On May 10, 9:14 am, Peter Meier <peter.me...@immerda.ch> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> >> I think about what's the best solution to have puppet-proxys for
> >> systems without direct connection to the puppetmaster.
>
> >> - Route all the traffic with iptable forwarding to one puppetmaster.
> >> - Build puppetmaster-proxy vm's installed from a puppetmaster.
> >> - Using http-proxy services.
>
> >> Is there any experience or best practices for systems with indirect
> >> access to a puppetmaster?
>
> > You can setup a nginx (or apache) as a front-end and then forward
> > requests to upstream server(s).
>
> right, but then the traffic would have to be unencrypted to the upstream
> servers or how would you implement the man in the middle that would be
> needed for such a proxy-setup?
>
> iptables:
> - ---------
> might be the simplest setup

I think for now the fastest solution.

> puppetmaster-proxy vms:
> - -----------------------
>
> do you mean something like various puppetmasters synced from your
> "true"-master? that would also be feasible. You would then have many
> puppetmasters synced from one place.

Yes, simply a puppetmaster proxy module served from the true master.

> http-proxy services:
> - --------------------
>
> I see some difficulties as reverse-http-proxies usually terminate
> ssl-traffic and play man in the middle. What would be easy is if you
> could setup a proxy that it doesn't terminate the ssl connection. But
> then at the end it would be easier and you would have less overhead to
> setup an iptable rule to forward traffic on port 8140.

And handling the puppet client certificate is more complex.

Thomas
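The port-8140 forwarding option discussed in this thread, as an added example that is not part of the original messages: a relay host rewrites addresses only, so the SSL session is never terminated on it. The function name `puppet_forward_rules` is hypothetical and `192.0.2.10` is a constructed documentation address standing in for the real puppetmaster.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables rules a relay
# host needs to pass Puppet agent traffic (TCP 8140) through to the master
# without terminating SSL. Review the output, then pipe it to `sh` as root.
# puppet_forward_rules is a hypothetical helper name.

puppet_forward_rules() {
    master_ip=$1
    port=${2:-8140}

    # Refuse anything that is not a plain dotted address or numeric port,
    # so the generated commands cannot carry shell metacharacters.
    case $master_ip in
        ''|*[!0-9.]*) echo "invalid master IP: $master_ip" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac

    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $master_ip:$port
iptables -A FORWARD -p tcp -d $master_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $master_ip --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $master_ip --dport $port -j MASQUERADE
EOF
}

# Dry run with the constructed address; nothing is applied to the host.
puppet_forward_rules "${1:-192.0.2.10}" "${2:-8140}"
```

Because the relay only rewrites addresses, the SSL session runs end to end between agent and master and the agent's client certificate reaches the master unchanged. The hostname agents use to reach the relay must be a name the master's certificate is valid for, and with `MASQUERADE` the master logs the relay's address as the connection source.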