Hi,
It seems that webrick cannot handle too many clients and that Luke is
making mongrel the "default" server to use, so I wanted to switch to
mongrel. Then I read that I cannot use mongrel directly like webrick
because it does not speak SSL.
So my issue is: how to be sure things stay secure, in the sense that the
proxy should be the one speaking SSL and doing the client SSL certificate
signature verification.
I read the pound and the nginx wiki articles and I am a bit confused
here. Let's see for nginx:
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
(and ssl_verify_client on; in the server setting)
So here I took the Debian default SSL config and added the last line,
ssl_client_certificate, with the same cert used on the pound wiki. Does
it make things secure?
Could anyone clarify the security risk and how I should set this up so
as to keep the puppet master's settings secure?
--
Cordialement,
Ghislain
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
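As an added example (not from this thread and not Puppet's or nginx's own documentation), here is what a complete nginx server block for the setup described in the question looks like, with the security point spelled out in comments: nginx terminates TLS, verifies the client certificate against the puppet CA, and hands the verified identity to mongrel in request headers, which is only safe if mongrel cannot be reached by anyone but nginx. The certificate file names, the backend port 18140, and the X-Client-DN / X-Client-Verify header names are assumptions to be checked against the Puppet version in use.

```nginx
# Added example, not part of the original thread. Paths, the backend port
# and the header names are assumptions; verify them for your Puppet version.

upstream puppetmaster {
    # WEAK:     mongrel bound to 0.0.0.0 on a reachable port. Any node can
    #           then speak plain HTTP to it, skip the client-cert check
    #           below entirely and send its own "X-Client-Verify: SUCCESS".
    # HARDENED: mongrel bound to 127.0.0.1 only (a port different from the
    #           one nginx listens on, otherwise the two binds collide), so
    #           the only way in is through this proxy.
    server 127.0.0.1:18140;
}

server {
    listen 8140;          # nodes still connect to the usual puppet port
    ssl on;

    # Server identity: the puppet master's own cert and key, issued by the
    # puppet CA so that nodes with the CA cert can verify it.
    ssl_certificate     /etc/puppet/ssl/certs/puppetmaster.pem;
    ssl_certificate_key /etc/puppet/ssl/private_keys/puppetmaster.pem;

    # Client identity: a node must present a cert signed by the puppet CA.
    # "on" rejects the handshake otherwise, so an unauthenticated client
    # never reaches mongrel at all ("optional" would let it through and
    # leave the decision to the backend, which is not what we want here).
    ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;   # cert must be signed directly by the puppet CA

    location / {
        proxy_pass http://puppetmaster;
        proxy_redirect off;

        # Pass the verified identity on. $ssl_client_verify is "SUCCESS"
        # only after the check above passed; $ssl_client_s_dn is the
        # subject DN (CN=<node fqdn>) mongrel uses as the client name.
        # These headers are trustworthy only because mongrel accepts
        # connections from this proxy alone.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host            $host;
    }
}
```

Two checks worth running after loading this: connect with openssl s_client without a client certificate and confirm the handshake is refused rather than answered, and connect to 127.0.0.1:18140 from another host to confirm it is unreachable. Note that this configuration does not consult the puppet CA's revocation list, so a revoked node certificate is still accepted until the CA certificate itself changes.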
Hmmm, it seems Debian etch has a non-SSL version of nginx, as it chokes on
the "ssl" word. Also the pound in etch says:

pound: unknown directive " VerifyList /etc/puppet/ssl/ca/ca_crt.pem" - aborted
(root)> pound -V
Version 2.0
Exiting...

Hmmm... feels bad. I looked at perlbal also but it seems that it does not
verify client SSL certs.
--
Cordialement,
Ghislain
On Mon, 2007-12-17 at 12:37 +0100, ADNET Ghislain wrote:
> hummm
>
> it seems debian etch have a non ssl version of nginx as it choke on
> "ssl" word, also the pound of etch says:

Debian Etch has a really old nginx version. You can install the testing
or unstable package on etch without any issue (by pinning the package in
/etc/apt/preferences, for instance, which is what I'm doing). The
testing/unstable version has full SSL support (and client cert
verification).

Hope that helps,
--
Brice Figureau
Days of Wonder
http://www.daysofwonder.com/