FAQ
I've configured our DMZ apache webserver to proxy connections from our
roaming users into our internal puppet master running under
passenger/apache. Everything is pretty much working but because I am using
SSL between the proxy server and the puppet master, the master treats the
connection as authenticated as the proxy. My current work around is to
allow access to all catalog and node items to the proxy server in
auth.conf. I'd like to try to get the master to use the ssl authentication
information passed by the proxy as the authentication for the connection
but so far have been completely unsuccessful. Does anyone know how this
can be done? I've been poking around the code a bit but I haven't been
able to find out where the authenticated host information comes from, and
I've unable to modify anything in the apache configuration to change this.

TIA,

Orion

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/o_ybNHvek7AJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Calvin Walton at Aug 19, 2012 at 5:05 am

    On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
    I've configured our DMZ apache webserver to proxy connections from our
    roaming users into our internal puppet master running under
    passenger/apache. Everything is pretty much working but because I am using
    SSL between the proxy server and the puppet master, the master treats the
    connection as authenticated as the proxy. My current work around is to
    allow access to all catalog and node items to the proxy server in
    auth.conf. I'd like to try to get the master to use the ssl authentication
    information passed by the proxy as the authentication for the connection
    but so far have been completely unsuccessful. Does anyone know how this
    can be done? I've been poking around the code a bit but I haven't been
    able to find out where the authenticated host information comes from, and
    I've unable to modify anything in the apache configuration to change this.
    To start with, I'm going to assume that the passenger/apache
    configuration looks something like this:
    http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x
    and that your proxy server apache configuration probably looks something
    like this:
    http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration

    If you read through, you note that the authenticated host information
    gets passed to puppet through the three headers that are set by apache:
    X-SSL-Subject, X-Client-DN, X-Client-Verify.

    The trick to getting your case to work is to edit the puppet master's
    passenger/apache configuration to pass through the values of these three
    headers when receiving a request from the proxy server, instead of
    filling them in from the ssl certificate. I'm not familiar enough with
    apache to know the exact syntax for this.

    Do note that you want to make sure to *only* pass through these headers
    when receiving a request from the proxy server! Otherwise any client
    could connect, even on unsecured HTTP, and pretend to be authenticated
    as whomever it wants by just adding headers to the request.

    --
    Calvin Walton <calvin.walton@kepstin.ca>

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Opoplawski at Aug 20, 2012 at 4:03 pm

    On Saturday, August 18, 2012 11:05:42 PM UTC-6, Calvin Walton wrote:
    On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
    I've configured our DMZ apache webserver to proxy connections from our
    roaming users into our internal puppet master running under
    passenger/apache. Everything is pretty much working but because I am using
    SSL between the proxy server and the puppet master, the master treats the
    connection as authenticated as the proxy. My current work around is to
    allow access to all catalog and node items to the proxy server in
    auth.conf. I'd like to try to get the master to use the ssl
    authentication
    information passed by the proxy as the authentication for the connection
    but so far have been completely unsuccessful. Does anyone know how this
    can be done? I've been poking around the code a bit but I haven't been
    able to find out where the authenticated host information comes from, and
    I've unable to modify anything in the apache configuration to change
    this.

    To start with, I'm going to assume that the passenger/apache
    configuration looks something like this:

    http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x
    and that your proxy server apache configuration probably looks something
    like this:

    http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration

    If you read through, you note that the authenticated host information
    gets passed to puppet through the three headers that are set by apache:
    X-SSL-Subject, X-Client-DN, X-Client-Verify.

    The trick to getting your case to work is to edit the puppet master's
    passenger/apache configuration to pass through the values of these three
    headers when receiving a request from the proxy server, instead of
    filling them in from the ssl certificate. I'm not familiar enough with
    apache to know the exact syntax for this.

    Do note that you want to make sure to *only* pass through these headers
    when receiving a request from the proxy server! Otherwise any client
    could connect, even on unsecured HTTP, and pretend to be authenticated
    as whomever it wants by just adding headers to the request.
    '
    Yes, my config is very much as described. However, I do not believe that
    puppet does anything with the X-* headers in this case. I can set them to
    something completely non-sensical in the apache config (or at least try to)
    and puppet still sees the ssl client as the authenticating host. The
    comments above setting those headers mention "Pound", so I suspect they are
    not used in this configuration. Unfortunately I'm not familiar enough with
    the application framework to confirm where the authentication stuff is
    coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or
    SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears
    that it may be impossible to change those variables with SetEnv in the
    apache config or perhaps even in another apache module.


    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/_82LUZbn3a4J.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Opoplawski at Aug 20, 2012 at 5:09 pm
    What I ended up doing is setting up a second passenger config that only
    accepts connections from the proxy. This config does *not* set "SSLOption
    +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy
    headers. It also is configured to only accept authenticated connections
    from the proxy.
    On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:

    I've configured our DMZ apache webserver to proxy connections from our
    roaming users into our internal puppet master running under
    passenger/apache. Everything is pretty much working but because I am using
    SSL between the proxy server and the puppet master, the master treats the
    connection as authenticated as the proxy. My current work around is to
    allow access to all catalog and node items to the proxy server in
    auth.conf. I'd like to try to get the master to use the ssl authentication
    information passed by the proxy as the authentication for the connection
    but so far have been completely unsuccessful. Does anyone know how this
    can be done? I've been poking around the code a bit but I haven't been
    able to find out where the authenticated host information comes from, and
    I've unable to modify anything in the apache configuration to change this.

    TIA,

    Orion
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/OXmTdhRtYasJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Kp-v at Aug 20, 2012 at 6:17 pm
    I think the best starting point is to read this article:
    http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

    It explains the entire process. You could use squid to intercept incoming
    requests, decrypt, then reencrypt with backend headers.
    On Monday, August 20, 2012 10:09:21 AM UTC-7, opoplawski wrote:

    What I ended up doing is setting up a second passenger config that only
    accepts connections from the proxy. This config does *not* set "SSLOption
    +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy
    headers. It also is configured to only accept authenticated connections
    from the proxy.
    On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:

    I've configured our DMZ apache webserver to proxy connections from our
    roaming users into our internal puppet master running under
    passenger/apache. Everything is pretty much working but because I am using
    SSL between the proxy server and the puppet master, the master treats the
    connection as authenticated as the proxy. My current work around is to
    allow access to all catalog and node items to the proxy server in
    auth.conf. I'd like to try to get the master to use the ssl authentication
    information passed by the proxy as the authentication for the connection
    but so far have been completely unsuccessful. Does anyone know how this
    can be done? I've been poking around the code a bit but I haven't been
    able to find out where the authenticated host information comes from, and
    I've unable to modify anything in the apache configuration to change this.

    TIA,

    Orion
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/hoFU_yD0aYIJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedAug 17, '12 at 11:02p
activeAug 20, '12 at 6:17p
posts5
users3
websitepuppetlabs.com

3 users in discussion

Opoplawski: 3 posts Kp-v: 1 post Calvin Walton: 1 post

People

Translate

site design / logo © 2022 Grokbase