我正在使用 puppet install 中提供的标准 auth.conf 作为 puppet master,该 puppet master 在 Nginx 下通过 Passenger 运行。但是对于大多数目录、文件和证书请求,我都会收到 403 响应。
### Authenticated paths - these apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path ~ ^/certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# unconditionally allow access to all file services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.
# allow access to the master CA
path /certificate/ca
auth any
method find
allow *
path /certificate/
auth any
method find
allow *
path /certificate_request
auth any
method find, save
allow *
path /facts
auth any
method find, search
allow *
# this one is not stricly necessary, but it has the merit
# of showing the default policy, which is deny everything else
path /
auth any
然而,Puppet Master 似乎没有遵循这一点,因为我在客户端收到此错误
[amisr1@blramisr195602 ~]$ sudo puppet agent --no-daemonize --verbose --server bangvmpllda02.XXXXX.com
[sudo] password for amisr1:
Starting Puppet client version 3.0.1
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /certificate_revocation_list/ca [find] at :110
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [search] at :110
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [find] at :110 Could not retrieve file metadata for puppet://devops.XXXXX.com/plugins: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /file_metadata/plugins [find] at :110
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /catalog/blramisr195602.XXXXX.com [find] at :110
Using cached catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: XX.XXX.XX.XX(XX.XXX.XX.XX) access to /report/blramisr195602.XXXXX.com [save] at :110
服务器日志显示
XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 403 102 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/file_metadatas/plugins?links=manage&recurse=true&&ignore=---+%0A++-+%22.svn%22%0A++-+CVS%0A++-+%22.git%22&checksum_type=md5 HTTP/1.1" 403 95 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:52 +0530] "GET /production/file_metadata/plugins? HTTP/1.1" 403 93 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:53 +0530] "POST /production/catalog/blramisr195602.XXXXX.com HTTP/1.1" 403 106 "-" "Ruby"
XX.XXX.XX.XX - - [10/Dec/2012:14:46:53 +0530] "PUT /production/report/blramisr195602.XXXXX.com HTTP/1.1" 403 105 "-" "Ruby"
文件服务器配置文件如下(按照 puppet 网站上的说法,最好在 auth.conf 中规范访问文件服务器的权限,然后允许文件服务器访问所有服务器)
[files]
path /apps/puppet/files
allow *
[private]
path /apps/puppet/private/%H
allow *
[modules]
allow *
我使用的服务器和客户端版本 3
Nginx 已使用以下选项进行编译
nginx version: nginx/1.3.9
built by gcc 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --conf-path=/apps/nginx/nginx.conf --pid-path=/apps/nginx/run/nginx.pid --error-log-path=/apps/nginx/logs/error.log --http-log-path=/apps/nginx/logs/access.log --with-http_ssl_module --with-http_gzip_static_module --add-module=/usr/lib/ruby/gems/1.8/gems/passenger-3.0.18/ext/nginx --add-module=/apps/Downloads/nginx/nginx-auth-ldap-master/
和标准 nginx puppet master 配置
server {
ssl on;
listen 8140 ssl;
server_name _;
passenger_enabled on;
passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
passenger_min_instances 5;
access_log logs/puppet_access.log;
error_log logs/puppet_error.log;
root /apps/nginx/html/rack/public;
ssl_certificate /var/lib/puppet/ssl/certs/bangvmpllda02.XXXXXX.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/bangvmpllda02.XXXXXX.com.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_client optional;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
ssl_session_timeout 5m;
}
Puppet 从上述文件中选取正确的设置,因为 config print 命令指向 /etc/puppet
[amisr1@bangvmpllDA02 puppet]$ sudo puppet config print | grep conf
async_storeconfigs = false
authconfig = /etc/puppet/namespaceauth.conf
autosign = /etc/puppet/autosign.conf
catalog_cache_terminus = store_configs
confdir = /etc/puppet
config = /etc/puppet/puppet.conf
config_file_name = puppet.conf
config_version = ""
configprint = all
configtimeout = 120
dblocation = /var/lib/puppet/state/clientconfigs.sqlite3
deviceconfig = /etc/puppet/device.conf
fileserverconfig = /etc/puppet/fileserver.conf
genconfig = false
hiera_config = /etc/puppet/hiera.yaml
localconfig = /var/lib/puppet/state/localconfig
name = config
rest_authconfig = /etc/puppet/auth.conf
storeconfigs = true
storeconfigs_backend = puppetdb
tagmap = /etc/puppet/tagmail.conf
thin_storeconfigs = false
我检查了此虚拟机上的防火墙规则;允许 80、443、8140、3000。我是否仍需要对 auth.conf 进行任何具体调整才能使其正常工作?
