Hi,
  It seems that webrick cannot handle too many clients and that Luke is
making mongrel the 'default' server to use, so I wanted to switch to
mongrel. Then I read that I cannot use mongrel directly like webrick
because it does not speak SSL.
  So my issue is: how to be sure things stay secure, in the sense that the
proxy should be the one speaking SSL and doing the client SSL certificate
signature verification.
  I read the pound and the nginx wiki articles and I am a bit confused
here. Let's see for nginx:
    ssl_certificate      cert.pem;
    ssl_certificate_key  cert.key;
    ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
    (and ssl_verify_client       on;  in the server setting)
  So here I took the Debian default SSL config and added the last line
'ssl_client_certificate' with the same cert used on the pound wiki. Does
it make things secure?
  Could anyone clarify the security risk and how I should set this up so
as to keep the puppet master settings secure?
-- 
Cordialement,
Ghislain
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
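For reference, here is what the proxy side of the setup asked about above looks like when written out as a complete nginx server block. This is an added example, not configuration from the thread or from the Puppet project; the certificate paths, the mongrel port (18140) and the upstream name are assumptions, and the X-Client-Verify / X-Client-DN header names are the ones the Puppet mongrel handler of that era is documented to read, so check them against your Puppet version.

```nginx
# Added example: nginx terminates TLS and verifies client certificates against
# the Puppet CA; mongrel behind it speaks plain HTTP only.
# All paths and ports below are assumptions for illustration.

upstream puppetmaster_mongrel {
    server 127.0.0.1:18140;   # mongrel must listen on loopback only (assumed port)
}

server {
    listen 8140;
    ssl on;                   # pre-0.7.14 syntax; newer nginx uses "listen 8140 ssl;"

    # Server identity: the puppetmaster's own cert and key (assumed paths).
    ssl_certificate        /etc/puppet/ssl/certs/puppetmaster.pem;
    ssl_certificate_key    /etc/puppet/ssl/private_keys/puppetmaster.pem;

    # Trust anchor for client certs: ONLY the Puppet CA, not the system bundle,
    # otherwise any cert from a public CA would pass verification.
    ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;

    # "on" rejects the handshake of any client whose cert was not signed by
    # that CA; "optional" would instead pass the outcome to the backend in
    # $ssl_client_verify and let the master decide.
    ssl_verify_client      on;

    location / {
        proxy_pass     http://puppetmaster_mongrel;
        proxy_redirect off;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Hand the verification result and the verified subject DN to mongrel.
        # Header names assumed to match the Puppet mongrel handler.
        proxy_set_header X-Client-Verify $ssl_client_verify;   # "SUCCESS" / "NONE" / "FAILED:..."
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}
```

Two points decide whether this is actually secure. First, the backend trusts the X-Client-Verify and X-Client-DN headers blindly, so mongrel must be reachable only from the proxy (bind it to 127.0.0.1 or firewall its port); if a client can reach mongrel directly it can simply send those headers itself and impersonate any node. Second, ssl_client_certificate must point at the Puppet CA certificate alone, since nginx accepts any client cert chaining to anything in that file. With ssl_verify_client on, a node that does not yet have a signed certificate cannot even complete the handshake to request one, which is why some setups use optional and leave that enforcement to the master.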
hummm

it seems debian etch has a non-ssl version of nginx as it chokes on the
"ssl" word, also the pound of etch says:

pound: unknown directive " VerifyList /etc/puppet/ssl/ca/ca_crt.pem" - aborted

(root)> pound -V
Version 2.0
Exiting...

hummm.. feels bad. I looked at perlbal also but it seems that it does not
verify client ssl certs.

-- 
Cordialement,
Ghislain
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Mon, 2007-12-17 at 12:37 +0100, ADNET Ghislain wrote:
> hummm
>
> it seems debian etch have a non ssl version of nginx as it choke on
> "ssl" word, also the pound of etch says:

Debian Etch has a really old nginx version. You can install the testing or
unstable package on etch without any issue (by the way of pin-pointing the
package in /etc/apt/preferences for instance, which is what I'm doing).
The testing/unstable version has full ssl support (and client cert
verification).

Hope that helps,
-- 
Brice Figureau
Days of Wonder
http://www.daysofwonder.com/