nginx + passenger + puppetmaster


Dan Urist

Jun 28, 2010, 6:03:34 PM6/28/10
to puppet...@googlegroups.com
Has anyone gotten puppetmaster running under nginx with passenger? I've
tried various permutations of setting headers in the nginx config file,
but am still getting "Forbidden request" errors from the client.

--
Dan Urist
dur...@ucar.edu
303-497-2459

Alex Howells

Jun 29, 2010, 12:10:28 PM6/29/10
to puppet...@googlegroups.com
On 28 June 2010 23:03, Dan Urist <dur...@ucar.edu> wrote:
> Has anyone gotten puppetmaster running under nginx with passenger? I've
> tried various permutations of setting headers in the nginx config file,
> but am still getting "Forbidden request" errors from the client.

I've had it working that way before but went back to Apache after tinkering.

If you can paste your configuration that might be helpful.

Dan Carley

Jun 29, 2010, 1:15:09 PM6/29/10
to puppet...@googlegroups.com
On 28 June 2010 23:03, Dan Urist <dur...@ucar.edu> wrote:
> Has anyone gotten puppetmaster running under nginx with passenger? I've
> tried various permutations of setting headers in the nginx config file,
> but am still getting "Forbidden request" errors from the client.

Dan Urist

Jun 29, 2010, 2:44:53 PM6/29/10
to puppet...@googlegroups.com
I have this in my puppet.conf:

[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

I've tried various settings in my nginx config, but currently have this:

server {
    listen 8140;
    passenger_enabled on;

    ssl on;
    ssl_certificate /var/lib/puppet/ssl/certs/myserver.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/myserver.pem;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;

    server_name tpuppet.ucar.edu;
    root /etc/puppet/rack/public;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client_DN $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;
}

The error I'm getting is "Error 403 on SERVER: Forbidden request".

FWIW, I have an apache config that works on the same server; I'd rather
use nginx if possible, though.

--
Dan Urist
dur...@ucar.edu
303-497-2459

Dan Urist

Sep 23, 2010, 10:52:43 AM9/23/10
to Jakub Heichman, puppet...@googlegroups.com
I've switched to using nginx+unicorn, and haven't had any issues. The
only hassle for me is that I'm running it under Ubuntu, and unicorn
isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
and don't have the advantage of automated updates.

On Thu, 23 Sep 2010 07:40:21 -0700 (PDT)
Jakub Heichman <kuba.h...@gmail.com> wrote:

> On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
> > I have this in my puppet.conf:
> >
> > [puppetmasterd]
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > [..]
> >         proxy_set_header    Host                $host;
> >         proxy_set_header    X-Real-IP           $remote_addr;
> >         proxy_set_header    X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like 'proxy_set_header' option will
> not have any effect with Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.
>
> This seems to work for me:
>
> nginx.conf:
> passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
> passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
> [puppetmasterd]
> ssl_client_header = HTTP_X_CLIENT_DN
> ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> Kind regards,
> Jakub

Jakub Heichman

Sep 23, 2010, 10:40:21 AM9/23/10
to Dan Urist, puppet...@googlegroups.com
On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
> I have this in my puppet.conf:
>
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> [..]
>         proxy_set_header    Host                $host;
>         proxy_set_header    X-Real-IP           $remote_addr;
>         proxy_set_header    X-Forwarded-For

Hi Dan,

Richard Crowley

Sep 23, 2010, 11:03:20 AM9/23/10
to puppet...@googlegroups.com
On Thu, Sep 23, 2010 at 7:52 AM, Dan Urist <dur...@ucar.edu> wrote:
> I've switched to using nginx+unicorn, and haven't had any issues. The
> only hassle for me is that I'm running it under Ubuntu, and unicorn
> isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
> and don't have the advantage of automated updates.

Unicorn FTW. Here's how I've configured it thus far:

https://devstructure.com/blueprints/rcrowley/puppet-master

Rich

Jeff McCune

Sep 23, 2010, 12:24:17 PM9/23/10
to puppet...@googlegroups.com
On Thu, Sep 23, 2010 at 7:40 AM, Jakub Heichman <kuba.h...@gmail.com> wrote:
> On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
>> I have this in my puppet.conf:
>>
>> [puppetmasterd]
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>> [..]
>>         proxy_set_header    Host                $host;
>>         proxy_set_header    X-Real-IP           $remote_addr;
>>         proxy_set_header    X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like 'proxy_set_header' option will
> not have any effect with Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.

This stanza in the front end 8140 server works for me when setting
the client headers in the HTTP request.

This is with nginx 0.7.67 and passenger 2.2.11:

server {
    listen 8140 default ssl;
    ssl_certificate /var/lib/puppet/ssl/certs/chain.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;

    ssl_crl /var/lib/puppet/ssl/crl.pem;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:8m;
    ssl_session_timeout 5m;
    server_name puppet;

    location / {
        proxy_pass http://puppet-production;
        proxy_redirect off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 65;
    }
}

--
Jeff McCune
http://www.puppetlabs.com/
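The three configurations in this thread (Dan's original Passenger setup, Jakub's passenger_set_cgi_param fix, and Jeff's proxy_pass front end) differ only in which Rack env key ends up holding the client certificate DN and the verify result, and whether puppet.conf names that same key. The following Ruby is an added example, not code from the thread or from Puppet, Passenger or nginx: it models the CGI naming rule a Rack app sees (HTTP_ prefix, upper case, '-' to '_'), a simplified version of the puppetmaster header check (an assumption, not Puppet's own code), and replays the three setups with a constructed sample DN to show why Dan's puppet.conf, which names Apache mod_ssl's SSL_CLIENT_S_DN, can only produce the thread's 403.

```ruby
# Added example, not code from the thread or from Puppet/Passenger/nginx:
# a toy Rack-style model of how the puppet.conf settings quoted in this
# thread resolve the client-certificate data nginx forwards. All sample
# values are constructed.

# A header forwarded with proxy_set_header reaches a Rack app under the
# CGI convention: upper-cased, '-' replaced by '_', prefixed with HTTP_.
def cgi_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Build the Rack env the app sees. `headers` models proxy_set_header lines;
# `cgi_params` models passenger_set_cgi_param, which sets env keys verbatim.
def build_env(headers, cgi_params = {})
  env = {}
  headers.each { |name, value| env[cgi_key(name)] = value }
  env.merge(cgi_params)
end

# Simplified model (assumption, not Puppet's own code) of the puppetmaster
# check: the verify key must say SUCCESS and the DN key must carry a CN,
# otherwise the agent gets the thread's "Forbidden request" 403.
def authenticate(env, settings)
  verify = env[settings[:ssl_client_verify_header]]
  dn     = env[settings[:ssl_client_header]]
  return [403, "Forbidden request"] unless verify == "SUCCESS" && dn
  cn = dn[%r{CN=([^,/]+)}, 1]   # handles "/C=US/CN=x" and "CN=x,O=y" forms
  cn ? [200, cn] : [403, "Forbidden request"]
end

DN = "/C=US/O=Example/CN=agent01.example.com"   # constructed sample DN

# Dan's first config: nginx sets X-Client_DN / X-Client-Verify, but
# puppet.conf looks up SSL_CLIENT_S_DN, a key no nginx-fronted Rack env
# contains. His server block also has no ssl_verify_client, so
# $ssl_client_verify is "NONE", never "SUCCESS".
def dan_original
  env = build_env("X-Client_DN" => DN, "X-Client-Verify" => "NONE")
  authenticate(env, ssl_client_header: "SSL_CLIENT_S_DN",
                    ssl_client_verify_header: "SSL_CLIENT_VERIFY")
end

# Jakub's fix: passenger_set_cgi_param writes HTTP_X_CLIENT_DN directly and
# puppet.conf names exactly that key (client verification assumed enabled).
def jakub_fix
  env = build_env({}, "HTTP_X_CLIENT_DN" => DN,
                      "HTTP_X_CLIENT_VERIFY" => "SUCCESS")
  authenticate(env, ssl_client_header: "HTTP_X_CLIENT_DN",
                    ssl_client_verify_header: "HTTP_X_CLIENT_VERIFY")
end

# Jeff's proxy_pass front end: proxy_set_header X-Client-DN lands as
# HTTP_X_CLIENT_DN as well, and ssl_client_certificate plus
# ssl_verify_client let $ssl_client_verify become SUCCESS.
def jeff_proxy
  env = build_env("X-Client-DN" => DN, "X-Client-Verify" => "SUCCESS",
                  "X-SSL-Subject" => DN, "X-SSL-Issuer" => "/C=US/CN=Puppet CA")
  authenticate(env, ssl_client_header: "HTTP_X_CLIENT_DN",
                    ssl_client_verify_header: "HTTP_X_CLIENT_VERIFY")
end

if __FILE__ == $0
  p dan_original   # => [403, "Forbidden request"]
  p jakub_fix      # => [200, "agent01.example.com"]
  p jeff_proxy     # => [200, "agent01.example.com"]
end
```

The model also makes the trust boundary explicit: the application accepts whatever sits in those two env keys, so they must be written by the TLS-terminating proxy on every request (nginx's proxy_set_header replaces any same-named header the client sent, as long as the directive is present in every location that reaches the app) and the backend must not be reachable except through that proxy.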
