Re: [Puppet Users] How to modify client authentication in passenger based puppet master behind ssl proxy
319 views
Skip to first unread message
Calvin Walton
Aug 19, 2012, 1:05:42 AM8/19/12
to puppet...@googlegroups.com
On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
> I've configured our DMZ apache webserver to proxy connections from our
> roaming users into our internal puppet master running under
> passenger/apache. Everything is pretty much working but because I am using
> SSL between the proxy server and the puppet master, the master treats the
> connection as authenticated as the proxy. My current work around is to
> allow access to all catalog and node items to the proxy server in
> auth.conf. I'd like to try to get the master to use the ssl authentication
> information passed by the proxy as the authentication for the connection
> but so far have been completely unsuccessful. Does anyone know how this
> can be done? I've been poking around the code a bit but I haven't been
> able to find out where the authenticated host information comes from, and
> I've unable to modify anything in the apache configuration to change this.
To start with, I'm going to assume that the passenger/apache
configuration looks something like this:
http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x
and that your proxy server apache configuration probably looks something
like this:
http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration
If you read through, you note that the authenticated host information
gets passed to puppet through the three headers that are set by apache:
X-SSL-Subject, X-Client-DN, X-Client-Verify.
The trick to getting your case to work is to edit the puppet master's
passenger/apache configuration to pass through the values of these three
headers when receiving a request from the proxy server, instead of
filling them in from the ssl certificate. I'm not familiar enough with
apache to know the exact syntax for this.
Do note that you want to make sure to *only* pass through these headers
when receiving a request from the proxy server! Otherwise any client
could connect, even on unsecured HTTP, and pretend to be authenticated
as whomever it wants by just adding headers to the request.
--
Calvin Walton <calvin...@kepstin.ca>
> I've configured our DMZ apache webserver to proxy connections from our
> roaming users into our internal puppet master running under
> passenger/apache. Everything is pretty much working but because I am using
> SSL between the proxy server and the puppet master, the master treats the
> connection as authenticated as the proxy. My current work around is to
> allow access to all catalog and node items to the proxy server in
> auth.conf. I'd like to try to get the master to use the ssl authentication
> information passed by the proxy as the authentication for the connection
> but so far have been completely unsuccessful. Does anyone know how this
> can be done? I've been poking around the code a bit but I haven't been
> able to find out where the authenticated host information comes from, and
> I've unable to modify anything in the apache configuration to change this.
To start with, I'm going to assume that the passenger/apache
configuration looks something like this:
http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x
and that your proxy server apache configuration probably looks something
like this:
http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration
If you read through, you note that the authenticated host information
gets passed to puppet through the three headers that are set by apache:
X-SSL-Subject, X-Client-DN, X-Client-Verify.
The trick to getting your case to work is to edit the puppet master's
passenger/apache configuration to pass through the values of these three
headers when receiving a request from the proxy server, instead of
filling them in from the ssl certificate. I'm not familiar enough with
apache to know the exact syntax for this.
Do note that you want to make sure to *only* pass through these headers
when receiving a request from the proxy server! Otherwise any client
could connect, even on unsecured HTTP, and pretend to be authenticated
as whomever it wants by just adding headers to the request.
--
Calvin Walton <calvin...@kepstin.ca>
opoplawski
Aug 20, 2012, 12:03:18 PM8/20/12
to puppet...@googlegroups.com
'
Yes, my config is very much as described. However, I do not believe that puppet does anything with the X-* headers in this case. I can set them to something completely non-sensical in the apache config (or at least try to) and puppet still sees the ssl client as the authenticating host. The comments above setting those headers mention "Pound", so I suspect they are not used in this configuration. Unfortunately I'm not familiar enough with the application framework to confirm where the authentication stuff is coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears that it may be impossible to change those variables with SetEnv in the apache config or perhaps even in another apache module.
Yes, my config is very much as described. However, I do not believe that puppet does anything with the X-* headers in this case. I can set them to something completely non-sensical in the apache config (or at least try to) and puppet still sees the ssl client as the authenticating host. The comments above setting those headers mention "Pound", so I suspect they are not used in this configuration. Unfortunately I'm not familiar enough with the application framework to confirm where the authentication stuff is coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears that it may be impossible to change those variables with SetEnv in the apache config or perhaps even in another apache module.
opoplawski
Aug 20, 2012, 1:09:21 PM8/20/12
to puppet...@googlegroups.com
What I ended up doing is setting up a second passenger config that only accepts connections from the proxy. This config does *not* set "SSLOption +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy headers. It also is configured to only accept authenticated connections from the proxy.
On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current work around is to allow access to all catalog and node items to the proxy server in auth.conf. I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've unable to modify anything in the apache configuration to change this.
TIA,
Orion
kp-v
Aug 20, 2012, 2:17:08 PM8/20/12
to puppet...@googlegroups.com
I think the best starting point is to read this article: http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/
It explains the entire process. You could use squid to intercept incoming requests, decrypt, then reencrypt with backend headers.
Reply all
Reply to author
Forward
0 new messages