Hi All,

I have two puppet servers using Apache with mod_proxy as the frontend. Similar to what's described in Pro Puppet. Unfortunately, Apache mod_proxy is passing the puppetca requests using the loopback IP instead of the original source IP.
This is a bit of a security concern when configuring auth.conf! An example stanza in auth.conf:

    # allow certificate management on provisioning server without cert
    path ~ /cert*
    auth no
    allow localhost

With that near the bottom of auth.conf ALL hosts can now perform any API calls matching that path. This is due to puppet using the 127.0.0.1 passed by Apache.

I need one of the following:

1. A way to do IP passthrough in apache such that the correct originating IP is used.
2. Puppet to make use of the X-Forwarded-For header if it exists and to fall back in instances where it doesn't.

Likely the latter is the best method. Please feel free to correct me if I am missing something. I have verified that with the above auth.conf stanza ALL hosts can perform all /cert* related API calls. Additionally here is a log line:

    127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"

That's a request from another server. Here are the Apache configs: http://pastebin.com/rDKPSjjy

Thanks everyone!

Ryan Bowlby
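An added example, not part of the original post and not Puppet's own code: one way the X-Forwarded-For fallback in option 2 could be resolved before an "allow localhost" rule is evaluated. The function names are hypothetical, the trusted proxy set is assumed to be loopback only (Apache on the same host), and the sample addresses are constructed.

```ruby
require 'ipaddr'

# Hypothetical helper names; not Puppet's API. The only trusted proxy is
# the local Apache frontend, so the trusted set is the loopback ranges.
LOOPBACK = [IPAddr.new('127.0.0.0/8'), IPAddr.new('::1/128')].freeze
TRUSTED_PROXIES = LOOPBACK

def in_nets?(ip, nets)
  nets.any? { |net| net.include?(ip) }
end

# Parse one address; nil for empty input, CIDR ranges or anything invalid.
def parse_ip(text)
  s = text.to_s.strip
  return nil if s.empty? || s.include?('/')
  IPAddr.new(s)
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  nil
end

# Address to authorize against, or nil if the header is malformed.
def effective_client_ip(peer_addr, xff_header)
  peer = parse_ip(peer_addr)
  return nil if peer.nil?
  # A peer that is not our proxy can put anything in the header: ignore it.
  return peer.to_s unless in_nets?(peer, TRUSTED_PROXIES)
  return peer.to_s if xff_header.to_s.strip.empty?
  # mod_proxy appends the address it saw, so walk right to left and stop
  # at the first hop that is not one of our own proxies.
  xff_header.split(',', -1).reverse_each do |hop|
    ip = parse_ip(hop)
    return nil if ip.nil? # malformed entry: fail closed
    return ip.to_s unless in_nets?(ip, TRUSTED_PROXIES)
  end
  peer.to_s # every hop was the proxy itself: a genuinely local request
end

# Stand-in for the "allow localhost" rule on the /cert* path.
def cert_api_allowed?(peer_addr, xff_header)
  ip = parse_ip(effective_client_ip(peer_addr, xff_header))
  !ip.nil? && in_nets?(ip, LOOPBACK)
end
```

The header is honoured only when the TCP peer is the proxy, so a client that reaches the backend directly, or that pre-sets "X-Forwarded-For: 127.0.0.1" through Apache, is still judged by its real address.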