puppet master as reverse proxy in DMZ

asked 2015-04-01 04:42:26 -0600

confiq

updated 2015-04-07 09:17:10 -0600

We have a few nodes around the globe that should be able to reach the Puppet master in the organization. The quick solution would be to create a reverse proxy in the DMZ and serve from there.

Here is my try:

nginx.conf in DMZ

server {
  listen *:8140;
  server_name ;
  ssl                     on;
  ssl_certificate         /root/tmp/certs/;
  ssl_certificate_key     /root/tmp/private_keys/;
  ssl_client_certificate  /root/tmp/ca/ca_crt.pem;   # CA that signed the agent certificates
  ssl_crl                 /root/tmp/ca/ca_crl.pem;
  ssl_verify_client       optional;                  # agents present a cert, fresh CSR requests do not
  location / {
    proxy_pass  ;
    proxy_set_header    Host             $host;
    proxy_set_header    X-Real-IP        $remote_addr;
    proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
    # result of the client-cert check and the verified DN, forwarded to the master
    proxy_set_header    X-Client-Verify  $ssl_client_verify;
    proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
  }
}

Simple as that. But when I run the following from the DMZ node

curl -H 'Accept: yaml' --cert /var/lib/puppet/ssl/certs/ --key /var/lib/puppet/ssl/private keys/ --cacert /root/tmp/ca/cacrt.pem

I'm getting:

Forbidden request: access to /catalog/ [find] at :136

If I change the DNS of to point at the real master (without using the proxy), then this curl command works.

EDIT: If in auth.conf I configure

path /
auth no

it will work, but if I change auth to yes it will not. For security reasons I must keep auth set to yes; otherwise everybody would be able to use my Puppet master and get facts. Any idea how I'm supposed to make this work? Cheers
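To make the symptom in the question concrete, here is an added Python model (not Puppet's code, and not from the poster) of how a master behind a TLS-terminating proxy decides an auth.conf rule from the forwarded X-Client-Verify and X-SSL-Subject headers. The rule sets, header values and the from_trusted_proxy flag are constructed for the example; the auth yes/no semantics are a paraphrase of Puppet 3 auth.conf, not its implementation.

```python
import re

# Constructed rules in the shape of a Puppet 3 auth.conf entry:
# (path regex, allowed methods, auth, allow).
# "auth yes" rules apply only to requests carrying a verified client certificate,
# "auth no" rules only to requests without one; "$1" means the first regex group
# must equal the client's certname, so a node may only fetch its own catalog.
SECURE_RULES = [
    (r"^/catalog/([^/]+)$", {"find"}, "yes", "$1"),
    (r"^/node/([^/]+)$", {"find"}, "yes", "$1"),
]

# The workaround from the question's EDIT: a "path / auth no" catch-all in front.
OPEN_RULES = [(r"^/", {"find", "search", "save", "destroy"}, "no", "*")] + SECURE_RULES


def client_identity(headers, from_trusted_proxy):
    """Return the certname the master may rely on, or None.

    With TLS terminated at nginx, the master only learns about the client
    certificate through the X-Client-Verify / X-SSL-Subject headers the proxy
    sets after verifying it. A master that has not been configured to trust
    those headers (from_trusted_proxy=False, a constructed flag) treats every
    forwarded request as unauthenticated, which is the situation in the question.
    """
    if not from_trusted_proxy:
        return None
    if headers.get("X-Client-Verify") != "SUCCESS":
        return None
    # $ssl_client_s_dn looks like "/C=../CN=name" in older nginx and "CN=name,O=.." in newer ones
    match = re.search(r"CN=([^/,]+)", headers.get("X-SSL-Subject", ""))
    return match.group(1) if match else None


def authorize(path, method, headers, from_trusted_proxy, rules=SECURE_RULES):
    """First matching rule decides; no match is the default deny.

    Returns (allowed, reason); the deny reason mirrors the message in the question.
    """
    identity = client_identity(headers, from_trusted_proxy)
    for pattern, methods, auth, allow in rules:
        match = re.match(pattern, path)
        if not match or method not in methods:
            continue
        if auth == "yes" and identity is None:
            continue  # rule only covers authenticated requests
        if auth == "no" and identity is not None:
            continue  # rule only covers unauthenticated requests
        if allow == "*":
            return True, "allowed to anyone by wildcard rule"
        if allow == "$1" and match.group(1) == identity:
            return True, f"allowed: {identity} requested its own resource"
        return False, f"Forbidden request: {identity!r} is not allowed on {path}"
    return False, f"Forbidden request: access to {path} [{method}]"


# Constructed headers as the nginx config above would forward them for a node
# whose certificate verified against ca_crt.pem.
NODE1_HEADERS = {
    "X-Client-Verify": "SUCCESS",
    "X-SSL-Subject": "/CN=node1.example.com",
    "X-Forwarded-For": "198.51.100.7",
}

if __name__ == "__main__":
    # The question's symptom: the master ignores the forwarded headers, so the
    # request is unauthenticated and the auth-yes catalog rule never matches.
    print(authorize("/catalog/node1.example.com", "find", NODE1_HEADERS, False))
    # Master configured to trust the proxy's headers: node1 gets its own catalog.
    print(authorize("/catalog/node1.example.com", "find", NODE1_HEADERS, True))
    # The "auth no" workaround lets a request with no certificate through as well.
    print(authorize("/catalog/node1.example.com", "find", {}, True, OPEN_RULES))
```

The three calls at the bottom reproduce the question's three situations: the default deny that produces "Forbidden request: access to /catalog/... [find]", the intended outcome once the master accepts the proxy's verification headers, and the "auth no" catch-all that also admits requests carrying no certificate at all, which is why the poster cannot keep it.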

1 Answer

answered 2015-04-01 11:40:24 -0600

GregLarkin

updated 2015-04-02 09:19:12 -0600 by csharpsteen

It looks like you need to grant access to your DMZ host so it can access the HTTP endpoints on your Puppet master. Have a look at this page for how to configure the auth.conf file on your Puppet master to do that:

Hi Greg, yes, I tried that. I've updated the question. As long as auth=yes it will not work. If I change to auth=no it will work, but then I have a security breach...

confiq (2015-04-02 03:42:58 -0600)

Before we go any further, did you follow the instructions here to reconfigure your Puppet master to allow nginx to handle SSL in the DMZ?

GregLarkin (2015-04-08 21:37:00 -0600)
