Snippet: Apache vHost to proxy to central CA and local puppet server


Thomas Müller
Jun 9, 2015, 2:34:52 AM
to puppet...@googlegroups.com
Hi,

If you have a centralized CA you can proxy the certificate traffic to the central puppet CA service (1).

And forward all the other traffic to the local puppet server (2, 3).

The snippet requires the puppetlabs-apache module > 1.4.1, as it won't include the proxy template with $proxy_pass_match only (it's already fixed on GitHub).

- Thomas


Docs:
3) https://docs.puppetlabs.com/puppetserver/2.1/external_ca_configuration.html (relevant: Disabling the Internal Puppet CA Service)

 



  include '::apache'

  apache::vhost { $::fqdn:
    servername        => "${::fqdn}:8140",
    serveraliases     => [ 'puppet', "puppet.${::domain}" ],
    port              => 8140,
    docroot           => '/var/www/html',
    ssl               => true,
    ssl_ca            => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
    ssl_cert          => "/etc/puppetlabs/puppet/ssl/certs/${::fqdn}.pem",
    ssl_key           => "/etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem",
    ssl_crl           => '/etc/puppetlabs/puppet/ssl/crl.pem',
    # 'optional': agents that do not have a signed cert yet must still be able
    # to reach the CA to submit their CSR
    ssl_verify_client => 'optional',
    ssl_verify_depth  => 1,
    ssl_proxyengine   => true,
    ssl_options       => ['+StdEnvVars', '+ExportCertData'],
    proxy_pass_match  => [
      # (1) certificate traffic goes to the central CA
      { 'path' => '^/([^/]+/certificate.*)$',
        'url'  => 'https://puppetca:8140/$1' },
      # (2) everything else goes to the local puppet server
      { 'path' => '/(.*)',
        'url'  => 'http://localhost:18140/$1' },
    ],
    # 'set' replaces any header of that name the client sent itself, so the
    # backend only ever sees the result of mod_ssl's client verification
    request_headers   => [
      'set X-Client-Verify %{SSL_CLIENT_VERIFY}e',
      'set X-Client-DN %{SSL_CLIENT_S_DN}e',
      #'set X-Client-Cert %{SSL_CLIENT_CERT}e', # disabled because of bug SERVER-217
      'edit X-Client-DN ^/(CN=.+)$ $1', # workaround for bug SERVER-213
    ]
  }


Thomas Müller
Jun 16, 2015, 3:21:34 AM
to puppet...@googlegroups.com
Seems the URL schema of the certificate service is not the same as with Puppet 3.

^/([^/]+/certificate.*)$ needs to be ^/(puppet-ca/.*)$



- Thomas
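Added example, not part of Thomas's posts: a small Python model of the two decisions the vhost above makes for every request, so the routing rules from the first post and the regex correction from the second can be checked offline. It replays the ProxyPassMatch ordering (first matching regex wins, as in Apache) for both the original Puppet 3 style certificate regex and the corrected /puppet-ca/ one, and it applies the RequestHeader 'set' and 'edit' directives to show that a client-supplied X-Client-Verify or X-Client-DN is overwritten by mod_ssl's own result. Assumptions: the backend hostnames are the ones from the snippet (puppetca:8140 and localhost:18140); Puppet 3 agents request /<environment>/certificate... and Puppet Server 2 agents /puppet-ca/v1/certificate...; the sample request paths and headers are constructed, not captured traffic; an unset mod_ssl variable is modelled as the "(null)" string mod_headers substitutes for it. The header protection only holds while puppetserver on 18140 is reachable from this proxy alone: anyone who can talk to 18140 directly can set X-Client-Verify themselves.

```python
import re

# ProxyPassMatch rules in vhost order; Apache takes the first regex that matches.
# Puppet 3 URL schema, exactly as in the original snippet.
PUPPET3_RULES = [
    (re.compile(r'^/([^/]+/certificate.*)$'), 'https://puppetca:8140/{0}'),
    (re.compile(r'/(.*)'), 'http://localhost:18140/{0}'),
]
# Puppet Server 2 schema from the follow-up: the CA lives under /puppet-ca/.
PUPPET4_RULES = [
    (re.compile(r'^/(puppet-ca/.*)$'), 'https://puppetca:8140/{0}'),
    (re.compile(r'/(.*)'), 'http://localhost:18140/{0}'),
]

CA_BACKEND = 'https://puppetca:8140'


def route(path, rules):
    """Return the backend URL the vhost would proxy `path` to."""
    for pattern, target in rules:
        m = pattern.match(path)  # ProxyPassMatch matches against the request path
        if m:
            return target.format(m.group(1))
    raise LookupError('no ProxyPassMatch rule for %s' % path)


def misrouted_ca_requests(ca_paths, rules):
    """CA request paths that `rules` would send to the local puppet server
    instead of the central CA. A non-empty result means the certificate
    regex does not fit the URL schema the agents actually use."""
    return [p for p in ca_paths if not route(p, rules).startswith(CA_BACKEND)]


def backend_headers(client_headers, ssl_env):
    """Apply the vhost's RequestHeader directives.

    `client_headers`: headers as sent by the connecting agent (or an attacker).
    `ssl_env`: what mod_ssl exported for the connection (+StdEnvVars), e.g.
    SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN. Unset variables are modelled as
    "(null)" (assumption: that is what mod_headers substitutes for them).
    """
    headers = dict(client_headers)
    # 'RequestHeader set' replaces whatever the client sent under that name,
    # so a forged X-Client-Verify never reaches puppetserver.
    headers['X-Client-Verify'] = ssl_env.get('SSL_CLIENT_VERIFY', '(null)')
    headers['X-Client-DN'] = ssl_env.get('SSL_CLIENT_S_DN', '(null)')
    # 'edit X-Client-DN ^/(CN=.+)$ $1': strip the leading slash mod_ssl
    # puts in front of the subject DN (SERVER-213 workaround).
    headers['X-Client-DN'] = re.sub(r'^/(CN=.+)$', r'\1', headers['X-Client-DN'])
    return headers


if __name__ == '__main__':
    # Constructed sample requests from a Puppet Server 2 agent's CA traffic.
    p4 = ['/puppet-ca/v1/certificate/agent1.example.com',
          '/puppet-ca/v1/certificate_request/agent1.example.com']
    print('CA paths misrouted by the original regex: ',
          misrouted_ca_requests(p4, PUPPET3_RULES))
    print('CA paths misrouted by the corrected regex:',
          misrouted_ca_requests(p4, PUPPET4_RULES))
    # A client with no certificate that tries to smuggle in verification headers.
    forged = {'X-Client-Verify': 'SUCCESS', 'X-Client-DN': 'CN=admin'}
    print(backend_headers(forged, {'SSL_CLIENT_VERIFY': 'NONE'}))
```

Running it shows that with the original regex both Puppet Server 2 CA paths end up on localhost:18140 (where the internal CA is disabled), while the corrected regex routes them to puppetca; and that the forged headers come out as X-Client-Verify: NONE and X-Client-DN: (null).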