I recently learned a bit of a gotcha with PassengerHighPerformance if you’re thinking of running load balanced Puppet masters behind an Apache balancer. If you’re not thinking of doing this, then you should turn of your TV set now and save yourself the time and effort of reading on.
If you’re running a puppet master in passenger behind a balancer, you’ll be accepting authentication headers set by the front end proxy balancer. This means you really need to restrict which nodes can access the balancer. iptables is a reasonable choice for this, but given a layered security approach, setting the Allow from directives in the virtualhost is a good idea too.
So the configs for running behind a balancer run something like:
Listen 18140 <VirtualHost *:18140 > SSLEngine On ServerName thebackendpuppetmaster.you.first.thought.of.and.add.one PassengerHighPerformance on PassengerEnabled On DocumentRoot /etc/puppet/rack/public <some SSL information snipped> SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1 SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1 <Directory /etc/puppet/rack/> Options None AllowOverride None # Apply the right behaviour depending on Apache version. Order allow,deny Allow from 192.168.1.1 Allow from foo.bar.fish.donkey.fish.custard.wellyboots.thethingyoufirstthoughtof </Directory> </VirtualHost>
It turns out that
PassengerHighPerformance on disables, amongst other things,
mod_authz_core which means those
Allow froms won’t work and if you have it set, your access control won’t work. Of course, if you’ve firewalled the back end puppet master balancer members this isn’t so much of a problem.