By: snoop

nginx proxy pass to puppetmaster

April 19, 2017
Nginx Ubuntu 16.04

Hi,

I want to use nginx to proxy_pass the client request to my puppetmaster.

This is my config:

upstream puppetmaster {
    server 192.168.3.10:8140;
}

server {
    listen      192.168.3.200:8140;
    server_name puppetmaster.mydom.de;
    ssl on;
    ssl_certificate         /etc/nginx/ssl/puppet.crt;
    ssl_certificate_key     /etc/nginx/ssl/puppet.key;
    ssl_client_certificate  /etc/nginx/ssl/puppet.ca-crt;
    ssl_crl                 /etc/nginx/ssl/puppet.ca_crl;
    ssl_verify_client       optional;

    access_log  /var/log/nginx/puppetmaster.ssl.log;
    error_log   /var/log/nginx/puppetmaster.ssl.err.log;

    root   /srv/www/htdocs;
    index  index.html index.htm;

    location / {
        proxy_pass          https://puppetmaster;
        proxy_set_header    Host             $host;
        proxy_set_header    X-Real-IP        $remote_addr;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify  $ssl_client_verify;
        proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
        proxy_redirect      off;
    }
}

I got this error:

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: {"message":"Not Authorized: Forbidden request: /puppet/v3/node/myhostname [find]","issue_kind":"RUNTIME_ERROR"}

I have no idea what the problem is.

thx

snoop

1 Answer

@snoop

The configuration of your server block is most likely why you're receiving errors.

With your current configuration, you're listening on the same port that you're proxying to, so the request doesn't actually get passed through to your application.

A standard setup would be to listen on ports 80 (HTTP) and 443 (HTTPS) and then proxy the request to your application.

If we modify your configuration to use that sort of setup, it'd look something like this:

upstream puppetmaster  {
    server 192.168.3.10:8140;
}

server {
    listen 80;
    server_name puppetmaster.mydom.de;

    return 301 https://$host$request_uri;
}

server {
    listen 443;
    server_name puppetmaster.mydom.de;

    ssl on;
    ssl_certificate         /etc/nginx/ssl/puppet.crt;
    ssl_certificate_key     /etc/nginx/ssl/puppet.key;
    ssl_client_certificate  /etc/nginx/ssl/puppet.ca-crt;
    ssl_crl                 /etc/nginx/ssl/puppet.ca_crl;
    ssl_verify_client       optional;

    access_log  /var/log/nginx/puppetmaster.ssl.log;
    error_log  /var/log/nginx/puppetmaster.ssl.err.log;

    root   /srv/www/htdocs;
    index  index.html index.htm;


    location / {
        proxy_pass  http://puppetmaster;
        proxy_set_header    Host             $host;
        proxy_set_header    X-Real-IP        $remote_addr;
        proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client-Verify  $ssl_client_verify;
        proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
        proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
        proxy_redirect      off;
    }
}

What the above does is accept requests on port 80 (the standard HTTP port), redirect them to 443 (HTTPS), and once the request is received there, proxy it to port 8140 (your application).

So what that boils down to is, requests to puppetmaster.mydom.de get redirected to https://puppetmaster.mydom.de which then proxies to your application.

https://puppetmaster.mydom.de will be the access point and your application would then handle the requests.

Of course, this is just an example using your configuration.
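Both configurations on this page terminate TLS in nginx with `ssl_verify_client optional` and hand the outcome to the backend as `X-Client-Verify`, `X-SSL-Subject` and `X-SSL-Issuer` headers. Whether the backend then returns 200 or the 403 seen in the question depends on how it interprets those headers. The following is an added example, not Puppet Server's or nginx's code, of how a backend sitting behind such a proxy should turn the forwarded headers into an authorization decision. It assumes the nginx host is 192.168.3.200 (taken from the question), a hypothetical Puppet CA name `Puppet CA: puppetmaster.mydom.de`, and a path rule modelled on Puppet's default of letting a node read only its own node definition; the sample requests are constructed.

```python
# Added example (not Puppet Server's or nginx's code): a model of a backend
# that authorizes requests using the client-certificate headers an nginx
# TLS-terminating proxy forwards (X-Client-Verify, X-SSL-Subject, X-SSL-Issuer).
import re
from ipaddress import ip_address, ip_network

# Only the proxy may assert client identity through headers. A request that
# reaches the backend from any other address could have written these headers
# itself, so the backend must know which peer it is talking to.
TRUSTED_PROXIES = [ip_network("192.168.3.200/32")]  # nginx host from the question

# Hypothetical issuer CN for the Puppet CA; replace with the real CA subject.
EXPECTED_ISSUER_CN = "Puppet CA: puppetmaster.mydom.de"

# The request path from the error message in the question.
NODE_PATH = re.compile(r"^/puppet/v3/node/([^/]+)$")


def parse_dn(dn: str) -> dict:
    """Parse a DN as nginx renders $ssl_client_s_dn / $ssl_client_i_dn:
    RFC 2253 form ("CN=a,O=b", nginx >= 1.11.6) or the older slash form
    ("/C=x/O=b/CN=a"). Returns a dict keyed by upper-cased attribute type."""
    if dn.startswith("/"):
        parts = dn.strip("/").split("/")
    else:
        parts = re.split(r"(?<!\\),", dn)  # commas not preceded by a backslash
    out = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def authorize(peer_ip: str, headers: dict, path: str):
    """Return (status, reason) for one proxied request.
    403 mirrors the 'Not Authorized' error shown in the question."""
    h = {k.lower(): v for k, v in headers.items()}

    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return 403, "identity headers are only trusted from the proxy"

    # With ssl_verify_client optional, nginx sets NONE when no certificate was
    # presented and FAILED:<reason> when one was presented but did not verify.
    verify = h.get("x-client-verify", "absent")
    if verify != "SUCCESS":
        return 403, f"client certificate not verified: {verify}"

    subject = parse_dn(h.get("x-ssl-subject", ""))
    issuer = parse_dn(h.get("x-ssl-issuer", ""))
    if issuer.get("CN") != EXPECTED_ISSUER_CN:
        return 403, "certificate was not issued by the expected CA"

    certname = subject.get("CN")
    if not certname:
        return 403, "no CN in client certificate subject"

    m = NODE_PATH.match(path)
    if m:
        # Modelled on Puppet's default rule: a node may read only its own definition.
        if m.group(1) == certname:
            return 200, f"node {certname} may read its own definition"
        return 403, f"Not Authorized: {certname} requested {m.group(1)}"
    return 404, "no rule for this path"


# Constructed sample headers, as the proxy above would forward them.
GOOD = {
    "X-Client-Verify": "SUCCESS",
    "X-SSL-Subject": "CN=myhostname",
    "X-SSL-Issuer": "CN=Puppet CA: puppetmaster.mydom.de",
}
NO_CERT = {"X-Client-Verify": "NONE"}

if __name__ == "__main__":
    samples = [
        ("192.168.3.200", GOOD, "/puppet/v3/node/myhostname"),   # own node: 200
        ("192.168.3.200", GOOD, "/puppet/v3/node/otherhost"),    # other node: 403
        ("192.168.3.200", NO_CERT, "/puppet/v3/node/myhostname"),  # no cert: 403
        ("10.0.0.5", GOOD, "/puppet/v3/node/myhostname"),        # bypassed proxy: 403
    ]
    for ip, hdrs, path in samples:
        print(ip, path, authorize(ip, hdrs, path))
```

The peer-address check is the part that matters most when the proxy forwards certificate details as plain headers: it only holds if the backend is reachable solely through the proxy (a firewall or bind address restricted to 192.168.3.200), and `proxy_set_header` in the nginx config overwrites any `X-Client-Verify` a client might send itself, so the two together keep the headers trustworthy.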
