我的主要问题是让木偶与nginx +乘客一起工作, 这只有在我直接执行puppet master而不是via时才有效 nginx的+乘客。然而,我发现乘客没有 我的设置中的转发环境标题。
为了验证这一点,我创建了一个简单的机架应用程序,只打印出来 它来自乘客的环境。我配置的标头 这个应用程序也错过了乘客转发,因此 通用主题。
这是我的测试架应用程序:
require 'rack'
require 'rack/server'
class EnvApp
def call(env)
response = Rack::Response.new
response.write "**** ENV{} ***\n"
env.each do |key, val|
response.write key
response.write " => "
response.write val
response.write "\n"
end
response.status = 200
response.finish
end
end
run EnvApp.new
此应用的nginx配置:
server {
listen 8888 ssl;
server_name puppet puppet.scip.foo;
passenger_enabled on;
passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_S_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
root /tmp/scip/rack/public;
ssl_certificate /var/puppet/ssl/certs/puppet.scip.foo.pem;
ssl_certificate_key /var/puppet/ssl/private_keys/puppet.scip.foo.pem;
ssl_crl /var/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /var/puppet/ssl/certs/ca.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!\
MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
ssl_session_timeout 5m;
}
nginx的http部分:
# log ssl_client vars as well
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'SSLDN:"$ssl_client_s_dn" SSLVR:"$ssl_client_verify"';
# Passenger needed for puppet
passenger_root /usr/local/lib/ruby/gems/2.3/gems/passenger-5.1.8;
passenger_ruby /usr/local/bin/ruby;
passenger_max_pool_size 15;
# passenger logging, 0=crit only, 3=default, 7=max
passenger_log_level 3;
passenger_log_file /var/log/passenger.log;
# Rack test app (that's the file posted below):
include /usr/local/etc/nginx/conf.d/env.conf;
我使用的是木偶客户使用的相同CA和证书,所以我离开了 这部分在这里。只是为了记录:他们工作并且没事,因为 傀儡代理人与傀儡大师一起工作很好 那些证书。
所以,这是我访问所述应用程序的方式:
curl --cert /tmp/scip/srv2202.pem --cacert /tmp/scip/ca.pem -k https://127.0.0.1:8888
这是输出(虽然我打破了rack.hijack线):
**** ENV{} ***
REQUEST_URI => /
PATH_INFO => /
SCRIPT_NAME =>
QUERY_STRING =>
REQUEST_METHOD => GET
SERVER_NAME => 127.0.0.1
SERVER_PORT => 8888
SERVER_SOFTWARE => nginx/1.12.1 Phusion_Passenger/5.1.8
SERVER_PROTOCOL => HTTP/1.1
REMOTE_ADDR => 127.0.0.1
REMOTE_PORT => 57534
PASSENGER_CONNECT_PASSWORD => oJdXmatT3cTnKvJw
HTTPS => on
HTTP_USER_AGENT => curl/7.56.0
HTTP_ACCEPT => */*
HTTP_HOST => 127.0.0.1:8888
rack.version => [1, 2]
rack.input => #<PhusionPassenger::Utils::TeeInput:0x00000008033ac950>
rack.errors => #<IO:0x000000080317ab28>
rack.multithread => false
rack.multiprocess => true
rack.run_once => false
rack.url_scheme => https
rack.hijack? => true
rack.hijack => #<Proc:0x00000008033ac4f0@/usr/local/lib/ruby/gems/2.3/gems/\
passenger-5.1.8/src/ruby_supportlib/phusion_passenger/rack/\
thread_handler_extension.rb:84 (lambda)>
HTTP_VERSION => HTTP/1.1
可以看出,没有HTTP_X_CLIENT_VERIFY而没有
HTTP_X_CLIENT_DN。但是,我已启用这些变量的日志记录
在nginx中,以上是我的访问日志中上述请求的样子:
127.0.0.1 - - [07/Feb/2018:14:15:58 +0100] "GET / HTTP/1.1" 200 873 "-" \
"curl/7.56.0" "-" SSLDN:"CN=srv2202.scip.foo" SSLVR:"SUCCESS"
所以,我的问题是:我如何在世界上让乘客前进 这两个变量要架好吗?
我的系统设置:
答案 0 :(得分:1)
事实证明,必须在变量定义中使用短划线,然后乘客将它们转换为下划线。此设置有效:
passenger_set_header X-CLIENT-DN $ssl_client_s_dn;
passenger_set_header X-CLIENT-VERIFY $ssl_client_verify;
然后在我的环境中,我得到:
HTTP_X_CLIENT_DN => CN=srv2202.scip.foo
HTTP_X_CLIENT_VERIFY => SUCCESS
我要说,这需要在乘客文件中加以澄清。