更新
我向 Puppet Master 添加了详细日志记录并重新启动了 nginx;以下是我在日志中看到的附加信息
Mon Dec 10 18:19:15 +0530 2012 Puppet (err): Could not resolve 10.209.47.31: no name for 10.209.47.31
Mon Dec 10 18:19:15 +0530 2012 access[/] (info): defaulting to no access for 10.209.47.31
Mon Dec 10 18:19:15 +0530 2012 Puppet (warning): Denying access: Forbidden request: 10.209.47.31(10.209.47.31) access to /file_metadata/plugins [find] at :111
Mon Dec 10 18:19:15 +0530 2012 Puppet (err): Forbidden request: 10.209.47.31(10.209.47.31) access to /file_metadata/plugins [find] at :111
10.209.47.31 - - [10/Dec/2012:18:19:15 +0530] "GET /production/file_metadata/plugins? HTTP/1.1" 403 93 "-" "Ruby"
在代理机器上,facter fqdn 和 hostname 都返回一个完全限定的主机名
[amisr1@blramisr195602 ~]$ sudo facter fqdn
blramisr195602.XXXXXXX.com
然后我更新了代理配置以添加
dns_alt_names = 10.209.47.31
清理主服务器和代理服务器上的所有证书,然后重新生成证书,并使用选项 --allow-dns-alt-names 在主服务器上对其进行签名
[amisr1@bangvmpllDA02 ~]$ sudo puppet cert sign blramisr195602.XXXXXX.com
Error: CSR 'blramisr195602.XXXXXX.com' contains subject alternative names (DNS:10.209.47.31, DNS:blramisr195602.XXXXXX.com), which are
disallowed. Use `puppet cert --allow-dns-alt-names sign blramisr195602.XXXXXX.com` to sign this request.
[amisr1@bangvmpllDA02 ~]$ sudo puppet cert --allow-dns-alt-names sign blramisr195602.XXXXXX.com
Signed certificate request for blramisr195602.XXXXXX.com
Removing file Puppet::SSL::CertificateRequest blramisr195602.XXXXXX.com at '/var/lib/puppet/ssl/ca/requests/blramisr195602.XXXXXX.com.pem'
但是,这也无济于事;我得到了和以前一样的错误。不知道为什么日志中显示比较的是 IP 访问规则而不是主机名。是否有任何 Nginx 配置可以更改此行为?
答案1
我将其与 nginx 上的另一个设置进行了比较;似乎问题是由于属性
ssl_client_header = SSL_CLIENT_S_D
ssl_client_verify_header = SSL_CLIENT_VERIFY
存在于 master 的 puppet.conf 中。从那里注释掉它们并保留 Nginx 中的配置即可解决问题。
答案2
如果你习惯在 Nginx/Passenger 下使用 Puppet,并且升级到 Passenger 5.0+,就会出现这种症状。我找到了解决方案这里。
Passenger 5.0 已将“passenger_set_cgi_param”替换为“passenger_set_header”,如果您已经读到这里,您已经明白了。但您可能忽略了“passenger_set_header”会自动将 HTTP_ 添加到值前面,因此您需要将其从 HTTP_X_CLIENT_S_DN 和 HTTP_X_CLIENT_VERIFY 行中删除。
答案3
您的机架是否config.ru
归用户/组 puppet:puppet 所有?摘自 Puppet Labs 文档:
Whatever you do, make sure your config.ru file is owned by the puppet user! Passenger will setuid to that user.
http://projects.puppetlabs.com/projects/1/wiki/using_passenger
另外,确保 /etc/puppet 和 /var/lib/puppet 也归 puppet:puppet 所有。
答案4
首先,我会检查 puppetmaster 的状态 - 可能是 selinux 配置,或者端口 8140 正在监听“httpd”。尝试检查netstat -anpl | grep 8140
在 Puppetmaster 上尝试运行sudo puppet master --verbose --no-daemonize
如果傀儡大师启动时没有任何错误,您可能需要关注傀儡代理。