Hi Paolo,

It took me a while but I finally got my puppetmaster setup to use passenger 
and apache.

I'm working on the remote proxy but had a question about the Puppet cert 
configuration. How are you keeping the SSL certs used on the RP in sync 
with the puppetmaster? Or are they a separate set?

Regards,

Karl



On Wednesday, November 20, 2013 6:41:17 AM UTC-5, pdpinfo wrote:
>
> Hi Karl,
>
> here following are the apache confs that work, afaik (any comment is welcome):
> - puppetserver: direct and indirect access
> - proxy server
>
> You can have direct and proxied clients:
>
> clients  
>    |
> tcp/8140
>    |
> Puppet Server
>    |
> tcp/8141 
> -----------firewall
>    |
>   RP
>    |
> tcp/8140                   
>    |              
> "remote" clients  
>
> Please note: (disclaimer) this setup, intended for internal networks, does 
> not have, imho, evident security issues; however, you have to understand what 
> issues could arise if you do not manage a "trust chain", that is, ensure 
> security on certificates, ssl, network communication and puppetserver access. 
> More:
> - To operate this setup you must already have certificates generated by 
> Puppet CA.
> - Certificates must contain all relevant DNS names used by servers, and 
> correct CN.
> - Pay attention to header variables and the tcp/8141 access restriction, so as 
> not to be vulnerable to "man-in-the-middle attacks".
> - You should update CRL on proxy.
> - (This setup does not have SSL client validation for RP when connecting 
> to puppetserver; SSLVerifyClient on VH 8141 recommended.)
>
> Verify you have in your server's puppet.conf:
>     ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
>
> (Change servernames and ACL as requested)
> #------------Puppet server-----------
> Listen 8141
> <VirtualHost *:8141>
>     ServerName my_puppet_servername
>     ServerAlias my_puppet_servername
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>
>     # Passenger options that can be set in a virtual host configuration block.
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>
>     # X-Client variables required to verify client authentication
>     # Values are coming from (trusted) Reverse Proxy that verifies client certificate
>     # For correct CA emission, and CRL status
>     SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
>     SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
>     SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>
>     DocumentRoot /etc/puppet/rack/public
>     <Location />
>         Options None
>         Order deny,allow
>         # List IP address of your proxy
>         Allow from my_proxy_IP_address
>         Deny from all
>     </Location>
> </VirtualHost>
>
> Listen 8140
> <VirtualHost *:8140>
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_puppet_servername.pem
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_puppet_servername.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     # Passenger options that can be set in a virtual host configuration block.
>     PassengerHighPerformance on
>     PassengerStatThrottleRate 120
>     PassengerUseGlobalQueue on
>
>     RackAutoDetect Off
>     RailsAutoDetect Off
>     RackBaseURI /
>
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     DocumentRoot /etc/puppet/rack/public
>     <Directory /etc/puppet/rack/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
> </VirtualHost>
> #---------------END Puppet Server-----------------
>
>
> #----------------RP---------------------
> Listen 8140
>
> <VirtualHost *:8140>
>     ServerName my_RP_servername:8140
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>     SSLCertificateFile /var/lib/puppet/ssl/certs/my_RP_servername.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/my_RP_servername.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     ErrorLog logs/error_puppet_rp_log
>     TransferLog logs/access_puppet_rp_log
>     LogLevel warn
>     CustomLog logs/ssl_request_puppet_rp_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>     # Header names must match the SetEnvIf lines on the puppetserver's 8141 vhost,
>     # which map them to HTTP_X_PUPPET_CLIENT_DN / HTTP_X_PUPPET_CLIENT_VERIFY
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-RP-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-RP-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     RewriteEngine On
>     TraceEnable Off
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>
>     SSLProxyEngine on
>     SSLProxyVerify require
>     SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLProxyCheckPeerCN on
>     # SSLProxyMachineCertificateFile 
> /var/lib/puppet/ssl/certs/my_RP_servername_pub_and_key.pem
>
>     ProxyPass / https://my_puppetserver_servername:8141/
>     ProxyPassReverse / https://my_puppetserver_servername:8141/
>     ProxyPreserveHost On
>
>     <Location />
>         Order deny,allow
>         allow from my_client_IP_network
>         deny from all
>     </Location>
>
> </VirtualHost>
> #------------END RP--------------------
>
> Regards
>
> Paolo
>

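As an added check for the trust chain Paolo describes (example code, not from the thread or from Puppet), the script below parses constructed excerpts of the two vhosts and flags the cases his notes warn about: header names that differ between the RP's RequestHeader lines and the SetEnvIf lines on 8141, an 8141 vhost that is not restricted to the proxy address, and an RP without CRL or upstream certificate verification.

```python
# Added example, not code from the thread: lint the two vhosts for the
# trust-chain invariants Paolo lists (excerpts constructed from the posted configs).
PUPPET_8141 = """
SetEnvIf X-RP-Client-DN "(.*)" HTTP_X_PUPPET_CLIENT_DN=$1
SetEnvIf X-RP-Client-Verify "(.*)" HTTP_X_PUPPET_CLIENT_VERIFY=$1
Order deny,allow
Allow from my_proxy_IP_address
Deny from all
"""
RP_8140 = """
SSLVerifyClient optional
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
RequestHeader set X-RP-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-RP-Client-Verify %{SSL_CLIENT_VERIFY}e
SSLProxyVerify require
"""

def directives(conf):
    """Yield (name, args) per directive line; comments and <tags> are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            yield name, args.strip()

def check_trust_chain(server_conf, rp_conf):
    """Return a list of findings; an empty list means the invariants hold."""
    server, rp = list(directives(server_conf)), list(directives(rp_conf))
    # 1. The header names 8141 maps into HTTP_X_PUPPET_CLIENT_* must be the
    #    ones the RP overwrites; otherwise puppet never sees the client DN.
    trusted = {a.split()[0] for n, a in server
               if n == "SetEnvIf" and "HTTP_X_PUPPET_CLIENT" in a}
    rp_set = {a.split()[1] for n, a in rp
              if n == "RequestHeader" and a.startswith("set ")}
    findings = [f"8141 trusts header {h} but the RP never sets it"
                for h in sorted(trusted - rp_set)]
    # 2. Those headers are taken on faith, so 8141 must deny everyone but the
    #    proxy address (a forged client DN is the MITM Paolo warns about).
    allow = [a for n, a in server if n.lower() == "allow"]
    deny = [a for n, a in server if n.lower() == "deny"]
    if "from all" not in deny or "from all" in allow:
        findings.append("8141 vhost is not restricted to the proxy address")
    # 3. The RP must check client certs against the CRL and verify the
    #    upstream puppetserver certificate before forwarding anything.
    rp_map = dict(rp)
    findings += [f"RP vhost lacks {n}" for n in
                 ("SSLVerifyClient", "SSLCARevocationFile") if n not in rp_map]
    if rp_map.get("SSLProxyVerify") != "require":
        findings.append("RP vhost does not require the upstream certificate")
    return findings
```

Run `check_trust_chain(PUPPET_8141, RP_8140)` against your real vhost text; an empty list means the three invariants hold, and any finding names the side that needs fixing.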
-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/52af146b-c8c7-4848-a9c7-20abbaf98bce%40googlegroups.com.