Patch from PUP-6366 #4997
Closed
Patch from PUP-6366 #4997
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
CLA signed by all contributors. |
buzzdeee
force-pushed
the
unicorn_trusted_facts
branch
from
f941db7
to
8d4a087
Compare
trusted facts with apache/nginx and puppetmaster unicorn
running unicorn behind nginx or apache reverse proxy, the
$trusted facts are not available to puppet.
The supported the +ExportCertData from Apache, only works
with Passenger module, but not with thin rack behind reverse
proxy, and esp. not with nginx.
Therefore I added an additionalheader that gets passed to unicorn: X-SSL-Client-Cert.
However, that header is sent as single line from Apache to unicorn,
and not as valid PEM encoded certificate. Therefore the gsub!
manipulations to restore a valid PEM certificate again.
To make use of it with Apache add this to the vhost:
RequestHeader set X-SSL-Client-Cert %{SSL_CLIENT_CERT}e
With nginx, there is a bit more trouble. Nginx has $ssl_client_cert
variable aswell, but nginx passes that variable on as multi-line header. Doh!
Unicorn doesn't like that at all.
To make it work with nginx, you need lua in nginx, then you need
something like this in your vhost:
location / {
set_by_lua $client_cert "if ngx.var.ssl_client_raw_cert then return ngx.var.ssl_client_raw_cert:gsub('\\n',' ') end";
proxy_set_header X-SSL-Client-Cert $client_cert;
}
buzzdeee
force-pushed
the
unicorn_trusted_facts
branch
from
8d4a087
to
fa24851
Compare
|
Closing this one in favor of #5170 which has a reformatted commit message |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
trusted facts with apache/nginx and puppetmaster unicorn
running unicorn behind nginx or apache reverse proxy, the
$trusted facts are not available to puppet.
The supported the +ExportCertData from Apache, only works
with Passenger module, but not with thin rack behind reverse
proxy, and esp. not with nginx.
Therefore I added an additionalheader that gets passed to unicorn: X-SSL-Client-Cert.
However, that header is sent as single line from Apache to unicorn,
and not as valid PEM encoded certificate. Therefore the gsub!
manipulations to restore a valid PEM certificate again.
To make use of it with Apache add this to the vhost:
RequestHeader set X-SSL-Client-Cert %{SSL_CLIENT_CERT}e
With nginx, there is a bit more trouble. Nginx has $ssl_client_cert
variable aswell, but nginx passes that variable on as multi-line header. Doh!
Unicorn doesn't like that at all.
To make it work with nginx, you need lua in nginx, then you need
something like this in your vhost:
location / {
set_by_lua $client_cert "return ngx.var.ssl_client_raw_cert:gsub('\n',' ')";
proxy_set_header X-SSL-Client-Cert $client_cert;
}