Without firewalling you're asking for trouble though if you ask me.

Take for example the certificate endpoint - the security model requires 
that the certificate request endpoint be open to unauthenticated access. 
There are obvious denial of service possibilities there (fill up the disk 
with crufty requests, for example).

I'd find some way of running without a master, or if I had to run one on 
the public internet, implement some security at the network to filter 
requests.

On Friday, 3 July 2015 08:31:02 UTC+1, Craig Dunn wrote:
>
> On Thu, Jul 2, 2015 at 9:51 PM, Nik Haldimann <n...@placemeter.com 
> <javascript:>> wrote: 
>
> > However, my impression is that a puppet master is usually deployed 
> within a 
> > private networks (e.g., internal to a data center or as part of a 
> private 
> > VPC subnet on AWS). For my use case I would have to open the master to 
> the 
> > public internet. What are the implications of this? Is this recommended 
> or 
> > not? Are there specific settings I should be watching out for to make 
> this 
> > secure? 
>
> I can't think of any reason why it would be a bad idea to run Puppet 
> over a public network - The SSL features alone actually make it quite 
> suitable for this type of set up. You can also tweak auth.conf to 
> further secure it.  Two things which I would advise though are 1) 
> Don't autosign your certs, and 2) don't trust any facts from the 
> agent, if using things like certname in hiera.yaml or elsewhere always 
> source the value from the trusted facts 
> (https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html#trusted-facts)
>
>
>
> Craig 
>
> Don't autosign your certs 
>
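An added example (not code from this thread or from Puppet's own documentation) that puts the two pieces of advice above into a master-side manifest: the firewall resources are assumed to come from the puppetlabs-firewall module and the source range 203.0.113.0/24 is a constructed placeholder for your agents' addresses; the class name profile::app and the hiera key app_db_password are hypothetical.

```puppet
# site.pp excerpt for a master reachable from the public internet.
# Assumes the puppetlabs-firewall module is installed on the master.

# 1) Network-level filtering for port 8140. Agent traffic (including the
#    unauthenticated certificate request endpoint) is only accepted from the
#    ranges where agents actually live, and is rate limited so a flood of
#    bogus CSRs cannot fill the disk unchecked. 203.0.113.0/24 is a
#    constructed placeholder; substitute your own agent ranges.
node 'puppetmaster.example.com' {
  firewall { '100 allow puppet agents':
    proto  => 'tcp',
    dport  => 8140,
    source => '203.0.113.0/24',
    limit  => '30/minute',
    burst  => 60,
    action => 'accept',
  }

  firewall { '999 drop everything else to puppet':
    proto  => 'tcp',
    dport  => 8140,
    action => 'drop',
  }
}

# 2) Never let agent-supplied facts decide what an agent is allowed to get.
#    $facts['hostname'], $::certname and friends are reported by the agent and
#    can be set to anything by whoever controls that host. $trusted['certname']
#    is taken from the CN of the certificate the master's CA signed, and
#    $trusted['authenticated'] is 'remote' only when a valid client cert was
#    presented, so these are the values to key secrets and roles on.
node default {
  # Bad (kept here only for contrast): an agent claiming to be the database
  # host would receive the database host's secrets.
  # $node_name = $::hostname

  # Good: identity comes from the signed certificate.
  $node_name = $trusted['certname']

  unless $trusted['authenticated'] == 'remote' {
    fail("Refusing catalog: request for ${node_name} was not authenticated with a client certificate")
  }

  # Optional naming policy: only compile for certnames you actually sign.
  # With autosign disabled, every CN here was approved by a human.
  unless $node_name =~ /\.example\.com$/ {
    fail("Refusing catalog for unexpected certname ${node_name}")
  }

  # Hiera lookups keyed by the trusted name, e.g. a hierarchy entry of
  # "nodes/%{::trusted.certname}" rather than "nodes/%{::hostname}".
  $db_password = hiera('app_db_password')

  class { 'profile::app':
    node_name   => $node_name,
    db_password => $db_password,
  }
}
```

Pair this with `autosign = false` in the `[master]` section of puppet.conf so that every certificate reaching `$trusted['certname']` was signed deliberately; the firewall rules limit how much the open CSR endpoint can be abused, and the `$trusted` checks make sure a spoofed fact never changes which catalog or secrets a node receives.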
