lebgui
2009-Jul-28 11:58 UTC
[Puppet Users] [Infrastructure Design] Questions about Puppet behind SSL reverse proxy
Hi,

I have some questions about Puppet client requests through a reverse SSL proxy with Apache and mod_ssl. It's about pure design and public IP addresses.

I want to use the Puppet framework in a distributed environment over a public network with NAT and so on. We already have a reverse proxy which handles SSL termination for Web server publication. Sites are published over HTTPS with a wildcard cert and forwarded to HTTP on the secure network.

We would like to use port 443 for communication from the puppet client to the puppetmaster server. And last but not least: be able to use the same reverse proxy as much as possible.

Puppet has its own cert infrastructure. We have our own cert for the reverse proxy. But there is a design problem with an IP:port bound to only one SSL cert. So we can't publish it through the same reverse proxy (or the same public IP). So we have to:

* use another IP for puppet
* use the same cert for puppet and the other hosting: can we move cert management out of puppet?

RFC 4346 ( http://www.ietf.org/rfc/rfc4366.txt ) defines SNI for this purpose: the hostname is passed in the SSL handshake, thus Apache + OpenSSL 0.9.8f+ + mod_ssl can use multi-cert virtual hosts. A good feature to add to puppet?

I have not really tested this new feature with multi-hosting with and without the SNI requirement, so I don't know if there is some form of drawback.

I would like your thoughts on the right design.

By the way, great piece of work ;)

Best regards.
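The design the post asks about, written out as an Apache mod_ssl configuration. This is an added example, not configuration from the original post or from the Puppet project: one public IP listening on 443, two SSL virtual hosts distinguished by SNI (Apache 2.2.12+ with OpenSSL 0.9.8f+, as the post notes), the existing wildcard-cert site alongside a Puppet vhost that presents the puppetmaster's Puppet-CA-issued certificate and forwards the verified agent identity to an HTTP-only master on the internal network. All hostnames and file paths are placeholders; the puppetmaster-side settings that consume the forwarded headers (ssl_client_header, ssl_client_verify_header) are assumed to be available on the Puppet version in use.

```apache
# Added example (not from the original post): one public IP:443, two certs
# selected by the SNI server_name the client sends in its ClientHello.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
Listen 443
NameVirtualHost *:443

# Vhost 1: the existing web publication. First vhost is also the default,
# i.e. what a client that sends no SNI will get.
<VirtualHost *:443>
    ServerName www.example.com                          # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/wildcard.example.com.crt   # placeholder path
    SSLCertificateKeyFile /etc/ssl/wildcard.example.com.key   # placeholder path
    ProxyPass        / http://web-internal.example.com/
    ProxyPassReverse / http://web-internal.example.com/
</VirtualHost>

# Vhost 2: Puppet on the same IP:443. Puppet keeps its own CA: this vhost
# presents the master's Puppet-issued cert (so the agent's CA check passes)
# and verifies the agent's Puppet-issued client cert against the Puppet CA.
<VirtualHost *:443>
    ServerName puppet.example.com     # placeholder; must equal the agent's "server" setting
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppet.example.com.pem        # assumed ssldir
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem # assumed ssldir
    SSLCACertificateFile  /var/lib/puppet/ssl/ca/ca_crt.pem   # Puppet CA cert
    SSLCARevocationFile   /var/lib/puppet/ssl/ca/ca_crl.pem   # Puppet CA CRL
    # "optional": a brand-new agent has no signed cert yet but must still be
    # able to submit its CSR; the master decides what an unverified client may do.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The TLS termination point is now the proxy, so the master cannot see the
    # client cert itself. Pass the verdict on as headers; the master must trust
    # these only from this proxy, so port 8140 on the master must not be
    # reachable from anywhere else (anyone who can reach it could set them).
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}e"

    ProxyPass        / http://puppetmaster-internal.example.com:8140/
    ProxyPassReverse / http://puppetmaster-internal.example.com:8140/
</VirtualHost>
```

Two points to check before relying on this. First, SNI only helps if the agent's TLS stack actually sends the server_name extension; an agent that does not will be served the first vhost's wildcard certificate, which it will reject because it is not issued by the Puppet CA, so the behaviour of the agent's Ruby/OpenSSL build is the thing to test. Second, the SNI hostname travels in cleartext in the handshake, so the proxy (and anything on the path) can see which agents are Puppet agents; that is a visibility trade-off of the shared-IP design rather than a weakness of the certificates themselves.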