Nginx SSL headers for unicorn and puppet
April 26, 2011 01:34PM
I am struggling to set up a puppet master server in NginX with a Unicorn backend. The standalone puppet server is working properly, and so is the nginx -> unicorn -> puppet configuration without the default certificate authentication (that is, with the path / auth no allow * directive set in puppet's auth.conf). But the standard model of authenticating via .pem certificates gives me 403 errors:

*err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: ipx-x-x-x.no.no.cox.net(x.x.x.x) access to /catalog/x.no.cox.net [find] at line 93

This is my nginx config for this:

#################################
upstream puppetmaster_unicorn {
    server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
}

server {
    listen 8140;

    ssl on;
    ssl_session_timeout 5m;
    ssl_certificate /etc/puppet/ssl/certs/srv2.vladgh.com.pem;
    ssl_certificate_key /etc/puppet/ssl/private_keys/srv2.vladgh.com.pem;
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_verify_client optional;

    root /usr/share/empty;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    proxy_read_timeout 120;

    location / {
        proxy_pass http://puppetmaster_unicorn;
        proxy_redirect off;
    }
}
#################################

Does anyone know a better way to do this, and to set the right headers in nginx?

Thank you in advance,
Vlad.

http://VladGh.com
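
An added example, not part of the original post and not Puppet's own code: a Ruby model of how a Rack application behind the nginx config above could interpret the `X-Client-Verify` and `X-Client-DN` headers, which helps when checking what the backend actually receives. The method names and sample values are hypothetical, and it goes beyond the post by accepting both subject DN formats nginx can emit (legacy slash-separated, and RFC 2253 from nginx 1.11.6 on).

```ruby
# Added example; method names are hypothetical and sample values are constructed.

# Extract the CN from a subject DN as nginx passes it in $ssl_client_s_dn:
#   legacy:   "/C=US/O=Example/CN=agent1.example.com"
#   RFC 2253: "CN=agent1.example.com,O=Example,C=US"
def cn_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  # Legacy DNs start with "/"; RFC 2253 DNs are split on unescaped commas.
  parts = dn.start_with?('/') ? dn.split('/') : dn.split(/(?<!\\),/)
  parts.each do |rdn|
    key, value = rdn.strip.split('=', 2)
    next if key.nil? || value.nil? || value.empty?
    return value.downcase if key.casecmp('CN').zero?
  end
  nil
end

# Decide from the Rack env whether the request is certificate-authenticated.
# Rack exposes the request header "X-Client-Verify" as HTTP_X_CLIENT_VERIFY.
def client_identity(env)
  verify = env['HTTP_X_CLIENT_VERIFY'].to_s
  cn = cn_from_dn(env['HTTP_X_CLIENT_DN'])
  # With "ssl_verify_client optional", nginx sends NONE when no certificate
  # was presented and FAILED (FAILED:reason on newer versions) when it did
  # not validate. Only an exact SUCCESS plus a usable CN counts.
  authenticated = (verify == 'SUCCESS') && !cn.nil?
  { authenticated: authenticated, node: (authenticated ? cn : nil), verify: verify }
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    { 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
      'HTTP_X_CLIENT_DN' => '/C=US/O=Example/CN=agent1.example.com' },
    { 'HTTP_X_CLIENT_VERIFY' => 'NONE' },
    { 'HTTP_X_CLIENT_VERIFY' => 'FAILED',
      'HTTP_X_CLIENT_DN' => 'CN=agent2.example.com,O=Example,C=US' }
  ]
  samples.each { |env| puts client_identity(env).inspect }
end
```

Because nginx sets these headers with `proxy_set_header`, values a client sends under the same names are overwritten before they reach the backend, provided the backend socket is reachable only through nginx.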