Hi All,

I have two puppet servers using Apache with mod_proxy as the frontend, similar to what's described in Pro Puppet. Unfortunately, Apache mod_proxy is passing the puppetca requests using the loopback IP instead of the original source IP. This is a bit of a security concern when configuring auth.conf! An example stanza in auth.conf:

    # allow certificate management on provisioning server without cert
    path ~ /cert*
    auth no
    allow localhost

With that near the bottom of auth.conf ALL hosts can now perform any API calls matching that path. This is due to puppet using the 127.0.0.1 passed by Apache.

I need one of the following:

1. A way to do IP passthrough in apache such that the correct originating IP is used.
2. Puppet to make use of the X-Forwarded-For header if it exists and to fall back in instances where it doesn't.

Likely the latter is the best method. Please feel free to correct me if I am missing something. I have verified that with the above auth.conf stanza ALL hosts can perform all /cert* related API calls. Additionally here is a log line:

    127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"

That's a request from another server. Here are the Apache configs:

http://pastebin.com/rDKPSjjy

Thanks everyone!
Ryan Bowlby

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 27/01/12 02:14, Ryan Bowlby wrote:
> Hi All,
>
> I have two puppet servers using Apache with mod_proxy as the
> frontend, similar to what's described in Pro Puppet.
> Unfortunately, Apache mod_proxy is passing the puppetca requests using
> the loopback IP instead of the original source IP.

You're not mentioning what stack your masters are running. But if they're running on Apache and Passenger, may I suggest using mod_rpaf?

> This is a bit of a security concern when configuring auth.conf! An
> example stanza in auth.conf:
>
> # allow certificate management on provisioning server without cert
> path ~ /cert*
> auth no
> allow localhost

If you instead make this a certname, then it's secure again.

> With that near the bottom of auth.conf ALL hosts can now perform any
> API calls matching that path. This is due to puppet using the
> 127.0.0.1 passed by Apache.
>
> I need one of the following:
>
> 1. A way to do IP passthrough in apache such that the correct
> originating IP is used.

Configure your mod_proxy to pass the IP in X-Forwarded-For.

> 2. Puppet to make use of the X-Forwarded-For header if it exists and
> to fall back in instances where it doesn't.

And mod_rpaf is what you need, running in your master apache.

> Likely the latter is the best method. Please feel free to correct me
> if I am missing something. I have verified that with the above
> auth.conf stanza ALL hosts can perform all /cert* related API calls.
> Additionally here is a log line:
>
> 127.0.0.1 - - [27/Jan/2012:00:32:00 +0000] "GET /production/certificate_statuses/no_key HTTP/1.1" 200 343 "-" "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
>
> That's a request from another server. Here are the Apache configs:
>
> http://pastebin.com/rDKPSjjy
>
> Thanks everyone!
> Ryan Bowlby

--
Brice Figureau
My Blog: http://www.masterzen.fr/
Thanks Brice, using mod_rpaf fixed the issue!

I've also realized why puppet SHOULD NOT rely on the X-Forwarded-For for determining source information to authorize API access. As soon as I had it working with mod_rpaf I performed an API request with a hostname different than the actual machine:

    malicious host root$ curl -k -H "X-Forwarded-For: trustedhost.domain" -H "Accept: pson" https://puppet.domain:8140/production/certificate_statuses/no_key

Which worked, not too surprising. So while mod_rpaf DID fix the issue it also didn't secure anything. Alas, one should always make use of puppet client certificate based auth, especially when using a proxy that may or may not muddle with the origination information.

Also, for those who find this later: on CentOS 6.x this is available as an RPM in atomic:

    rpm -Uvh http://www6.atomicorp.com/channels/atomic/centos/6/x86_64/RPMS/atomic-release-1.0-14.el6.art.noarch.rpm
    yum -y install mod_rpaf

adding the following to the vhost:

    <VirtualHost *:18142>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1

Now that I know it works I'll likely build an RPM for the local repo, rather than rely on a lesser known repo.

Thanks again,
Ryan Bowlby
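The thread's three situations side by side, as an added example that is not part of any post above: a backend that authorizes by source address sees the proxy's loopback peer for everyone (so `allow localhost` matches all hosts), a trusted-proxy scheme like mod_rpaf's RPAFproxy_ips recovers the real client only when the proxy itself appends to X-Forwarded-For, and a proxy that passes a client-supplied header through untouched lets the backend believe whatever the client wrote. Addresses and the `allowed?`/`effective_client_ip` helpers are constructed for illustration, not Puppet's or mod_rpaf's own code.

```ruby
# Added example (not from the thread). Models how a backend behind a reverse
# proxy decides which address to authorize, using constructed addresses.
require 'ipaddr'

# Trusted-proxy resolution in the spirit of RPAFproxy_ips: only when the TCP
# peer is a listed proxy do we consult X-Forwarded-For, and then we take the
# rightmost hop that is not itself a trusted proxy, because each honest proxy
# appends the peer it saw to the end of the list.
def effective_client_ip(peer_ip, xff_header, trusted_proxies)
  return peer_ip unless trusted_proxies.include?(peer_ip)
  hops = (xff_header || '').split(',').map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless trusted_proxies.include?(hop) }
  peer_ip # header empty or made only of proxies: fall back to the peer
end

# auth.conf-style 'allow' check on an address: 'localhost' is the loopback
# network, '*' is anyone, anything else must match literally.
def allowed?(allow, client_ip)
  case allow
  when '*' then true
  when 'localhost' then IPAddr.new('127.0.0.0/8').include?(client_ip)
  else allow == client_ip
  end
rescue IPAddr::InvalidAddressError
  false # a hostname smuggled in via the header never matches an IP rule
end

PROXY = '127.0.0.1'        # Apache mod_proxy on the same box, as in the thread
REAL_CLIENT = '10.0.0.7'   # constructed: some other host on the network
PROVISIONER = '10.0.0.1'   # constructed: the one host that should pass

def scenarios
  {
    # 1. mod_proxy without mod_rpaf: the peer is always the loopback address,
    #    so 'allow localhost' lets every host hit /cert*.
    no_rpaf: allowed?('localhost', effective_client_ip(PROXY, REAL_CLIENT, [])),
    # 2. mod_rpaf with RPAFproxy_ips 127.0.0.1 and a proxy that appends the
    #    peer it saw: the client's forged first hop is skipped.
    rpaf_honest_proxy: effective_client_ip(PROXY, "trustedhost.domain, #{REAL_CLIENT}", [PROXY]),
    # 3. A proxy that forwards the client's header untouched: the backend now
    #    believes the forged address, so an address rule is no control at all.
    #    This is why the thread ends on certificate-based auth instead.
    rpaf_passthrough: allowed?(PROVISIONER, effective_client_ip(PROXY, PROVISIONER, [PROXY])),
  }
end
```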