Nginx – Puppet offloading using NGINX, 403 forbidden error

nginx · puppet · ssl

I'm currently trying to offload some of the file serving Puppet does to NGINX (as described here: http://www.masterzen.fr/2010/03/21/more-puppet-offloading/), however I keep getting 403 errors on both file and catalog retrieval.

One thing that did fix it was adding "auth any" to the first definition in my auth.conf, but as far as I'm aware that would disable client verification completely?

So am I not passing all the needed headers with NGINX or is there something else wrong? Config files follow.

/etc/puppet/puppet.conf

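[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
server = Puppet.xServ
pluginsync=false

external_nodes = /usr/sbin/external_nodes
node_terminus = exec

[master]
certname = puppet.xserv
# TLS is terminated by nginx on 8140, which forwards the client-certificate
# result to the master as HTTP headers (X-Client-Verify / X-SSL-Subject in
# the nginx config). The master's defaults look for the Apache/Passenger
# variables SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN, which nginx never sets, so
# every proxied request looks unauthenticated and auth.conf's "allow $1" on
# the catalog path rejects it with 403. Point the master at the headers nginx
# actually sends (Rack exposes "X-SSL-Subject" as HTTP_X_SSL_SUBJECT and
# "X-Client-Verify" as HTTP_X_CLIENT_VERIFY).
ssl_client_header = HTTP_X_SSL_SUBJECT
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
# With these set the master trusts those two headers unconditionally, so the
# backend on 8141 must be reachable only from nginx (bind it to 127.0.0.1);
# anything that can reach 8141 directly could present forged values.

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig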

/etc/puppet/auth.conf

# Rules are evaluated top-down; the first path that matches a request decides.

# Catalog requests: only localhost or the node whose certname equals the
# requested name (captured as $1) may fetch that catalog. Behind a TLS-
# terminating proxy this is the rule that likely yields 403 if the master has
# not been told which forwarded headers carry the client-cert verify result
# and subject DN (ssl_client_verify_header / ssl_client_header in puppet.conf).
path ~ ^/catalog/([^/]+)$
method find
allow localhost
allow $1

# Any authenticated client may read the CRL.
path /certificate_revocation_list/ca
method find
allow *

# Any authenticated client may submit reports.
path /report
method save
allow *

# Any authenticated client may fetch any file; fileserver.conf applies on top.
path /file
allow *

# Certificate bootstrap: a new agent has no certificate yet, so these paths
# must be reachable without client authentication.
path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

# Catch-all with no "allow" line: nothing not matched above is permitted.
path /
auth any 

/etc/puppet/fileserver.conf

# Files from every module are served to every client that auth.conf's /file
# rule admits; narrow this with host or IP patterns if not all nodes need all modules.
[modules]
allow *

/etc/nginx/sites.d/puppet.conf

# TLS front end on the puppet port; the master itself listens on 8141 behind it.
server {
    listen 8140;

    ssl on; 
    ssl_session_timeout 5m; 
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.xserv.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.xserv.pem; 
    # Agent certificates are checked against the puppet CA.
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem; 
    # Ask for a client cert but do not require one: certificate bootstrap
    # (the "auth no" paths in auth.conf) must work before an agent has one.
    # The outcome (e.g. SUCCESS / NONE) is exposed in $ssl_client_verify and
    # forwarded below, so the master can enforce it per path.
    ssl_verify_client optional; 

    root /etc/puppet;

    # make sure we serve everything
    # as raw 
    # NOTE(review): root/types only matter to static-file locations, and none
    # is defined here — with the single proxy location below every request,
    # file content included, still goes to the master. Confirm whether the
    # offloading locations were left out of this listing.
    types { } 
    default_type application/x-raw;

    # ask the puppetmaster for everything else
    location / { 
        proxy_pass https://127.0.0.1:8141;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Client-cert result and subject DN for the master. proxy_set_header
        # replaces any same-named header the agent sent, so these cannot be
        # injected through this proxy; the master only honours them if
        # puppet.conf names them (ssl_client_verify_header / ssl_client_header),
        # and the backend on 8141 must not be reachable except via nginx.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_buffer_size 16k;
        proxy_buffers 8 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_read_timeout 65; 
    }   
}  

Best Answer

Puppet authentication is based on the IP of origin, not on what an HTTP header says. After all, headers are easily faked. I don't know whether Puppet can be configured to take the IP it checks from a header.