Hello! Are there any success stories with nginx, passenger and puppetmaster?
I'm trying to set up the mentioned scheme and have problems - the client cannot get its own catalog (removed only hostnames and domain names):

    err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppethost (10.88.5.254) access to /catalog/puppethost [find] at line 93
    info: Not using expired catalog for puppethost from cache; expired at Fri Jun 01 17:33:24 +0000 2012
    notice: Using cached catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: Error 403 on SERVER: Forbidden request: puppethost(10.88.5.254) access to /report/puppethost [save] at line 93

On the nginx side it looks this way:

    10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "GET /production/catalog/puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-" "-"
    10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "PUT /production/report/puppethost HTTP/1.1" 403 107 "-" "-"

My nginx configs:

    # cat /etc/nginx/conf.d/passenger.conf
    passenger_root /usr/lib/ruby/1.8/phusion_passenger;

    # cat /etc/nginx/conf.d/puppet.conf
    server {
        listen 8140 ssl;
        server_name puppetmaster.domain;
        default_type application/x-raw;
        ssl on;
        root /etc/puppet/rack/public;

        passenger_enabled on;
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

        access_log /var/log/nginx/puppet_access.log;
        error_log /var/log/nginx/puppet_error.log;

        ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.domain.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.domain.pem;
        #ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:+MEDIUM;
        ssl_prefer_server_ciphers on;
        ssl_verify_client optional;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
        ssl_session_timeout 5m;

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    }

But it works fine with the default puppetmaster startup script, i.e. on webrick. Also, I have successfully configured standalone puppetmaster and apache + passenger, but in this case I'm at a loss.