Hi,

I think about what's the best solution to have puppet-proxys for systems without direct connection to the puppetmaster.

- Route all the traffic with iptable forwarding to one puppetmaster.
- Build puppetmaster-proxy vm's installed from a puppetmaster.
- Using http-proxy services.

Are there any experience or best practices for systems with indirect access to a puppetmaster?

Thomas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Thursday 06 May 2010 at 13:49 -0700, Thomas von Steiger wrote:
> Hi,
>
> I think about what's the best solution to have puppet-proxys for
> systems without direct connection to the puppetmaster.
>
> - Route all the traffic with iptable forwarding to one puppetmaster.
> - Build puppetmaster-proxy vm's installed from a puppetmaster.
> - Using http-proxy services.
>
> Are there any experience or best practices for systems with indirect
> access to a puppetmaster?

You can set up an nginx (or apache) as a front-end and then forward requests to upstream server(s).

Nico.

Hi

>> I think about what's the best solution to have puppet-proxys for
>> systems without direct connection to the puppetmaster.
>>
>> - Route all the traffic with iptable forwarding to one puppetmaster.
>> - Build puppetmaster-proxy vm's installed from a puppetmaster.
>> - Using http-proxy services.
>>
>> Are there any experience or best practices for systems with indirect
>> access to a puppetmaster?
>
> You can setup a nginx (or apache) as a front-end and then forward
> requests to upstream server(s).

right, but then the traffic would have to be unencrypted to the upstream servers or how would you implement the man in the middle that would be needed for such a proxy-setup?

iptables:
---------
might be the simplest setup

puppetmaster-proxy vms:
-----------------------
do you mean something like various puppetmasters synced from your "true"-master? that would also be feasible. You would then have many puppetmasters synced from one place.

http-proxy services:
--------------------
I see some difficulties as reverse-http-proxies usually terminate ssl-traffic and play man in the middle. What would be easy is if you could set up a proxy that doesn't terminate the ssl connection. But then at the end it would be easier and you would have less overhead to set up an iptable rule to forward traffic on port 8140.

anything else:
--------------
not that I'm personally really aware of. But I assume that other people so far also had to somehow get systems connected without direct connection to the puppetmaster.

cheers pete

Nicolas Szalay <nszalay@qualigaz.com> writes:
> On Thursday 06 May 2010 at 13:49 -0700, Thomas von Steiger wrote:
>>
>> I think about what's the best solution to have puppet-proxys for
>> systems without direct connection to the puppetmaster.
>>
>> - Route all the traffic with iptable forwarding to one puppetmaster.
>> - Build puppetmaster-proxy vm's installed from a puppetmaster.
>> - Using http-proxy services.
>>
>> Are there any experience or best practices for systems with indirect
>> access to a puppetmaster?
>
> You can setup a nginx (or apache) as a front-end and then forward
> requests to upstream server(s).

Since we are starting to feel the pinch of traffic levels from running two sites over a WAN link with a single puppetmaster:

Does this actually get any benefit of caching on the client, or would we need to deploy a second puppetmaster server to achieve that?

Daniel

--
✣ Daniel Pittman ✉ daniel@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons

On 10/05/2010 5:16 PM, Daniel Pittman wrote:
> Nicolas Szalay <nszalay@qualigaz.com> writes:
>
>> On Thursday 06 May 2010 at 13:49 -0700, Thomas von Steiger wrote:
>>
>>> I think about what's the best solution to have puppet-proxys for
>>> systems without direct connection to the puppetmaster.
>>>
>>> - Route all the traffic with iptable forwarding to one puppetmaster.
>>> - Build puppetmaster-proxy vm's installed from a puppetmaster.
>>> - Using http-proxy services.
>>>
>>> Are there any experience or best practices for systems with indirect
>>> access to a puppetmaster?
>>>
>> You can setup a nginx (or apache) as a front-end and then forward
>> requests to upstream server(s).
>>
> Since we are starting to feel the pinch of traffic levels from running two
> sites over a WAN link with a single puppetmaster:
>
> Does this actually get any benefit of caching on the client, or would we need
> to deploy a second puppetmaster server to achieve that?
>
> Daniel

Daniel,

Take a look at http://projects.puppetlabs.com/issues/3408 to help out with your WAN bandwidth issues.

Ben

Thomas von Steiger
2010-May-15 10:38 UTC
[Puppet Users] Re: Best practices for puppet-proxys
On May 10, 9:14 am, Peter Meier <peter.me...@immerda.ch> wrote:
> Hi
>
> >> I think about what's the best solution to have puppet-proxys for
> >> systems without direct connection to the puppetmaster.
> >>
> >> - Route all the traffic with iptable forwarding to one puppetmaster.
> >> - Build puppetmaster-proxy vm's installed from a puppetmaster.
> >> - Using http-proxy services.
> >>
> >> Are there any experience or best practices for systems with indirect
> >> access to a puppetmaster?
> >
> > You can setup a nginx (or apache) as a front-end and then forward
> > requests to upstream server(s).
>
> right, but then the traffic would have to be unencrypted to the upstream
> servers or how would you implement the man in the middle that would be
> needed for such a proxy-setup?
>
> iptables:
> ---------
> might be the simplest setup

I think for now the fastest solution.

> puppetmaster-proxy vms:
> -----------------------
>
> do you mean something like various puppetmasters synced from your
> "true"-master? that would also be feasible. You would then have many
> puppetmasters synced from one place.

Yes, simply a puppetmaster proxy module served from the true master.

> http-proxy services:
> --------------------
>
> I see some difficulties as reverse-http-proxies usually terminate
> ssl-traffic and play man in the middle. What would be easy is if you
> could set up a proxy that doesn't terminate the ssl connection. But
> then at the end it would be easier and you would have less overhead to
> set up an iptable rule to forward traffic on port 8140.

And handling of the puppet client certificate is more complex.

Thomas
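
The "proxy that doesn't terminate the ssl connection" discussed in the thread, as an added example that is not part of any post above: a relay on the intermediate host copies raw bytes to the puppetmaster on port 8140, so the TLS session and the agent's client certificate stay end to end between agent and master. The upstream name `puppetmaster.example.com` and all function names are assumptions.

```python
import socket
import threading
from contextlib import suppress

PUPPET_PORT = 8140  # puppetmaster port named in the thread

def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    with suppress(OSError):
        while data := src.recv(65536):
            dst.sendall(data)  # opaque TLS records, never decrypted here
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, upstream_addr):
    """Relay one agent connection to the upstream master, both directions."""
    try:
        upstream = socket.create_connection(upstream_addr, timeout=10)
    except OSError:
        client.close()  # master unreachable: drop the agent connection
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_relay(listen_addr, upstream_addr):
    """Start the relay in background threads; return the bound (host, port)."""
    srv = socket.create_server(listen_addr)

    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_handle, args=(client, upstream_addr),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()

if __name__ == "__main__":
    # Assumed master name; restrict the listener to the agent network by firewall.
    start_relay(("0.0.0.0", PUPPET_PORT), ("puppetmaster.example.com", PUPPET_PORT))
    threading.Event().wait()
```

Because the relay never holds a key or certificate, agents still verify the master's certificate themselves; that certificate must be valid for whatever name the agents use to reach the relay.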