server.conf
The server.conf file configures how Puppet Server handles deprecated authorization methods for primary server endpoints. For an overview, see Puppet Server Configuration.
Deprecation Note: This file contains only the allow-header-cert-info parameter, and is deprecated as of Puppet Server 2.2 in favor of authorization settings that are configured in the new auth.conf file. Because this setting is deprecated, a default server.conf file is no longer included in the Puppet Server package.
In server.conf, the allow-header-cert-info setting determines whether Puppet Server should use authorization info from the X-Client-Verify, X-Client-DN, and X-Client-Cert HTTP headers. Its default value is false.
The allow-header-cert-info setting is used to enable external SSL termination. If the setting's value is set to true, Puppet Server ignores any certificate presented to the Jetty web server and relies on the header data to authorize requests. This is very dangerous unless you've secured your network to prevent any untrusted access to Puppet Server: any client that can reach Puppet Server directly, rather than through the SSL terminator, could supply those headers itself.
When using the allow-header-cert-info setting in server.conf, you can change Puppet's ssl_client_verify_header parameter to use another header name instead of X-Client-Verify. The ssl_client_header parameter can rename X-Client-DN. The X-Client-Cert header can't be renamed.
The allow-header-cert-info parameter in server.conf applies only to HTTP endpoints served by the "primary server" service. The applicable endpoints include those listed in Puppet V3 HTTP API. It does not apply to the endpoints listed in CA V1 HTTP API or to any Puppet Admin API endpoints.
Supported Authorization Workflow
If you instead enable the auth.conf authorization method introduced in Puppet Server 2.2, the value of the allow-header-cert-info parameter in auth.conf controls how the user's identity is derived for authorization purposes. In this case, Puppet Server ignores the value of the allow-header-cert-info parameter in server.conf.
When using the allow-header-cert-info parameter in auth.conf, none of the X-Client headers can be renamed. Identity must be specified through the X-Client-Verify, X-Client-DN, and X-Client-Cert headers.
The allow-header-cert-info parameter in auth.conf applies to all HTTP endpoints that Puppet Server handles, including those served by the "primary server" service, the CA API, and the Puppet Admin API.
For additional information on the allow-header-cert-info parameter in auth.conf, see Puppet Server Configuration Files: auth.conf and Configuring the Authorization Service in the trapperkeeper-authorization documentation.
HOCON auth.conf Example
authorization: {
    version: 1
    # allow-header-cert-info: false
    rules: [
        {
            # Allow nodes to retrieve their own catalog
            match-request: {
                path: "^/puppet/v3/catalog/([^/]+)$"
                type: regex
                method: [get, post]
            }
            allow: "$1"
            sort-order: 500
            name: "puppetlabs catalog"
        },
        ...
    ]
}
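The following toy model is an added example, not Puppet Server's own code. It illustrates two things described above: where the requester's identity comes from depending on allow-header-cert-info (the verified client certificate when it is false, the X-Client-Verify and X-Client-DN headers when it is true), and how the "puppetlabs catalog" rule from the HOCON example is evaluated, with allow: "$1" meaning the identity must equal the node name captured from the URL. The request hash, the Rule struct and the sample request are assumptions constructed for this example; the real rule engine supports more than is modelled here.

```ruby
# Toy model (added example; not Puppet Server code) of identity derivation
# under allow-header-cert-info and of evaluating the "puppetlabs catalog"
# auth.conf rule. Request and rule shapes are assumptions for this example.

Rule = Struct.new(:name, :path_regex, :methods, :allow, :sort_order)

# The catalog rule from the HOCON example: regex path match, GET/POST,
# allow "$1" (the first capture group, i.e. the node name in the URL).
CATALOG_RULE = Rule.new("puppetlabs catalog",
                        %r{\A/puppet/v3/catalog/([^/]+)\z},
                        %w[get post], "$1", 500)

# Extract the CN from an X-Client-DN value such as "CN=agent01.example.com,O=Example".
def cn_from_dn(dn)
  part = dn.split(",").map(&:strip).find { |p| p.start_with?("CN=") }
  part && part.sub(/\ACN=/, "")
end

# Identity used for authorization.
#  - allow-header-cert-info = false: only the certificate Jetty verified counts;
#    any X-Client-* headers on the request are ignored.
#  - allow-header-cert-info = true: the certificate is ignored and the headers are
#    trusted as-is, so the SSL terminator in front of Puppet Server must both
#    verify the client certificate and overwrite these headers on every request.
def request_identity(request, allow_header_cert_info:)
  return request[:tls_cert_cn] unless allow_header_cert_info

  headers = request[:headers] || {}
  return nil unless headers["X-Client-Verify"] == "SUCCESS"

  dn = headers["X-Client-DN"]
  dn && cn_from_dn(dn)
end

# Evaluate one rule: nil if the rule does not match the request at all,
# otherwise true/false for allowed/denied. A request with no identity is denied.
def evaluate_rule(rule, request, identity)
  return nil unless rule.methods.include?(request[:method].to_s.downcase)

  m = rule.path_regex.match(request[:path])
  return nil unless m
  return false if identity.nil?

  permitted = rule.allow == "$1" ? m[1] : rule.allow
  identity == permitted
end

# Full decision: rules are tried in sort-order and the first matching rule
# decides; a request no rule matches is denied.
def authorize(request, rules, allow_header_cert_info:)
  identity = request_identity(request, allow_header_cert_info: allow_header_cert_info)
  rules.sort_by(&:sort_order).each do |rule|
    verdict = evaluate_rule(rule, request, identity)
    return verdict unless verdict.nil?
  end
  false
end

# Constructed sample request: Jetty verified a certificate for agent01, but the
# request also carries X-Client-* headers naming a different node.
SAMPLE_REQUEST = {
  method: "GET",
  path: "/puppet/v3/catalog/agent01.example.com",
  tls_cert_cn: "agent01.example.com",
  headers: {
    "X-Client-Verify" => "SUCCESS",
    "X-Client-DN" => "CN=other.example.com,O=Example",
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    decision = authorize(SAMPLE_REQUEST, [CATALOG_RULE], allow_header_cert_info: flag)
    puts "allow-header-cert-info=#{flag}: #{decision ? 'allowed' : 'denied'}"
  end
end
```

With the setting false the sample request is allowed, because the TLS-verified identity agent01.example.com matches the catalog name in the URL and the headers play no part. With the setting true the same request is denied, because the identity is now taken from X-Client-DN (other.example.com) and no longer matches; the same mechanism would accept a header-supplied identity for a request that carried no verified certificate at all, which is why the setting is only safe when nothing untrusted can reach Puppet Server directly.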