Just got an update from Amazon support, 

"ELB only supports adding the X-Forwarded-For and X-Forwarded-Proto. It 
does not support adding other custom headers and there is no way for ELB to 
do so."

Cheers

On Thursday, 22 August 2013 12:14:11 UTC+12, Bency Tharakan wrote:
>
> Hi,
>
> I'm trying to do SSL offload on Amazon ELB for my puppetmaster servers; it 
> seems Amazon ELB is not sending ssl_client_header & client_verify_header
>
> puppetmaster 
>
> Listen 8141
>
> <VirtualHost *:8141>
>    SSLEngine off
>    DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/
>    RackBaseURI /
>    <Directory /etc/puppet/rack/puppetmaster_8141/>
>         PassengerEnabled on
>            Options None
>            AllowOverride None
>            Order allow,deny
>            allow from all
>     </Directory>
>
> SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
> SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
> SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
> SetEnvIf X-Forwarded-Proto "https" HTTPS=1
>
>
> SSLProxyEngine On
> # Proxy all requests that start with things like /production/certificate to the CA
> ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetlb.aws.*.co.nz:8141/$1
>     Errorlog  /var/log/httpd/puppetmaster.error.log
>     CustomLog /var/log/httpd/puppetmaster.access.log combined
> </VirtualHost>
>
>
>
> puppetca
>
> Listen 8140
>
> <VirtualHost *:8140>
>         SSLEngine off
>         # Obtain Authentication Information from Client Request Headers
>         SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>         SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
>
>         DocumentRoot /etc/puppet/rack/puppetca_8140/public/
>         <Directory /etc/puppet/rack/puppetca_8140/>
> #              PassengerEnabled on
>               Options None
>               AllowOverride None
>               Order allow,deny
>               allow from all
>         </Directory>
>
>     Errorlog  /var/log/httpd/puppetca.error.log
>     CustomLog /var/log/httpd/puppetca.access.log combined
> </VirtualHost>
>
>
>
> The error I'm getting on the backend node
>
> [root@ip-10-250-1-152 puppetmaster_18141]# puppet agent --test --no-daemonize
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /node/ip-10-250-1-152.aws.*.co.nz [find] at :125
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [search] at :125
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125 Could not retrieve file metadata for puppet://puppetlb.aws.*.co.nz/plugins: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125
> Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /catalog/ip-10-250-1-152.aws.*co.nz [find] at :125
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /report/ip-10-250-1-152.aws.*.co.nz [save] at :125
>
>
> Thanks
>

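As an added illustration (not part of the thread), the following Python models the header-to-environment mapping the quoted puppetmaster vhost performs and the authentication decision Puppet's Rack handler makes from it. It assumes puppet.conf sets ssl_client_header = SSL_CLIENT_S_DN and ssl_client_verify_header = SSL_CLIENT_VERIFY, as the SetEnvIf lines imply; the proxy address, agent name and request headers are constructed. It shows why the two headers ELB does send can only ever produce the 403 above, and why a backend must accept the identity headers only from the proxy that actually verified the client certificate.

```python
import re

# Mirrors the SetEnvIf lines of the quoted puppetmaster vhost:
# (request header, regex, environment variable, value template).
SETENVIF_RULES = [
    ("X-SSL-Subject",     r"(.*)",  "SSL_CLIENT_S_DN",   "$1"),
    ("X-Client-Verify",   r"(.*)",  "SSL_CLIENT_VERIFY", "$1"),
    ("X-Forwarded-For",   r"(.*)",  "REMOTE_ADDR",       "$1"),
    ("X-Forwarded-Proto", r"https", "HTTPS",             "1"),
]
IDENTITY_HEADERS = ("X-SSL-Subject", "X-Client-Verify")
TRUSTED_PROXIES = {"10.250.0.10"}  # constructed address of the TLS-terminating proxy

def filter_headers(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Accept identity headers only from the trusted proxy; a backend that is
    reachable directly must drop them from every other peer."""
    if peer_ip in trusted:
        return dict(headers)
    return {k: v for k, v in headers.items() if k not in IDENTITY_HEADERS}

def apply_setenvif(headers, rules=SETENVIF_RULES):
    """Emulate SetEnvIf: unanchored regex match sets the variable, $1 = group 1."""
    env = {}
    for header, pattern, var, template in rules:
        m = re.search(pattern, headers[header]) if header in headers else None
        if m:
            env[var] = template.replace("$1", m.group(1) if m.groups() else "")
    return env

def client_information(env):
    """Puppet's Rack handler with ssl_client_header=SSL_CLIENT_S_DN and
    ssl_client_verify_header=SSL_CLIENT_VERIFY: node is the DN's CN, and the
    request is authenticated only if the verify variable is exactly SUCCESS."""
    info = {"ip": env.get("REMOTE_ADDR"), "node": None,
            "authenticated": env.get("SSL_CLIENT_VERIFY") == "SUCCESS"}
    m = re.match(r"^.*?CN\s*=\s*(.*)", env.get("SSL_CLIENT_S_DN", ""))
    if m:
        info["node"] = m.group(1)
    return info

def authorize(headers, peer_ip):
    """Default auth.conf needs an authenticated agent for /node, /catalog and
    /report; anything else is the 403 seen in the quoted agent run."""
    info = client_information(apply_setenvif(filter_headers(headers, peer_ip)))
    return (200 if info["authenticated"] else 403), info

# Constructed requests: ELB-only headers (per Amazon support) vs. a cert-verifying proxy.
ELB_ONLY = {"X-Forwarded-For": "10.250.1.152", "X-Forwarded-Proto": "https"}
VERIFIED = {**ELB_ONLY, "X-Client-Verify": "SUCCESS",
            "X-SSL-Subject": "/CN=agent01.example.com"}
```

Running authorize(ELB_ONLY, "10.250.0.10") gives 403 with only the client IP known, authorize(VERIFIED, "10.250.0.10") gives 200 for agent01.example.com, and the same VERIFIED headers from an untrusted peer are stripped back to 403.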