On Thu, Jul 2, 2015 at 9:51 PM, Nik Haldimann <n...@placemeter.com> wrote:
> However, my impression is that a puppet master is usually deployed within a
> private network (e.g., internal to a data center or as part of a private
> VPC subnet on AWS). For my use case I would have to open the master to the
> public internet. What are the implications of this? Is this recommended or
> not? Are there specific settings I should be watching out for to make this
> secure?

I can't think of any reason why it would be a bad idea to run Puppet over a public network. The SSL features alone actually make it quite suitable for this type of set up. You can also tweak auth.conf to further secure it.

Two things which I would advise though are:

1) Don't autosign your certs, and
2) don't trust any facts from the agent; if using things like certname in hiera.yaml or elsewhere, always source the value from trusted facts (https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts).

Craig

Don't autosign your certs

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CACxdKhH1EWerYfw6X%3D0JGYDDJ_pwHyxU6D6pPt2F%2BJYBtOfYGw%40mail.gmail.com.
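The point Craig makes about agent-supplied versus trusted facts, shown as an added manifest example (this is not code from the thread or from Puppet's own documentation). It assumes a master running Puppet 3.4 or later with `trusted_node_data = true` (the default from Puppet 4), `autosign = false` in the `[master]` section of puppet.conf, and made-up certnames under `example.internal`; the role class names are placeholders.

```puppet
# Added example; not from the original post. Assumes puppet.conf on the
# master contains:
#
#   [master]
#   autosign = false
#
# so every certificate is signed by hand (puppet cert sign <certname>) after
# the CSR has been checked against a known host list.

# Weak pattern (for comparison, kept as a comment so the manifest compiles):
# $::hostname, $::fqdn and even $::clientcert are facts sent by the agent. A
# node that can talk to a public master can set them to anything, so this
# lets any node claim the database role:
#
#   if $::hostname == 'db-master01' {
#     include role::db_master      # untrusted: agent decides its own role
#   }

# Corrected pattern: $trusted['certname'] is the CN of the client certificate
# the master verified during the TLS handshake. An agent cannot change it
# without a certificate signed by the master's CA, which is exactly why
# autosigning has to stay off for this to mean anything.
node default {
  # Refuse to classify anything that did not arrive over an authenticated
  # agent connection (e.g. a stray `puppet apply` with unsigned data).
  if $trusted['authenticated'] != 'remote' {
    fail("refusing to classify unauthenticated node ${trusted['certname']}")
  }

  $role = $trusted['certname'] ? {
    /^db-master\d+\.example\.internal$/ => 'role::db_master',
    /^web\d+\.example\.internal$/       => 'role::web',
    default                             => 'role::base',
  }
  include $role
}
```

The same rule applies in hiera.yaml: a per-node hierarchy level should interpolate `%{::trusted.certname}` rather than `%{::clientcert}` or `%{::fqdn}`, otherwise a node can pick which node-specific data (and any secrets in it) the master hands back. Keeping autosign off is what makes the certname trustworthy in the first place; with `autosign = true`, anyone who can reach the master's port 8140 can request a certificate for any name.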