trey85stang
2011-Jan-28 21:00 UTC
[Puppet Users] apache frontend not running puppetmaster.
Hey All, does anyone know how I would go about creating a front-end apache config for a set of 3 puppetmaster backend servers? I'd rather not run puppetmaster on the apache front-end.

How do I handle the clients?

My thought is the following for my setup:

standalone Puppet CA server that will handle signing of certs only.

An apache front end, to distribute load to 3-5 backend puppetmaster servers.

I'm just confused on how to handle the ssl portion of this config based off the puppet.conf file in this link: http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel_On_Enterprise_Linux

Any help would be appreciated.

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2011-Feb-01 01:19 UTC
Re: [Puppet Users] apache frontend not running puppetmaster.
On Fri, Jan 28, 2011 at 4:00 PM, trey85stang <trey85stang@gmail.com> wrote:
> Hey All, does anyone know how I would go about creating a front-end
> apache config for a set of 3 puppetmaster backend servers? I'd rather
> not run puppetmaster on the apache front-end.
>
> How do I handle the clients?

I recommend configuring a virtual host in Apache to handle this. This Apache virtual host will do three main things:

1: Terminate SSL connections using a certificate issued with the "puppet cert" command.
2: Set HTTP request headers if the client is authenticated.
3: Distribute requests to the back end workers.

For the SSL portion, you can generate a certificate for Apache using something like:

    $ puppet cert --generate loadbalancer.mydomain.lan --certdnsnames puppet

Then copy the CA certificate, certificate revocation list, SSL certificate and private key to the load balancer host. The Apache options to load these files are:

    SSLCertificateFile /path/to/ssl_cert.pem
    SSLCertificateKeyFile /path/to/ssl_cert_key.pem
    SSLCertificateChainFile /path/to/ssl_cert_chain.pem
    SSLCACertificateFile /path/to/ssl_ca_cert.pem
    SSLCARevocationFile /path/to/ssl_ca_crl.pem

The SSLCertificateChainFile and SSLCACertificateFile may be identical if you're using a self signed certificate authority (since we have a 1 link chain), which is the default when Puppet generates the CA certificate.

Once you have the certificates configured, you need to set the verification policy:

    SSLVerifyClient ("optional" if you want the load balancer to handle certificate signing requests from the agent, "required" if you want to drop any connections that do not already have a signed certificate)
    SSLVerifyDepth 1

You also need to set the SSL options, but these are normally already set when Apache is installed. The following settings use strong ciphers.

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

For the second task of setting the authentication headers, you can use:

    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

Finally, you need to distribute the requests somehow. For this I recommend reading up on mod_proxy_balancer at: http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

I use something like this outside the vhost block:

    <Proxy balancer://puppetmaster/>
      BalancerMember http://1.2.3.4:8140/ loadfactor=10
      BalancerMember http://1.2.3.5:8140/ loadfactor=10
      BalancerMember http://1.2.3.6:8140/ loadfactor=10
    </Proxy>

And inside the vhost block:

    ProxyPass / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/

Once you have the load balancer configured like this, the workers should be configured as per the Using Passenger document at http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger _except_ they shouldn't be SSL enabled virtual hosts since the load balancer handles that. (NOTE! This is a huge security risk if your workers are exposed. The traffic from the LB to the workers is in the clear and client request headers can be forged! Beware! Protect your workers!)

> My thought is the following for my setup:
>
> standalone Puppet CA server that will handle signing of certs only.

I recommend using ProxyPassMatch and ProxyPassReverse to direct all certificate requests to one worker. Something like this works well:

    ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmaster_ca/
    ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmaster_ca/

Hope this helps,
--
Jeff McCune
http://www.puppetlabs.com/
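Putting the pieces from the reply above together, here is a complete front-end vhost as an added example; it is not a config from the original post or from Puppet Labs. The hostnames, addresses and file paths are assumptions, the protocol and cipher lines are this example's choice (TLS only, no RC4) rather than the settings quoted in the post, and the ProxyPassMatch target uses $1/$2/$3 backreferences so the matched request path is carried through to the CA pool.

```apache
# Back-end pools live outside the vhost. Addresses are this example's assumptions.
<Proxy balancer://puppetmaster/>
    BalancerMember http://10.0.0.11:8140/ loadfactor=10
    BalancerMember http://10.0.0.12:8140/ loadfactor=10
    BalancerMember http://10.0.0.13:8140/ loadfactor=10
</Proxy>

# A one-member "pool" so every certificate request lands on the same worker,
# the one that holds the CA key and does the signing.
<Proxy balancer://puppetmaster_ca/>
    BalancerMember http://10.0.0.10:8140/
</Proxy>

Listen 8140
<VirtualHost *:8140>
    ServerName puppet.mydomain.lan

    SSLEngine on
    # Protocol/cipher choice is this example's, not the post's: TLS only, no RC4.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on

    # Files copied from the Puppet CA host after "puppet cert --generate"; paths assumed.
    SSLCertificateFile      /etc/puppet/ssl/certs/loadbalancer.mydomain.lan.pem
    SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/loadbalancer.mydomain.lan.pem
    SSLCertificateChainFile /etc/puppet/ssl/certs/ca.pem
    SSLCACertificateFile    /etc/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem

    # "optional" so an agent without a signed cert can still reach the CA to
    # submit its CSR; the workers decide per request from X-Client-Verify.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # "set" replaces any value the agent sent, so an agent cannot supply its
    # own identity; only mod_ssl's verification result reaches the workers.
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Rules are checked in configuration order: certificate traffic first,
    # everything else to the balanced pool. Backreferences keep the path.
    ProxyPassMatch   ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppetmaster_ca$1/$2/$3
    ProxyPass        / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
</VirtualHost>
```

On each worker the Passenger vhost then listens for plain HTTP on 8140 and must be reachable only from the front end (a firewall rule or a private interface), since anyone who can reach a worker directly can send it arbitrary X-Client-* headers. Puppet's puppet.conf settings ssl_client_header and ssl_client_verify_header default to HTTP_X_CLIENT_DN and HTTP_X_CLIENT_VERIFY, which are exactly the X-Client-DN and X-Client-Verify headers set above, so with these header names they can stay at their defaults.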
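To make the two trust decisions in the reply concrete, here is an added Python model (not code from the post or from Puppet) of what the front end forwards and what a worker should do with a request that did not come through the front end. It reuses the ProxyPassMatch regex from the post to pick a pool, and also shows that the lazy (/.*?) group lets a later path segment starting with "certificate" trigger the CA route, alongside a stricter variant of this example's own that keys only on the indirection segment. The pool names, the front-end address and the sample requests are constructed.

```python
import re

# Same regex as the ProxyPassMatch rule in the post. Puppet's REST paths are
# /{environment}/{indirection}/{key}, and the certificate-related indirections
# (certificate, certificate_request, certificate_revocation_list, ...) all
# start with "certificate".
CERT_ROUTE = re.compile(r"^(/.*?)/(certificate.*?)/(.*)$")

# Stricter variant (this example's, not the post's): only the indirection
# segment, i.e. the second path element, may send a request to the CA pool.
STRICT_CERT_ROUTE = re.compile(r"^/[^/]+/certificate[^/]*/.+$")

CA_POOL = "balancer://puppetmaster_ca/"
MAIN_POOL = "balancer://puppetmaster/"
LB_ADDRESS = "10.0.0.1"  # assumed address of the Apache front end


def choose_pool(path, route=CERT_ROUTE):
    """Pick the back-end pool the way ProxyPassMatch followed by ProxyPass / does."""
    return CA_POOL if route.match(path) else MAIN_POOL


def forward(agent_headers, ssl_client_verify, ssl_client_s_dn):
    """Headers the front end hands to a worker.

    'RequestHeader set' replaces any value the agent sent, so the agent's own
    X-Client-* headers never survive; only mod_ssl's verification result does.
    """
    fwd = dict(agent_headers)
    fwd["X-SSL-Subject"] = ssl_client_s_dn
    fwd["X-Client-DN"] = ssl_client_s_dn
    fwd["X-Client-Verify"] = ssl_client_verify
    return fwd


def worker_identity(headers, source_address):
    """The rule a worker must enforce: the identity headers mean something only
    when the request came in through the front end. Puppet's master reads
    ssl_client_header / ssl_client_verify_header from the request as given, so
    a worker reachable from anywhere else accepts whatever is in them.
    """
    if source_address != LB_ADDRESS:
        return None
    if headers.get("X-Client-Verify") != "SUCCESS":
        return None
    return headers.get("X-Client-DN")


# Constructed request: an agent claiming to be the master itself.
AGENT_FORGERY = {"X-Client-Verify": "SUCCESS", "X-Client-DN": "/CN=puppet"}


def demo():
    """Three constructed cases; returns the identity each one ends up with."""
    # 1. Forgery attempted through the front end: mod_ssl saw no client
    #    certificate, so the forged headers are overwritten before forwarding.
    via_lb = forward(AGENT_FORGERY, "NONE", "")
    through_lb = worker_identity(via_lb, LB_ADDRESS)
    # 2. The same forged headers sent straight to an exposed worker from a
    #    host that is not the front end.
    direct = worker_identity(AGENT_FORGERY, "192.0.2.10")
    # 3. A properly verified agent, forwarded by the front end.
    good = worker_identity(
        forward({}, "SUCCESS", "/CN=web01.example.com"), LB_ADDRESS)
    return through_lb, direct, good
```

Case 2 is the one the warning in the reply is about: nothing in the headers themselves distinguishes a forged identity from a real one, so the worker's only defence is never to accept those headers from anywhere but the front end, which in practice means not exposing the workers at all.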
trey85stang
2011-Feb-01 20:19 UTC
[Puppet Users] Re: apache frontend not running puppetmaster.
Jeff,

Thanks for answering this question in detail. It is greatly appreciated. I have everything working as is now but want to get the ssl signing corrected, as I just point to a dedicated CA; if I can get this handled all through the mod_ssl proxy that would be ideal.

I'll post back with any further questions that I may have after digesting the information you have provided me.

Thanks,
Trey