Neither Passenger, nor Mongrel, are that difficult to set up behind
Apache but I will say that the Passenger instructions are quite user
friendly.

I attempted to provide the capability to modify the cipher sets in
Puppet for my own interest, but this is actually a limitation in the
Webrick codebase itself and I wasn't quite up to modifying the Ruby guts
when an Apache front-end was so simple to accomplish.

That said, you could also use Webrick behind an Apache front end and it
*should* work in passthrough mode but I haven't tested it since
Passenger and Mongrel were so straightforward.

Additionally, several distributions have both Passenger and Mongrel
available as native packages from various repositories and they are both
relatively easy to package yourself.

Good luck!

Trevor

On 12/22/2010 07:24 PM, Douglas Garstang wrote:
> On Wed, Dec 22, 2010 at 2:30 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
> 
>     On Wed, Dec 22, 2010 at 11:30 AM, Douglas Garstang
>     <doug.garst...@gmail.com> wrote:
>     > We're currently going through a PCI audit process, and an internal scan by
>     > an auditor of our network came up with the following advisory on port 8139
>     > on all of our puppet servers.
>     > Resolution: Disable weak and medium ciphers in the http.conf or ssl.conf
>     > configuration files:
>     > SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>     > Obviously, it's a canned response assuming that a web server is listening on
>     > that port. Is there any way to disable the 'weak and medium ciphers' on the
>     > default webrick server?
> 
>     We actually had a feature request in about this recently that
>     shouldn't be too hard to find if you do a search. More people caring
>     about this will lead us to prioritize it more, however...
> 
>     You really should move away from Webrick for production for several
>     reasons, including this one. It's not suggested for production use.
> 
>     If you move to Mongrel or Passenger with Apache, our two most common
>     deployment methods, you can fully specify the strong ciphers.
> 
> 
> 
> Nigel,
> 
> Well, I can go back and give Passenger another shot, but I didn't pursue
> it originally because I wasn't able to get the perfect combination of
> ruby, rack etc etc to make it work. It involves a lot of magic voodoo.
> Passenger is also installed from ruby gems which, as an ops person,
> makes my skin crawl.
> 
> Also... I'm not sure if I understand this issue correctly, but the
> client itself runs the WEBrick server, correct? What is this for? Is
> this to allow puppetrun to be run from the server? If that's the case, I
> would also have to move every client to Passenger or Mongrel as well.
> I'm not sure about Mongrel, but that means a rather complicated update
> on the clients, given Passenger's voodoo install magic.
> 
> Doug.
> 
> 
>  
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

-- 
Trevor Vaughan
 Vice President, Onyx Point, Inc.
 email: tvaug...@onyxpoint.com
 phone: 410-541-ONYX (6699)
 pgp: 0x6C701E94

-- This account not approved for unencrypted sensitive information --
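
Added example, not part of the original thread or of Puppet: a small Ruby model of the operator rules from the OpenSSL ciphers(1) manual, applied to the SSLCipherSuite string quoted from the audit advisory. It tracks only strength classes named directly or through ALL; STRICTER_STRING and the function names are constructed for this illustration.

```ruby
# Cipher string quoted in the audit advisory above.
AUDITOR_STRING  = 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
# Constructed variant for comparison (assumption, not from the thread).
STRICTER_STRING = 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!MEDIUM:+HIGH'

OPERATORS = {
  '!' => :kill,    # permanently removed, cannot be added back later
  '-' => :delete,  # removed, but a later element may add it back
  '+' => :reorder  # moved to the end of the list, nothing is removed
}.freeze

# Split a cipher string into ordered [action, keyword] pairs.
def parse_cipher_string(str)
  str.split(/[:, ]+/).reject(&:empty?).map do |element|
    if element.start_with?('@')
      [:directive, element]          # e.g. @STRENGTH
    elsif (action = OPERATORS[element[0]])
      [action, element[1..-1]]
    else
      [:add, element]                # appended; 'A+B' means A and B
    end
  end
end

# Simplified model: is a strength class still negotiable after the
# whole string is applied? Compound keywords are not resolved.
def still_enabled?(str, strength_class)
  enabled = false
  killed = false
  parse_cipher_string(str).each do |action, keyword|
    next unless [strength_class, 'ALL'].include?(keyword)
    case action
    when :add    then enabled = true
    when :delete then enabled = false
    when :kill   then killed = true
    end                              # :reorder changes order only
  end
  enabled && !killed
end

def audit(str, classes = %w[HIGH MEDIUM LOW EXP])
  classes.map { |c| [c, still_enabled?(str, c)] }.to_h
end

puts "advisory string: #{audit(AUDITOR_STRING)}"
puts "stricter string: #{audit(STRICTER_STRING)}"
```

In this model the advisory's string leaves MEDIUM enabled, because `+MEDIUM` only reorders; `openssl ciphers -v '<string>'` lists the suites a given OpenSSL build actually resolves a string to.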
