pdpinfo
2013-Jul-03 10:37 UTC
[Puppet Users] Passenger serving both direct and proxied clients (security standpoint)
Hi Puppetmasters,

I have a working configuration of a "standard" passenger/puppet setup to which I added a second virtual host to be accessed only via reverse proxy (mod_proxy). Passenger and mod_proxy are on different servers.

The scenario is:

  direct:  client --(ssl)--> passenger:8140
  proxied: client --(ssl)--> mod_proxy:8141 --(ssl)--> passenger:8141 (accessible only from proxy IP)

I'm reviewing from a security standpoint. AFAIK the setup should have the same level of security as "standard" passenger and "standard" balanced solutions.

Direct virtual host (8140) has:

  SSLOptions +StdEnvVars
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

Proxied VH (IP limited access) has:

  SetEnvIf X-Client-Verify "(.*)" HTTP_X_CLIENT_VERIFY=$1
  SetEnvIf X-Client-DN "(.*)" HTTP_X_CLIENT_DN=$1
  SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1

Proxy has:

  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

puppet.conf:

  ssl_client_header = HTTP_X_CLIENT_DN
  ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

Do you have similar setups, or any suggestions?

Thank you
Regards
Paolo
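The review question in the post comes down to where each virtual host gets its identity headers from. The following Python model is an added example, not part of Paolo's post or of Puppet or Apache: it mimics the two directives involved (mod_headers `RequestHeader set` replaces any value the client sent; `SetEnvIf` copies an incoming header into an environment variable without consulting TLS state) and a simplified reading of the two puppet.conf settings. `PROXY_IP`, the addresses and the DNs are constructed placeholders, and `puppet_identity` is a simplification of what the Puppet Rack handler does with those variables.

```python
# Added example (not from the post): a model of how the two Apache virtual
# hosts described above turn TLS state and request headers into the
# HTTP_X_CLIENT_DN / HTTP_X_CLIENT_VERIFY variables that puppet.conf names.
# PROXY_IP and every request value below are constructed for the example.

PROXY_IP = "192.0.2.10"   # constructed placeholder for the mod_proxy host


class Request:
    """One HTTP request as seen by a virtual host (constructed inputs)."""

    def __init__(self, remote_addr, headers=None,
                 ssl_client_verify="NONE", ssl_client_s_dn=""):
        self.remote_addr = remote_addr
        self.headers = dict(headers or {})
        # What mod_ssl would export as SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN
        # for this connection ("NONE" when no client certificate was sent).
        self.ssl_client_verify = ssl_client_verify
        self.ssl_client_s_dn = ssl_client_s_dn


def rack_env(headers, remote_addr):
    """Expose request headers the way Rack does: X-Client-DN -> HTTP_X_CLIENT_DN."""
    env = {"REMOTE_ADDR": remote_addr}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def direct_vhost(req):
    """Port 8140: RequestHeader set ... %{SSL_CLIENT_*}e.

    mod_headers 'set' replaces any value the client sent, so the identity
    headers always reflect the TLS handshake on this connection.
    """
    headers = dict(req.headers)
    headers["X-SSL-Subject"] = req.ssl_client_s_dn
    headers["X-Client-DN"] = req.ssl_client_s_dn
    headers["X-Client-Verify"] = req.ssl_client_verify
    return rack_env(headers, req.remote_addr)


def proxied_vhost(req):
    """Port 8141: IP-restricted, then SetEnvIf copies headers into env vars.

    Nothing here consults TLS state; the values come verbatim from whoever
    was allowed to connect, so the IP restriction carries all the trust.
    """
    if req.remote_addr != PROXY_IP:
        return None  # refused by the IP-based access control
    env = rack_env(req.headers, req.remote_addr)
    # SetEnvIf <Header> "(.*)" <VAR>=$1 fires only when the header is present
    for header, var in (("X-Client-Verify", "HTTP_X_CLIENT_VERIFY"),
                        ("X-Client-DN", "HTTP_X_CLIENT_DN"),
                        ("X-Forwarded-For", "REMOTE_ADDR")):
        if header in req.headers:
            env[var] = req.headers[header]
    return env


def puppet_identity(env):
    """Simplified model of ssl_client_header / ssl_client_verify_header:
    the DN is accepted only when the verify variable says SUCCESS.
    Returns None for a refused or unauthenticated request."""
    if env is None or env.get("HTTP_X_CLIENT_VERIFY") != "SUCCESS":
        return None
    return env.get("HTTP_X_CLIENT_DN") or None


def audit():
    """Run the constructed scenarios and report which identity Puppet would see."""
    # Direct client with a certificate the CA verified
    agent = Request("203.0.113.5", ssl_client_verify="SUCCESS",
                    ssl_client_s_dn="CN=agent1.example.com")
    # Direct client without a certificate that sends identity headers itself;
    # 'RequestHeader set' must overwrite them with the real TLS result
    client_headers = Request("203.0.113.6", headers={
        "X-Client-Verify": "SUCCESS", "X-Client-DN": "CN=puppetmaster"})
    # The proxy forwarding a client it authenticated on port 8141
    via_proxy = Request(PROXY_IP, headers={
        "X-Client-Verify": "SUCCESS", "X-Client-DN": "CN=agent2.example.com",
        "X-Forwarded-For": "198.51.100.7"})
    # The same headers arriving from a host that is not the proxy
    not_proxy = Request("203.0.113.7", headers=dict(via_proxy.headers))

    return {
        "direct/valid-cert": puppet_identity(direct_vhost(agent)),
        "direct/header-only": puppet_identity(direct_vhost(client_headers)),
        "proxied/from-proxy": puppet_identity(proxied_vhost(via_proxy)),
        "proxied/not-proxy": puppet_identity(proxied_vhost(not_proxy)),
        "proxied/remote-addr": proxied_vhost(via_proxy)["REMOTE_ADDR"],
    }


if __name__ == "__main__":
    for scenario, result in audit().items():
        print(f"{scenario:22} -> {result}")
```

The model makes the trust boundary explicit: on 8140 the identity is whatever mod_ssl verified on that connection, while on 8141 it is whatever the proxy's own `RequestHeader set` lines produced, so the IP restriction on 8141 and the proxy's `SSLVerifyClient` settings are the only things standing between a header value and a Puppet identity. The `X-Forwarded-For` to `REMOTE_ADDR` rewrite is on the same footing: anything downstream that keys on the client address sees the forwarded value, not the proxy's.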