On Tue, Jul 24, 2012 at 10:19 PM, Matt <mjbl...@gmail.com> wrote:
> The issue I ran into that caused problems was the following:
>
> Puppet 2.7.14, for some reason, on my environment sets the keylength by
> default to 4096. F5 LTM, on at least version 10.1, cannot support anything
> more than 2048 for both the cert on the F5 and the client cert for
> authentication; the LTM will allow you to add the certificate but not apply
> it to the SSL profile. The client SSL cert that each puppet agent sends, if it's
> greater than 2048, will instantly receive a TCP RST; the request to the
> puppet master will still be sent for catalog compile. More detail here:
> http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12147.html on
> the SSL key issue and what is and is not affected.

This was done because of the #6663 security concerns; I think you can
modify the puppet keylength setting when generating keys.

> Additional changes were required, but this is what my non-SSL config (what
> the F5 is proxying requests to) looks like:
>
> # Apache Configuration
> <VirtualHost *:18140>
>         ServerName puppetmaster1.example.com
>         DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>         RackBaseURI /
>         <Directory /usr/share/puppet/rack/puppetmasterd/public/>
>                 Options None
>                 AllowOverride None
>                 Order allow,deny
>                 allow from all
>         </Directory>
>         SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
>         SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>         SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>         SetEnvIf X-Forwarded-Proto "https" HTTPS=1
>
>         LogLevel error
>         ErrorLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_error_log.%Y%m%d -l /var/log/httpd/puppetmaster_error_log"
>         CustomLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_access_log.%Y%m%d -l /var/log/httpd/puppetmaster_access_log" combined
> </VirtualHost>
>
> The SSL port (8140) follows the standard guide for Apache Passenger, but
> with these three lines (like the non-SSL one):
>
>         SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
>         SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>         SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>
> Here is what the F5-specific configuration looks like; I substituted the IP
> addresses and some of the names because of my environment.
>
> pool puppet {
>    lb method member least conn
>    monitor all gateway_icmp
>    members 192.168.1.10:18140 {}
> }
>
> virtual puppet {
>    snat automap
>    pool puppet
>    destination 192.168.1.9:8140
>    ip protocol tcp
>    rules R_PUPPETMASTERS
>    profiles {
>       http {}
>       puppet {
>          clientside
>       }
>       tcp {}
>    }
> }
>
> profile clientssl puppet {
>    defaults from clientssl
>    key "puppet.key"
>    cert "puppet.crt"
>    chain "puppetca.crt"
>    ca file "puppetca.crt"
>    client cert ca "puppetca.crt"
>    renegotiate enable
>    peer cert mode require
>    authenticate always
> }
>
> # Slightly modified iRule based off of
> # http://projects.puppetlabs.com/projects/puppet/wiki/Load_Balancing_F5
> rule R_PUPPETMASTERS {
>    when HTTP_REQUEST {
>       HTTP::header insert "X-Forwarded-Proto" "https"
>       set cert_request 0
>       # Second path segment only (the first is the environment), e.g.
>       # "/certificate/" for /production/certificate/<name>
>       set path2 [URI::path [HTTP::uri] 2 2]
>
>       if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
>          set cert_request 1
>       }
>    }
>
>    when HTTP_REQUEST_SEND {
>       if { $cert_request == 0 } {
>          clientside {
>             if { [SSL::verify_result] == 0 } {
>                HTTP::header insert "X-Client-Verify" "SUCCESS"
>             }
>             HTTP::header insert "X-Client-DN" "/[X509::subject [SSL::cert 0]]"
>             HTTP::header insert "X-SSL-Subject" "/[X509::subject [SSL::cert 0]]"
>          }
>       }
>    }
> }
> # end of F5 configuration
>
> Hopefully this helps people who had similar issues that I had.

This might be a bit meta, but would anyone be interested in testing a
deployment using the puppetlabs-f5 module so puppet can set up
load-balancing on F5? So far your example doesn't seem too
complicated, and I put together an example gist (untested); I think
we can get a puppet module to deploy load balancing for puppet masters:

https://gist.github.com/3174705

I know there was a suggestion on producing a deployment doc, but I
would be all for a puppet module instead.

Thanks,

Nan
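Matt's report turns on the key size: Puppet 2.7.14 generated 4096-bit keys while the LTM 10.1 clientssl profile would not take anything above 2048 bits, for the cert on the F5 as well as for agent client certs. The following is an added example, not from the thread and not part of Puppet or the puppetlabs-f5 module: a POSIX shell check that reports the RSA modulus size of a PEM private key or X.509 certificate and flags anything over that limit, so a key can be checked before it is ever presented to the F5. It assumes the `openssl` CLI is installed; the 2048-bit ceiling is taken from Matt's description of LTM 10.1, and the paths in the usage note are assumed to be the typical Puppet 2.7 ssldir layout.

```shell
#!/bin/sh
# Added example (not from the thread): report the RSA key size of a PEM
# private key or certificate and flag anything above the 2048-bit limit
# described for the F5 LTM 10.1 clientssl profile. Requires the openssl CLI.

F5_MAX_BITS=2048   # assumed ceiling, from the thread's description of LTM 10.1

# Print the RSA bit length of a PEM file (private key or X.509 certificate).
# Prints nothing and returns 1 if the file is neither.
rsa_bits() {
  f="$1"
  if grep -q 'BEGIN CERTIFICATE' "$f"; then
    # "Public-Key: (2048 bit)" in the x509 text dump (OpenSSL 1.x and 3.x)
    openssl x509 -in "$f" -noout -text 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
  elif grep -q 'PRIVATE KEY' "$f"; then
    # "Private-Key: (2048 bit)" or "(2048 bit, 2 primes)" in the rsa text dump
    openssl rsa -in "$f" -noout -text 2>/dev/null \
      | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
  else
    return 1
  fi
}

# Return 0 if the file's key fits the F5 limit, 1 if it is too large,
# 2 if the size could not be determined (not PEM, unreadable, not RSA).
f5_key_ok() {
  bits=$(rsa_bits "$1") || return 2
  [ -n "$bits" ] || return 2
  if [ "$bits" -gt "$F5_MAX_BITS" ]; then
    echo "$1: $bits-bit RSA key exceeds $F5_MAX_BITS bits (LTM will reject it)"
    return 1
  fi
  echo "$1: $bits-bit RSA key is within the $F5_MAX_BITS-bit limit"
  return 0
}

# Stand-alone use: check every file given on the command line and exit
# non-zero if any of them is over the limit or could not be read.
if [ "$#" -gt 0 ]; then
  rc=0
  for f in "$@"; do
    f5_key_ok "$f" || rc=1
  done
  exit "$rc"
fi
```

Run it against the master's own key and cert and the agent certs the master has signed, e.g. `sh check_keys.sh /var/lib/puppet/ssl/private_keys/*.pem /var/lib/puppet/ssl/ca/signed/*.pem` (those paths assume the default 2.7 ssldir). Agents that come back over 2048 bits need a fresh key generated after `keylength` has been lowered in puppet.conf, as Nan suggests; changing the setting alone does not shrink keys that already exist.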

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.