On 27/01/12 02:14, Ryan Bowlby wrote:
> Hi All,
>
> I have two puppet servers using Apache with mod_proxy as the
> frontend. Similar to what's described in Pro Puppet.
> Unfortunately, Apache mod_proxy is passing the puppetca requests using
> the loopback IP instead of the original source IP.

You're not mentioning what stack your masters are running. But if they're
running on Apache and Passenger, may I suggest using mod_rpaf?

> This is a bit of a security concern when configuring auth.conf! An
> example stanza in auth.conf:
>
> # allow certificate management on provisioning server without cert
> path ~ /cert*
> auth no
> allow localhost

If you instead make this a certname, then it's secure again.

> With that near the bottom of auth.conf ALL hosts can now perform any
> API calls matching that path. This is due to puppet using the
> 127.0.0.1 passed by Apache.
>
> I need one of the following:
>
> 1. A way to do IP passthrough in apache such that the correct
> originating IP is used.

Configure your mod_proxy to pass the IP in X-Forwarded-For.

> 2. Puppet to make use of the X-Forwarded-For header if it exists and
> to fallback in instances where it doesn't.

And mod_rpaf is what you need, running in your master apache.

> Likely the latter is the best method. Please feel free to correct me
> if I am missing something. I have verified that with the above
> auth.conf stanza ALL hosts can perform all /cert* related API calls.
> Additionally here is a log line:
>
> 127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
>
> That's a request from another server. Here are the Apache configs:
>
> http://pastebin.com/rDKPSjjy
>
> Thanks everyone!
> Ryan Bowlby

--
Brice Figureau
My Blog: http://www.masterzen.fr/
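As an added illustration of the two places the fix lands (this is not Ryan's pastebin config or Brice's own example), assuming hypothetical host names, a mod_proxy frontend on 8140 proxying to a Passenger backend on 18140 on the same machine, and mod_rpaf 0.6 directive names:

```apache
# --- frontend vhost (mod_proxy / mod_proxy_http) ---
# mod_proxy_http appends the client address to X-Forwarded-For by itself;
# ProxyPreserveHost keeps the original Host header for the backend.
<VirtualHost *:8140>
    ServerName puppet.example.com
    SSLEngine on
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass        / https://127.0.0.1:18140/
    ProxyPassReverse / https://127.0.0.1:18140/
</VirtualHost>

# --- backend (Passenger) vhost on the same host ---
# mod_rpaf replaces the remote address Puppet sees with the value from
# X-Forwarded-For, but only for requests whose direct peer is listed in
# RPAFproxy_ips. Listing only the loopback address is what stops an
# arbitrary client from forging the header and impersonating another IP.
# SSL client-verification and Passenger directives are omitted here.
<VirtualHost 127.0.0.1:18140>
    ServerName puppet.example.com
    RPAFenable      On
    RPAFsethostname On
    RPAFproxy_ips   127.0.0.1
    RPAFheader      X-Forwarded-For
</VirtualHost>

# --- auth.conf: the weak stanza beside two corrected ones ---
# Weak: behind the proxy every request arrives from 127.0.0.1, so
# "allow localhost" matches every client, not just the provisioning host.
#   path ~ /cert*
#   auth no
#   allow localhost

# Corrected (a): keep the IP-based allow for a provisioning host that has
# no certificate yet, now safe because mod_rpaf supplies the real source
# address (hypothetical address).
path ~ /cert*
auth no
allow 192.0.2.10

# Corrected (b): if the provisioning host already holds a signed cert,
# allow by certname instead; this is checked against the client SSL
# certificate, not the source address, so it holds even without mod_rpaf.
path ~ /cert*
auth yes
allow provisioning.example.com
```

Use (a) or (b), not both; whichever you keep, check the backend access log shows the client's real address rather than 127.0.0.1 before relying on an IP-based allow.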