Thanks, Rémi. But this is already this way:

# ls -l /etc/puppet/rack/config.ru
-rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru
For me it was solved by adding "auth no" / "allow *" to every record in /etc/puppet/auth.conf, but I'm sure this is not a good idea. I still can't understand why it (the permissions from auth.conf) works with Apache but not with nginx. I would rather suppose that the real IP address is not available to the Ruby application (it sees it as the IP of the puppetmaster), but I have no idea how to check it... Any suggestion will be appreciated.

On Jun 4, 6:05 pm, Rémi <ere...@gmail.com> wrote:
> Hi,
>
> Check the file permissions of /etc/puppet/rack/public/config.ru and restart
> Nginx. The user/group must be "puppet".
> Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> (in French).
>
> Regards
>
> On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
> > Hello!
> >
> > Are there any success stories with nginx, passenger and puppetmaster?
> >
> > I'm trying to set up the mentioned scheme and have problems - the client cannot
> > get its own catalog (I removed only hostnames and domain names):
> >
> > err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppethost (10.88.5.254) access to /catalog/puppethost [find] at line 93
> > info: Not using expired catalog for puppethost from cache; expired at Fri Jun 01 17:33:24 +0000 2012
> > notice: Using cached catalog
> > err: Could not retrieve catalog; skipping run
> > err: Could not send report: Error 403 on SERVER: Forbidden request: puppethost (10.88.5.254) access to /report/puppethost [save] at line 93
> >
> > On the nginx side it looks this way:
> >
> > 10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "GET /production/catalog/puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-" "-"
> > 10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "PUT /production/report/puppethost HTTP/1.1" 403 107 "-" "-"
> >
> > My nginx configs:
> >
> > # cat /etc/nginx/conf.d/passenger.conf
> > passenger_root /usr/lib/ruby/1.8/phusion_passenger;
> >
> > # cat /etc/nginx/conf.d/puppet.conf
> > server {
> >     listen 8140 ssl;
> >     server_name puppetmaster.domain;
> >     default_type application/x-raw;
> >     ssl on;
> >
> >     root /etc/puppet/rack/public;
> >     passenger_enabled on;
> >     # Puppet's Rack handler takes the client DN and the verification result from
> >     # these CGI variables (the defaults of ssl_client_header / ssl_client_verify_header).
> >     passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
> >     passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
> >
> >     access_log /var/log/nginx/puppet_access.log;
> >     error_log /var/log/nginx/puppet_error.log;
> >
> >     ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.domain.pem;
> >     ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.domain.pem;
> >     # With the CRL commented out, agent certificates revoked on the CA are still accepted.
> >     #ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
> >     ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
> >     ssl_protocols SSLv3 TLSv1;    # SSLv3 is obsolete; TLSv1 or newer only is preferable
> >     ssl_ciphers HIGH:+MEDIUM;
> >     ssl_prefer_server_ciphers on;
> >     # "optional" lets clients without a certificate (e.g. certificate requests) through;
> >     # the application must then check HTTP_X_CLIENT_VERIFY == SUCCESS, which is what
> >     # "auth yes" in auth.conf relies on.
> >     ssl_verify_client optional;
> >     ssl_verify_depth 1;
> >     ssl_session_cache shared:SSL:128m;
> >     ssl_session_timeout 5m;
> >
> >     # The proxy_* directives below only take effect together with proxy_pass;
> >     # with Passenger running the app in-process they are inert.
> >     proxy_redirect off;
> >     proxy_set_header Host $host;
> >     proxy_set_header X-Real-IP $remote_addr;
> >     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >     proxy_set_header X-Client-Verify $ssl_client_verify;
> >     proxy_set_header X-Client-DN $ssl_client_s_dn;
> >     proxy_set_header X-SSL-Subject $ssl_client_s_dn;
> >     proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
> > }
> >
> > But it works fine with the default puppetmaster startup script, i.e. on
> > webrick. I have also successfully configured a standalone puppetmaster and apache
> > + passenger, but in this case I'm at a loss.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
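One way to check what the Ruby application actually sees, added here as an example (it is not from the thread, and not Puppet's own code): a small Rack middleware that logs, for every request, the CGI variables Puppet's Rack handler consults for the client's identity (HTTP_X_CLIENT_DN, HTTP_X_CLIENT_VERIFY) together with the address fields an IP-based auth.conf rule could match on (REMOTE_ADDR, X-Real-IP, X-Forwarded-For). The class name, the log-file path and the sample environment are the example's own assumptions, and the CN extraction is the probe's own parsing rather than Puppet's. Wrapped around the Puppet app in /etc/puppet/rack/config.ru, it lets you compare a log line from the nginx setup with one from the working Apache + Passenger setup.

```ruby
# Diagnostic Rack middleware (added example, not part of Puppet): records what
# the front-end web server (nginx+Passenger or Apache+Passenger) hands the
# Puppet master about the connecting client. To use it, in config.ru:
#
#   require './client_info_probe'   # assumed file name for this code
#   use PuppetClientInfoProbe, :logfile => '/var/log/puppet/client_info.log'
#   run Puppet::Network::HTTP::RackREST.new   # whatever the existing config.ru runs
#
# then run `puppet agent --test` on a node and read the log.
class PuppetClientInfoProbe
  # CGI variables worth recording: the defaults of Puppet's ssl_client_header /
  # ssl_client_verify_header settings, plus the address fields that decide
  # IP-based "allow" rules in auth.conf.
  KEYS = %w[REMOTE_ADDR HTTP_X_REAL_IP HTTP_X_FORWARDED_FOR
            HTTP_X_CLIENT_DN HTTP_X_CLIENT_VERIFY].freeze

  def initialize(app, opts = {})
    @app           = app
    @dn_header     = opts[:dn_header]     || 'HTTP_X_CLIENT_DN'
    @verify_header = opts[:verify_header] || 'HTTP_X_CLIENT_VERIFY'
    @log           = opts[:logfile] ? File.open(opts[:logfile], 'a') : $stderr
    @log.sync = true
  end

  # Log one line per request, expose the summary to downstream middleware,
  # then hand the request on unchanged.
  def call(env)
    info = self.class.client_info(env, @dn_header, @verify_header)
    @log.puts(self.class.format_line(env, info))
    env['puppet.client_info_probe'] = info
    @app.call(env)
  end

  # Pull the CN out of a DN in either form a front end may emit: OpenSSL
  # one-line "/C=XX/O=Org/CN=host" or RFC 2253 "CN=host,O=Org,C=XX".
  # This is the probe's own parsing; Puppet applies its own regex to the header.
  def self.common_name(dn)
    return nil if dn.nil? || dn.empty?
    m = dn.match(/(?:^|[\/,])\s*CN\s*=\s*([^\/,]+)/)
    m && m[1].strip
  end

  # What the master could conclude from the CGI environment alone: which node
  # is talking, whether the certificate check succeeded, and which address an
  # IP rule would be matched against.
  def self.client_info(env, dn_header = 'HTTP_X_CLIENT_DN',
                            verify_header = 'HTTP_X_CLIENT_VERIFY')
    seen = {}
    KEYS.each { |k| seen[k] = env[k] }
    node = common_name(env[dn_header])
    {
      :seen          => seen,
      :node          => node,
      :authenticated => !node.nil? && env[verify_header] == 'SUCCESS',
      :ip            => env['REMOTE_ADDR'],
    }
  end

  def self.format_line(env, info)
    fields = KEYS.map { |k| "#{k}=#{info[:seen][k].inspect}" }.join(' ')
    "#{env['REQUEST_METHOD']} #{env['PATH_INFO']} node=#{info[:node].inspect} " \
      "authenticated=#{info[:authenticated]} #{fields}"
  end
end

# Constructed sample environment modelled on the catalog request in the
# thread (agent 10.88.5.254 fetching /catalog/puppethost); not captured from
# a real server.
SAMPLE_ENV = {
  'REQUEST_METHOD'       => 'GET',
  'PATH_INFO'            => '/production/catalog/puppethost',
  'REMOTE_ADDR'          => '10.88.5.254',
  'HTTP_X_CLIENT_DN'     => '/CN=puppethost',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
}

if __FILE__ == $0
  # Run directly: print the line the probe would log for the sample request.
  app = lambda { |env| [200, { 'Content-Type' => 'text/plain' }, ['ok']] }
  PuppetClientInfoProbe.new(app).call(SAMPLE_ENV.dup)
end
```

A log line showing HTTP_X_CLIENT_DN=nil and HTTP_X_CLIENT_VERIFY=nil for a request that the nginx access log attributes to 10.88.5.254 means the passenger_set_cgi_param values never reached the application; a DN that is present while REMOTE_ADDR shows the master's own address would support the IP theory raised in the reply above. It is also worth sending a request whose identity headers come from the client itself (for instance curl with -H 'X-Client-DN: /CN=puppethost' and -H 'X-Client-Verify: SUCCESS' and no client certificate): what the probe records in that case shows whether the front end overwrites client-supplied identity headers, which it must for the verify check to mean anything.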