I finally got it. Lots of searching, poking and twiddling with apache
services :) Thank you so much!
Here are my config files. Remote proxy is SLES11, puppetmaster is RHEL5
with EPEL and Puppet repos. Note that SSLProxyMachineCertificateFile
/var/lib/puppet/ssl/certs/remote_proxy_host.combined is the private key and
cert for the remote proxy put in a single file
(/var/lib/puppet/ssl/certs/puppetmaster_host.pem
and /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem)
Apache conf.d/puppetmaster.conf:
PassengerMaxPoolSize 4
PassengerMaxRequests 1000
PassengerPoolIdleTime 600
Listen 8141
<VirtualHost *:8141>
SSLEngine on
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/
puppetmaster_host.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
PassengerStatThrottleRate 120
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>
Listen 8140
<VirtualHost *:8140>
SSLEngine On
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
SSLCertificateKeyFile
/var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
PassengerStatThrottleRate 120
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>
/etc/puppet.conf:
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
server = puppetmaster_host
pluginsync = true
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
report = true
environment = production
[master]
reports = store,http,foreman,log
reporturl = http://puppetmaster_host:3000/reports/upload
storeconfigs = true
#async_storeconfigs = true
dbadapter = mysql
dbuser = puppet
dbpassword = f1rmwar3
dbserver = localhost
dbsocket = /var/lib/mysql/mysql.sock
dbconnections = 10
node_terminus = exec
facts_terminus = yaml
external_nodes = /usr/share/puppet/ext/susemanager_enc.rb
ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
Remote Proxy
LoadModule headers_module /usr/lib64/apache2/mod_headers.so
Listen 8140
<VirtualHost *:8140>
ServerName remote_proxy_host:8140
SSLEngine on
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.pem
SSLCertificateKeyFile
/var/lib/puppet/ssl/private_keys/remote_proxy_host.pem
SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
LogLevel warn
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
RewriteEngine On
TraceEnable Off
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLProxyCheckPeerCN on
SSLProxyMachineCertificateFile
/var/lib/puppet/ssl/certs/remote_proxy_host.combined
ProxyPass / https://puppetmaster_host:8141/
ProxyPassReverse / https://puppetmaster_host:8141/
ProxyPreserveHost On
<Location />
Order deny,allow
allow from All
deny from all
</Location>
</VirtualHost>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/e2931237-0f99-427e-a4c7-ba34ad407618%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
