trusted facts with apache/nginx and puppetmaster unicorn
When running unicorn behind an nginx or apache reverse proxy, the
$trusted facts are not available to puppet.
The supported +ExportCertData from Apache only works
with the Passenger module, but not with thin rack behind a reverse
proxy, and esp. not with nginx.
Therefore I added an additional header that gets passed to unicorn: X-SSL-Client-Cert.
However, that header is sent as single line from Apache to unicorn,
and not as valid PEM encoded certificate. Therefore the gsub!
manipulations to restore a valid PEM certificate again.
To make use of it with Apache add this to the vhost:
    RequestHeader set X-SSL-Client-Cert %{SSL_CLIENT_CERT}e
With nginx, there is a bit more trouble. Nginx has a $ssl_client_cert
variable as well, but nginx passes that variable on as a multi-line header. Doh!
Unicorn doesn't like that at all.
To make it work with nginx, you need lua in nginx, then you need
something like this in your vhost:
    location / {
        set_by_lua $client_cert "return ngx.var.ssl_client_raw_cert:gsub('\n',' ')";
        proxy_set_header X-SSL-Client-Cert $client_cert;
    }
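
The PEM restoration step described above, as an added example that is not the code from this pull request: the hypothetical `restore_client_cert` rebuilds a certificate from an `X-SSL-Client-Cert` value whose newlines were replaced by spaces or dropped, and returns nil for anything that does not parse. The throwaway self-signed certificate is constructed sample input.

```ruby
require 'openssl'

PEM_HEADER = '-----BEGIN CERTIFICATE-----'
PEM_FOOTER = '-----END CERTIFICATE-----'

# Hypothetical helper (not the PR's implementation): rebuild a PEM certificate
# from a header value whose line breaks were lost in transit. Returns an
# OpenSSL::X509::Certificate, or nil if the value is missing or malformed.
def restore_client_cert(header_value)
  return nil if header_value.nil? || header_value.empty?

  match = header_value.match(/#{PEM_HEADER}(.*?)#{PEM_FOOTER}/m)
  return nil unless match

  # Drop every space/newline from the base64 body; the markers contain a
  # space of their own ("BEGIN CERTIFICATE"), so they are handled separately.
  body = match[1].gsub(/\s+/, '')
  return nil unless body.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z})

  # Re-wrap at 64 characters per line, the usual PEM layout.
  pem = [PEM_HEADER, *body.scan(/.{1,64}/), PEM_FOOTER].join("\n") + "\n"
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Constructed sample input: a short-lived self-signed certificate.
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  original = sample_cert
  flattened = original.to_pem.gsub("\n", ' ') # what the Lua gsub above produces
  restored = restore_client_cert(flattened)
  puts "restored subject: #{restored.subject}"
end
```

Both `RequestHeader set` and `proxy_set_header` overwrite any `X-SSL-Client-Cert` value sent by the client, so the backend only sees the certificate the proxy itself verified, provided unicorn is reachable only through that proxy.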