On 12/16/2010 10:28 AM, Patrick wrote:
> 
> 
> On Dec 16, 2010, at 1:04 AM, Brice Figureau wrote:
>>> My original error was that I didn't set:
>>> SSLProxyEngine on
>>>
>>> Now I'm just getting errors that say all requests are forbidden.  I
>>> assume this is because the puppetmaster isn't seeing the headers from
>>> apache that have the SSL information.
>>
>> You must set up your file serving master exactly like your catalog (or
>> general) master.
> 
> I did.  The problem is that I don't know enough about apache so I'm doing 
> something wrong.
> 
> I think this is the problem:
> The first layer is stripping out the client's certificate.  Then the second 
> layer is stripping out the success headers leaving the puppetmaster with no 
> authentication information.
> 
> The real problem is that I don't know how to tell Apache to "send on the 
> request and don't touch anything".

Tough call. There is no such thing as a "transparent SSL proxy" afaik,
because without decrypting requests, the proxy cannot make any
header-based decisions.

This may well be a dead end then.

Is it possible to have the fileserving subset of puppetmasters running
without any SSL support? That's throwing security out of the window of
course, so the proxy should be able to determine (say, by IP rule?) what
clients are allowed and which aren't.

If such an approach is at all possible, the complete implementation
would include giving the proxy the means to recognize valid client
certificates.

Even if this should work - is it worth all that hassle?
