anyone know how this > can be done? I've been poking around the code a bit but I haven't been > able to find out where the authenticated host information comes from, and > I've unable to modify anything in the apache configuration to change this.
If you read through, you note that the authenticated host information
gets passed to puppet through the three headers that are set by apache:
X-SSL-Subject, X-Client-DN, X-Client-Verify.
The trick to getting your case to work is to edit the puppet master's
passenger/apache configuration to pass through the values of these three
headers when receiving a request from the proxy server, instead of
filling them in from the ssl certificate. I'm not familiar enough with
apache to know the exact syntax for this.
Do note that you want to make sure to *only* pass through these headers
when receiving a request from the proxy server! Otherwise any client
could connect, even on unsecured HTTP, and pretend to be authenticated
as whomever it wants by just adding headers to the request.
On Saturday, August 18, 2012 11:05:42 PM UTC-6, Calvin Walton wrote:
> On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote: > > I've configured our DMZ apache webserver to proxy connections from our > > roaming users into our internal puppet master running under > > passenger/apache. Everything is pretty much working but because I am > using > > SSL between the proxy server and the puppet master, the master treats > the > > connection as authenticated as the proxy. My current work around is to > > allow access to all catalog and node items to the proxy server in > > auth.conf. I'd like to try to get the master to use the ssl > authentication > > information passed by the proxy as the authentication for the connection > > but so far have been completely unsuccessful. Does anyone know how this > > can be done? I've been poking around the code a bit but I haven't been > > able to find out where the authenticated host information comes from, > and > > I've unable to modify anything in the apache configuration to change > this.
> To start with, I'm going to assume that the passenger/apache > configuration looks something like this:
> If you read through, you note that the authenticated host information > gets passed to puppet through the three headers that are set by apache: > X-SSL-Subject, X-Client-DN, X-Client-Verify.
> The trick to getting your case to work is to edit the puppet master's > passenger/apache configuration to pass through the values of these three > headers when receiving a request from the proxy server, instead of > filling them in from the ssl certificate. I'm not familiar enough with > apache to know the exact syntax for this.
> Do note that you want to make sure to *only* pass through these headers > when receiving a request from the proxy server! Otherwise any client > could connect, even on unsecured HTTP, and pretend to be authenticated > as whomever it wants by just adding headers to the request.
' Yes, my config is very much as described. However, I do not believe that puppet does anything with the X-* headers in this case. I can set them to something completely non-sensical in the apache config (or at least try to) and puppet still sees the ssl client as the authenticating host. The comments above setting those headers mention "Pound", so I suspect they are not used in this configuration. Unfortunately I'm not familiar enough with the application framework to confirm where the authentication stuff is coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears that it may be impossible to change those variables with SetEnv in the apache config or perhaps even in another apache module.
What I ended up doing is setting up a second passenger config that only accepts connections from the proxy. This config does *not* set "SSLOption +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy headers. It also is configured to only accept authenticated connections from the proxy.
On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
> I've configured our DMZ apache webserver to proxy connections from our > roaming users into our internal puppet master running under > passenger/apache. Everything is pretty much working but because I am using > SSL between the proxy server and the puppet master, the master treats the > connection as authenticated as the proxy. My current work around is to > allow access to all catalog and node items to the proxy server in > auth.conf. I'd like to try to get the master to use the ssl authentication > information passed by the proxy as the authentication for the connection > but so far have been completely unsuccessful. Does anyone know how this > can be done? I've been poking around the code a bit but I haven't been > able to find out where the authenticated host information comes from, and > I've unable to modify anything in the apache configuration to change this.
On Monday, August 20, 2012 10:09:21 AM UTC-7, opoplawski wrote:
> What I ended up doing is setting up a second passenger config that only > accepts connections from the proxy. This config does *not* set "SSLOption > +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy > headers. It also is configured to only accept authenticated connections > from the proxy.
> On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
>> I've configured our DMZ apache webserver to proxy connections from our >> roaming users into our internal puppet master running under >> passenger/apache. Everything is pretty much working but because I am using >> SSL between the proxy server and the puppet master, the master treats the >> connection as authenticated as the proxy. My current work around is to >> allow access to all catalog and node items to the proxy server in >> auth.conf. I'd like to try to get the master to use the ssl authentication >> information passed by the proxy as the authentication for the connection >> but so far have been completely unsuccessful. Does anyone know how this >> can be done? I've been poking around the code a bit but I haven't been >> able to find out where the authenticated host information comes from, and >> I've unable to modify anything in the apache configuration to change this.
