Just got an update from Amazon support, "ELB only supports adding the X-Forwarded-For and X-Forwarded-Proto. It does not support adding other custom headers and there is no way for ELB to do so."
Cheers

On Thursday, 22 August 2013 12:14:11 UTC+12, Bency Tharakan wrote:
>
> Hi,
>
> I'm trying to do ssl offload on amazon ELB for my puppetmaster servers, it
> seems amazon ELB is not sending ssl_client_header & client_verify_header
>
> puppetmaster
>
> Listen 8141
>
> <VirtualHost *:8141>
>     SSLEngine off
>     DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/
>     RackBaseURI /
>     <Directory /etc/puppet/rack/puppetmaster_8141/>
>         PassengerEnabled on
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
>
>     SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
>     SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>     SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>     SetEnvIf X-Forwarded-Proto "https" HTTPS=1
>
>     SSLProxyEngine On
>     # Proxy all requests that start with things like /production/certificate to the CA
>     ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetlb.aws.*.co.nz:8141/$1
>     Errorlog /var/log/httpd/puppetmaster.error.log
>     CustomLog /var/log/httpd/puppetmaster.access.log combined
> </VirtualHost>
>
> puppetca
>
> Listen 8140
>
> <VirtualHost *:8140>
>     SSLEngine off
>     # Obtain Authentication Information from Client Request Headers
>     SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>     SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
>
>     DocumentRoot /etc/puppet/rack/puppetca_8140/public/
>     <Directory /etc/puppet/rack/puppetca_8140/>
>         # PassengerEnabled on
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
>
>     Errorlog /var/log/httpd/puppetca.error.log
>     CustomLog /var/log/httpd/puppetca.access.log combined
> </VirtualHost>
>
> The error I'm getting on the backend node
>
> [root@ip-10-250-1-152 puppetmaster_18141]# puppet agent --test --no-daemonize
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /node/ip-10-250-1-152.aws.*.co.nz [find] at :125
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [search] at :125
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125 Could not retrieve file metadata for puppet://puppetlb.aws.*.co.nz/plugins: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125
> Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /catalog/ip-10-250-1-152.aws.*co.nz [find] at :125
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /report/ip-10-250-1-152.aws.*.co.nz [save] at :125
>
> Thanks
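A model of what those SetEnvIf lines hand to Puppet's Rack application and how its default auth.conf rules then decide, as an added example that is not code from the thread or from Puppet itself. The trusted-terminator address, the peer addresses and the client DN are constructed assumptions; it shows why a request that arrives through an ELB (which cannot add X-Client-Verify or X-SSL-Subject) is rejected with 403, and why identity headers should only ever be accepted from the proxy that actually verified the client certificate.

```python
import re

# Constructed: the only peer allowed to assert client-certificate results
# (a TLS-terminating proxy that really did verify the client cert).
TRUSTED_TERMINATORS = {"10.250.0.10"}

# Header -> environment variable, mirroring the SetEnvIf lines of the vhost.
IDENTITY_HEADERS = {"X-Client-Verify": "SSL_CLIENT_VERIFY",
                    "X-SSL-Subject": "SSL_CLIENT_S_DN"}

def build_env(headers, peer_ip):
    """Build the CGI-style environment that Puppet's Rack app reads."""
    env = {"REMOTE_ADDR": headers.get("X-Forwarded-For", peer_ip)}
    if headers.get("X-Forwarded-Proto") == "https":
        env["HTTPS"] = "1"
    # Identity headers are honoured only from a trusted terminator. An ELB
    # cannot add them, so a request via ELB always ends up as NONE here.
    if peer_ip in TRUSTED_TERMINATORS:
        for hdr, var in IDENTITY_HEADERS.items():
            if hdr in headers:
                env[var] = headers[hdr]
    env.setdefault("SSL_CLIENT_VERIFY", "NONE")
    return env

# Simplified shape of Puppet's default auth.conf: these paths need an
# authenticated client and, except file_metadata, a certname matching the path.
RULES = [(re.compile(r"^/(node|catalog|report)/([^/]+)$"), True),
         (re.compile(r"^/file_metadata/"), False)]

def authorize(env, path):
    """Return 200 or 403 the way the default rules would decide."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return 403  # unauthenticated: "Forbidden request" as in the log above
    cn = re.search(r"CN=([^,/]+)", env.get("SSL_CLIENT_S_DN", ""))
    certname = cn.group(1) if cn else None
    for pattern, must_match in RULES:
        m = pattern.match(path)
        if m:
            return 200 if not must_match or m.group(2) == certname else 403
    return 403

if __name__ == "__main__":
    via_elb = build_env({"X-Forwarded-For": "10.250.1.152",
                         "X-Forwarded-Proto": "https"}, "10.250.0.99")
    print(authorize(via_elb, "/node/ip-10-250-1-152"))  # 403, as in the thread
```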
