On Dec 16, 2010, at 7:55 AM, Felix Frank wrote:

> On 12/16/2010 10:28 AM, Patrick wrote:
>>
>>
>> On Dec 16, 2010, at 1:04 AM, Brice Figureau wrote:
>>>> My original error was that I didn't set:
>>>> SSLProxyEngine on
>>>>
>>>> Now I'm just getting errors that say all requests are forbidden. I
>>>> assume this is because the puppetmaster isn't seeing the headers from
>>>> apache that have the SSL information.
>>>
>>> You must set up your file serving master exactly like your catalog (or
>>> general) master.
>>
>> I did. The problem is that I don't know enough about apache so I'm doing
>> something wrong.
>>
>> I think this is the problem:
>> The first layer is stripping out the client's certificate. Then the second
>> layer is stripping out the success headers leaving the puppetmaster with no
>> authentication information.
>>
>> The real problem is that I don't know how to tell Apache to "send on the
>> request and don't touch anything".
>
> Tough call. There is no such thing as a "transparent SSL proxy" afaik,
> because without decrypting requests, the proxy cannot make any header
> based decisions.
>
> This may well be a dead end then.

Ah. See below for a different idea then.

> If such an approach is at all possible, the complete implementation
> would include giving the proxy the means to recognize valid client
> certificates.

The proxy can and is recognizing valid certificates. The problem is passing that information on to the puppetmaster because I really don't know how to do that. I also don't know exactly which headers the puppetmaster uses.

I'm thinking that if I do this, I need to remove the SSL from the file server VirtualHost and just pass the information directly through.

> Even if this should work - is it worth all that hassle?

This is a much better question. I'm going to work on it a little more though.
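The arrangement considered at the end of the message above (TLS terminated on the front proxy, plain HTTP to the file server VirtualHost) can be sketched as follows. This is an added example, not configuration from the thread: the hostname, port 18140 and certificate paths are placeholders, and the header names are the ones Puppet's `ssl_client_header` and `ssl_client_verify_header` settings default to (`HTTP_X_CLIENT_DN` and `HTTP_X_CLIENT_VERIFY`).

```apache
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http.

# --- Front proxy: terminates TLS and verifies the agent certificate ---
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # Placeholder paths; use the proxy's own Puppet-signed certificate.
    SSLCertificateFile    /etc/puppet/ssl/certs/proxy.example.com.pem
    SSLCertificateKeyFile /etc/puppet/ssl/private_keys/proxy.example.com.pem
    SSLCACertificateFile  /etc/puppet/ssl/certs/ca.pem

    # "optional" lets agents without a signed certificate still reach the
    # CA endpoints; they are forwarded with a non-SUCCESS verify value.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +StdEnvVars

    # "set" replaces any header of the same name sent by the client, so an
    # agent cannot supply its own DN or verification result.
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Plain HTTP to the backend, so SSLProxyEngine is not needed here.
    ProxyPass        / http://127.0.0.1:18140/
    ProxyPassReverse / http://127.0.0.1:18140/
</VirtualHost>

# --- Backend (file server) VirtualHost: no SSL, loopback only ---
# The backend trusts the X-Client-* headers blindly, so it must never be
# reachable except through the proxy above.
Listen 127.0.0.1:18140
<VirtualHost 127.0.0.1:18140>
    # No SSLEngine here. The existing Rack/Passenger or Mongrel directives
    # for the puppetmaster stay as they are in the current VirtualHost.
</VirtualHost>

# puppet.conf on the backend (these are the defaults, shown for reference):
#   ssl_client_header        = HTTP_X_CLIENT_DN
#   ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
```

If the backend runs on a different host than the proxy, the loopback binding has to be replaced by a firewall rule or `Allow from` restriction that admits only the proxy's address, because anyone who can reach the backend directly can present arbitrary `X-Client-DN` and `X-Client-Verify` values.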