opoplawski
2012-Aug-17 23:00 UTC
[Puppet Users] How to modify client authentication in passenger based puppet master behind ssl proxy
I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working, but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current workaround is to allow access to all catalog and node items to the proxy server in auth.conf.

I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection, but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've been unable to modify anything in the apache configuration to change this.

TIA,

Orion

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/o_ybNHvek7AJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Calvin Walton
2012-Aug-19 05:05 UTC
Re: [Puppet Users] How to modify client authentication in passenger based puppet master behind ssl proxy
On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
> I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working, but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current workaround is to allow access to all catalog and node items to the proxy server in auth.conf.
>
> I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection, but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've been unable to modify anything in the apache configuration to change this.

To start with, I'm going to assume that the passenger/apache configuration looks something like this:

http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x

and that your proxy server apache configuration probably looks something like this:

http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration

If you read through, you'll note that the authenticated host information gets passed to puppet through three headers that are set by apache: X-SSL-Subject, X-Client-DN, X-Client-Verify.

The trick to getting your case to work is to edit the puppet master's passenger/apache configuration to pass through the values of these three headers when receiving a request from the proxy server, instead of filling them in from the ssl certificate. I'm not familiar enough with apache to know the exact syntax for this.

Do note that you want to make sure to *only* pass through these headers when receiving a request from the proxy server! Otherwise any client could connect, even on unsecured HTTP, and pretend to be authenticated as whomever it wants by just adding headers to the request.

--
Calvin Walton <calvin.walton@kepstin.ca>
opoplawski
2012-Aug-20 16:03 UTC
Re: [Puppet Users] How to modify client authentication in passenger based puppet master behind ssl proxy
On Saturday, August 18, 2012 11:05:42 PM UTC-6, Calvin Walton wrote:
> On Fri, 2012-08-17 at 16:00 -0700, opoplawski wrote:
> > I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working, but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current workaround is to allow access to all catalog and node items to the proxy server in auth.conf.
> >
> > I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection, but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've been unable to modify anything in the apache configuration to change this.
>
> To start with, I'm going to assume that the passenger/apache configuration looks something like this:
>
> http://docs.puppetlabs.com/guides/passenger.html#apache-configuration-for-puppet-024x
>
> and that your proxy server apache configuration probably looks something like this:
>
> http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel#Apache-Configuration
>
> If you read through, you'll note that the authenticated host information gets passed to puppet through three headers that are set by apache: X-SSL-Subject, X-Client-DN, X-Client-Verify.
>
> The trick to getting your case to work is to edit the puppet master's passenger/apache configuration to pass through the values of these three headers when receiving a request from the proxy server, instead of filling them in from the ssl certificate. I'm not familiar enough with apache to know the exact syntax for this.
>
> Do note that you want to make sure to *only* pass through these headers when receiving a request from the proxy server! Otherwise any client could connect, even on unsecured HTTP, and pretend to be authenticated as whomever it wants by just adding headers to the request.

Yes, my config is very much as described. However, I do not believe that puppet does anything with the X-* headers in this case. I can set them to something completely nonsensical in the apache config (or at least try to) and puppet still sees the ssl client as the authenticating host. The comments above setting those headers mention "Pound", so I suspect they are not used in this configuration.

Unfortunately I'm not familiar enough with the application framework to confirm where the authentication stuff is coming from. I believe it is coming from the SSL_CLIENT_S_DN_CN and/or SSL_CLIENT_S_DN environment variables set by mod_ssl. Also, it appears that it may be impossible to change those variables with SetEnv in the apache config, or perhaps even in another apache module.
opoplawski
2012-Aug-20 17:09 UTC
[Puppet Users] Re: How to modify client authentication in passenger based puppet master behind ssl proxy
What I ended up doing is setting up a second passenger config that only accepts connections from the proxy. This config does *not* set "SSLOption +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy headers. It also is configured to only accept authenticated connections from the proxy.

On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
> I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working, but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current workaround is to allow access to all catalog and node items to the proxy server in auth.conf.
>
> I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection, but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've been unable to modify anything in the apache configuration to change this.
>
> TIA,
>
> Orion
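The trust decision the thread converges on, as an added Ruby example that is not Puppet's or Apache's own code: forwarded X-Client-* headers count only when the TLS peer is the proxy itself, authenticated by its own certificate (Calvin's caveat), and every other connection is judged purely on what mod_ssl established for it (Orion's proxy-only vhost). It assumes the Rack environment names Passenger exposes (mod_ssl's SSL_CLIENT_S_DN / SSL_CLIENT_VERIFY, request headers as HTTP_X_CLIENT_DN / HTTP_X_CLIENT_VERIFY); the proxy CN and the sample request environments are constructed.

```ruby
# Added illustration for this thread, not Puppet's own code. It assumes the
# Rack env names Passenger exposes: SSL_CLIENT_S_DN/SSL_CLIENT_VERIFY come
# from mod_ssl for the actual TLS peer, HTTP_X_CLIENT_* are request headers.

# Constructed example value: the CN in the DMZ proxy's client certificate.
TRUSTED_PROXY_CN = "dmz-proxy.example.com"

# Extract the CN from a subject DN in either mod_ssl string form:
# "/C=US/O=Example/CN=host" (Apache 2.2) or "CN=host,O=Example,C=US" (2.4).
def cn_from_dn(dn)
  return nil if dn.nil?
  m = dn.match(%r{CN\s*=\s*([^,/]+)})
  m && m[1].strip
end

# Returns { node:, authenticated:, via: } for one Rack request env.
def client_identity(env, trusted_proxy_cn: TRUSTED_PROXY_CN)
  peer_cn       = cn_from_dn(env["SSL_CLIENT_S_DN"])
  peer_verified = env["SSL_CLIENT_VERIFY"] == "SUCCESS"

  if peer_verified && peer_cn == trusted_proxy_cn
    # Mutually authenticated TLS from the DMZ proxy: the proxy vouches for
    # the roaming client through the X-Client-* headers it set.
    node = cn_from_dn(env["HTTP_X_CLIENT_DN"])
    ok   = !node.nil? && env["HTTP_X_CLIENT_VERIFY"] == "SUCCESS"
    return { node: node, authenticated: ok, via: :proxy }
  end

  # Anyone else gets only what mod_ssl established for this connection;
  # X-Client-* headers sent by a direct client are ignored, never merged.
  { node: peer_cn, authenticated: peer_verified && !peer_cn.nil?, via: :direct }
end

# Constructed request envs covering the cases discussed in the thread.
SAMPLE_REQUESTS = {
  direct_agent: { "SSL_CLIENT_S_DN" => "/C=US/O=Example/CN=laptop1.example.com",
                  "SSL_CLIENT_VERIFY" => "SUCCESS" },
  direct_spoof: { "SSL_CLIENT_S_DN" => "/C=US/O=Example/CN=laptop1.example.com",
                  "SSL_CLIENT_VERIFY" => "SUCCESS",
                  "HTTP_X_CLIENT_DN" => "CN=puppet.example.com",
                  "HTTP_X_CLIENT_VERIFY" => "SUCCESS" },
  via_proxy:    { "SSL_CLIENT_S_DN" => "/CN=dmz-proxy.example.com",
                  "SSL_CLIENT_VERIFY" => "SUCCESS",
                  "HTTP_X_CLIENT_DN" => "CN=roaming42.example.com,O=Example,C=US",
                  "HTTP_X_CLIENT_VERIFY" => "SUCCESS" },
  plain_http:   { "HTTP_X_CLIENT_DN" => "CN=puppet.example.com",
                  "HTTP_X_CLIENT_VERIFY" => "SUCCESS" },
}

SAMPLE_REQUESTS.each { |n, env| puts "#{n}: #{client_identity(env)}" } if $PROGRAM_NAME == __FILE__
```

The direct_spoof and plain_http cases show why the pass-through must be limited to the proxy: without the peer-certificate check, both would be accepted as puppet.example.com.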
kp-v
2012-Aug-20 18:17 UTC
[Puppet Users] Re: How to modify client authentication in passenger based puppet master behind ssl proxy
I think the best starting point is to read this article: http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/ It explains the entire process. You could use squid to intercept incoming requests, decrypt, then reencrypt with backend headers.

On Monday, August 20, 2012 10:09:21 AM UTC-7, opoplawski wrote:
> What I ended up doing is setting up a second passenger config that only accepts connections from the proxy. This config does *not* set "SSLOption +StdEnvVars" and instead sets the SSL_CLIENT* variables based on the proxy headers. It also is configured to only accept authenticated connections from the proxy.
>
> On Friday, August 17, 2012 5:00:08 PM UTC-6, opoplawski wrote:
>> I've configured our DMZ apache webserver to proxy connections from our roaming users into our internal puppet master running under passenger/apache. Everything is pretty much working, but because I am using SSL between the proxy server and the puppet master, the master treats the connection as authenticated as the proxy. My current workaround is to allow access to all catalog and node items to the proxy server in auth.conf.
>>
>> I'd like to try to get the master to use the ssl authentication information passed by the proxy as the authentication for the connection, but so far have been completely unsuccessful. Does anyone know how this can be done? I've been poking around the code a bit but I haven't been able to find out where the authenticated host information comes from, and I've been unable to modify anything in the apache configuration to change this.
>>
>> TIA,
>>
>> Orion