--
Dan Urist
dur...@ucar.edu
303-497-2459
I've had it working that way before but went back to Apache after tinkering.
If you can paste your configuration that might be helpful.
Has anyone gotten puppetmaster running under nginx with passenger? I've
tried various permutations of setting headers in the nginx config file,
but am still getting "Forbidden request" errors from the client.
I have this in my puppet.conf:
# NOTE(review): SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY are the variable names
# exported by Apache's mod_ssl. The master takes the client DN and the
# certificate verification result from the names given here, so they must match
# what the front-end web server actually hands to the Rack application. The
# nginx config that follows sets differently named headers.
[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
I've tried various settings in my nginx config, but currently have this:
# Puppet master served directly by Passenger on port 8140 (config as posted;
# it produces "Error 403 on SERVER: Forbidden request").
server {
listen 8140;
passenger_enabled on;
ssl on;
ssl_certificate /var/lib/puppet/ssl/certs/myserver.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/myserver.pem;
# NOTE(review): this block has no ssl_client_certificate and no
# ssl_verify_client, so nginx never asks agents for a certificate. With no
# client certificate, $ssl_client_s_dn is empty and $ssl_client_verify is
# "NONE", and the master has nothing to authenticate the agent with.
# NOTE(review): SSLv3 is obsolete; on a current nginx list only modern TLS
# versions here.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;
server_name tpuppet.ucar.edu;
root /etc/puppet/rack/public;
# NOTE(review): proxy_set_header only affects requests passed on with
# proxy_pass. There is no proxy_pass in this block (Passenger serves the
# application), which fits the reply in this thread that these directives have
# no effect with Passenger.
# NOTE(review): "X-Client_DN" uses an underscore where "X-Client-Verify" uses a
# hyphen, and neither name corresponds to the ssl_client_header /
# ssl_client_verify_header values in the puppet.conf shown above.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for; proxy_set_header
X-Client_DN $ssl_client_s_dn; proxy_set_header
X-Client-Verify $ssl_client_verify;
}
The error I'm getting is "Error 403 on SERVER: Forbidden request".
FWIW, I have an apache config that works on the same server; I'd rather
use nginx if possible, though.
--
Dan Urist
dur...@ucar.edu
303-497-2459
On Thu, 23 Sep 2010 07:40:21 -0700 (PDT)
Jakub Heichman <kuba.h...@gmail.com> wrote:
> On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
> > I have this in my puppet.conf:
> >
> > [puppetmasterd]
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > [..]
> > proxy_set_header Host $host;
> > proxy_set_header X-Real-IP $remote_addr;
> > proxy_set_header X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem. It looks like the 'proxy_set_header' option has
> no effect with the Passenger module: it only applies to requests that
> nginx passes on with proxy_pass.
> I had to install Passenger 3 (beta) and use the 'passenger_set_cgi_param'
> option instead.
>
> This seems to work for me:
>
> nginx.conf:
> passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
> passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
> [puppetmasterd]
> ssl_client_header = HTTP_X_CLIENT_DN
> ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> Kind regards,
> Jakub
Hi Dan,
Unicorn FTW. Here's how I've configured it thus far:
https://devstructure.com/blueprints/rcrowley/puppet-master
Rich
This stanza in the front end 8140 server works for me when setting
the client headers in the HTTP request.
This is with nginx 0.7.67 and passenger 2.2.11:
# TLS-terminating front end on port 8140: verifies agent certificates against
# the Puppet CA and forwards the result to the backend in request headers.
server {
listen 8140 default ssl;
ssl_certificate /var/lib/puppet/ssl/certs/chain.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
# CA certificate that client (agent) certificates are verified against.
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
# NOTE(review): SSLv3 is obsolete; on a current nginx list only modern TLS
# versions here.
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;
# Certificates listed in the CRL fail verification. nginx reads this file at
# startup/reload, so reload after the CA revokes a certificate.
ssl_crl /var/lib/puppet/ssl/crl.pem;
# "optional" requests a client certificate but does not require one, so
# requests without a verified certificate are still proxied. The backend must
# therefore enforce access using X-Client-Verify. Presumably this is so agents
# that do not yet hold a signed certificate can submit a request; confirm.
ssl_verify_client optional;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:8m;
ssl_session_timeout 5m;
server_name puppet;
location / {
# "puppet-production" is an upstream defined outside this snippet.
# NOTE(review): the link to it is plain HTTP and the backend trusts the
# identity headers set below, so the upstream should accept connections only
# from this front end (e.g. bound to loopback or firewalled).
proxy_pass http://puppet-production;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Identity headers are filled from nginx's own TLS verification result, so the
# backend sees these values and not anything the client sent under the same
# header names.
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
# X-SSL-Subject carries the same variable as X-Client-DN.
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_read_timeout 65;
}
}
--
Jeff McCune
http://www.puppetlabs.com/