I am struggling to set up a puppet master server in nginx with a Unicorn backend. The standalone puppet server is working properly, and so is the nginx -> unicorn -> puppet configuration without the default certificate authentication (that is, with a "path /" stanza with "auth no" and "allow *" set in puppet's auth.conf). But the standard model of authenticating via .pem certificates gives me 403 errors:
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: ipx-x-x-x.no.no.cox.net(x.x.x.x) access to /catalog/x.no.cox.net [find] at line 93
This is my nginx config for this:
#################################
# Unicorn backend reached over a Unix socket
upstream puppetmaster_unicorn {
    server unix:/var/run/puppet/puppetmaster_unicorn.sock fail_timeout=0;
}

server {
    listen 8140;
    ssl on;
    ssl_session_timeout 5m;

    # Server certificate/key issued by the puppet CA
    ssl_certificate     /etc/puppet/ssl/certs/srv2.vladgh.com.pem;
    ssl_certificate_key /etc/puppet/ssl/private_keys/srv2.vladgh.com.pem;

    # CA used to verify agent client certificates
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;

    # Optional so that agents without a cert can still reach
    # /certificate_request; the backend decides per path
    ssl_verify_client optional;

    root /usr/share/empty;

    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Result of client cert verification and the cert's subject/issuer,
    # passed to puppet so it can identify the node
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN     $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer    $ssl_client_i_dn;

    proxy_read_timeout 120;

    location / {
        proxy_pass http://puppetmaster_unicorn;
        proxy_redirect off;
    }
}
#################################
Does anyone know a better way to do this, and to set the right headers in nginx?
Thank you in advance,
Vlad.
http://VladGh.com
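As an added illustration (not part of the post above and not Puppet's own code), the following Python models what happens behind the nginx config in the post: the proxy overwrites the X-Client-Verify and X-Client-DN headers from the TLS layer, the backend derives the node's certname from the CN of the forwarded DN, and an auth.conf-style policy only lets a node fetch /catalog/<its own certname>. The rule set, the header names and the DN samples are constructed for the example; the DN parser accepts both the slash-separated and the comma-separated formats nginx has used for $ssl_client_s_dn.

```python
import re
from typing import Dict, List, Mapping, Optional, Pattern, Set, Tuple

# Header names forwarded by the nginx config in the post
VERIFY_HEADER = "X-Client-Verify"
DN_HEADER = "X-Client-DN"


def forward_headers(incoming: Mapping[str, str], ssl_verify: str, ssl_dn: str) -> Dict[str, str]:
    """Mimic proxy_set_header: any X-Client-* value supplied by the client is
    dropped and replaced with what the TLS layer actually observed, so a client
    cannot assert its own identity in a header."""
    out = {k: v for k, v in incoming.items() if not k.lower().startswith("x-client-")}
    out[VERIFY_HEADER] = ssl_verify  # "SUCCESS", "FAILED:...", or "NONE"
    out[DN_HEADER] = ssl_dn          # subject DN of the presented certificate, "" if none
    return out


def client_certname(headers: Mapping[str, str]) -> Optional[str]:
    """Return the CN of the client certificate, but only when the proxy reported
    a successful verification; otherwise the request is anonymous."""
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return None
    dn = headers.get(DN_HEADER, "")
    # "/C=NO/CN=host" (older nginx) or "CN=host,O=Org" (RFC 2253 style)
    m = re.search(r"(?:^|[/,]\s*)CN=([^/,]+)", dn)
    return m.group(1).strip() if m else None


# Constructed policy resembling auth.conf defaults:
# (path pattern, allowed methods, allow anonymous?, allow-spec)
# allow-spec "$1" means "only the node named in the path", "*" means any node.
RULES: List[Tuple[Pattern[str], Set[str], bool, str]] = [
    (re.compile(r"^/catalog/([^/]+)$"), {"find"}, False, "$1"),
    (re.compile(r"^/certificate/ca$"), {"find"}, True, "*"),
    (re.compile(r"^/certificate/"), {"find"}, True, "*"),
    (re.compile(r"^/certificate_request"), {"find", "save"}, True, "*"),
]


def authorize(path: str, method: str, certname: Optional[str]) -> int:
    """First matching rule decides; anything unmatched is forbidden (403)."""
    for pattern, methods, anonymous_ok, allow in RULES:
        m = pattern.match(path)
        if not m or method not in methods:
            continue
        if certname is None and not anonymous_ok:
            return 403
        if allow == "*":
            return 200
        return 200 if certname == m.group(1) else 403
    return 403


def handle(incoming: Mapping[str, str], ssl_verify: str, ssl_dn: str, path: str, method: str) -> int:
    """Full path: proxy rewrites headers, backend extracts identity, policy decides."""
    hdrs = forward_headers(incoming, ssl_verify, ssl_dn)
    return authorize(path, method, client_certname(hdrs))


if __name__ == "__main__":
    # Constructed sample requests
    print(handle({}, "SUCCESS", "/C=NO/CN=x.no.cox.net", "/catalog/x.no.cox.net", "find"))   # 200
    print(handle({}, "SUCCESS", "CN=other.no.cox.net,O=lab", "/catalog/x.no.cox.net", "find"))  # 403
    spoof = {"X-Client-Verify": "SUCCESS", "X-Client-DN": "CN=x.no.cox.net"}
    print(handle(spoof, "NONE", "", "/catalog/x.no.cox.net", "find"))      # 403, headers overwritten
    print(handle(spoof, "NONE", "", "/certificate_request/x.no.cox.net", "save"))  # 200, anonymous ok
```

The point worth checking in a real deployment is the same as in the model: the backend must read the identity only from headers the proxy sets unconditionally, and a client-supplied X-Client-DN must never survive the proxy hop.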