External SSL/TLS termination on a dedicated port?

garg

Jul 2, 2021, 11:19:42 AM
to Puppet Users
I'm working on configuring external TLS/SSL termination using an nginx reverse proxy, following the instructions here: https://puppet.com/docs/puppet/6/server/external_ssl_termination.html

I'm running open source puppetserver 6.

Has anyone set up two separate webservers on the same puppetserver (example: http: 8141; https: 8140) and successfully configured separate auth.conf for each port?

My use case is that my existing agents are talking to the default puppetserver at 8140. But I want some of my systems existing outside the local network to connect to the nginx reverse proxy on 443, which gets forwarded to puppetserver:8141.

Currently the nginx reverse proxy is authenticating the agents, and then forwarding the traffic and headers to http 8141 that I configured on puppetserver/conf.d/webserver.conf. The trapperkeeper servers start fine on 8140 (default) and 8141. But 8141 doesn't appear to have the routes or an auth.conf. When configuring the routes in web-routes.conf, I can't seem to set identical routes but for different servers. It gives either a default: key missing or not route-id error.

My envisioned configuration is: connect to 443 -> get forwarded to 8141 w/ authenticated headers, and external systems get the puppet instructions. Internally, agents still connect to 8140 over https and all works without any changes. Is this supported or doable using the same puppetserver in this way?