Puppet / PUP-6366

trusted facts with apache/nginx and puppetmaster unicorn



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 3.8.7
    • PUP 4.6.0
    • Networking
    • None
    • node and master OpenBSD 6.0-beta, puppet 3.8.7, ruby 2.2.4, nginx-1.10.0, gunicorn 5.0.1

    • Not Needed
    • Community PR for a deprecated feature. Not worth documenting ¯\_(ツ)_/¯


      I have gunicorn running behind nginx, but want to make use of trusted facts, but that doesn't seem to work out of the box.

      After some debugging, I found lib/puppet/network/http/rack/rest.rb,
      esp. the +ExportCertData comment in it. This is only available in
      Apache, so I switched to using Apache in front of unicorn, but still
      no luck.

      I figured that when running unicorn behind Apache as a reverse proxy,
      the environment variable is not available. Therefore I added an
      additional header that gets passed to unicorn: X-SSL-Client-Cert.
      However, that header is sent as a single line from Apache to unicorn,
      and not as a valid PEM-encoded certificate. Hence the gsub!
      manipulations to restore a valid PEM certificate again (see the attached patch).

      With the attached patch, it works for Apache, just add this to the vhost configuration:
      RequestHeader set X-SSL-Client-Cert %



      With nginx, there is a bit more trouble. nginx has a $ssl_client_cert variable as well, but nginx passes that variable on as a multi-line header. Doh!
      Unicorn doesn't like that at all.

      Therefore I have to use the nginx Lua module and add this:

      location / {
          # Flatten the client certificate to one line; unicorn rejects multi-line headers.
          set_by_lua $client_cert "if ngx.var.ssl_client_raw_cert then return ngx.var.ssl_client_raw_cert:gsub('\\n',' ') end";
          proxy_set_header X-SSL-Client-Cert $client_cert;
      }

      So, that patch makes trusted facts available to the puppetmaster when running
      with unicorn behind apache or nginx.
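
Added example, not the attached patch and not Puppet's own code: one way to rebuild a PEM certificate from the single-line X-SSL-Client-Cert header described above, rejecting malformed values. The function names and the self-signed sample certificate are constructed for illustration.

```ruby
require 'openssl'

PEM_HEADER = '-----BEGIN CERTIFICATE-----'
PEM_FOOTER = '-----END CERTIFICATE-----'
PEM_RE = /#{Regexp.escape(PEM_HEADER)}(.*?)#{Regexp.escape(PEM_FOOTER)}/m

# Rebuild a certificate from a header value whose PEM newlines were replaced
# by spaces or removed. Returns OpenSSL::X509::Certificate, or nil when the
# value is missing or malformed (treat nil as "no trusted data").
def cert_from_proxy_header(value)
  m = PEM_RE.match(value.to_s)
  return nil unless m
  body = m[1].gsub(/\s+/, '')                         # drop the proxy's separators
  return nil if body !~ %r{\A[A-Za-z0-9+/]+={0,2}\z}  # base64 alphabet only
  pem = [PEM_HEADER, *body.scan(/.{1,64}/), PEM_FOOTER].join("\n") + "\n"
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Common name of the certificate subject.
def subject_cn(cert)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  entry && entry[1]
end

# Constructed sample: a throwaway self-signed certificate for the demo.
def constructed_sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if $PROGRAM_NAME == __FILE__
  original = constructed_sample_cert
  flattened = original.to_pem.gsub("\n", ' ')         # what the proxy forwards
  restored = cert_from_proxy_header(flattened)
  puts "restored CN: #{subject_cn(restored)}"
  puts "identical DER: #{restored.to_der == original.to_der}"
end
```

The header is only trustworthy when the proxy always overwrites any client-supplied X-SSL-Client-Cert and the unicorn backend is reachable only from that proxy.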


              buzzdeee Sebastian Reitenbach