Hi Luca,

Yes, in a pre-puppetserver world I am using Apache and mod_passenger. But for scalability I'd really like to switch to puppetserver, which is meant to do all its own SSL using Trapperkeeper. Putting Apache in front of it will fail because of https://tickets.puppetlabs.com/browse/SERVER-213 and https://tickets.puppetlabs.com/browse/SERVER-217.

It actually looks like I might be able to do what I need in auth.conf, since it has a way to specify blocks specific to an environment. I'll give it a shot and see if it still works in puppetserver. A quick search turned up an issue (https://tickets.puppetlabs.com/browse/SERVER-111).

Thanks,
Mike

On Sunday, March 15, 2015 at 6:20:08 AM UTC-4, Luca Gervasi wrote:
>
> Hi Michael,
>
> I would strongly suggest putting an httpd/mod_phusion in front of your
> puppet (this leads to the <Location> syntax as you suggested).
> If, for whatever reason, your choice is to use webrick for your
> production, you could work on your "fileserver.conf". This file is
> strongly commented.
>
> Good luck.
>
> On Sunday, 15 March 2015 04:24:22 UTC+1, Michael Smith wrote:
>>
>> Hi,
>>
>> I'm setting up a puppetserver that will be shared by multiple projects
>> and would like to enforce some control over access to environment resources
>> - particularly puppet:///modules/... file server URLs.
>>
>> The environment name appears at the start of the URL, so with an
>> Apache/Passenger setup I could put IP address-based access controls on an
>> environment using a <Location> block so nodes in project A's subnet can't
>> download files from project B's environment.
>>
>> I'm looking for ideas to do the same in a puppetserver world. Really what
>> I want to do is block access to puppet:///modules/... from nodes with no
>> node definition in the current environment, and the IP address access
>> control is just an easy way of doing this in Apache/Passenger.
>>
>> I realize I could still put Apache in front of puppetserver and configure
>> access controls there - modulo a couple of bugs like SERVER-213 and
>> SERVER-217 - but maybe there's a better way using puppetserver.
>>
>> Thanks,
>> Mike
>>
>
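An added illustration of the per-environment auth.conf blocks mentioned in the reply above; it is not configuration posted by anyone in the thread. It assumes the legacy Puppet 3.x auth.conf syntax, the environment names and subnets are constructed, and whether puppetserver honours these rules is the open question the thread raises.

```conf
# Legacy Puppet 3.x auth.conf fragment (added example, not from the thread).
# Environment names and subnets below are constructed placeholders.
#
# Rules are evaluated top to bottom. The first rule whose path, method and
# environment all match decides the request, so these blocks must appear
# before the stock "path /file" rule.

# Project A: module file requests are served only to project A's subnet.
path ~ ^/file_(metadata|metadatas|content)/modules/
environment project_a
method find, search
auth yes
allow_ip 10.10.0.0/16

# Project B: same path, different environment, different subnet.
path ~ ^/file_(metadata|metadatas|content)/modules/
environment project_b
method find, search
auth yes
allow_ip 10.20.0.0/16

# Stock file server rule. Any environment without its own block above
# still falls through to this and is readable by every authenticated node.
path /file
allow *
```

A node in 10.20.0.0/16 asking for a file under project_a matches the first block on path and environment, fails its allow_ip test, and is refused without reaching the catch-all rule.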
