Puppet users - Jun 2007 - puppetmaster through HTTP proxy

I have a test area network that is not routed to the production network 
because of IP address space re-use between the two networks.  I would 
like the puppetmaster to serve both the production and test area 
networks.  The puppetmaster is on the production network.  I understand 
the puppet to puppetmaster connect to be HTTP using SSL.

Can I somehow setup the puppet clients to use an HTTP CONNECT command to 
tunnel through a squid proxy on the box that''s on both networks to talk
with the puppet master?

If not, if I setup the box on both networks as a proxy for puppetmaster 
in the sense that it would be if I were setting up Mongrel, does that 
affect the cert signing process when the client connects for the first time?

-- 
David R. Sowder
Linux Systems Administrator (Software Systems Specialist II)
Office of Information Technology
University of Texas at Arlington
    Work: 817-272-1081  davids@uta.edu    http://www.uta.edu/
Personal:               david@sowder.com  http://david.sowder.com/

On Jun 20, 2007, at 3:24 PM, David Sowder wrote:
> I have a test area network that is not routed to the production  
> network
> because of IP address space re-use between the two networks.  I would
> like the puppetmaster to serve both the production and test area
> networks.  The puppetmaster is on the production network.  I  
> understand
> the puppet to puppetmaster connect to be HTTP using SSL.
Yep.
> Can I somehow setup the puppet clients to use an HTTP CONNECT  
> command to
> tunnel through a squid proxy on the box that''s on both networks to
> talk
> with the puppet master?
Um... I doubt it?  I don''t really know much about http proxies.
> If not, if I setup the box on both networks as a proxy for  
> puppetmaster
> in the sense that it would be if I were setting up Mongrel, does that
> affect the cert signing process when the client connects for the  
> first time?
As long as your proxy can handle the ssl for you, or it''s between  
your SSL termination and the puppet master.

For instance, you could set up an Apache server as the SSL end point,  
then have Apache talk to your http proxy and have your proxy talk to  
the puppet master instances (running Mongrel).

I''m not all that much up on proxies, as I mentioned, but Puppet  
basically has two modes:  Running with webrick, and thus must be an  
ssl endpoint, or running with mongrel, and thus expects a certain cgi  
parameter to be set.  If you can meet either of those criteria, you  
should be fine.

  --
  He is indebted to his memory for his jests and to his imagination for
  his facts.                   --Richard Brinsley Sheridan
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

Luke Kanies wrote:
> On Jun 20, 2007, at 3:24 PM, David Sowder wrote:
>> Can I somehow setup the puppet clients to use an HTTP CONNECT
>> command to
>> tunnel through a squid proxy on the box that''s on both
networks to
>> talk
>> with the puppet master?
>
> Um... I doubt it? I don''t really know much about http proxies.
 From what I had been able to gather from reading over the docs and 
searching the wiki before asking here, I thought that would be the 
answer.  I''ve just taken a first crack at adding this functionality, 
which seems to work for me.  Here''s the patch against the Subversion 
repository.  Hopefully it''s not too ugly as this my first attempt at 
both Ruby and Puppet hacking.


Index: network/xmlrpc/client.rb
==================================================================---
network/xmlrpc/client.rb    (revision 2641)
+++ network/xmlrpc/client.rb    (working copy)
@@ -99,7 +99,14 @@
             hash[:Path] ||= "/RPC2"
             hash[:Server] ||= Puppet[:server]
             hash[:Port] ||= Puppet[:masterport]
+            hash[:HTTPProxyHost] ||= Puppet[:http_proxy_host]
+            hash[:HTTPProxyPort] ||= Puppet[:http_proxy_port]
 
+            if "none" == hash[:HTTPProxyHost]
+                hash[:HTTPProxyHost] = nil
+                hash[:HTTPProxyPort] = nil
+            end
+
             @puppet_server = hash[:Server]
             @puppet_port = hash[:Port]
 
@@ -107,8 +114,8 @@
                 hash[:Server],
                 hash[:Path],
                 hash[:Port],
-                nil, # proxy_host
-                nil, # proxy_port
+                hash[:HTTPProxyHost], # proxy_host
+                hash[:HTTPProxyPort], # proxy_port
                 nil, # user
                 nil, # password
                 true, # use_ssl
Index: configuration.rb
==================================================================---
configuration.rb    (revision 2641)
+++ configuration.rb    (working copy)
@@ -339,6 +339,11 @@
             :mode => 0640,
             :desc => "Where the puppetd web server logs."
         },
+        :http_proxy_host => ["none",
+            "The HTTP proxy host to use for outgoing connections.  
Note: You
+            may need to use a FQDN for the server hostname when using a 
proxy."],
+        :http_proxy_port => [3128,
+            "The HTTP proxy port to use for outgoing connections"],
         :server => ["puppet",
             "The server to which server puppetd should connect"],
         :ignoreschedules => [false,

On Jun 21, 2007, at 2:50 PM, David Sowder wrote:
> From what I had been able to gather from reading over the docs and
> searching the wiki before asking here, I thought that would be the
> answer.  I''ve just taken a first crack at adding this
functionality,
> which seems to work for me.  Here''s the patch against the
Subversion
> repository.  Hopefully it''s not too ugly as this my first attempt
at
> both Ruby and Puppet hacking.
Can you file this as an enhancement request with the attached patch?

Thanks.

  --
  Hegel was right when he said that we learn from history that man can
  never learn anything from history.      -- George Bernard Shaw
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

Done.  http://reductivelabs.com/trac/puppet/ticket/701

On 6/26/07, Luke Kanies <luke@madstop.com> wrote:
>
> On Jun 21, 2007, at 2:50 PM, David Sowder wrote:
>
> > From what I had been able to gather from reading over the docs and
> > searching the wiki before asking here, I thought that would be the
> > answer.  I''ve just taken a first crack at adding this
functionality,
> > which seems to work for me.  Here''s the patch against the
Subversion
> > repository.  Hopefully it''s not too ugly as this my first
attempt at
> > both Ruby and Puppet hacking.
>
> Can you file this as an enhancement request with the attached patch?
>
> Thanks.
>
>   --
>   Hegel was right when he said that we learn from history that man can
>   never learn anything from history.      -- George Bernard Shaw
>   ---------------------------------------------------------------------
>   Luke Kanies | http://reductivelabs.com | http://madstop.com
>
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>


-- 
David R. Sowder
University of Texas at Arlington
Department of Modern Languages
Language Acquisition Center Supervisor
Work: davids@uta.edu
Personal: david@sowder.com
Lists: davidrsowder@gmail.com
http://david.sowder.com/


_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users