I am currently trying to use NGINX to offload some of the file-serving work done by puppet (as shown here: http://www.masterzen.fr/2010/03/21/more-puppet-offloading/), but I keep getting 403 errors on file and directory retrieval.
One thing that does fix it is adding "auth any" to the first definition in my auth.conf, but as far as I understand, that completely disables client verification?
So, am I not passing all the required headers through NGINX, or is something else wrong? The config files are below.
/etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
server = Puppet.xServ
pluginsync=false
external_nodes = /usr/sbin/external_nodes
node_terminus = exec
[master]
certname = puppet.xserv
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
/etc/puppet/auth.conf
path ~ ^/catalog/([^/]+)$
method find
allow localhost
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
path /file
allow *
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
path /
auth any
/etc/puppet/fileserver.conf
[modules]
allow *
/etc/nginx/sites.d/puppet.conf
server {
    listen 8140;
    ssl on;
    ssl_session_timeout 5m;
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.xserv.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.xserv.pem;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_verify_client optional;
    root /etc/puppet;

    # make sure we serve everything
    # as raw
    types { }
    default_type application/x-raw;

    # ask the puppetmaster for everything else
    location / {
        proxy_pass https://127.0.0.1:8141;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_buffer_size 16k;
        proxy_buffers 8 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_read_timeout 65;
    }
}
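As an added illustration (my own example, not code from the question, the linked article or Puppet itself), here is a small Python evaluator for the auth.conf rules posted above, written to the documented auth.conf semantics: rules are tried in order, the first rule whose path, auth setting and method all match decides, and `auth yes` (the default) covers only requests the master regards as authenticated with a client certificate. It shows why a file request that the master does not see as authenticated skips `path /file`, falls through to `path /` (which allows nobody) and is refused, and why adding `auth any` to the `/file` rule lets the same unverified request through, which is the trade-off the question worries about. The request paths and certnames are constructed values.

```python
"""Added example, not from the question or from Puppet: a minimal evaluator
for the auth.conf rules above.  Assumed semantics (Puppet's documented
auth.conf behaviour): rules are tried in order and the first one whose path,
auth and method all match decides; no match means deny.  'path X' is a prefix
match, 'path ~ RE' a regex match.  'auth yes' (default) covers only requests
with a verified client certificate, 'auth no' only unverified ones, 'auth any'
both.  'allow *' admits everyone, 'allow $1' the certname captured by the regex.
"""
import re

# The auth.conf from the question, embedded here for the demo (constructed copy).
AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow localhost
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
path /file
allow *
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
path /
auth any
"""


def parse_auth_conf(text):
    """Parse auth.conf text into an ordered list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            is_regex = value.startswith("~")
            rules.append({
                "label": line,
                "regex": re.compile(value[1:].strip()) if is_regex else None,
                "prefix": None if is_regex else value,
                "auth": "yes",      # Puppet's default: verified clients only
                "methods": None,    # None means every method
                "allow": [],
            })
        elif key == "auth":
            rules[-1]["auth"] = value
        elif key == "method":
            rules[-1]["methods"] = {m.strip() for m in value.split(",")}
        elif key == "allow":
            rules[-1]["allow"] += [a.strip() for a in value.split(",")]
    return rules


def decide(rules, path, method, certname, authenticated):
    """Return (allowed, reason) for one request; first applicable rule wins."""
    for rule in rules:
        match = None
        if rule["regex"] is not None:
            match = rule["regex"].match(path)
            if match is None:
                continue
        elif not path.startswith(rule["prefix"]):
            continue
        want = {"yes": True, "no": False}.get(rule["auth"])  # None for 'any'
        if want is not None and want != authenticated:
            continue    # rule does not cover this auth state; keep looking
        if rule["methods"] is not None and method not in rule["methods"]:
            continue
        for who in rule["allow"]:
            if who == "*":
                return True, f"'{rule['label']}' allows everyone"
            if who.startswith("$") and match is not None:
                who = match.group(int(who[1:]))   # back-reference, e.g. $1
            if who == certname:
                return True, f"'{rule['label']}' allows {certname}"
        return False, f"'{rule['label']}' matched but does not allow {certname}"
    return False, "no rule matched"


def file_request(authenticated, extra_auth_any=False):
    """Outcome of a 'find' on /file_metadata/... (prefix /file in auth.conf)."""
    conf = AUTH_CONF
    if extra_auth_any:   # the 'auth any' the question mentions adding
        conf = conf.replace("path /file\nallow *", "path /file\nauth any\nallow *")
    return decide(parse_auth_conf(conf), "/file_metadata/modules/foo/bar",
                  "find", "node1.example", authenticated)
```

Calling `file_request(False)` returns a refusal from the catch-all `path /` rule, `file_request(True)` is allowed by `path /file`, and `file_request(False, extra_auth_any=True)` is allowed as well, which is exactly why `auth any` on a file path removes the client-certificate check rather than fixing whatever stopped the master from seeing the request as authenticated.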
Answer 1
Puppet authentication is based on the source IP, not on the contents of headers. After all, headers are easy to forge. I don't know whether Puppet can be configured to take the IP it checks from a header.
Answer 2
It turned out there was an error in my configuration; I copied a working configuration from someone else and it started working immediately. I also switched to Unicorn, so that may have something to do with it as well.