Has anyone gotten puppetmaster running under nginx with passenger? I've
tried various permutations of setting headers in the nginx config file,
but am still getting "Forbidden request" errors from the client.

-- 
Dan Urist
durist@ucar.edu
303-497-2459

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 28 June 2010 23:03, Dan Urist <durist@ucar.edu> wrote:
> Has anyone gotten puppetmaster running under nginx with passenger? I've
> tried various permutations of setting headers in the nginx config file,
> but am still getting "Forbidden request" errors from the client.

I've had it working that way before but went back to Apache after
tinkering.

If you can paste your configuration that might be helpful.

On 28 June 2010 23:03, Dan Urist <durist@ucar.edu> wrote:
> Has anyone gotten puppetmaster running under nginx with passenger? I've
> tried various permutations of setting headers in the nginx config file,
> but am still getting "Forbidden request" errors from the client.
>

Sounds like this..
http://groups.google.com/group/puppet-users/msg/cae809c17a9acd8a

I have this in my puppet.conf:

[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

I've tried various settings in my nginx config, but currently have this:

server {
    listen 8140;
    passenger_enabled on;
    ssl on;
    ssl_certificate /var/lib/puppet/ssl/certs/myserver.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/myserver.pem;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;
    server_name tpuppet.ucar.edu;
    root /etc/puppet/rack/public;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client_DN $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;
}

The error I'm getting is "Error 403 on SERVER: Forbidden request".

FWIW, I have an apache config that works on the same server; I'd rather
use nginx if possible, though.

On Tue, 29 Jun 2010 17:10:28 +0100 Alex Howells <lists@howells.me> wrote:
> On 28 June 2010 23:03, Dan Urist <durist@ucar.edu> wrote:
> > Has anyone gotten puppetmaster running under nginx with passenger?
> > I've tried various permutations of setting headers in the nginx
> > config file, but am still getting "Forbidden request" errors from
> > the client.
>
> I've had it working that way before but went back to Apache after
> tinkering.
>
> If you can paste your configuration that might be helpful.
>

-- 
Dan Urist
durist@ucar.edu
303-497-2459

On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
> I have this in my puppet.conf:
>
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> [..]
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For

Hi Dan,

I had the same problem, it looks like the 'proxy_set_header' option will
not have any effect with the Passenger module.
I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
options instead.

This seems to work for me:

nginx.conf:
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

[puppetmasterd]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

Kind regards,
Jakub

I've switched to using nginx+unicorn, and haven't had any issues. The
only hassle for me is that I'm running it under Ubuntu, and unicorn
isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
and don't have the advantage of automated updates.

On Thu, 23 Sep 2010 07:40:21 -0700 (PDT) Jakub Heichman <kuba.heichman@gmail.com> wrote:
> On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
> > I have this in my puppet.conf:
> >
> > [puppetmasterd]
> > ssl_client_header = SSL_CLIENT_S_DN
> > ssl_client_verify_header = SSL_CLIENT_VERIFY
> > [..]
> > proxy_set_header Host $host;
> > proxy_set_header X-Real-IP $remote_addr;
> > proxy_set_header X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like 'proxy_set_header' option will
> not have any effect with Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.
>
> This seems to work for me:
>
> nginx.conf:
> passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
> passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
> [puppetmasterd]
> ssl_client_header = HTTP_X_CLIENT_DN
> ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> Kind regards,
> Jakub
>
>

-- 
Dan Urist
durist@ucar.edu
303-497-2459

Richard Crowley
2010-Sep-23 15:03 UTC
Re: [Puppet Users] Re: nginx + passenger + puppetmaster
On Thu, Sep 23, 2010 at 7:52 AM, Dan Urist <durist@ucar.edu> wrote:
> I've switched to using nginx+unicorn, and haven't had any issues. The
> only hassle for me is that I'm running it under Ubuntu, and unicorn
> isn't (yet) packaged by Debian/Ubuntu, so I had to install it via gems
> and don't have the advantage of automated updates.

Unicorn FTW. Here's how I've configured it thus far:

https://devstructure.com/blueprints/rcrowley/puppet-master

Rich

On Thu, Sep 23, 2010 at 7:40 AM, Jakub Heichman <kuba.heichman@gmail.com> wrote:
> On 29 June, 19:44, Dan Urist <dur...@ucar.edu> wrote:
>> I have this in my puppet.conf:
>>
>> [puppetmasterd]
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>> [..]
>> proxy_set_header Host $host;
>> proxy_set_header X-Real-IP $remote_addr;
>> proxy_set_header X-Forwarded-For
>
> Hi Dan,
>
> I had the same problem, it looks like 'proxy_set_header' option will
> not have any effect with Passenger module.
> I had to install Passenger 3 (beta) and use 'passenger_set_cgi_param'
> options instead.

This stanza in the front end 8140 server works for me when setting the
client headers in the HTTP request. This is with nginx 0.7.67 and
passenger 2.2.11:

server {
    listen 8140 default ssl;
    ssl_certificate /var/lib/puppet/ssl/certs/chain.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;
    ssl_crl /var/lib/puppet/ssl/crl.pem;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:8m;
    ssl_session_timeout 5m;
    server_name puppet;
    location / {
        proxy_pass http://puppet-production;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_read_timeout 65;
    }
}

-- 
Jeff McCune
http://www.puppetlabs.com/
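
The header-name mismatch discussed in this thread, as an added example that is not part of any poster's message: a small Ruby check that compares the env keys an nginx config fills with the names puppet.conf tells the master to read. It assumes the master looks up the configured name literally in the Rack environment; the function names are hypothetical and the config strings are constructed from the posts above.

```ruby
# Added example; the config strings are constructed from the posts in this thread.
EXPECTED = { "ssl_client_header"        => "$ssl_client_s_dn",
             "ssl_client_verify_header" => "$ssl_client_verify" }

# Rack exposes request header "X-Client-DN" as env key "HTTP_X_CLIENT_DN".
def rack_env_key(header)
  "HTTP_" + header.upcase.tr("-", "_")
end

# Env keys the Rack app will see, mapped to the nginx variable that fills them.
# passenger: true  -> app runs inside nginx; proxy_set_header has no effect
#                     (as reported in the thread), passenger_set_cgi_param
#                     sets the env key verbatim.
# passenger: false -> nginx uses proxy_pass; headers arrive and Rack renames them.
def env_keys_from_nginx(conf, passenger:)
  keys = {}
  conf.each_line do |line|
    directive, name, value = line.strip.chomp(";").split(/\s+/, 3)
    next if value.nil?
    case directive
    when "passenger_set_cgi_param" then keys[name] = value if passenger
    when "proxy_set_header" then keys[rack_env_key(name)] = value unless passenger
    end
  end
  keys
end

# ssl_client_header / ssl_client_verify_header as set in puppet.conf text.
def puppet_header_settings(conf)
  conf.scan(/^\s*(ssl_client(?:_verify)?_header)\s*=\s*(\S+)/).to_h
end

# puppet.conf settings naming an env key that nginx does not fill from the
# matching $ssl_client_* variable. Empty hash means the two sides agree.
def mismatches(puppet_conf, nginx_conf, passenger:)
  env = env_keys_from_nginx(nginx_conf, passenger: passenger)
  puppet_header_settings(puppet_conf).reject { |setting, key| env[key] == EXPECTED[setting] }
end

DAN_PUPPET = "[puppetmasterd]\nssl_client_header = SSL_CLIENT_S_DN\nssl_client_verify_header = SSL_CLIENT_VERIFY\n"
DAN_NGINX = <<~'CONF'
  passenger_enabled on;
  proxy_set_header X-Client_DN $ssl_client_s_dn;
  proxy_set_header X-Client-Verify $ssl_client_verify;
CONF
FIX_PUPPET = "[puppetmasterd]\nssl_client_header = HTTP_X_CLIENT_DN\nssl_client_verify_header = HTTP_X_CLIENT_VERIFY\n"
FIX_NGINX = <<~'CONF'
  passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
  passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
CONF

p mismatches(DAN_PUPPET, DAN_NGINX, passenger: true)
p mismatches(FIX_PUPPET, FIX_NGINX, passenger: true)
```

An empty result only means the names line up. nginx still needs `ssl_verify_client` and `ssl_client_certificate`, as in the last config in the thread, for `$ssl_client_verify` to carry a real verification result.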