Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- PUP 3.8.7
- None
- node and master OpenBSD 6.0-beta, puppet 3.8.7, ruby 2.2.4, nginx-1.10.0, gunicorn 5.0.1
- Not Needed
- Community PR for a deprecated feature. Not worth documenting ¯\_(ツ)_/¯
Description
I have gunicorn running behind nginx, but want to make use of trusted facts, but that doesn't seem to work out of the box.
After some debugging, I found lib/puppet/network/http/rack/rest.rb, esp. the +ExportCertData comment in it. This is only available in Apache, so I switched to using Apache in front of unicorn, but still no luck.
I figured that when running unicorn behind Apache as a reverse proxy, the environment variable is not available. Therefore I added an additional header that gets passed to unicorn: X-SSL-Client-Cert.
However, that header is sent as a single line from Apache to unicorn, and not as a valid PEM-encoded certificate. Hence the gsub! manipulations to restore a valid PEM certificate again (see the attached patch).
With the attached patch, it works for Apache, just add this to the vhost configuration:
RequestHeader set X-SSL-Client-Cert %
e
With nginx, there is a bit more trouble. Nginx has the $ssl_client_cert variable as well, but nginx passes that variable on as a multi-line header. Doh!
Unicorn doesn't like that at all.
Therefore I have to use the nginx lua module, and add this:
location /
{
    # Replace the newlines in the client certificate so it fits in a single-line header
    set_by_lua $client_cert "if ngx.var.ssl_client_raw_cert then return ngx.var.ssl_client_raw_cert:gsub('\\n',' ') end";
    proxy_set_header X-SSL-Client-Cert $client_cert;
}
So, that patch makes trusted facts available to the puppetmaster when running with unicorn behind apache or nginx.
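The attached patch is not reproduced on this page. As an added illustration (not the patch and not Puppet's own code), this Ruby sketch shows one way to rebuild a parseable PEM certificate from the space-flattened X-SSL-Client-Cert value described above. The helper names `cert_from_header` and `sample_cert` are hypothetical, and the certificate is a throwaway self-signed one constructed inline.

```ruby
require 'openssl'

PEM_HEAD = '-----BEGIN CERTIFICATE-----'
PEM_TAIL = '-----END CERTIFICATE-----'

# Rebuild a certificate from a header value in which the proxy replaced
# newlines with spaces. The BEGIN/END markers contain spaces themselves, so
# turning every space back into a newline would corrupt them; instead the
# markers are matched whole and only the base64 body is re-wrapped.
# Returns an OpenSSL::X509::Certificate, or nil when the value is absent or
# is not exactly one well-formed certificate.
def cert_from_header(value)
  return nil if value.nil? || value.strip.empty?
  m = /\A#{PEM_HEAD}(.*)#{PEM_TAIL}\z/m.match(value.strip)
  return nil unless m
  body = m[1].gsub(/\s+/, '') # drop all whitespace inside the base64 body
  return nil unless body.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})
  pem = [PEM_HEAD, *body.scan(/.{1,64}/), PEM_TAIL].join("\n") + "\n"
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Constructed sample input: a short-lived self-signed certificate.
def sample_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  original = sample_cert('node1.example.test')
  header = original.to_pem.strip.gsub("\n", ' ') # what the backend receives
  restored = cert_from_header(header)
  puts "restored subject: #{restored.subject}"
  puts "identical to original: #{restored.to_der == original.to_der}"
end
```

The header is only meaningful when the proxy is the sole path to the backend and always sets X-SSL-Client-Cert itself, as both `RequestHeader set` and `proxy_set_header` do, so a client-supplied value never reaches unicorn.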
Issue Links
- relates to PUP-6365 trusted facts not available when running "puppet master" webrick server (Closed)