Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-6366

trusted facts with apache/nginx and puppetmaster unicorn

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 3.8.7
    • Fix Version/s: PUP 4.6.0
    • Component/s: Networking
    • Labels:
      None
    • Environment:

      node and master OpenBSD 6.0-beta, puppet 3.8.7, ruby 2.2.4, nginx-1.10.0, gunicorn 5.0.1

    • Template:
    • Release Notes:
      Not Needed
    • Release Notes Summary:
      Community PR for a deprecated feature. Not worth documenting ¯\_(ツ)_/¯

      Description

      I have gunicorn running behind nginx, but want to make use of trusted facts, but that doesn't seem to work out of the box.

      Some debugging, I found the
      lib/puppet/network/http/rack/rest.rb, esp. the +ExportCertData
      comment in it. This is only available in Apache, so switched to use
      apache in front of unicorn, but still no luck.

      I figured that running unicorn behind apache reverse proxying, the
      environment variable is not available. Therefore I added an additionalheader that gets passed to unicorn: X-SSL-Client-Cert.
      However, that header is sent as single line from Apache to unicorn,
      and not as valid PEM encoded certificate. Therefore the gsub!
      manipulations to restore a valid PEM certificate again. (see the attached patch)

      With the attached patch, it works for Apache, just add this to the vhost configuration:
      RequestHeader set X-SSL-Client-Cert %

      {SSL_CLIENT_CERT}

      e

      With nginx, there is a bit more trouble. Nginx has $ssl_client_cert variable aswell, but nginx passes that variable on as multi-line header. Doh!
      Unicorn doesn't like that at all.

      Therefore have to use nginx lua module, and add this:

      location /

      { set_by_lua $client_cert "if gx.var.ssl_client_raw_cert then return ngx.var.ssl_client_raw_cert:gsub('\\n',' ') end"; proxy_set_header X-SSL-Client-Cert $client_cert; }

      So, that patch makes trusted facts available to the puppetmaster when running
      with unicorn behind apache or nginx.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              buzzdeee Sebastian Reitenbach
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support