Very cool, thank you so much! I'll be reviewing this and will give it a try 
as soon as I can.


> Hi Karl,
> here follow the Apache confs that work, afaik (any comment is welcome):
> - puppetserver: direct and indirect access
> - proxy server
> You can have direct and proxied clients:
> clients  
>    |
> tcp/8140
>    |
> Puppet Server
>    |
> tcp/8141 
> -----------firewall
>    |
>   RP
>    |
> tcp/8140                   
>    |              
> "remote" clients  
> Please note: (disclaimer) this setup, intended for internal networks, does 
> not have imho evident security issues; however, you have to understand what 
> issues could arise if you do not manage a "trust chain", that is, ensure 
> security of certificates, SSL, network communication, and puppetserver access. 
> More:
> - To operate this setup you must already have certificates generated by the 
> Puppet CA.
> - Certificates must contain all relevant DNS names used by servers, and 
> correct CN.
> - Pay attention to header variables and the tcp/8141 access restriction, so as 
> not to be vulnerable to "man-in-the-middle attacks".
> - You should update CRL on proxy.
> - (This setup does not have SSL client validation for RP when connecting 
> to puppetserver; SSLVerifyClient on VH 8141 recommended.)
> Verify you have in your server's puppet.conf:
>     ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
> (Change servernames and ACL as requested)
> #------------Puppet server-----------
> Listen 8141
> <VirtualHost *:8141>
>     ServerName my_puppet_servername
>     ServerAlias my_puppet_servername
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     # Passenger options that can be set in a virtual host configuration block.
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>     # X-Client variables required to verify client authentication
>     # Values are coming from the (trusted) Reverse Proxy that verifies the client certificate
>     # For correct CA emission, and CRL status
>     SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
>     SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
>     SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>     DocumentRoot /etc/puppet/rack/public
>     <Location />
>         Options None
>         Order deny,allow
>         # List IP address of your proxy
>         Allow from my_proxy_IP_address
>         Deny from all
>     </Location>
> </VirtualHost>
> Listen 8140
> <VirtualHost *:8140>
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>     # Passenger options that can be set in a virtual host configuration block.
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>     DocumentRoot /etc/puppet/rack/public
>     <Directory /etc/puppet/rack/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
> </VirtualHost>
> #---------------END Puppet Server-----------------
> #----------------RP---------------------
> Listen 8140
> <VirtualHost *:8140>
>     ServerName my_RP_servername:8140
>     SSLEngine on
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_RP_servername.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>     ErrorLog logs/error_puppet_rp_log
>     TransferLog logs/access_puppet_rp_log
>     LogLevel warn
>     CustomLog logs/ssl_request_puppet_rp_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     # Header names must match the SetEnvIf lines on the puppetserver's 8141 vhost
>     RequestHeader set X-RP-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-RP-Client-Verify %{SSL_CLIENT_VERIFY}e
>     RewriteEngine On
>     TraceEnable Off
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>     SSLProxyEngine on
>     SSLProxyVerify require
>     SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLProxyCheckPeerCN on
>     # SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername_pub_and_key.pem
>     ProxyPass / https://my_puppetserver_servername:8141/
>     ProxyPassReverse / https://my_puppetserver_servername:8141/
>     ProxyPreserveHost On
>     <Location />
>         Order deny,allow
>         allow from my_client_IP_network
>         deny from all
>     </Location>
> </VirtualHost>
> #------------END RP--------------------
> Regards
> Paolo
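The whole setup above stands or falls on the "trust chain" Paolo describes: the puppetserver believes whatever client DN and verify status arrive in the proxy-set headers, so the header names must agree on both sides, tcp/8141 must be reachable only from the proxy, the proxy must verify the backend certificate, and both ends need the CRL. The following is an added example, not code from the thread: a small Python lint that parses the relevant directives out of a backend vhost and a proxy vhost (constructed, cut-down copies of the configs above, with an assumed proxy address of 10.0.0.5) and reports where that chain is broken. The parser handles only the subset of httpd syntax used here (one directive per line, `<VirtualHost>`/`<Location>`/`<Directory>` blocks); it is a checker for these configs, not a general Apache parser.

```python
import re

# Constructed sample inputs (not the mail's real files): the trust-chain-relevant
# directives of a backend Puppet vhost on tcp/8141 and a reverse-proxy vhost on tcp/8140.
BACKEND_AS_POSTED = """
<VirtualHost *:8141>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
    SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
    <Location />
        Order deny,allow
        Allow from 10.0.0.5
        Deny from all
    </Location>
</VirtualHost>
"""
PROXY_AS_POSTED = """
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLVerifyClient optional
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerCN on
    ProxyPass / https://puppet.internal.example:8141/
</VirtualHost>
"""
# Hardened variants: header names agree end to end, the proxy must present its own
# client certificate to the backend, and SSLv3 is dropped in favour of TLS 1.2.
PROXY_HARDENED = (PROXY_AS_POSTED.replace("X-Client-", "X-RP-Client-")
                  .replace("+SSLv3 +TLSv1", "+TLSv1.2"))
BACKEND_HARDENED = (BACKEND_AS_POSTED.replace("+SSLv3 +TLSv1", "+TLSv1.2")
                    .replace("SSLEngine on", "SSLEngine on\n    SSLVerifyClient require"))


def parse(text):
    """Line-oriented parser: returns (section, name, args) triples, where section is
    'vhost' for directives directly inside <VirtualHost> or the argument of the
    enclosing <Location>/<Directory>. Directive names are lower-cased."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(\w+)\s*([^>]*)>", line)
        if m:  # opening tag
            section = m.group(2).strip() if m.group(1) in ("Location", "Directory") else "vhost"
            continue
        if line.startswith("</"):  # closing tag
            section = "vhost" if line[2:-1] in ("Location", "Directory") else None
            continue
        name, _, args = line.partition(" ")
        out.append((section, name.lower(), args.strip()))
    return out


def args_of(conf, name, section="vhost"):
    """All argument strings of directive `name` within `section`."""
    return [a for s, n, a in conf if s == section and n == name.lower()]


def lint_trust_chain(backend_text, proxy_text):
    """Return a list of human-readable findings; an empty list means the chain holds."""
    backend, proxy = parse(backend_text), parse(proxy_text)
    findings = []
    # 1. Every header the backend maps into HTTP_X_PUPPET_CLIENT_* must be one the
    #    proxy actually sets; otherwise proxied agents arrive with no verified DN.
    trusted = {a.split()[0].lower() for a in args_of(backend, "SetEnvIf")
               if "HTTP_X_PUPPET_CLIENT_" in a}
    forwarded = {a.split()[1].lower() for a in args_of(proxy, "RequestHeader")
                 if a.lower().startswith("set ") and len(a.split()) > 1}
    for h in sorted(trusted - forwarded):
        findings.append(f"backend trusts header {h} that the proxy never sets")
    # 2. tcp/8141 must accept only the proxy: any client that reaches it directly
    #    could send an identity header of its own choosing.
    if ("from all" not in [a.lower() for a in args_of(backend, "Deny", "/")]
            or not args_of(backend, "Allow", "/")):
        findings.append("tcp/8141 lacks an allow-list; forged identity headers would be accepted")
    # 3. The thread's own recommendation: authenticate the proxy by client certificate.
    if [a.lower() for a in args_of(backend, "SSLVerifyClient")] != ["require"]:
        findings.append("tcp/8141 does not require the proxy's client certificate")
    # 4. The proxy must verify the backend's certificate and CN.
    if [a.lower() for a in args_of(proxy, "SSLProxyVerify")] != ["require"]:
        findings.append("proxy does not verify the backend certificate (SSLProxyVerify require)")
    if [a.lower() for a in args_of(proxy, "SSLProxyCheckPeerCN")] != ["on"]:
        findings.append("proxy does not check the backend CN (SSLProxyCheckPeerCN on)")
    # 5. Both ends need the CRL, and neither should still offer SSLv3.
    for side, conf in (("backend", backend), ("proxy", proxy)):
        if not args_of(conf, "SSLCARevocationFile"):
            findings.append(f"{side} has no SSLCARevocationFile; revoked certificates stay accepted")
        if any("+sslv3" in a.lower() for a in args_of(conf, "SSLProtocol")):
            findings.append(f"{side} enables SSLv3; restrict SSLProtocol to TLS")
    return findings


if __name__ == "__main__":
    for f in lint_trust_chain(BACKEND_AS_POSTED, PROXY_AS_POSTED):
        print("FINDING:", f)
    print("hardened:", lint_trust_chain(BACKEND_HARDENED, PROXY_HARDENED) or "clean")
```

Run against the as-posted pair it reports five findings (the two header-name mismatches, the missing `SSLVerifyClient require` on 8141, and SSLv3 enabled on each side); the hardened pair comes back clean. The header check is the one worth keeping around: it is exactly the kind of defect that survives a copy-paste between two files and fails silently, because Puppet simply sees every proxied agent as unauthenticated.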

