This is what my haproxy cfg is like. I'm doing tcp passthrough.
global
    chroot /var/lib/haproxy
    daemon
    group haproxy
    log 10.0.2.15 local0
    maxconn 4000
    pidfile /var/run/haproxy.pid
    stats socket /var/lib/haproxy/stats
    user haproxy
defaults
    log global
    maxconn 8000
    op
Neil,
I agree one CA is more than capable and the load balancing point here is
pretty much moot. I as well will have many nodes dispersed world wide
within DCs and with hosting providers, like AWS and DO. Having a flexible
and simple setup which can operate independently of other sites is a
r
I did some testing and yes, if you reinstall a host and don't perform puppet
cert clean on all the CA servers you will run into issues. But other than
this fact I haven't seen any issues with masters verifying a signed
certificate. Since running puppet cert clean is standard procedure I don't
s
Hello Trevor,
I put this in when we did a fairly big puppet upgrade. This meant I could
direct a few clients to the upgraded server, upgrade the agents, see how that
went, then do all dev services before moving others.
I guess we could have done that in a number of other ways but this worked
well for
Hi Neil,
Thanks for sharing that config, it's quite useful.
Did you see any large benefit of this versus using DNS SRV records (yes, I
understand the actual load balancing implications).
I'm curious if the extra infrastructure was worth the effort.
I'm partial to a fan-out DNS SRV structure, bu
Hello
One extra thing to mention is I have got into issues with configuring the
loadbal itself through puppet, as a broken loadbal config breaks the puppet
service, which means the loadbal can't be fixed via puppet, so admin login
is required on these servers.
Thanks
Neil
On 19 September 2016 at 1
Hello
Below is a slightly edited version of the haproxy.cfg.
All the backends except the CA require a valid client cert: 'http-request
deny unless { ssl_c_verify 0 }'
global
    chroot /var/lib/haproxy
    daemon
    group haproxy
    log 127.0.0.1 local4
    log 127.0.0.1 local5 notice
    maxconn 2000
On 17 September 2016 at 15:06, Neil - Puppet List wrote:
> Hello
>
> I've run multiple puppet masters behind ha proxy for a few years now. I have
> multiple masters, with haproxy rules directing some clients to particular
> masters. I only have one puppet master as CA. I've about 600 clients.
>
>
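The snippet above stops before the frontend and backend sections, so here is a complete haproxy.cfg in the same spirit, written for this reply as an added example. It is not Neil's configuration: the hostnames, IP addresses, file paths and the Puppet 4 CA URL prefix (/puppet-ca/v1/) are assumptions, and it assumes the masters behind haproxy listen for plain HTTP on 8140 and trust the X-Client-Verify / X-Client-DN headers (the defaults for puppet's ssl_client_verify_header and ssl_client_header settings). The important detail for a setup that terminates TLS on the load balancer is that ssl_c_verify alone is not enough: with `verify optional`, a connection that presents no certificate has no verification error, so the deny rule also has to check ssl_c_used. The crl-file on the bind line is what makes `puppet cert clean` actually take effect at the load balancer; haproxy only rejects revoked agent certs if it has a current copy of the CA's CRL.

```haproxy
global
    log 127.0.0.1 local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 4000

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  120s
    timeout server  120s

frontend puppet
    # haproxy terminates TLS here so it can see both the agent's client
    # certificate and the request path. puppet.pem is the load balancer's own
    # server cert + key for the name agents connect to; ca.pem is the single
    # Puppet CA's certificate that agent certs are verified against; ca_crl.pem
    # is that CA's CRL, which must be re-copied whenever a cert is cleaned.
    # verify optional lets a brand-new agent with no cert reach the CA backend.
    bind *:8140 ssl crt /etc/haproxy/puppet.pem ca-file /etc/haproxy/ca.pem crl-file /etc/haproxy/ca_crl.pem verify optional

    # Puppet 4 CA API (CSR submission, cert download, CRL fetch). Assumed paths.
    acl is_ca     path_beg /puppet-ca/v1/
    # A cert was presented AND it verified (not expired, not revoked, signed by ca.pem).
    acl cert_used ssl_c_used
    acl cert_ok   ssl_c_verify 0

    # Always set these headers ourselves so an agent cannot inject its own copies.
    http-request set-header X-Client-Verify SUCCESS if cert_used cert_ok
    http-request set-header X-Client-Verify NONE    unless cert_used cert_ok
    http-request set-header X-Client-DN %[ssl_c_s_dn]

    use_backend ca if is_ca
    default_backend masters

backend ca
    # The one CA. This is the only backend reachable without a verified cert.
    server ca01 10.0.2.21:8140 check

backend masters
    # Everything else needs a presented AND verified agent cert.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
    # Keep each agent on one master between runs.
    balance source
    server master01 10.0.2.21:8140 check
    server master02 10.0.2.22:8140 check
    server master03 10.0.2.23:8140 check
```

Because a broken load balancer config takes the puppet service down with it, run `haproxy -c -f /etc/haproxy/haproxy.cfg` on the generated file before reloading, and refuse the reload if the check fails.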
Hello
I've run multiple puppet masters behind haproxy for a few years now. I
have multiple masters, with haproxy rules directing some clients to
particular masters. I only have one puppet master as CA. I've about 600
clients.
Initially I was concerned about only having one CA. But all it does is
Serial numbers on SSL certificates are important, and your setup will
generate many duplicate serial numbers. Ergo, this is bad.
Related problem: Did you test revoking a client certificate? I suspect
not, because the above issue will bite you.
On 2016-09-12 12:48 AM, Ivan Arjune wrote:
Di
Did I figure out something new here, because I've been digging at this for
a week and don't see anyone doing it like this.
What i'm doing is running multiple puppetmasters behind haproxy. Each
puppetmaster is an active ca server and share a common certificate. It
works like a charm, in a la