Hi Karl,
here are the Apache configurations that work, as far as I know (any comment is welcome):
- puppetserver: direct and indirect access
- proxy server
You can have direct and proxied clients:
clients
|
tcp/8140
|
Puppet Server
|
tcp/8141
-----------firewall
|
RP
|
tcp/8140
|
"remote" clients
Please note (disclaimer): this setup, intended for internal networks, has in my opinion no evident security issues; however, you have to understand what issues could arise if you do not manage a "trust chain", that is, ensure the security of certificates, SSL, network communication and Puppet Server access.
More:
- To operate this setup you must already have certificates generated by the Puppet CA.
- Certificates must contain all relevant DNS names used by the servers, and the correct CN.
- Pay attention to the header variables and to the tcp/8141 access restriction, so as not to be vulnerable to "man-in-the-middle attacks".
- You should keep the CRL updated on the proxy.
- (This setup does not perform SSL client validation of the RP when it connects to the Puppet Server; SSLVerifyClient on the 8141 VirtualHost is recommended.)
Verify you have in your server's puppet.conf:
ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
(Change server names and ACLs as required)
#------------Puppet server-----------
# Puppet Server, proxied access (tcp/8141): reached only from the reverse proxy (RP).
# The client is NOT authenticated by TLS on this port; its DN and verify status come
# from headers the RP sets after verifying the client certificate, so the IP ACL in
# <Location /> below is what makes those headers trustworthy.
Listen 8141
<VirtualHost *:8141>
ServerName my_puppet_servername
ServerAlias my_puppet_servername
SSLEngine on
# NOTE(review): SSLv3 is still enabled here; restrict to TLS if the RP supports it.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# No SSLVerifyClient on this port: the RP is identified by source IP only (see the
# note above recommending SSLVerifyClient here, paired with
# SSLProxyMachineCertificateFile on the RP side).
# Passenger options that can be set in a virtual host configuration block.
PassengerHighPerformance on
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect Off
RailsAutoDetect Off
RackBaseURI /
# X-Client variables required to verify client authentication
# Values are coming from (trusted) Reverse Proxy that verifies client certificate
# For correct CA emission, and CRL status
# These populate the env vars named by ssl_client_header / ssl_client_verify_header
# in puppet.conf. The "(.*)" pattern accepts any value, including an empty one, so
# whoever can reach this port can set the client identity: keep the Allow list
# below limited to the RP.
# NOTE(review): the RP VH below sets X-Client-DN / X-Client-Verify, not
# X-RP-Client-DN / X-RP-Client-Verify; the header names must agree on both sides — confirm.
SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
# Replaces REMOTE_ADDR with the address the RP reports in X-Forwarded-For
# (presumably so Puppet sees the original client address); trustworthy only
# because of the ACL below.
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
DocumentRoot /etc/puppet/rack/public
<Location />
Options None
# deny,allow: the Allow line wins for the listed address, everything else is denied.
Order deny,allow
# List IP address of your proxy
Allow from my_proxy_IP_address
Deny from all
</Location>
</VirtualHost>
# Puppet Server, direct access (tcp/8140): clients present their Puppet certificate here.
Listen 8140
<VirtualHost *:8140>
SSLEngine on
# NOTE(review): SSLv3 is still enabled here; restrict to TLS if all clients support it.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
# Client certificates are checked against the Puppet CA and its CRL (keep the CRL current).
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# "optional": a client may connect without a certificate. SSL_CLIENT_VERIFY then
# carries a non-SUCCESS value and is forwarded below, so (presumably) the decision
# about what such a client may do is left to Puppet.
SSLVerifyClient optional
SSLVerifyDepth 1
# Makes SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY available to the RequestHeader lines below.
SSLOptions +StdEnvVars
# Passenger options that can be set in a virtual host configuration block.
PassengerHighPerformance on
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect Off
RailsAutoDetect Off
RackBaseURI /
# Forward the TLS-verified identity to Puppet. These header names become
# HTTP_X_PUPPET_CLIENT_DN / HTTP_X_PUPPET_CLIENT_VERIFY, matching ssl_client_header /
# ssl_client_verify_header in puppet.conf. "set" replaces any same-named header the
# client sent, so a client cannot supply its own DN on this port.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
# Open to any address: direct clients are controlled by certificate, not by IP.
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
#---------------END Puppet Server-----------------
#----------------RP---------------------
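# Reverse proxy (RP): terminates TLS for "remote" clients, verifies their Puppet
# certificate, and forwards the verified identity to the Puppet Server on tcp/8141.
Listen 8140
<VirtualHost *:8140>
ServerName my_RP_servername:8140
SSLEngine on
# The original config had a first "SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA" here;
# it was overridden by the SSLCipherSuite below (the last directive wins), so it is
# dropped to avoid confusion.
# NOTE(review): SSLv3 is still enabled here; restrict to TLS if all clients support it.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_RP_servername.pem
# NOTE(review): this chain path differs from the CA path used everywhere else
# (certs/ca.pem vs ca/ca_crt.pem) — confirm both exist on the RP host.
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# The CRL must be kept current on the RP: this is where remote clients are verified.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# Makes SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY available to the RequestHeader lines below.
SSLOptions +StdEnvVars
ErrorLog logs/error_puppet_rp_log
TransferLog logs/access_puppet_rp_log
LogLevel warn
CustomLog logs/ssl_request_puppet_rp_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Strip any client-supplied copies of the identity headers the Puppet Server trusts
# (the names read via SetEnvIf on the 8141 VH, and the ones Passenger maps to
# HTTP_X_PUPPET_CLIENT_*), so that only values from this RP's own TLS verification
# reach the backend.
RequestHeader unset X-RP-Client-DN
RequestHeader unset X-RP-Client-Verify
RequestHeader unset X-PUPPET-Client-DN
RequestHeader unset X-PUPPET-Client-Verify
# Forward the verified identity. "set" replaces any same-named header from the client.
# NOTE(review): the 8141 VH reads X-RP-Client-DN / X-RP-Client-Verify, while these
# lines set X-Client-DN / X-Client-Verify; the names must agree on both sides — confirm.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
RewriteEngine On
# Refuse TRACE/TRACK methods: TraceEnable Off plus an explicit rewrite rule.
TraceEnable Off
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# Backend TLS: the Puppet Server's certificate is verified against the Puppet CA and
# its CN must match the host name in the ProxyPass URL.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLProxyCheckPeerCN on
# Uncomment (and enable SSLVerifyClient on the 8141 VH) to authenticate this RP to the
# Puppet Server by certificate instead of by source IP only.
# SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername_pub_and_key.pem
# One directive per line: the original was line-wrapped into three broken lines
# ("ProxyPass /" alone is not a valid directive).
# NOTE(review): the 8141 VH above serves the certificate of my_puppet_servername; with
# SSLProxyCheckPeerCN on, the host name here must match that CN — confirm the two
# placeholders refer to the same host.
ProxyPass / https://my_puppetserver_servername:8141/
ProxyPassReverse / https://my_puppetserver_servername:8141/
ProxyPreserveHost On
<Location />
# deny,allow: only the listed client network is allowed, everything else is denied.
Order deny,allow
allow from my_client_IP_network
deny from all
</Location>
</VirtualHost>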
#------------END RP--------------------
Regards
Paolo