Hi,

I have some questions about Puppet client requests through a reverse
SSL proxy with Apache and mod_ssl.
It's about pure design and public IP addresses. I want to use the Puppet
framework in a distributed environment over a public network with NAT
and so on.

We already have a reverse proxy which handles SSL termination for web
server publication. Sites are published over HTTPS with a wildcard
cert and forwarded to HTTP on the secure network.

We would like to use port 443 for communication from the Puppet client to
the puppetmaster server. And last but not least: be able to use the
same reverse proxy as much as possible.

Puppet has its own cert infrastructure.
We have our own cert for the reverse proxy.

But there is a design problem with an IP:port binding to only one SSL cert.
So we can't publish it through the same reverse proxy (or the same
public IP).

So we have to:

* use another IP for Puppet
* use the same cert for Puppet and the other hosting: can we move cert
management out of Puppet?

RFC 4346 ( http://www.ietf.org/rfc/rfc4366.txt ) defines SNI for this
purpose: the hostname is passed in the SSL handshake, thus Apache + OpenSSL
0.9.8f+ + mod_ssl can use multi-cert virtual hosts. Good feature to
add for Puppet?

I have not really tested this new feature with multiple hosting, with and
without the SNI requirement, so I don't know if there are some
drawbacks.

I would like your thoughts on the right design.

By the way great piece of work ;)

Best regards.
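One way to lay out the SNI-based proxy the post asks about, as an added example that is not from the original thread or from the Puppet project: two name-based SSL vhosts on the same IP:443, the Puppet one serving a cert from the Puppet CA and verifying agent client certs before forwarding, the web one keeping the existing wildcard cert. All hostnames, file paths and backend addresses are assumed placeholders; 8140 is Puppet's default master port.

```apache
# Apache 2.2.12+ with mod_ssl, mod_headers, mod_proxy, mod_proxy_http,
# built against OpenSSL 0.9.8f+ so that SNI is available.
Listen 443
NameVirtualHost *:443

# The first vhost is the default for this IP:port. A client that sends
# no SNI lands here, so the Puppet vhost is listed first in case some
# agents cannot send SNI; SSLStrictSNIVHostCheck off lets them connect.
<VirtualHost *:443>
    ServerName puppet.example.com
    SSLEngine on
    SSLStrictSNIVHostCheck off
    # Proxy cert issued by the Puppet CA to this hostname (assumed paths)
    SSLCertificateFile    /etc/apache2/ssl/puppet/puppet.example.com.pem
    SSLCertificateKeyFile /etc/apache2/ssl/puppet/puppet.example.com.key
    # Verify agent client certs against the Puppet CA so node identity
    # survives SSL termination on the proxy (assumed copy of the CA cert)
    SSLCACertificateFile  /etc/apache2/ssl/puppet/ca_crt.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Pass the verified identity to the master over plain HTTP.
    # Headers are always overwritten here, never copied from the client,
    # and the backend must be reachable only from this proxy, otherwise
    # anyone able to reach 8140 directly could forge them.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}e"
    ProxyPreserveHost on
    ProxyPass        / http://10.0.0.10:8140/
    ProxyPassReverse / http://10.0.0.10:8140/
</VirtualHost>

# Existing web publication on the same IP:port; SNI selects this vhost
# and its wildcard cert when the client asks for a matching hostname.
<VirtualHost *:443>
    ServerName  www.example.com
    ServerAlias *.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/wildcard.example.com.pem
    SSLCertificateKeyFile /etc/apache2/ssl/wildcard.example.com.key
    ProxyPass        / http://10.0.0.20:80/
    ProxyPassReverse / http://10.0.0.20:80/
</VirtualHost>
```

For this to authenticate nodes, the puppetmaster behind the proxy has to accept plain HTTP and take the agent identity from these headers (Puppet's ssl_client_header and ssl_client_verify_header settings) instead of doing its own SSL on 8140.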






You received this message because you are subscribed to the Google Groups "Puppet Users" group.