puppet master as reverse proxy in DMZ

asked 2015-04-01 04:42:26 -0500 by confiq

updated 2015-04-07 09:17:10 -0500

We have a few nodes around the globe that need to be able to reach the Puppet master in the organization. The quick solution would be to create a reverse proxy in the DMZ and serve from there.

Here is my try:

nginx.conf in the DMZ:

server {
  listen *:8140;
  server_name             puppet.X.com;
  ssl                     on;
  # Server certificate/key presented to the agents (issued by the Puppet CA)
  ssl_certificate         /root/tmp/certs/master.x.com.pem;
  ssl_certificate_key     /root/tmp/private_keys/master.x.com.pem;
  # Puppet CA used to verify agent client certificates, plus its CRL
  ssl_client_certificate  /root/tmp/ca/ca_crt.pem;
  ssl_crl                 /root/tmp/ca/ca_crl.pem;
  # optional: unauthenticated requests (e.g. certificate signing) still get through
  ssl_verify_client       optional;
  location / {
    proxy_pass            https://master.x.com:8140;
    proxy_set_header      Host             $host;
    proxy_set_header      X-Real-IP        $remote_addr;
    proxy_set_header      X-Forwarded-For  $proxy_add_x_forwarded_for;
    # Pass the client-certificate verification result and DN on to the master
    proxy_set_header      X-Client-Verify  $ssl_client_verify;
    proxy_set_header      X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header      X-SSL-Issuer     $ssl_client_i_dn;
  }
}

Simple as that. But when I run the following from the DMZ node:

curl -H 'Accept: yaml' https://puppet.x.com:8140/production/... --cert /var/lib/puppet/ssl/certs/dmz-hub.x.com.pem --key /var/lib/puppet/ssl/private_keys/dmz-hub.x.com.pem --cacert /root/tmp/ca/ca_crt.pem

I'm getting:

Forbidden request: dmz-hub.x.com(192.168.38.2) access to /catalog/dmz-hub.x.com [find] at :136

If I change the DNS for puppet.x.com to point at the real master (without using the proxy), then this curl command works.

EDIT: If I configure this in auth.conf:

path /
auth no
allow_ip 192.168.38.2

it works, but if I change auth to yes it does not. For security reasons I must keep auth set to yes, otherwise everybody would be able to use my Puppet master and get facts. Any idea how I'm supposed to make this work? Cheers


1 Answer


answered 2015-04-01 11:40:24 -0500 by GregLarkin

updated 2015-04-02 09:19:12 -0500 by csharpsteen

It looks like you need to grant access to your DMZ host so it can access the HTTP endpoints on your Puppet master. Have a look at this page for how to configure the auth.conf file on your Puppet master to do that: https://docs.puppetlabs.com/guides/rest_auth_conf.html


Comments

Hi Greg, yes, I tried that. I've updated the question. As long as auth=yes it will not work. If I change auth=no it will work, but then I have a security breach...

confiq (2015-04-02 03:42:58 -0500)

Before we go any further, did you follow the instructions here to reconfigure your Puppet master to allow nginx to handle SSL in the DMZ? https://docs.puppetlabs.com/puppetserver/latest/external_ssl_termination.html

GregLarkin (2015-04-08 21:37:00 -0500)
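The security point behind the linked external-SSL-termination setup, as an added example that is not part of the thread and not Puppet's own code: once nginx terminates TLS, the master never sees the agent's certificate. It only sees whatever headers the proxy chose to forward, so it has to be told which headers carry the verification result and the subject DN (on a Rack-hosted Puppet 3 master the puppet.conf settings ssl_client_header and ssl_client_verify_header; on Puppet Server the allow-header-cert-info setting, which then reads X-Client-DN, X-Client-Verify and X-Client-Cert). Turning auth off and allowing the proxy's IP instead, as in the EDIT above, means every agent arriving through the proxy looks like 192.168.38.2 and can request any node's catalog and facts. The Ruby below models the two checks a master behind such a proxy needs: accept the forwarded headers only from the proxy, and only treat a SUCCESS verification as an identity. The header names are taken from the nginx config in the question as Rack would expose them, the trusted proxy address is the one from the question, the catalog rule is a stand-in for the default auth.conf rule that lets a node fetch only its own catalog, and the sample requests are constructed, not captured traffic.

```ruby
require 'ipaddr'

# Addresses the master accepts forwarded certificate headers from. Assumption:
# only the DMZ nginx host from the question; anything else is untrusted.
TRUSTED_PROXIES = ['192.168.38.2'].map { |a| IPAddr.new(a) }.freeze

# nginx's "X-Client-Verify" / "X-SSL-Subject" headers as a Rack env exposes them.
VERIFY_HEADER  = 'HTTP_X_CLIENT_VERIFY'.freeze
SUBJECT_HEADER = 'HTTP_X_SSL_SUBJECT'.freeze

# True only when the TCP peer is one of the trusted proxies. Without this check
# anyone who can reach the master directly could forge X-Client-Verify: SUCCESS.
def from_trusted_proxy?(env)
  addr = env['REMOTE_ADDR']
  return false if addr.nil?
  ip = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |proxy| proxy.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# Extract the CN from an nginx $ssl_client_s_dn value. nginx 1.11.6+ emits
# RFC 2253 form ("CN=dmz-hub.x.com,O=Puppet"); older releases emit the legacy
# slash form ("/O=Puppet/CN=dmz-hub.x.com"). Escaped separators are not handled.
def common_name(dn)
  return nil if dn.nil? || dn.empty?
  parts = dn.start_with?('/') ? dn[1..-1].split('/') : dn.split(',')
  cn = parts.map(&:strip).find { |part| part.start_with?('CN=') }
  cn && cn[3..-1]
end

# The node identity for this request, or nil if the request is unauthenticated.
# A FAILED:... or NONE verification (ssl_verify_client optional) yields nil.
def authenticated_node(env)
  return nil unless from_trusted_proxy?(env)
  return nil unless env[VERIFY_HEADER] == 'SUCCESS'
  common_name(env[SUBJECT_HEADER])
end

# Stand-in for the default auth.conf catalog rule: a node may "find" only its
# own catalog, and nothing is reachable without an authenticated identity.
def authorized?(env, node)
  return false if node.nil?
  match = env['PATH_INFO'].to_s.match(%r{\A/catalog/([^/]+)\z})
  !match.nil? && match[1] == node
end

def decide(env)
  node = authenticated_node(env)
  authorized?(env, node) ? "allow #{node}" : 'forbidden'
end

# Constructed sample requests (assumed, not captured from any real master).
SAMPLE_REQUESTS = {
  'via proxy, verified, own catalog' => {
    'REMOTE_ADDR' => '192.168.38.2', 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_X_SSL_SUBJECT' => 'CN=dmz-hub.x.com,O=Puppet', 'PATH_INFO' => '/catalog/dmz-hub.x.com'
  },
  'via proxy, legacy DN form' => {
    'REMOTE_ADDR' => '192.168.38.2', 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_X_SSL_SUBJECT' => '/O=Puppet/CN=dmz-hub.x.com', 'PATH_INFO' => '/catalog/dmz-hub.x.com'
  },
  'via proxy, no client cert presented' => {
    'REMOTE_ADDR' => '192.168.38.2', 'HTTP_X_CLIENT_VERIFY' => 'NONE',
    'HTTP_X_SSL_SUBJECT' => '', 'PATH_INFO' => '/catalog/dmz-hub.x.com'
  },
  'direct to master with forged headers' => {
    'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_X_SSL_SUBJECT' => 'CN=dmz-hub.x.com,O=Puppet', 'PATH_INFO' => '/catalog/dmz-hub.x.com'
  },
  'via proxy, verified, another node\'s catalog' => {
    'REMOTE_ADDR' => '192.168.38.2', 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
    'HTTP_X_SSL_SUBJECT' => 'CN=dmz-hub.x.com,O=Puppet', 'PATH_INFO' => '/catalog/db01.x.com'
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each { |label, env| puts format('%-42s %s', label, decide(env)) }
end
```

The REMOTE_ADDR check is the part the puppet.conf / Puppet Server settings do not do for you: once the master trusts a header for identity, the master must be reachable only from the proxy (firewall or bind address), or the header becomes an authentication bypass. Also worth checking against the config in the question: Puppet Server expects the subject in X-Client-DN, not X-SSL-Subject, unless you rename the header on the nginx side.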
