I'm currently trying to offload some of the file serving Puppet does using NGINX (as described here: http://www.masterzen.fr/2010/03/21/more-puppet-offloading/), however I keep getting 403 errors on both file and catalog retrieval.
One thing that did fix it was adding "auth any" to the first definition in my auth.conf, yet as far as I'm aware that would disable client verification completely?
So am I not passing all the needed headers with NGINX, or is there something else wrong? Config files follow.
/etc/puppet/puppet.conf
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    # $vardir defaults to /var/lib/puppet, so this is /var/lib/puppet/ssl
    ssldir = $vardir/ssl
    # master the agent talks to; differs from the master certname below only in case
    server = Puppet.xServ
    pluginsync=false
    external_nodes = /usr/sbin/external_nodes
    node_terminus = exec
[master]
    certname = puppet.xserv
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
/etc/puppet/auth.conf
# stanzas are tried in order; 'auth yes' is the default where no 'auth' line is given
# authenticated nodes may fetch their own catalog ($1 is the node name captured from the path)
path ~ ^/catalog/([^/]+)$
method find
allow localhost
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
# prefix match: covers /file_metadata and /file_content
path /file
allow *
# certificate retrieval and CSR submission are open to unauthenticated agents
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
# anything not matched above is denied
path /
auth any
/etc/puppet/fileserver.conf
[modules]
allow *
/etc/nginx/sites.d/puppet.conf
server {
    listen 8140;
    # 'ssl on;' is the old form; current nginx releases use 'listen 8140 ssl;' instead
    ssl on;
    ssl_session_timeout 5m;
    # server certificate and key issued by the Puppet CA
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.xserv.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.xserv.pem;
    # CA used to verify agent certificates; 'optional' lets agents without a
    # certificate through (they still need to submit a CSR) and reports the
    # outcome in $ssl_client_verify
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_verify_client optional;
    root /etc/puppet;
    # make sure we serve everything
    # as raw
    types { }
    default_type application/x-raw;
    # ask the puppetmaster for everything else
    location / {
        proxy_pass https://127.0.0.1:8141;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # client-certificate result and identity forwarded to the master; the
        # master only reads the header names given by its ssl_client_verify_header
        # and ssl_client_header settings (defaults HTTP_X_CLIENT_VERIFY and
        # HTTP_X_CLIENT_DN, i.e. X-Client-Verify and X-Client-DN)
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_buffer_size 16k;
        proxy_buffers 8 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_read_timeout 65;
    }
}
Best Answer
Puppet authentication is based on the IP of origin, not on what a header file is saying. After all, header files are easily faked. I don't know if Puppet can be configured to take the IP it checks from a header file.
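The following is an added example, not code from the question, the answer or Puppet itself. It is a small model of what happens on the master side of the setup above: a request is authenticated only if the proxy's verification result and client DN arrive under the header names the master is configured to read (Puppet's ssl_client_verify_header and ssl_client_header settings, which default to HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN, the CGI names of X-Client-Verify and X-Client-DN); an unauthenticated request is instead named after the reverse lookup of its address. The auth.conf stanzas from the question are then applied in order. The node names, addresses, reverse-DNS table and forwarded headers are constructed for the example, and the model assumes the master attributes the request to the agent's address rather than the proxy's.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Optional

# Puppet's defaults for ssl_client_header and ssl_client_verify_header. The
# master reads them from the CGI-style request environment, where the HTTP
# header X-Client-DN arrives as HTTP_X_CLIENT_DN.
SSL_CLIENT_HEADER = "HTTP_X_CLIENT_DN"
SSL_CLIENT_VERIFY_HEADER = "HTTP_X_CLIENT_VERIFY"

# Constructed reverse-DNS table standing in for the resolver.
RDNS = {"10.0.0.5": "node1.example.com", "10.0.0.9": "attacker.example.com"}


def cgi_name(header: str) -> str:
    """HTTP header name -> CGI environment name (X-Client-DN -> HTTP_X_CLIENT_DN)."""
    return "HTTP_" + header.upper().replace("-", "_")


def request_identity(headers: dict, ip: str,
                     dn_header: str = SSL_CLIENT_HEADER,
                     verify_header: str = SSL_CLIENT_VERIFY_HEADER):
    """Return (node, authenticated). With a successful verification result and
    a DN under the expected header name, the node is the certificate CN.
    Headers under any other name are ignored, so the request falls back to
    being anonymous and named after the reverse lookup of its address."""
    env = {cgi_name(k): v for k, v in headers.items()}
    if env.get(verify_header) == "SUCCESS":
        m = re.search(r"CN=([^,/]+)", env.get(dn_header, ""))
        if m:
            return m.group(1), True
    return RDNS.get(ip, ip), False


@dataclass
class Right:
    """One auth.conf stanza; 'auth yes' is the default."""
    path: str
    regex: bool = False
    auth: str = "yes"              # yes | no | any
    methods: Optional[set] = None  # None = any method
    allow: list = field(default_factory=list)

    def match(self, path: str):
        if self.regex:
            m = re.search(self.path, path)
            return m.groups() if m else None
        return () if path.startswith(self.path) else None

    def decide(self, groups, method, node, authenticated, ip):
        """True/False, or None when the stanza does not apply to this request
        (other method, or other authentication state) and the next is tried."""
        if self.methods is not None and method not in self.methods:
            return None
        if (self.auth == "yes" and not authenticated) or \
           (self.auth == "no" and authenticated):
            return None
        for pattern in self.allow:
            for i, g in enumerate(groups, 1):   # $1, $2 ... are path captures
                pattern = pattern.replace(f"${i}", g)
            if pattern == "*" or pattern == node:
                return True
            if pattern == "localhost" and ip == "127.0.0.1":
                return True
        return False


def authorize(rights, path, method, headers, ip):
    """First stanza matching the path that claims the request decides; no
    stanza claiming it means deny, which is the 403 the question reports."""
    node, authenticated = request_identity(headers, ip)
    for right in rights:
        groups = right.match(path)
        if groups is None:
            continue
        verdict = right.decide(groups, method, node, authenticated, ip)
        if verdict is not None:
            return verdict
    return False


# auth.conf from the question, as posted
POSTED = [
    Right(r"^/catalog/([^/]+)$", regex=True, methods={"find"}, allow=["localhost", "$1"]),
    Right("/certificate_revocation_list/ca", methods={"find"}, allow=["*"]),
    Right("/report", methods={"save"}, allow=["*"]),
    Right("/file", allow=["*"]),
    Right("/certificate/ca", auth="no", methods={"find"}, allow=["*"]),
    Right("/certificate/", auth="no", methods={"find"}, allow=["*"]),
    Right("/certificate_request", auth="no", methods={"find", "save"}, allow=["*"]),
    Right("/", auth="any"),
]
# the "auth any" workaround from the question, applied to the catalog stanza
WORKAROUND = [replace(POSTED[0], auth="any")] + POSTED[1:]

# Constructed requests: a verified agent certificate for node1, forwarded
# under the header names in the question's nginx config, under Puppet's
# default names, and a connection that presented no certificate at all.
AGENT = "10.0.0.5"
DN = "/CN=node1.example.com"
POSTED_HEADERS = {"X-Client-Verify": "SUCCESS", "X-SSL-Subject": DN}
FIXED_HEADERS = {"X-Client-Verify": "SUCCESS", "X-Client-DN": DN}
NO_CERT_HEADERS = {"X-Client-Verify": "NONE"}

if __name__ == "__main__":
    cat = "/catalog/node1.example.com"
    print(authorize(POSTED, cat, "find", POSTED_HEADERS, AGENT))      # False: DN not read, anonymous
    print(authorize(POSTED, cat, "find", FIXED_HEADERS, AGENT))       # True
    print(authorize(WORKAROUND, cat, "find", NO_CERT_HEADERS, AGENT)) # True: no certificate needed
```

Run as a script it prints the three verdicts. The first line is the 403 from the question: the verification result arrives, but the DN is sent as X-SSL-Subject, so under the default ssl_client_header the master never sees it and treats the catalog request as anonymous, which the 'auth yes' catalog stanza skips and the final 'path /' stanza denies. The third line is the cost of the "auth any" workaround: a connection with no client certificate at all gets node1's catalog purely because its source address reverse-resolves to node1.example.com, so the certificate check has been replaced by a reverse-DNS check on the address the master sees.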