Bency Tharakan
2013-Aug-22 00:14 UTC
[Puppet Users] ssl offloading on amazon ELB for puppetmasters
Hi,

I'm trying to do SSL offload on Amazon ELB for my puppetmaster servers; it seems Amazon ELB is not sending ssl_client_header & client_verify_header.

puppetmaster

Listen 8141

<VirtualHost *:8141>
    SSLEngine off
    DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/puppetmaster_8141/>
        PassengerEnabled on
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
    SetEnvIf X-Forwarded-Proto "https" HTTPS=1

    SSLProxyEngine On
    # Proxy all requests that start with things like /production/certificate to the CA
    ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetlb.aws.*.co.nz:8141/$1

    ErrorLog /var/log/httpd/puppetmaster.error.log
    CustomLog /var/log/httpd/puppetmaster.access.log combined
</VirtualHost>

puppetca

Listen 8140

<VirtualHost *:8140>
    SSLEngine off
    # Obtain Authentication Information from Client Request Headers
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

    DocumentRoot /etc/puppet/rack/puppetca_8140/public/
    <Directory /etc/puppet/rack/puppetca_8140/>
        # PassengerEnabled on
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/httpd/puppetca.error.log
    CustomLog /var/log/httpd/puppetca.access.log combined
</VirtualHost>

The error I'm getting on the backend node:

[root@ip-10-250-1-152 puppetmaster_18141]# puppet agent --test --no-daemonize
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /node/ip-10-250-1-152.aws.*.co.nz [find] at :125
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [search] at :125
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125 Could not retrieve file metadata for puppet://puppetlb.aws.*.co.nz/plugins: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /catalog/ip-10-250-1-152.aws.*co.nz [find] at :125
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /report/ip-10-250-1-152.aws.*.co.nz [save] at :125

Thanks

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Bency Tharakan
2013-Aug-27 19:40 UTC
[Puppet Users] Re: ssl offloading on amazon ELB for puppetmasters
Just got an update from Amazon support: "ELB only supports adding the X-Forwarded-For and X-Forwarded-Proto. It does not support adding other custom headers and there is no way for ELB to do so."

Cheers

On Thursday, 22 August 2013 12:14:11 UTC+12, Bency Tharakan wrote:
> Hi,
>
> I'm trying to do SSL offload on Amazon ELB for my puppetmaster servers; it seems Amazon ELB is not sending ssl_client_header & client_verify_header.
> [...]
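As an added illustration (not code from the thread, and not Puppet's own code), the Ruby below models what the posted <VirtualHost *:8141> does: its SetEnvIf lines copy whatever arrives in X-Client-Verify and X-SSL-Subject into the SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN variables that the Puppet master's Rack handler otherwise receives from mod_ssl, and the default auth.conf then lets a node fetch its own catalog only when that identity is authenticated. Two front ends are modelled: an ELB HTTPS listener, which per the support answer adds only X-Forwarded-For and X-Forwarded-Proto and passes other client headers through, and a TLS terminator that verifies the agent certificate and sets the headers itself. The node names, IPs, the backend address and the reduced auth.conf rules are constructed for the example; the handler and auth.conf logic are cut down to what the thread's requests exercise.

```ruby
# Added example, not code from the thread or from Puppet: models the posted
# vhost's header-to-identity mapping and what two kinds of front end deliver
# to it. Node names, IPs and requests below are constructed.

NODE_A = 'node-a.example.internal'   # hypothetical agent
NODE_B = 'node-b.example.internal'   # hypothetical second agent

# What the posted <VirtualHost *:8141> does with SetEnvIf: request headers
# become the SSL_* variables the Puppet Rack handler otherwise gets from mod_ssl.
def rack_env(headers, remote_ip)
  env = { 'REMOTE_ADDR' => remote_ip }
  env['SSL_CLIENT_VERIFY'] = headers['X-Client-Verify'] if headers.key?('X-Client-Verify')
  env['SSL_CLIENT_S_DN']   = headers['X-SSL-Subject']   if headers.key?('X-SSL-Subject')
  env['REMOTE_ADDR']       = headers['X-Forwarded-For'] if headers.key?('X-Forwarded-For')
  env['HTTPS']             = '1' if headers['X-Forwarded-Proto'] == 'https'
  env
end

# Puppet 3 Rack handler, reduced: the request is authenticated only when the
# verify variable is SUCCESS and a CN can be read from the subject DN.
def client_identity(env)
  cn = env['SSL_CLIENT_S_DN'].to_s[%r{CN=([^,/]+)}, 1]
  authenticated = env['SSL_CLIENT_VERIFY'] == 'SUCCESS' && !cn.nil?
  { node: authenticated ? cn : nil, authenticated: authenticated, ip: env['REMOTE_ADDR'] }
end

# Default auth.conf, reduced to the endpoints in the thread: a node may fetch
# only its own catalog/node/report, file_metadata needs any authenticated node,
# certificate endpoints are open (the posted vhost proxies those to the CA).
def authorize(identity, path)
  allowed =
    case path
    when %r{\A/[^/]+/(?:catalog|node|report)/([^/]+)\z}
      identity[:authenticated] && identity[:node] == Regexp.last_match(1)
    when %r{\A/[^/]+/file_metadata/} then identity[:authenticated]
    when %r{\A/[^/]+/certificate}    then true
    else false
    end
  allowed ? 200 : 403
end

# Front end 1: an ELB HTTPS listener. Per the Amazon support answer it adds
# X-Forwarded-For and X-Forwarded-Proto and passes other client headers through.
def elb_https_listener(client_headers, client_ip)
  client_headers.merge('X-Forwarded-For' => client_ip, 'X-Forwarded-Proto' => 'https')
end

# Front end 2: a TLS terminator that verifies the agent certificate itself
# (Apache with SSLVerifyClient plus RequestHeader unset/set, say). It drops any
# client-supplied identity headers and sets them from the verified certificate;
# verified_cn is nil when the handshake produced no valid client certificate.
def verifying_terminator(client_headers, client_ip, verified_cn)
  h = client_headers.reject { |k, _| %w[X-Client-Verify X-SSL-Subject].include?(k) }
  h.merge('X-Forwarded-For'   => client_ip,
          'X-Forwarded-Proto' => 'https',
          'X-Client-Verify'   => verified_cn ? 'SUCCESS' : 'NONE',
          'X-SSL-Subject'     => verified_cn ? "/CN=#{verified_cn}" : '')
end

def catalog_path(node)
  "/production/catalog/#{node}"
end

# The backend sees the front end (constructed address) as the TCP peer;
# everything it knows about the agent comes from the forwarded headers.
def decide(forwarded_headers, path)
  authorize(client_identity(rack_env(forwarded_headers, '10.0.0.5')), path)
end

AGENT_IP = '10.250.1.152'
# Headers a client could add itself; harmless only if the front end discards them.
FORGED = { 'X-Client-Verify' => 'SUCCESS', 'X-SSL-Subject' => "/CN=#{NODE_B}" }

# 1. The thread's symptom: a normal agent behind the ELB carries no identity headers.
def elb_normal_agent
  decide(elb_https_listener({}, AGENT_IP), catalog_path(NODE_A))               # 403
end

# 2. Behind a verifying terminator the same agent gets its own catalog and nothing else.
def terminator_own_catalog
  decide(verifying_terminator({}, AGENT_IP, NODE_A), catalog_path(NODE_A))     # 200
end

def terminator_other_catalog
  decide(verifying_terminator({}, AGENT_IP, NODE_A), catalog_path(NODE_B))     # 403
end

# 3. Caveat: the vhost trusts whatever is in the headers, so forged ones pass a
#    pass-through front end but not a terminator that overwrites them.
def elb_forged_headers
  decide(elb_https_listener(FORGED, AGENT_IP), catalog_path(NODE_B))           # 200
end

def terminator_forged_headers
  decide(verifying_terminator(FORGED, AGENT_IP, NODE_A), catalog_path(NODE_B)) # 403
end

if __FILE__ == $PROGRAM_NAME
  %i[elb_normal_agent terminator_own_catalog terminator_other_catalog
     elb_forged_headers terminator_forged_headers].each { |s| puts "#{s}: #{send(s)}" }
end
```

Scenario 1 is the thread's 403: with no identity headers the request is unauthenticated, so /catalog, /node, /report and /file_metadata are all refused while /certificate still works. The last two scenarios are the caveat that belongs with this vhost: because SetEnvIf trusts the incoming header, the identity is only as good as the front end's handling of it. A terminator that verifies the agent certificate must also drop any client-supplied X-Client-Verify / X-SSL-Subject before setting its own (in Apache, RequestHeader unset followed by RequestHeader set from the mod_ssl variables); an ELB HTTPS listener can do neither, which leaves a TCP listener on 8140 so the master terminates TLS itself.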