Hi there

I would like to setup my puppetmasterd behind my ADSL modem and manage the nodes on the hosting sites. I can imagine opening ports to the puppetmasterd server will work. Am I right?

On the other hand an ideal configuration for me would be a Reverse Proxy setup, so I don't have to touch the ADSL router. Has anyone setup a puppetmasterd behind a reverse proxy?

Any pointers, references appreciated.

Thanks in advance.

-ziya

Brian Finney
2007-Nov-13 18:56 UTC
Re: Can I run puppetmasterd behind NAT (or Reverse Proxy)
On Nov 13, 2007 9:26 AM, Ziya Suzen <ziya@suzen.net> wrote:
> Hi there
>
> I would like to setup my puppetmasterd behind my ADSL modem and manage
> the nodes on the hosting sites. I can imagine opening ports to the
> puppetmasterd server will work. Am I right?

There is no reason this wouldn't work

> On the other hand an ideal configuration for me would be a Reverse
> Proxy setup, so I don't have to touch the ADSL router. Has anyone
> setup a puppetmasterd behind a reverse proxy?

Not sure how this would allow you to avoid opening ports on your ADSL router, but if the reverse proxy isn't handling the ssl there is nothing to stop this. If you want the reverse proxy to handle the ssl take a look at the docs for setting up apache and mongrel and you might get some inspiration.

http://reductivelabs.com/trac/puppet/wiki/UsingMongrel

> Any pointers, references appreciated.
>
> Thanks in advance.
>
> -ziya
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users

Main thing to keep your eyes open for are the recent issues with the latest release of ruby and the checking of the puppetmaster's fqdn vs the domain it was accessed by against the ssl cert. Take a look at the other threads currently on this list for more info.

Thanks
Brian

Matt Palmer
2007-Nov-13 20:01 UTC
Re: Can I run puppetmasterd behind NAT (or Reverse Proxy)
On Tue, Nov 13, 2007 at 05:26:16PM +0000, Ziya Suzen wrote:
> I would like to setup my puppetmasterd behind my ADSL modem and manage
> the nodes on the hosting sites. I can imagine opening ports to the
> puppetmasterd server will work. Am I right?

Yes, that works nicely.

> On the other hand an ideal configuration for me would be a Reverse
> Proxy setup, so I don't have to touch the ADSL router. Has anyone
> setup a puppetmasterd behind a reverse proxy?

In theory, there's no massive difference between an Apache-Mongrel proxy and an Apache-Apache-Mongrel (or possibly even Apache-Webrick) proxy, but considering the ridiculous contortions that people are going through to get the Apache-Mongrel case working, I'd say your chances of getting your more complicated plan working are fairly slim, unless you're an Apache guru.

That being said, I have this strange recollection of Pound being mentioned in the wiki somewhere, which might be a workable alternative if it ever got off the ground. I'm not online at present so I can't check, but a 10 second wiki search for Pound will probably give you an answer one way or another.

- Matt

--
I tend to think of "solution" as just a pretentious term for "thingy". Doing that word substitution in my head makes IT marketing literature somewhat more tolerable.
-- lutchann, in http://lwn.net/Articles/124703/

Ziya Suzen
2007-Nov-13 20:29 UTC
Re: Can I run puppetmasterd behind NAT (or Reverse Proxy)
On Nov 13, 2007 6:56 PM, Brian Finney <y0gi636@gmail.com> wrote:
> > setup a puppetmasterd behind a reverse proxy?
>
> Not sure how this would allow you to avoid opening ports on your ADSL
> router, but if the reverse proxy isn't handling the ssl there is

I already have the mod_proxy setup in place both for HTTP and HTTPS traffic.

> nothing to stop this. If you want the reverse proxy to handle the ssl
> take a look at the docs for setting up apache and mongrel and you
> might get some inspiration.
>
> http://reductivelabs.com/trac/puppet/wiki/UsingMongrel

Good one. Thanks. Apparently mod_proxy is passing the client cert in the HTTP headers. Mongrel must be respecting that.

> Main thing to keep your eyes open for are the recent issues with the
> latest release of ruby and the checking of the puppetmaster's fqdn vs
> the domain it was accessed by against the ssl cert. Take a look at
> the other threads currently on this list for more info.

Thanks again.

-z

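An illustration of the arrangement discussed in the message above, where Apache terminates SSL and hands the verified client identity to Mongrel in request headers. It is an added example, not part of the original thread and not the project's own configuration. The header names X-Client-DN and X-Client-Verify, the backend port 18140 and all file paths are assumptions.

```apache
# Added illustration; header names, backend port and file paths are assumptions.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    # Placeholder paths: the puppetmaster's own certificate, key and CA.
    SSLCertificateFile    /path/to/puppetmaster-cert.pem
    SSLCertificateKeyFile /path/to/puppetmaster-key.pem
    SSLCACertificateFile  /path/to/ca-cert.pem

    # Ask for a client certificate and verify it against the CA. "optional"
    # lets a node without a signed certificate still connect to request one.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +StdEnvVars

    # "set" replaces any value the client sent under the same name, so the
    # backend only ever sees what mod_ssl verified on this connection.
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Backend bound to loopback so these headers cannot be supplied by
    # anyone who bypasses the proxy.
    ProxyPass        / http://127.0.0.1:18140/
    ProxyPassReverse / http://127.0.0.1:18140/
</VirtualHost>
```

Because the backend takes the headers as the client's identity, it should accept connections only from the proxy; in a chain of two proxies, the same header rules belong on the outermost one that terminates SSL.
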
Nigel Kersten
2007-Nov-13 22:01 UTC
Re: Can I run puppetmasterd behind NAT (or Reverse Proxy)
On Nov 13, 2007 12:01 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
> In theory, there's no massive difference between an Apache-Mongrel proxy
> and an Apache-Apache-Mongrel (or possibly even Apache-Webrick) proxy, but
> considering the ridiculous contortions that people are going through to
> get the Apache-Mongrel case working, I'd say your chances of getting your
> more complicated plan working are fairly slim, unless you're an Apache guru.

So I wouldn't say that Apache-Mongrel requires contortions :)

I'm just hitting a scalability issue, and the blame really doesn't seem to lie with puppet itself. At around 4000 clients checking in every half an hour we didn't have issues at all, but we have increased the number of modules a fair bit since then.

--
Nigel Kersten
MacOps @ Google
"Two kinds of Kool-Aid"

Matt Palmer
2007-Nov-14 06:34 UTC
Re: Can I run puppetmasterd behind NAT (or Reverse Proxy)
On Tue, Nov 13, 2007 at 02:01:42PM -0800, Nigel Kersten wrote:
> On Nov 13, 2007 12:01 PM, Matt Palmer <mpalmer@hezmatt.org> wrote:
> > In theory, there's no massive difference between an Apache-Mongrel proxy
> > and an Apache-Apache-Mongrel (or possibly even Apache-Webrick) proxy, but
> > considering the ridiculous contortions that people are going through to
> > get the Apache-Mongrel case working, I'd say your chances of getting your
> > more complicated plan working are fairly slim, unless you're an Apache guru.
>
> So I wouldn't say that Apache-Mongrel requires contortions :)

The number of people I've seen on #puppet tying themselves in knots over this would suggest otherwise. Perhaps your mod_proxy fu is stronger than that of lesser mortals.

- Matt

--
A few minutes ago I attempted to give a flying fsck, but the best I could do was to watch it skitter across the floor.
-- Anthony de Boer, ASR