Thanks Brice, using mod_rpaf fixed the issue! I've also realized why puppet SHOULD NOT rely on the X-Forwarded-For for determining source information to authorize API access. As soon as I had it working with mod_rpaf I performed an API request with a hostname different than the actual machine:
malicious host root$ curl -k -H "X-Forwarded-For: trustedhost.domain" -H "Accept: pson" https://puppet.domain:8140/production/certificate_statuses/no_key

Which worked, not too surprising. So while mod_rpaf DID fix the issue it also didn't secure anything. Alas, one should always make use of puppet client certificate based auth, especially when using a proxy that may or may not muddle with the origination information.

Also, for those who find this later: On CentOS 6.x this is available as an RPM in atomic:

rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/6/x86_64/RPMS/atomic-release-1.0-14.el6.art.noarch.rpm
yum -y install mod_rpaf

adding the following to the vhost:

<VirtualHost *:18142>
  RPAFenable On
  RPAFsethostname On
  RPAFproxy_ips 127.0.0.1
</VirtualHost>

Now that I know it works I'll likely build an RPM for the local repo, rather than rely on a lesser known repo.

Thanks again,
Ryan Bowlby

On Jan 26, 11:37 pm, Brice Figureau <brice-pup...@daysofwonder.com> wrote:
> On 27/01/12 02:14, Ryan Bowlby wrote:
> > Hi All,
> >
> > I have two puppet servers using Apache with mod_proxy as the
> > frontend. Similar to what's described in Pro Puppet.
> > Unfortunately, Apache mod_proxy is passing the puppetca requests using
> > the loopback IP instead of the original source IP.
>
> You're not mentioning what stack your masters are running.
> But if they're running on Apache and Passenger, may I suggest using
> mod_rpaf?
>
> > This is a bit of a security concern when configuring auth.conf! An
> > example stanza in auth.conf:
> >
> > # allow certificate management on provisioning server without cert
> > path ~ /cert*
> > auth no
> > allow localhost
>
> If you instead make this a certname, then it's secure again.
>
> > With that near the bottom of auth.conf ALL hosts can now perform any
> > API calls matching that path. This is due to puppet using the
> > 127.0.0.1 passed by Apache.
> >
> > I need one of the following:
> >
> > 1. A way to do IP passthrough in apache such that the correct
> > originating IP is used.
>
> Configure your mod_proxy to pass the IP in X-Forwarded-For.
>
> > 2. Puppet to make use of the X-Forwarded-For header if it exists and
> > to fall back in instances where it doesn't.
>
> And mod_rpaf is what you need, running in your master apache.
>
> > Likely the latter is the best method. Please feel free to correct me
> > if I am missing something. I have verified that with the above
> > auth.conf stanza ALL hosts can perform all /cert* related API calls.
> > Additionally here is a log line:
> >
> > 127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
> >
> > That's a request from another server. Here are the Apache configs:
> >
> > http://pastebin.com/rDKPSjjy
> >
> > Thanks everyone!
> > Ryan Bowlby
>
> --
> Brice Figureau
> My Blog: http://www.masterzen.fr/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
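The spoofing test Ryan describes above, worked through in Ruby as an added example (this is not code from the thread, from Puppet, or from mod_rpaf). It contrasts two ways a backend can derive the client address: naively taking the leftmost X-Forwarded-For value whenever the header is present, versus reading the header only when the TCP peer is a configured proxy and then walking the chain from the right past our own proxies. The proxy list mirrors the `RPAFproxy_ips 127.0.0.1` setting from the thread; the sample remote addresses and header values are constructed, and the example assumes (as Apache's mod_proxy does by default) that the proxy appends the connecting client's address to any X-Forwarded-For the client already sent. The right-to-left walk is the general algorithm for multi-hop proxy chains, which goes beyond the single-proxy setup in the thread.

```ruby
# Added example (not from the thread, Puppet or mod_rpaf): deriving the client
# address behind a reverse proxy without trusting whatever the client put into
# X-Forwarded-For. Proxy list and sample requests are constructed for the demo.
require 'ipaddr'

# Equivalent of RPAFproxy_ips: peers whose X-Forwarded-For we are willing to read.
TRUSTED_PROXIES = %w[127.0.0.1].map { |cidr| IPAddr.new(cidr) }.freeze

def trusted_proxy?(addr, proxies = TRUSTED_PROXIES)
  ip = IPAddr.new(addr)
  proxies.any? { |p| p.include?(ip) }
rescue ArgumentError
  false # hostnames or junk in the chain are never one of our proxies
end

# Naive handling: honour the header whenever it is present and take the
# leftmost value. The leftmost value is exactly what the client chose to send.
def client_ip_naive(remote_addr, xff)
  hops = (xff || '').split(',').map(&:strip).reject(&:empty?)
  hops.empty? ? remote_addr : hops.first
end

# Safer handling: ignore the header unless the TCP peer is a trusted proxy,
# then walk the chain from the right (the hop our own proxy appended) and
# stop at the first address that is not one of our proxies.
def client_ip_safe(remote_addr, xff, proxies = TRUSTED_PROXIES)
  return remote_addr unless trusted_proxy?(remote_addr, proxies)
  hops = (xff || '').split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless trusted_proxy?(hop, proxies) }
  remote_addr
end

# Constructed requests as the backend (puppetmaster behind Apache) sees them:
# [peer address, X-Forwarded-For header]. Assumption: mod_proxy appends the
# real client address, so a client-supplied value ends up as the leftmost hop.
SAMPLE_REQUESTS = {
  legit_via_proxy: ['127.0.0.1', '192.0.2.10'],
  spoof_via_proxy: ['127.0.0.1', 'trustedhost.domain, 198.51.100.7'],
  spoof_direct:    ['198.51.100.7', 'trustedhost.domain'],
  no_header:       ['127.0.0.1', nil]
}.freeze

# Returns, per request, the address each strategy would hand to auth.conf matching.
def compare_handling(requests = SAMPLE_REQUESTS)
  requests.transform_values do |(remote, xff)|
    { naive: client_ip_naive(remote, xff), safe: client_ip_safe(remote, xff) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_handling.each do |name, r|
    puts format('%-16s naive=%-20s safe=%s', name, r[:naive], r[:safe])
  end
end
```

Running it shows the naive strategy handing `trustedhost.domain` to the authorization layer for both spoofed requests, while the safer strategy yields the attacker's real peer address in both cases and leaves legitimate and header-less requests unchanged. Even the safer variant only tells you which host connected, which is why the thread's conclusion, certname-based authorization in auth.conf, is the actual fix.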