Puppet users - Jul 2009 - Toward a simple Nginx configuration for Puppet Mongrel

Hi,

I''ve created two Nginx patches (see at the end of this message) to
allow
a simpler Nginx configuration for your Mongrel puppetmasters.

The two main issues with Nginx in front of puppet were:
  * no CRL support
  * no optional certificate verification (and thus we''re forced to have
two separate configs on two different ports, and to use --ca_port).

Now, it is as simple as the following configuration:

upstream puppet-production {
   server 127.0.0.1:18140;
   server 127.0.0.1:18141;
}

server {
   listen 8140;

   ssl                     on;
   ssl_session_timeout     5m;
   ssl_certificate         /var/lib/puppet/ssl/certs/puppetmaster.pem;
   ssl_certificate_key 
/var/lib/puppet/ssl/private_keys/puppetmaster.pem;
   ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
   ssl_ciphers             SSLv2:-LOW:-EXPORT:RC4+RSA;

   # allow authenticated and client without certs
   ssl_verify_client       optional;

   # obey to the Puppet CRL
   ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

   root                    /var/tmp;

   location / {
     proxy_pass              http://puppet-production;
     proxy_redirect         off;
     proxy_set_header    Host             $host;
     proxy_set_header    X-Real-IP        $remote_addr;
     proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
     proxy_set_header    X-Client-Verify  $ssl_client_verify;
     proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
     proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
     proxy_read_timeout  65;
   }
}

I really hope those patches could be merged in the official Nginx 
distribution, meanwhile it is easy to patch and build your own nginx (or 
package of).

Please see the following blog post for more information and access to 
those patches:
http://www.masterzen.fr/2009/07/21/new-ssl-features-for-nginx/

Thanks,
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi
> I''ve created two Nginx patches (see at the end of this message) to
allow
> a simpler Nginx configuration for your Mongrel puppetmasters.
> 
> The two main issues with Nginx in front of puppet were:
>   * no CRL support
>   * no optional certificate verification (and thus we''re forced to
have
> two separate configs on two different ports, and to use --ca_port).
awesome! thanks a lot!

cheers pete

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi Peter,

On Tue, 2009-07-21 at 22:21 +0200, Peter Meier wrote:
> Hi
> 
> > I''ve created two Nginx patches (see at the end of this
message) to allow
> > a simpler Nginx configuration for your Mongrel puppetmasters.
> > 
> > The two main issues with Nginx in front of puppet were:
> >   * no CRL support
> >   * no optional certificate verification (and thus we''re
forced to have
> > two separate configs on two different ports, and to use --ca_port).
> 
> awesome! thanks a lot!
The really good news is that Igor (Nginx author) is going to merge the
patches (or variation of) in the very next Nginx version (0.8.7 or
something).
This way I won''t have to maintain my own nginx tree :-)
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---