On Saturday, August 18, 2012 11:05:42 PM UTC-6, Calvin Walton wrote:
On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
I've configured our DMZ apache webserver to proxy connections from our
roaming users into our internal puppet master running under
passenger/apache. Everything is pretty much working but because I am using
SSL between the proxy server and the puppet master, the master treats the
connection as authenticated as the proxy. My current work around is to
allow access to all catalog and node items to the proxy server in
auth.conf. I'd like to try to get the master to use the ssl
information passed by the proxy as the authentication for the connection
but so far have been completely unsuccessful. Does anyone know how this
can be done? I've been poking around the code a bit but I haven't been
able to find out where the authenticated host information comes from, and
I've unable to modify anything in the apache configuration to change

To start with, I'm going to assume that the passenger/apache
configuration looks something like this:

and that your proxy server apache configuration probably looks something
like this:


If you read through, you note that the authenticated host information
gets passed to puppet through the three headers that are set by apache:
X-SSL-Subject, X-Client-DN, X-Client-Verify.

The trick to getting your case to work is to edit the puppet master's
passenger/apache configuration to pass through the values of these three
headers when receiving a request from the proxy server, instead of
filling them in from the ssl certificate. I'm not familiar enough with
apache to know the exact syntax for this.

Do note that you want to make sure to *only* pass through these headers
when receiving a request from the proxy server! Otherwise any client
could connect, even on unsecured HTTP, and pretend to be authenticated
as whomever it wants by just adding headers to the request.
Yes, my config is very much as described. However, I do not believe that
puppet does anything with the X-* headers in this case. I can set them to
something completely non-sensical in the apache config (or at least try to)
and puppet still sees the ssl client as the authenticating host. The
comments above setting those headers mention "Pound", so I suspect they are
not used in this configuration. Unfortunately I'm not familiar enough with
the application framework to confirm where the authentication stuff is
coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or
SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears
that it may be impossible to change those variables with SetEnv in the
apache config or perhaps even in another apache module.

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/_82LUZbn3a4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 5 | next ›
Discussion Overview
grouppuppet-users @
postedAug 17, '12 at 11:02p
activeAug 20, '12 at 6:17p

3 users in discussion

Opoplawski: 3 posts Kp-v: 1 post Calvin Walton: 1 post



site design / logo © 2022 Grokbase