On 27/01/12 02:14, Ryan Bowlby wrote:
> Hi All,
> 
> I have two puppet servers using Apache with mod_proxy as the
> frontend, similar to what's described in Pro Puppet.
> Unfortunately, Apache mod_proxy is passing the puppetca requests using
> the loopback IP instead of the original source IP.

You're not mentioning what stack your masters are running.
But if they're running on Apache and Passenger, may I suggest using
mod_rpaf?

> This is a bit of a security concern when configuring auth.conf! An
> example stanza in auth.conf:
> 
> # allow certificate management on provisioning server without cert
> path ~ /cert*
> auth no
> allow localhost

If you instead make this a certname, then it's secure again.

> With that near the bottom of auth.conf ALL hosts can now perform any
> API calls matching that path. This is due to puppet using the
> 127.0.0.1 passed by Apache.
> 
> I need one of the following:
> 
> 1. A way to do IP passthrough in apache such that the correct
> originating IP is used.

Configure your mod_proxy to pass the IP in X-Forwarded-For.

> 2. Puppet to make use of the X-Forwarded-For header if it exists and
> to fallback in instances where it doesn't.

And mod_rpaf is what you need, running in your master apache.

> Likely the latter is the best method. Please feel free to correct me
> if I am missing something. I have verified that with the above
> auth.conf stanza ALL hosts can perform all /cert* related API calls.
> Additionally here is a log line:
> 
> 127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/
> certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-
> redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/
> 0.6.5"
> 
> That's a request from another server. Here are the Apache configs:
> 
> http://pastebin.com/rDKPSjjy
> 
> 
> Thanks everyone!
> Ryan Bowlby
> 


-- 
Brice Figureau
My Blog: http://www.masterzen.fr/
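The two pieces Brice describes, as an added example that is not from this thread or from the Puppet project: the backend master vhost trusting X-Forwarded-For from the local mod_proxy frontend via mod_rpaf, and the auth.conf stanza rewritten to match a certname instead of localhost. The port numbers, the hostname provisioning.example.com and the 127.0.0.1-only proxy are assumptions.

```apacheconf
# --- Frontend (assumed: listens on 8140, proxies to the master on 18140).
#     mod_proxy appends the real client address to X-Forwarded-For on
#     every request it forwards; nothing extra is needed for that.
<VirtualHost *:8140>
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:18140/
    ProxyPassReverse / http://127.0.0.1:18140/
</VirtualHost>

# --- Backend master vhost on the same box. mod_rpaf swaps REMOTE_ADDR for
#     the X-Forwarded-For value, but only when the TCP peer is one of the
#     listed proxies, so a direct client cannot forge its own source IP.
<VirtualHost 127.0.0.1:18140>
    RPAFenable     On
    RPAFproxy_ips  127.0.0.1
    RPAFheader     X-Forwarded-For
    RPAFsethostname On
    # ... Passenger / puppetmaster settings as before
</VirtualHost>

# --- auth.conf on the master (first matching rule wins, so keep this above
#     any broader rules).
#
# Weak: behind the proxy every request arrives from 127.0.0.1, so
# "allow localhost" matches all hosts.
#   path ~ /cert*
#   auth no
#   allow localhost
#
# Better: require the provisioning host to present its own signed cert
# (assumed certname provisioning.example.com) instead of trusting an IP.
#   path ~ ^/certificate_status
#   auth yes
#   method find, search, save, destroy
#   allow provisioning.example.com
```

With mod_rpaf in place the Apache access log on the master shows the client address rather than 127.0.0.1, which is the quick way to confirm the header is being honoured before relying on it in auth.conf.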
