/dev/oops

fiddyspence's blog

Passenger High Performance You Bastard

I recently learned a bit of a gotcha with PassengerHighPerformance if you’re thinking of running load balanced Puppet masters behind an Apache balancer. If you’re not thinking of doing this, then you should turn off your TV set now and save yourself the time and effort of reading on.

If you’re running a puppet master in passenger behind a balancer, you’ll be accepting authentication headers set by the front end proxy balancer. This means you really need to restrict which nodes can access the balancer. iptables is a reasonable choice for this, but given a layered security approach, setting the Allow from directives in the virtualhost is a good idea too.

So the configs for running behind a balancer run something like:

Listen 18140
<VirtualHost *:18140 >

    SSLEngine On
    ServerName thebackendpuppetmaster.you.first.thought.of.and.add.one
    PassengerHighPerformance on 
    PassengerEnabled On
    DocumentRoot /etc/puppet/rack/public
    <some SSL information snipped>
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
    <Directory /etc/puppet/rack/>
      Options None
      AllowOverride None
      # Apply the right behaviour depending on Apache version.
        Order allow,deny
        Allow from 192.168.1.1
        Allow from foo.bar.fish.donkey.fish.custard.wellyboots.thethingyoufirstthoughtof
    </Directory>

</VirtualHost>

It turns out that PassengerHighPerformance on disables, amongst other things, mod_authz_core. That means that if you have it set, those Allow from directives are not enforced and your access control won’t work. Of course, if you’ve firewalled the back end puppet master balancer members, this isn’t so much of a problem.
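
One way to catch this combination before it ships is to lint the Apache config for virtual hosts that turn PassengerHighPerformance on while still relying on access-control directives. This is an added example, not code from the original post: the function name find_unenforced_acls, the second vhost on port 18141 and the 192.0.2.10 address are constructed for illustration, and it only looks inside VirtualHost blocks of a single file (no Include handling).

```python
import re

# Order/Allow are the directives in the post's config; Deny and Require are
# added here as the other standard Apache access-control directives.
ACCESS_DIRECTIVES = {"order", "allow", "deny", "require"}

def find_unenforced_acls(conf_text):
    """Return vhosts that set PassengerHighPerformance on and also carry ACL directives."""
    findings, vhost = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]*?)\s*>", line, re.I)
        if opened:
            vhost = {"vhost": opened.group(1), "high_perf": False, "acl_lines": []}
        elif vhost is None:
            continue  # directive outside any vhost: not checked here
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            if vhost["high_perf"] and vhost["acl_lines"]:
                findings.append(vhost)
            vhost = None
        else:
            words = line.split()
            name = words[0].lower()
            if name == "passengerhighperformance" and len(words) > 1:
                vhost["high_perf"] = words[1].lower() == "on"
            elif name in ACCESS_DIRECTIVES:
                vhost["acl_lines"].append((lineno, line))
    return findings

# Constructed sample: the second vhost (port 18141) is invented for contrast.
SAMPLE = """\
<VirtualHost *:18140>
    PassengerHighPerformance on
    <Directory /etc/puppet/rack/>
        Order allow,deny
        Allow from 192.0.2.10
    </Directory>
</VirtualHost>
<VirtualHost *:18141>
    PassengerHighPerformance off
    Allow from 192.0.2.10
</VirtualHost>
"""

if __name__ == "__main__":
    for f in find_unenforced_acls(SAMPLE):
        print(f["vhost"], "has PassengerHighPerformance on; not enforced:", f["acl_lines"])
```

Any vhost it reports should either drop PassengerHighPerformance or have its restriction enforced somewhere that setting does not affect, such as the iptables rules mentioned above.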