Restricting access to environments by IP or cert in puppetserver


Michael Smith

Mar 14, 2015, 11:24:22 PM
to puppet...@googlegroups.com
Hi,

I'm setting up a puppetserver that will be shared by multiple projects and would like to enforce some control over access to environment resources - particularly puppet:///modules/... file server URLs.

The environment name appears at the start of the URL, so with an Apache/Passenger setup I could put IP address-based access controls on an environment using a <Location> block so nodes in project A's subnet can't download files from project B's environment.

I'm looking for ideas to do the same in a puppetserver world. Really what I want to do is block access to puppet:///modules/... from nodes with no node definition in the current environment, and the IP address access control is just an easy way of doing this in Apache/Passenger.

I realize I could still put Apache in front of puppetserver and configure access controls there - modulo a couple of bugs like SERVER-213 and SERVER-217 - but maybe there's a better way using puppetserver.

Thanks,
Mike

Luca Gervasi

Mar 15, 2015, 6:20:08 AM
to puppet...@googlegroups.com
Hi Michael,

I would strongly suggest putting an httpd/mod_phusion in front of your puppet (this leads to the <Location> syntax as you suggested).
If, for whatever reason, your choice is to use webrick in production, you could work on your "fileserver.conf". This file is heavily commented.

Good luck.

Michael Smith

Mar 17, 2015, 8:22:52 PM
to puppet...@googlegroups.com
Hi Luca,

Yes, in a pre-puppetserver world I am using Apache and mod_passenger. But for scalability I'd really like to switch to puppetserver, which is meant to do all its own SSL using Trapperkeeper. Putting Apache in front of it will fail because of https://tickets.puppetlabs.com/browse/SERVER-213 and https://tickets.puppetlabs.com/browse/SERVER-217.

It actually looks like I might be able to do what I need in auth.conf, since it has a way to specify blocks specific to an environment. I'll give it a shot and see if it still works in puppetserver. A quick search turned up an issue (https://tickets.puppetlabs.com/browse/SERVER-111).

Thanks,
Mike
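A sketch of the environment-scoped auth.conf rules Michael describes, added here as an illustration and not taken from the thread or from Puppet's own files. The environment names, subnet and certname pattern are made up, and it assumes puppetserver honours the `environment` field of the legacy (Puppet 3.x) auth.conf format, which is exactly what Michael set out to verify.

```text
# Constructed example. Legacy auth.conf is evaluated top to bottom and the
# first matching rule wins, so these rules must appear BEFORE the stock
# "path /file / allow *" rule (or that rule must be removed). The "/file"
# prefix matches file_metadata, file_content and file_bucket_file requests,
# i.e. everything behind puppet:///modules/... URLs.

# Environment project_a: only nodes in project A's subnet may fetch files.
# (allow_ip exists from Puppet 3.7; older releases put IPs in "allow".)
path /file
environment project_a
auth yes
allow_ip 10.1.0.0/16

# Environment project_b: restrict by certificate name instead of IP, so a
# node that is not issued a project-b certname cannot read this environment.
path /file
environment project_b
auth yes
allow *.project-b.example.com

# Every other environment's file server is closed to everyone, which is
# the deny-by-default the thread is after. Note this also blocks filebucket
# for those environments; add a narrower rule first if that is unwanted.
path /file
auth any
deny *
```

Because the first matching rule wins, a node in project A's subnet that asks for a file from project_b falls through to the third rule and is denied, which is the cross-project leak the Apache <Location> blocks were preventing.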