Revision b39a2d0a
Added by William Hefter about 9 years ago
README.md | ||
---|---|---|
EOF
|
||
puppet apply install.pp --modulepath /path_to/extracted_tarball
|
||
|
||
# Advanced scenarios
|
||
|
||
An HTTP (non-SSL) puppetmaster instance can be set up (standalone or in addition to
|
||
the SSL instance) by setting the `server_http` parameter to `true`. This is useful for
|
||
reverse proxy or load balancer scenarios where the proxy/load balancer takes care of SSL
|
||
termination. The HTTP puppetmaster instance expects the `X-Client-Verify`, `X-SSL-Client-DN`
|
||
and `X-SSL-Subject` HTTP headers to have been set on the front end server.
|
||
|
||
The listening port can be configured by setting `server_http_port` (which defaults to 8139).
|
||
|
||
By default, this HTTP instance accepts no connection (`deny all` in the `<Directory>`
|
||
snippet). Allowed hosts can be configured by setting the `server_http_allow` parameter
|
||
(which expects an array).
|
||
|
||
** Note that running an HTTP puppetmaster is a huge security risk when improperly
|
||
configured. Allowed hosts should be tightly controlled; anyone with access to an allowed
|
||
host can access all client catalogues and client certificates. **
|
||
|
||
# Configure an HTTP puppetmaster vhost in addition to the standard SSL vhost
|
||
class { '::puppet':
|
||
server => true,
|
||
server_http => true,
|
||
server_http_port => 8130, # default: 8139
|
||
server_http_allow => ['10.20.30.1', 'puppetbalancer.my.corp'],
|
||
}
|
||
|
||
# Contributing
|
||
|
||
* Fork the project
|
manifests/init.pp | ||
---|---|---|
# $server_ca:: Provide puppet CA
|
||
# type:boolean
|
||
#
|
||
# $server_http:: Should the puppet master listen on HTTP as well as HTTPS.
|
||
# Useful for load balancer or reverse proxy scenarios. Note that
|
||
# the HTTP puppet master denies access from all clients by default,
|
||
# allowed clients must be specified with $server_http_allow.
|
||
# type:boolean
|
||
#
|
||
# $server_http_port:: Puppet master HTTP port; defaults to 8139.
|
||
# type:integer
|
||
#
|
||
# $server_http_allow:: Array of allowed clients for the HTTP puppet master. Passed
|
||
# to Apache's 'Allow' directive.
|
||
# type:array
|
||
#
|
||
# $server_reports:: List of report types to include on the puppetmaster
|
||
#
|
||
# $server_implementation:: Puppet master implementation, either "master" (traditional
|
||
... | ... | |
$server_dir = $puppet::params::dir,
|
||
$server_port = $puppet::params::port,
|
||
$server_ca = $puppet::params::server_ca,
|
||
$server_http = $puppet::params::server_http,
|
||
$server_http_port = $puppet::params::server_http_port,
|
||
$server_http_allow = $puppet::params::server_http_allow,
|
||
$server_reports = $puppet::params::server_reports,
|
||
$server_implementation = $puppet::params::server_implementation,
|
||
$server_passenger = $puppet::params::server_passenger,
|
||
... | ... | |
validate_bool($server)
|
||
validate_bool($allow_any_crl_auth)
|
||
validate_bool($server_ca)
|
||
validate_bool($server_http)
|
||
validate_bool($server_passenger)
|
||
validate_bool($server_git_repo)
|
||
validate_bool($server_service_fallback)
|
||
... | ... | |
if $server_puppetdb_host {
|
||
validate_string($server_puppetdb_host)
|
||
}
|
||
|
||
if $server_http {
|
||
validate_array($server_http_allow)
|
||
}
|
||
|
||
validate_string($service_name)
|
||
|
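Review bot: `$server_http_port` is accepted without any check at L164 and later handed to the Apache vhost, while the neighbouring new parameters get `validate_bool($server_http)` and `validate_array($server_http_allow)`; a malformed value only fails later inside the apache module with a less useful message. A check in the style this file already uses would be `validate_re("${server_http_port}", '^\d+$', 'server_http_port must be an integer')` inside the `if $server_http {` block at L213-L219 (or `validate_integer` if the module's stdlib dependency is recent enough to provide it). The `validate_array` check does not look at the elements, which passenger.pp joins unescaped into an Apache `Allow from` line, so an entry containing whitespace or a newline could turn into additional directives; a per-entry `validate_re` restricted to IP/CIDR/hostname characters would close that. The `$server_http_allow` doc comment could also carry the README's caveat, e.g. `# Every listed host can forge client identity on the HTTP vhost; keep this list minimal.`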
manifests/params.pp | ||
---|---|---|
$server_certname = $::clientcert
|
||
$server_strict_variables = false
|
||
$server_rack_arguments = []
|
||
$server_http = false
|
||
$server_http_port = 8139
|
||
$server_http_allow = []
|
||
|
||
# Need a new master template for the server?
|
||
$server_template = 'puppet/server/puppet.conf.erb'
|
manifests/server/passenger.pp | ||
---|---|---|
$ssl_chain = $::puppet::server::ssl_chain,
|
||
$ssl_dir = $::puppet::server_ssl_dir,
|
||
$puppet_ca_proxy = $::puppet::server_ca_proxy,
|
||
$user = $::puppet::server_user
|
||
$user = $::puppet::server_user,
|
||
$http = $::puppet::server_http,
|
||
$http_port = $::puppet::server_http_port,
|
||
$http_allow = $::puppet::server_http_allow,
|
||
) {
|
||
include ::puppet::server::rack
|
||
include ::apache
|
||
... | ... | |
}
|
||
}
|
||
|
||
$directory = {
|
||
'path' => "${app_root}/public/",
|
||
'passenger_enabled' => 'On',
|
||
}
|
||
|
||
$directories = [
|
||
{
|
||
'path' => "${app_root}/public/",
|
||
'passenger_enabled' => 'On',
|
||
},
|
||
$directory,
|
||
]
|
||
|
||
# The following client headers allow the same configuration to work with Pound.
|
||
... | ... | |
require => Class['::puppet::server::rack'],
|
||
}
|
||
|
||
if $http {
|
||
$directories_http = [
|
||
merge($directory, {
|
||
'custom_fragment' => join([
|
||
'Order deny,allow',
|
||
'Deny from all',
|
||
inline_template("<%- if @http_allow and Array(@http_allow).join(' ') != '' -%>Allow from <%= @http_allow.join(' ') %><%- end -%>"),
|
||
], "\n")
|
||
}),
|
||
]
|
||
|
||
apache::vhost { 'puppet-http':
|
||
docroot => "${app_root}/public/",
|
||
directories => $directories_http,
|
||
port => $http_port,
|
||
custom_fragment => join([
|
||
$custom_fragment ? {
|
||
undef => '',
|
||
default => $custom_fragment
|
||
},
|
||
'SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1',
|
||
'SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1',
|
||
], "\n"),
|
||
options => ['None'],
|
||
require => Class['::puppet::server::rack'],
|
||
}
|
||
}
|
||
}
|
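Review bot: The access control for the HTTP vhost at L360-L366 is written as raw `Order deny,allow` / `Deny from all` / `Allow from` text inside a `custom_fragment`; these are Apache 2.2 directives that on Apache 2.4 work only with mod_access_compat loaded and interact poorly with any `Require` directives puppetlabs-apache emits for the same `<Directory>`, so the module's own directory keys (or `Require all denied` plus `Require ip`/`Require host` entries on 2.4) would be more robust than hand-assembled config. Since that `Allow from` list is the only thing preventing a caller from forging the identity headers that the `SetEnvIf` lines at L407-L410 copy into `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN`, I would add above them: `# The front end must set these headers unconditionally, overwriting anything the client sent; any host that passes the Allow list can otherwise impersonate an agent by supplying them itself.` The README names `X-SSL-Subject` as a third expected header, but only `X-Client-Verify` and `X-SSL-Client-DN` are mapped here; if the SSL vhost fragment (cut off above L339) maps a third header, the HTTP vhost should match it, otherwise the README should drop it. Hostnames in `$http_allow`, as in the README example, make Apache perform double-reverse DNS lookups per request and tie access control to DNS integrity; IP or CIDR entries are the safer choice and could be recommended in a comment near L366.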
Add options to let the puppet master listen for HTTP connections too (load balancer/reverse proxy scenarios), protected by default Deny all.