Hi Puppetmasters,
I have a working configuration of a "standard" passenger/puppet setup to
which I added a second virtual host to be accessed only via reverse proxy
(mod_proxy). Passenger and mod_proxy are on different servers.

The scenario is:
direct: client --(ssl)--> passenger:8140
proxied: client --(ssl)--> mod_proxy:8141 --ssl--> passenger:8141 (accessible only from proxy IP)

I'm reviewing from a security standpoint. AFAIK the setup should have the
same level of security as "standard" passenger and "standard" balanced
solutions.

Direct virtual host (8140) has:
     SSLOptions +StdEnvVars
     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

proxied VH (IP limited access) has:
     SetEnvIf X-Client-Verify "(.*)" HTTP_X_CLIENT_VERIFY=$1
     SetEnvIf X-Client-DN "(.*)" HTTP_X_CLIENT_DN=$1
     SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1

proxy has:
     SSLVerifyClient optional
     SSLVerifyDepth 1
     SSLOptions +StdEnvVars
     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

puppet.conf:
        ssl_client_header = HTTP_X_CLIENT_DN
        ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

Do you have similar setups, or have any suggestions?

Thank you

Regards

Paolo
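
An added example (not part of the original post, and not Puppet's or Apache's own code): a small Python check for the two properties this layout depends on, namely that the proxy unconditionally overwrites X-Client-DN and X-Client-Verify, and that the vhost trusting those headers restricts its source address. The function names, the `setifempty` variant and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Headers the backend vhost copies into the variables named in puppet.conf.
IDENTITY_HEADERS = ("x-client-dn", "x-client-verify")
REQ_HEADER = re.compile(r'^\s*RequestHeader\s+(\w+)\s+"?([\w-]+)"?(.*)$', re.I)

def audit_proxy(conf):
    """Findings for the vhost that terminates client TLS and emits the headers."""
    discards = set()  # headers whose client-supplied value is always dropped
    for line in conf.splitlines():
        m = REQ_HEADER.match(line)
        if not m:
            continue
        action, header, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        # Conservative: any env=/expr= after the header name counts as a condition.
        conditional = re.search(r"\b(env|expr)=", rest) is not None
        # Only an unconditional set/unset replaces what the client sent;
        # add, append, merge and setifempty keep an existing value.
        if action in ("set", "unset") and not conditional:
            discards.add(header)
    return [f"{h}: client-supplied value can reach the backend"
            for h in IDENTITY_HEADERS if h not in discards]

def audit_backend(conf):
    """Findings for the vhost that trusts the headers via SetEnvIf."""
    flags = re.I | re.M
    trusts = re.search(r"^\s*SetEnvIf\s+X-Client-(DN|Verify)\b", conf, flags)
    limited = re.search(r"^\s*(Require\s+ip|Allow\s+from)\s+(?!all\b)\S+", conf, flags)
    if trusts and not limited:
        return ["identity headers trusted without a source-address restriction"]
    return []

# Proxy directives as posted above.
PROXY_AS_POSTED = """
SSLVerifyClient optional
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
"""
# Constructed weak variant: setifempty leaves an existing header in place.
PROXY_WEAK = PROXY_AS_POSTED.replace("set X-Client-Verify", "setifempty X-Client-Verify")
# Backend directives as posted; the post states the IP limit but does not show it.
BACKEND_AS_POSTED = """
SetEnvIf X-Client-Verify "(.*)" HTTP_X_CLIENT_VERIFY=$1
SetEnvIf X-Client-DN "(.*)" HTTP_X_CLIENT_DN=$1
"""
# Constructed: 192.0.2.10 stands in for the proxy address.
BACKEND_RESTRICTED = BACKEND_AS_POSTED + "Require ip 192.0.2.10\n"
```

The posted backend fragment is flagged only because the access-control directive is not shown in the post; run against the full vhost file, the check passes once a `Require ip` or `Allow from` line for the proxy is present.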

group: puppet-users
categories: puppet
posted: Jul 3, '13 at 10:37a
active: Jul 3, '13 at 10:37a
posts: 1
users: 1
website: puppetlabs.com
