[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-11-21 Thread Greg Thompson


On Monday, 22 October 2012 11:03:06 UTC+1, Geert Booster wrote:
>
> Hello,
>
> On Thursday, 7 June 2012 08:44:54 UTC+2, vulzscht wrote the following:
>>
>> i will dig into it a bit more and provide my results here in case of 
>> success 
>>
>>
> Did you find any solution? I am looking at the same problems, after a 
> fresh puppetmaster install with passenger, getting:
>
> err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
> Forbidden request: FQDN(IP.Addr) access to /catalog/fqdn [find] at line 93
>
> ./ssl/certs/ca.pem is available...
>
> Regards,
>
> Geert
>  
>

Hi Geert,

I'm not sure if you are still having this problem but I was suffering from 
it myself. I finally found that the problem was due to the following two 
lines in my puppet.conf.

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

Once removed, puppet works fine under nginx. I had noticed that they were 
absent in this set of instructions that I was following 
(http://z0mbix.github.com/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/) 
but assumed that they needed to be there, as the comment says to uncomment 
them when using passenger. Hope this helps.

Regards,
Greg
 

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/aKHa4HPZArkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-10-22 Thread Geert Booster
Hello,

On Thursday, 7 June 2012 08:44:54 UTC+2, vulzscht wrote the following:
>
> i will dig into it a bit more and provide my results here in case of 
> success 
>
>
Did you find any solution? I am looking at the same problems, after a 
fresh puppetmaster install with passenger, getting:

err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: FQDN(IP.Addr) access to /catalog/fqdn [find] at line 93

./ssl/certs/ca.pem is available...

Regards,

Geert
 




[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-06-06 Thread vulzscht
Unfortunately this hasn't helped me with auth.conf;
even with your config it returns a 403 error.

I will dig into it a bit more and provide my results here in case of
success.

On Jun 5, 4:35 pm, Rémi  wrote:
> Ok. No problem for me with Nginx.
> So this is configuration, if you want to compare with yours :
>
> *nginx.conf :*
> worker_processes  4;
>
> events {
>     worker_connections  1024;
>
> }
>
> http {
>     passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11;
>     passenger_ruby /usr/bin/ruby;
>     passenger_use_global_queue on;
>     passenger_max_pool_size 15;
>     passenger_pool_idle_time 300;
>
>     include       mime.types;
>     default_type  application/octet-stream;
>
>     sendfile      on;
>     tcp_nopush    on;
>
>     # KeepAlive
>     keepalive_timeout  65;
>     tcp_nodelay        on;
>
>     server {
>         listen       8140 ssl;
>         server_name  puppetmaster.x.x;
>
>     passenger_enabled on;
>     passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
>     passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
>         access_log /var/log/nginx/puppetmaster.access.log;
>         error_log  /var/log/nginx/puppetmaster.error.log;
>
>     root /var/www/puppetmaster/public;
>     ssl_certificate /var/lib/puppet/ssl/certs/puppet.x.x.pem;
>     ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.x.x.pem;
>     ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
>     ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
>     ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
>     ssl_prefer_server_ciphers on;
>     ssl_verify_client optional;
>     ssl_verify_depth 1;
>     ssl_session_cache shared:SSL:128m;
>     ssl_session_timeout 5m;
>     }
>
> }
>
> */etc/puppet/auth.conf :*
> # Allow authenticated nodes to retrieve their own catalogs:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
>
> path /file
> allow *
>
> # Allow authenticated nodes to access the certificate revocation list:
>
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # Allow authenticated nodes to send reports:
>
> path /report
> method save
> allow *
>
> # Allow unauthenticated access to certificates:
>
> path /certificate/ca
> auth no
> method find
> allow *
>
> path /certificate/
> auth no
> method find
> allow *
>
> # Allow unauthenticated nodes to submit certificate signing requests:
>
> path /certificate_request
> auth no
> method find, save
> allow *
>
> # Exec Puppet
>
> path /run
> method save
> allow puppet.x.x
>
> # Facts
>
> path /facts
> auth any
> method find, search, save
> allow dashboard.x.x
>
> path /facts_search
> auth any
> method find, search, save
> allow dashboard.x.x
>
> # Deny all other requests:
>
> path /
> auth any
>
> I hope this helps.
>
> On Tuesday, June 5, 2012 1:47:14 PM UTC+2, vulzscht wrote:
>
> > Thanks, Rémi
>
> > But this is already this way
> > # ls -l /etc/puppet/rack/config.ru
> > -rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru
>
> > for me it solved with adding
> > auth no
> > allow *
> > to every record in /etc/puppet/auth.conf
>
> > but i'm sure this is not good idea. I still can't understand why it
> > (permissions from auth.conf) works with apache, but not nginx.
> > i would rather suppose that real ip address not available in ruby
> > application (it sees it as ip of puppetmaster), but have no idea how
> > to check it...
> > any suggestion will be appreciated
>
> > On Jun 4, 6:05 pm, Rémi  wrote:
> > > Hi,
>
> > > Check file permission of /etc/puppet/rack/public/config.ru and restart
> > > Nginx. The user/group must be "puppet".
> > > Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> > > (in french).
>
> > > Regards
>
> > > On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
>
> > > > Hello!
>
> > > > Are there any success stories with nginx, passenger and puppetmaster?
>
> > > > I'm trying to setup mentioned scheme and have problems - client cannot
> > > > get its own catalog (removed only hostnames and domain names)
>
> > > > err: Could not retrieve catalog from remote server: Error 403 on
> > > > SERVER: Forbidden request: puppethost (10.88.5.254) access to
> > /catalog/
> > > > puppethost [find] at line 93
> > > > info: Not using expired catalog for puppethost from cache; expired at
> > > > Fri Jun 01 17:33:24 + 2012
> > > > notice: Using cached catalog
> > > > err: Could not retrieve catalog; skipping run
> > > > err: Could not send report: Error 403 on SERVER: Forbidden request:
> > > > puppethost(10.88.5.254) access to /report/puppethost [save] at line 93
>
> > > > on nginx side it looks this way
> > > > 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "GET /production/catalog/
> > > > puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-"
> > > > "-"
> > > > 10.88.5.254 - - [0

[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-06-05 Thread Rémi
Ok. No problem for me with Nginx.
So this is configuration, if you want to compare with yours :

*nginx.conf :*
worker_processes  4;

events {
    worker_connections  1024;
}

http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11;
    passenger_ruby /usr/bin/ruby;
    passenger_use_global_queue on;
    passenger_max_pool_size 15;
    passenger_pool_idle_time 300;

    include       mime.types;
    default_type  application/octet-stream;

    sendfile      on;
    tcp_nopush    on;

    # KeepAlive
    keepalive_timeout  65;
    tcp_nodelay        on;

    server {
        listen       8140 ssl;
        server_name  puppetmaster.x.x;

        passenger_enabled on;
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

        access_log /var/log/nginx/puppetmaster.access.log;
        error_log  /var/log/nginx/puppetmaster.error.log;

        root /var/www/puppetmaster/public;
        ssl_certificate /var/lib/puppet/ssl/certs/puppet.x.x.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.x.x.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_client optional;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
        ssl_session_timeout 5m;
    }
}

*/etc/puppet/auth.conf :*
# Allow authenticated nodes to retrieve their own catalogs:

path ~ ^/catalog/([^/]+)$
method find
allow $1

# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:

path /file
allow *

# Allow authenticated nodes to access the certificate revocation list:

path /certificate_revocation_list/ca
method find
allow *

# Allow authenticated nodes to send reports:

path /report
method save
allow *

# Allow unauthenticated access to certificates:

path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

# Allow unauthenticated nodes to submit certificate signing requests:

path /certificate_request
auth no
method find, save
allow *

# Exec Puppet

path /run
method save
allow puppet.x.x

# Facts

path /facts
auth any
method find, search, save
allow dashboard.x.x

path /facts_search
auth any
method find, search, save
allow dashboard.x.x

# Deny all other requests:

path /
auth any

I hope this helps.

On Tuesday, June 5, 2012 1:47:14 PM UTC+2, vulzscht wrote:
>
> Thanks, Rémi 
>
> But this is already this way 
> # ls -l /etc/puppet/rack/config.ru 
> -rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru
>
> for me it solved with adding 
> auth no 
> allow * 
> to every record in /etc/puppet/auth.conf 
>
> but i'm sure this is not good idea. I still can't understand why it 
> (permissions from auth.conf) works with apache, but not nginx. 
> i would rather suppose that real ip address not available in ruby 
> application (it sees it as ip of puppetmaster), but have no idea how 
> to check it... 
> any suggestion will be appreciated 
>
>
> On Jun 4, 6:05 pm, Rémi  wrote: 
> > Hi, 
> > 
> > Check file permission of /etc/puppet/rack/public/config.ru and restart 
> > Nginx. The user/group must be "puppet". 
> > Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> > (in french). 
> > 
> > Regards 
> >
> > On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote: 
> > 
> > > Hello! 
> > 
> > > Are there any success stories with nginx, passenger and puppetmaster? 
> > 
> > > I'm trying to setup mentioned scheme and have problems - client cannot 
> > > get its own catalog (removed only hostnames and domain names) 
> > 
> > > err: Could not retrieve catalog from remote server: Error 403 on 
> > > SERVER: Forbidden request: puppethost (10.88.5.254) access to 
> /catalog/ 
> > > puppethost [find] at line 93 
> > > info: Not using expired catalog for puppethost from cache; expired at 
> > > Fri Jun 01 17:33:24 + 2012 
> > > notice: Using cached catalog 
> > > err: Could not retrieve catalog; skipping run 
> > > err: Could not send report: Error 403 on SERVER: Forbidden request: 
> > > puppethost(10.88.5.254) access to /report/puppethost [save] at line 93 
> > 
> > > on nginx side it looks this way 
> > > 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "GET /production/catalog/ 
> > > puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-" 
> > > "-" 
> > > 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "PUT /production/report/ 
> > > puppethost HTTP/1.1" 403 107 "-" "-" 
> > 
> > > my nginx configs 
> > > # cat /etc/nginx/conf.d/passenger.conf 
> > > passenger_root /usr/lib/ruby/1.8/phusion_passenger; 
> > 
> > > # cat /etc/nginx/conf.d/puppet.conf 
> > > server { 
> > >   listen 8140 ssl; 
> > >   server_name                puppetmaster.domain; 
> > >   default_type a

[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-06-05 Thread vulzscht
Thanks, Rémi

But this is already this way
# ls -l /etc/puppet/rack/config.ru
-rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru

For me it was solved by adding
auth no
allow *
to every record in /etc/puppet/auth.conf.

But I'm sure this is not a good idea. I still can't understand why it
(permissions from auth.conf) works with apache, but not nginx.
I would rather suppose that the real IP address is not available in the ruby
application (it sees it as the IP of the puppetmaster), but have no idea how
to check it...
Any suggestion will be appreciated.


On Jun 4, 6:05 pm, Rémi  wrote:
> Hi,
>
> Check file permission of /etc/puppet/rack/public/config.ru and restart
> Nginx. The user/group must be "puppet".
> Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> (in french).
>
> Regards
>
> On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
>
> > Hello!
>
> > Are there any success stories with nginx, passenger and puppetmaster?
>
> > I'm trying to setup mentioned scheme and have problems - client cannot
> > get its own catalog (removed only hostnames and domain names)
>
> > err: Could not retrieve catalog from remote server: Error 403 on
> > SERVER: Forbidden request: puppethost (10.88.5.254) access to /catalog/
> > puppethost [find] at line 93
> > info: Not using expired catalog for puppethost from cache; expired at
> > Fri Jun 01 17:33:24 + 2012
> > notice: Using cached catalog
> > err: Could not retrieve catalog; skipping run
> > err: Could not send report: Error 403 on SERVER: Forbidden request:
> > puppethost(10.88.5.254) access to /report/puppethost [save] at line 93
>
> > on nginx side it looks this way
> > 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "GET /production/catalog/
> > puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-"
> > "-"
> > 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "PUT /production/report/
> > puppethost HTTP/1.1" 403 107 "-" "-"
>
> > my nginx configs
> > # cat /etc/nginx/conf.d/passenger.conf
> > passenger_root /usr/lib/ruby/1.8/phusion_passenger;
>
> > # cat /etc/nginx/conf.d/puppet.conf
> > server {
> >   listen                     8140 ssl;
> >   server_name                puppetmaster.domain;
> >   default_type application/x-raw;
> >   ssl        on;
>
> >   root                       /etc/puppet/rack/public;
> >   passenger_enabled          on;
> >   passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;
> >   passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
> >   access_log                 /var/log/nginx/puppet_access.log;
> >   error_log                  /var/log/nginx/puppet_error.log;
>
> >   ssl_certificate            /var/lib/puppet/ssl/certs/
> > puppetmaster.domain.pem;
> >   ssl_certificate_key        /var/lib/puppet/ssl/private_keys/
> > puppetmaster.domain.pem;
> >   #ssl_crl                    /var/lib/puppet/ssl/ca/ca_crl.pem;
> >   ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
> >   ssl_protocols                   SSLv3 TLSv1;
> >   ssl_ciphers                HIGH:+MEDIUM;
> >   ssl_prefer_server_ciphers  on;
> >   ssl_verify_client          optional;
> >   ssl_verify_depth           1;
> >   ssl_session_cache          shared:SSL:128m;
> >   ssl_session_timeout        5m;
>
> >   proxy_redirect         off;
> >   proxy_set_header Host              $host;
> >   proxy_set_header X-Real-IP         $remote_addr;
> >   proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
> >   proxy_set_header    X-Client-Verify  $ssl_client_verify;
> >   proxy_set_header    X-Client-DN $ssl_client_s_dn;
> >   proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
> >   proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
> > }
>
> > but it works fine with default puppetmaster startup script, i.e. on
> > webrick
> > also i have succesfully configured standalone puppetmaster and apache
> > + passenger, but in this case i'm at a loss.

[Puppet Users] Re: Nginx + passenger + puppetmaster

2012-06-04 Thread Rémi
Hi,

Check file permission of /etc/puppet/rack/public/config.ru and restart 
Nginx. The user/group must be "puppet".
Take a look at 
http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-partie-2/ 
(in french).

Regards


On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
>
> Hello! 
>
> Are there any success stories with nginx, passenger and puppetmaster? 
>
> I'm trying to setup mentioned scheme and have problems - client cannot 
> get its own catalog (removed only hostnames and domain names) 
>
> err: Could not retrieve catalog from remote server: Error 403 on 
> SERVER: Forbidden request: puppethost (10.88.5.254) access to /catalog/ 
> puppethost [find] at line 93 
> info: Not using expired catalog for puppethost from cache; expired at 
> Fri Jun 01 17:33:24 + 2012 
> notice: Using cached catalog 
> err: Could not retrieve catalog; skipping run 
> err: Could not send report: Error 403 on SERVER: Forbidden request: 
> puppethost(10.88.5.254) access to /report/puppethost [save] at line 93 
>
> on nginx side it looks this way 
> 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "GET /production/catalog/ 
> puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-" 
> "-" 
> 10.88.5.254 - - [04/Jun/2012:08:44:58 +] "PUT /production/report/ 
> puppethost HTTP/1.1" 403 107 "-" "-" 
>
> my nginx configs 
> # cat /etc/nginx/conf.d/passenger.conf 
> passenger_root /usr/lib/ruby/1.8/phusion_passenger; 
>
> # cat /etc/nginx/conf.d/puppet.conf 
> server {
>   listen                     8140 ssl;
>   server_name                puppetmaster.domain;
>   default_type               application/x-raw;
>   ssl                        on;
>
>   root                       /etc/puppet/rack/public;
>   passenger_enabled          on;
>   passenger_set_cgi_param    HTTP_X_CLIENT_DN $ssl_client_s_dn;
>   passenger_set_cgi_param    HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
>   access_log                 /var/log/nginx/puppet_access.log;
>   error_log                  /var/log/nginx/puppet_error.log;
>
>   ssl_certificate            /var/lib/puppet/ssl/certs/puppetmaster.domain.pem;
>   ssl_certificate_key        /var/lib/puppet/ssl/private_keys/puppetmaster.domain.pem;
>   #ssl_crl                   /var/lib/puppet/ssl/ca/ca_crl.pem;
>   ssl_client_certificate     /var/lib/puppet/ssl/certs/ca.pem;
>   ssl_protocols              SSLv3 TLSv1;
>   ssl_ciphers                HIGH:+MEDIUM;
>   ssl_prefer_server_ciphers  on;
>   ssl_verify_client          optional;
>   ssl_verify_depth           1;
>   ssl_session_cache          shared:SSL:128m;
>   ssl_session_timeout        5m;
>
>   proxy_redirect             off;
>   proxy_set_header           Host             $host;
>   proxy_set_header           X-Real-IP        $remote_addr;
>   proxy_set_header           X-Forwarded-For  $proxy_add_x_forwarded_for;
>   proxy_set_header           X-Client-Verify  $ssl_client_verify;
>   proxy_set_header           X-Client-DN      $ssl_client_s_dn;
>   proxy_set_header           X-SSL-Subject    $ssl_client_s_dn;
>   proxy_set_header           X-SSL-Issuer     $ssl_client_i_dn;
> }
>
> but it works fine with default puppetmaster startup script, i.e. on 
> webrick 
> also i have succesfully configured standalone puppetmaster and apache 
> + passenger, but in this case i'm at a loss.



Re: [Puppet Users] Re: nginx + passenger + puppetmaster

2010-09-23 Thread Jeff McCune
On Thu, Sep 23, 2010 at 7:40 AM, Jakub Heichman  wrote:
> On 29 June, 19:44, Dan Urist  wrote:
>> I have this in my puppet.conf:
>>
>> [puppetmasterd]
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>> [..]
>>         proxy_set_header    Host                $host;
>>         proxy_set_header    X-Real-IP           $remote_addr;
>>         proxy_set_header    X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like the 'proxy_set_header' option will
> not have any effect with the Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.

This stanza in the front end 8140 server works for me when setting
the client headers in the HTTP request.

This is with nginx 0.7.67 and passenger 2.2.11:

  server {
    listen 8140 default ssl;
    ssl_certificate /var/lib/puppet/ssl/certs/chain.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;
    ssl_crl /var/lib/puppet/ssl/crl.pem;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache   shared:SSL:8m;
    ssl_session_timeout 5m;
    server_name  puppet;
    location / {
      proxy_pass  http://puppet-production;
      proxy_redirect  off;
      proxy_set_header  Host             $host;
      proxy_set_header  X-Real-IP        $remote_addr;
      proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header  X-Client-Verify  $ssl_client_verify;
      proxy_set_header  X-Client-DN      $ssl_client_s_dn;
      proxy_set_header  X-SSL-Subject    $ssl_client_s_dn;
      proxy_set_header  X-SSL-Issuer     $ssl_client_i_dn;
      proxy_read_timeout  65;
    }
  }

-- 
Jeff McCune
http://www.puppetlabs.com/




Re: [Puppet Users] Re: nginx + passenger + puppetmaster

2010-09-23 Thread Richard Crowley
On Thu, Sep 23, 2010 at 7:52 AM, Dan Urist  wrote:
> I've switched to using nginx+unicorn, and haven't had any issues. The
> only hassle for me is that I'm running it under Ubuntu, and unicorn
> isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
> and don't have the advantage of automated updates.

Unicorn FTW.  Here's how I've configured it thus far:

https://devstructure.com/blueprints/rcrowley/puppet-master

Rich




[Puppet Users] Re: nginx + passenger + puppetmaster

2010-09-23 Thread Jakub Heichman
On 29 June, 19:44, Dan Urist  wrote:
> I have this in my puppet.conf:
>
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> [..]
>         proxy_set_header    Host                $host;
>         proxy_set_header    X-Real-IP           $remote_addr;
>         proxy_set_header    X-Forwarded-For

Hi Dan,

I had the same problem, it looks like the 'proxy_set_header' option will
not have any effect with the Passenger module.
I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
options instead.

This seems to work for me:

nginx.conf:
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

[puppetmasterd]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

Kind regards,
Jakub
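Added example, not part of this thread and not Puppet's own code: a small Ruby model of the mechanism Jakub describes here and that Greg's fix at the top of the thread relies on. Passenger exposes whatever passenger_set_cgi_param sets as a CGI variable, and the Rack-hosted puppetmaster reads the client identity from the variables named by ssl_client_header and ssl_client_verify_header. Puppet's defaults for those two settings are HTTP_X_CLIENT_DN and HTTP_X_CLIENT_VERIFY, which is why removing the SSL_CLIENT_S_DN lines from puppet.conf (Greg) or naming the HTTP_X_ variables explicitly (Jakub) both work. When the names do not match what nginx sets, the request is treated as unauthenticated, the auth.conf rules that default to `auth yes` are skipped, and the request falls through to the catch-all `path /` rule, which denies it; that is the 403 on /catalog/<fqdn> and /report/<fqdn> seen throughout the thread. `parse_auth_conf`, `resolve_client` and `authorized?` are my simplified reconstructions of that logic, not Puppet's API; the auth.conf excerpt and the CGI environment are constructed from values posted in the thread.

```ruby
# Added example (not Puppet's code): how header names in puppet.conf decide
# whether a node is authenticated, and how auth.conf rules are then applied.

# auth.conf excerpt, constructed from the rules posted in this thread.
AUTH_CONF = <<~CONF
  # Allow authenticated nodes to retrieve their own catalogs:
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  # Allow authenticated nodes to send reports:
  path /report
  method save
  allow *

  # Allow unauthenticated access to certificates:
  path /certificate/
  auth no
  method find
  allow *

  # Deny all other requests:
  path /
  auth any
CONF

# One stanza: auth defaults to "yes" (authenticated clients only), verbs nil
# means any method, an empty allow list denies everyone.
Rule = Struct.new(:prefix, :regex, :auth, :verbs, :allow)

# A "path" line opens a rule; following attribute lines belong to it.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      regex = value.start_with?('~ ') ? Regexp.new(value[2..-1]) : nil
      rules << Rule.new(regex ? nil : value, regex, 'yes', nil, [])
    when 'auth'   then rules.last.auth  = value
    when 'method' then rules.last.verbs = value.split(/,\s*/)
    when 'allow'  then rules.last.allow = value.split(/,\s*/)
    end
  end
  rules
end

# Simplified identity resolution: read the CGI variables named by the two
# puppet.conf settings (defaults shown are Puppet's own defaults, which is
# what the passenger_set_cgi_param lines in the thread populate).
def resolve_client(env, ssl_client_header: 'HTTP_X_CLIENT_DN',
                   ssl_client_verify_header: 'HTTP_X_CLIENT_VERIFY')
  dn = env[ssl_client_header]
  cn = dn && dn[/CN=([^,\/]+)/, 1]
  if env[ssl_client_verify_header] == 'SUCCESS' && cn
    { name: cn, authenticated: true }
  else
    # Unauthenticated: known only by address (Puppet would reverse-resolve it;
    # this model keeps the IP).
    { name: env['REMOTE_ADDR'], authenticated: false }
  end
end

# Rules are tried in file order; a rule whose path, method or auth requirement
# does not fit is skipped, and the first rule that fits decides. Request paths
# are given without the environment prefix, as Puppet matches them.
def authorized?(rules, path, verb, client)
  rules.each do |rule|
    captures = []
    if rule.regex
      m = rule.regex.match(path)
      next unless m
      captures = m.captures
    else
      next unless path.start_with?(rule.prefix)
    end
    next if rule.verbs && !rule.verbs.include?(verb)
    next if rule.auth == 'yes' && !client[:authenticated]
    next if rule.auth == 'no'  &&  client[:authenticated]
    allowed = rule.allow.any? do |entry|
      if entry == '*'
        true
      elsif entry.start_with?('$')   # "allow $1": compare with the path capture
        captures[entry[1..-1].to_i - 1] == client[:name]
      else
        entry == client[:name]
      end
    end
    return allowed
  end
  false
end

# Constructed CGI environment as nginx + passenger present it when the two
# passenger_set_cgi_param lines from the thread are in place.
CGI_ENV = {
  'REMOTE_ADDR'          => '10.88.5.254',
  'HTTP_X_CLIENT_DN'     => '/CN=puppethost',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
}.freeze

def demo
  rules = parse_auth_conf(AUTH_CONF)
  ok  = resolve_client(CGI_ENV)
  # puppet.conf pointing at SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY (the lines Greg
  # removed): nginx never sets those, so the same node looks unauthenticated.
  bad = resolve_client(CGI_ENV, ssl_client_header: 'SSL_CLIENT_S_DN',
                       ssl_client_verify_header: 'SSL_CLIENT_VERIFY')
  {
    own_catalog_matching_headers:   authorized?(rules, '/catalog/puppethost', 'find', ok),
    own_catalog_mismatched_headers: authorized?(rules, '/catalog/puppethost', 'find', bad),
    other_nodes_catalog:            authorized?(rules, '/catalog/otherhost', 'find', ok),
    report_mismatched_headers:      authorized?(rules, '/report/puppethost', 'save', bad),
    ca_cert_unauthenticated:        authorized?(rules, '/certificate/ca', 'find', bad),
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Run it with `ruby` to see the five outcomes: only the mismatched-header cases and the request for another node's catalog are denied. The model also shows why the header names are security-relevant rather than cosmetic: the application trusts a plain CGI variable as the node's identity, so nginx must always overwrite it from the TLS layer ($ssl_client_s_dn and $ssl_client_verify), which is what passenger_set_cgi_param and, in a proxied setup, proxy_set_header do; a variable the application reads but nginx never sets is the failure mode in this thread, and a variable the application reads that nginx does not overwrite would be the opposite one.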





[Puppet Users] Re: nginx + passenger + puppetmaster

2010-09-23 Thread Dan Urist
I've switched to using nginx+unicorn, and haven't had any issues. The
only hassle for me is that I'm running it under Ubuntu, and unicorn
isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
and don't have the advantage of automated updates. 

On Thu, 23 Sep 2010 07:40:21 -0700 (PDT)
Jakub Heichman  wrote:

> On 29 June, 19:44, Dan Urist  wrote:
> > I have this in my puppet.conf:
> >
> > [puppetmasterd]
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > [..]
> >         proxy_set_header    Host                $host;
> >         proxy_set_header    X-Real-IP           $remote_addr;
> >         proxy_set_header    X-Forwarded-For
> 
> Hi Dan,
> 
> I had the same problem, it looks like the 'proxy_set_header' option will
> not have any effect with the Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.
> 
> This seems to work for me:
> 
> nginx.conf:
> passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
> passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
> 
> [puppetmasterd]
> ssl_client_header = HTTP_X_CLIENT_DN
> ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
> 
> Kind regards,
> Jakub
> 
> 



-- 
Dan Urist
dur...@ucar.edu
303-497-2459
