Hi Karl, here are the Apache configs that work, afaik (any comment is welcome):

- puppetserver: direct and indirect access
- proxy server

You can have direct and proxied clients:

    clients
       |
    tcp/8140
       |
    Puppet Server
       |
    tcp/8141 -----------firewall
       |
    RP
       |
    tcp/8140
       |
    "remote" clients

Please note: (disclaimer) this setup, intended for internal networks, does not imho have evident security issues, however you have to understand what issues could arise if you do not manage a "trust chain", that is, ensure security on certificates, SSL, network communication and puppetserver access.

More:

- To operate this setup you must already have certificates generated by the Puppet CA.
- Certificates must contain all relevant DNS names used by the servers, and the correct CN.
- Pay attention to the header variables and the tcp/8141 access restriction, so as not to be vulnerable to "man-in-the-middle attacks".
- You should update the CRL on the proxy.
- (This setup does not have SSL client validation for the RP when connecting to puppetserver; SSLVerifyClient on the VH 8141 is recommended.)

Verify you have in your server's puppet.conf:

    ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
    ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY

(Change servernames and ACL as required)

    #------------Puppet server-----------
    # Indirect access: this vhost is reached only through the reverse proxy
    Listen 8141
    <VirtualHost *:8141>
        ServerName my_puppet_servername
        ServerAlias my_puppet_servername
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
        SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        # Passenger options that can be set in a virtual host configuration block.
        PassengerHighPerformance on
        PassengerStatThrottleRate 120
        PassengerUseGlobalQueue on
        RackAutoDetect Off
        RailsAutoDetect Off
        RackBaseURI /
        # X-Client variables required to verify client authentication.
        # Values come from the (trusted) reverse proxy, which verifies the client
        # certificate against the CA and checks its CRL status.
        # The header names must match the RequestHeader names set by the RP below.
        SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
        SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
        SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
        DocumentRoot /etc/puppet/rack/public
        <Location />
            Options None
            Order deny,allow
            # List the IP address of your proxy: any other host reaching this vhost
            # could forge the X-RP-* headers, so nothing else may be allowed here.
            Allow from my_proxy_IP_address
            Deny from all
        </Location>
    </VirtualHost>

    # Direct access: agents on the internal network present their certificate here
    Listen 8140
    <VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
        SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
        # Passenger options that can be set in a virtual host configuration block.
        PassengerHighPerformance on
        PassengerStatThrottleRate 120
        PassengerUseGlobalQueue on
        RackAutoDetect Off
        RailsAutoDetect Off
        RackBaseURI /
        # "set" replaces any value a client may have sent, so these always reflect
        # the result of the local certificate check.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
        DocumentRoot /etc/puppet/rack/public
        <Directory /etc/puppet/rack/>
            Options None
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>
    #---------------END Puppet Server-----------------

    #----------------RP---------------------
    Listen 8140
    <VirtualHost *:8140>
        ServerName my_RP_servername:8140
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_RP_servername.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        # Keep this CRL in sync with the CA, otherwise revoked agents stay valid here
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
        ErrorLog logs/error_puppet_rp_log
        TransferLog logs/access_puppet_rp_log
        LogLevel warn
        CustomLog logs/ssl_request_puppet_rp_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        # Forward the verified client DN and verify status to the Puppet Server;
        # the names here must match the SetEnvIf directives of the 8141 vhost.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-RP-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-RP-Client-Verify %{SSL_CLIENT_VERIFY}e
        RewriteEngine On
        TraceEnable Off
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        # Verify the Puppet Server certificate (CA and CN) before proxying
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLProxyCheckPeerCN on
        # SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername_pub_and_key.pem
        ProxyPass / https://my_puppetserver_servername:8141/
        ProxyPassReverse / https://my_puppetserver_servername:8141/
        ProxyPreserveHost On
        <Location />
            Order deny,allow
            Allow from my_client_IP_network
            Deny from all
        </Location>
    </VirtualHost>
    #------------END RP--------------------

Regards
Paolo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1b183fb7-3793-407d-abae-72417d11ce34%40googlegroups.com.
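A small lint for the trust chain the post relies on (RP header names matching the 8141 SetEnvIf names, a proxy-only ACL on 8141, backend verification and a CRL on the RP). This is an added example, not part of Paolo's post or of Puppet; the config excerpts and the proxy address 192.0.2.10 are constructed.

```python
import re

# Constructed excerpts (not the post's full config) that follow the same pattern:
# the RP forwards the verified client DN in X-RP-* headers, the Puppet Server
# vhost on 8141 maps them to the env vars named in puppet.conf and admits only the proxy.
RP_CONF = """
<VirtualHost *:8140>
    RequestHeader set X-RP-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-RP-Client-Verify %{SSL_CLIENT_VERIFY}e
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLProxyVerify require
    ProxyPass / https://my_puppetserver_servername:8141/
</VirtualHost>
"""
SERVER_CONF = """
<VirtualHost *:8141>
    SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
    SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
    <Location />
        Order deny,allow
        Allow from 192.0.2.10
        Deny from all
    </Location>
</VirtualHost>
"""

def vhost_lines(conf, port):
    """Non-empty, stripped directive lines inside <VirtualHost *:port> ... </VirtualHost>."""
    m = re.search(r"<VirtualHost \*:%d>(.*?)</VirtualHost>" % port, conf, re.S)
    return [l.strip() for l in m.group(1).splitlines() if l.strip()] if m else []

def lint(rp_conf, server_conf):
    """Return findings against the trust chain; an empty list means all checks pass."""
    rp, srv = vhost_lines(rp_conf, 8140), vhost_lines(server_conf, 8141)
    findings = []
    # 1. every header the server maps into HTTP_X_PUPPET_* must actually be set by the RP
    sent = {l.split()[2] for l in rp if l.startswith("RequestHeader set")}
    mapped = {l.split()[1] for l in srv if l.startswith("SetEnvIf")}
    for h in sorted(mapped - sent):
        findings.append("server maps %s but RP never sets it" % h)
    # 2. 8141 must be reachable from the proxy only: explicit Deny from all plus an Allow list
    allows = [l for l in srv if l.lower().startswith("allow from") and l.split()[-1] != "all"]
    if "Deny from all" not in srv or not allows:
        findings.append("8141 vhost lacks a proxy-only IP ACL; spoofed headers would be trusted")
    # 3. the RP must verify the backend certificate and hold a CRL for agent checks
    if "SSLProxyVerify require" not in rp:
        findings.append("RP does not verify the Puppet Server certificate")
    if not any(l.startswith("SSLCARevocationFile") for l in rp):
        findings.append("RP has no CRL; revoked agent certificates would still be accepted")
    return findings
```

Run it against both real vhost files before deploying a change; a header rename on only one side is the kind of mismatch it is meant to catch.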