[Ach] Recommendation for PuppetDB / JDK

Tim tim at bastelfreak.de
Wed Jan 21 13:38:44 CET 2015


On 20.01.2015 21:26, Tim wrote:
>
> On 20.01.2015 20:34, Akendo wrote:
>> You should not have these services (puppet master / puppetdb) exposed
>> directly. Use a web service like nginx/apache to proxy this.
> Ah stupid me, I've got an nginx running for the puppet master, but never
> thought about the puppetdb. Of course the nginx can work as a proxy for
> that too. thanks!

I now have the following configuration running, could you have a look at
it (clients are all centos5 and centos6, nginx is at centos7):
server {
  listen                  10.111.2.250:8081 ssl;
  ssl                     on;
  ssl_certificate         /var/lib/puppet/ssl/certs/puppet..de.pem;
  ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppet..de.pem;
  ssl_verify_client       on;
  ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
  ssl_ciphers             'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
  add_header              Strict-Transport-Security max-age=15768000;
  server_name             puppet..de;
  charset                 utf-8;
  root                    /var/empty;
  access_log              /var/log/nginx/puppetdbagents-access.log;
  error_log               /var/log/nginx/puppetdbagents-error.log;
  location / {
    proxy_pass http://puppetdb;
  }
}

upstream puppetdb {
  server 127.0.0.1:8080;
}
>> There you
>> can harden the SSL/TLS option.
>>
>> best regards
>> Akendo
>>
>> On 11/21/2014 02:47 PM, Aaron Zauner wrote:
>>> Hi Tim
>>>
>>> Tim wrote:
>>>> Hey guys,
>>>>
>>>> first of all, thanks for your great guide!
>>>>
>>>> I'm running PuppetDB which is a software running in a JVM. It supports
>>>> SSL encrypted connections
>>>> (https://docs.puppetlabs.com/puppetdb/latest/configure.html#cipher-suites)
>>>> and uses the JDK crypto provider
>>>> (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites
>>>> ). Can any of you recommend secure settings for PuppetDB/JDK in general?
>>> Is there anything that the recommendations in our paper do not reflect
>>> w.r.t. PuppetDB? I use it myself, it's pretty much just setting the
>>> proper JVM cipher settings. If you use Java7-8 there should not be much
>>> of an issue.
>>>
>>> Aaron
>>>
>>>
>>>
>>> _______________________________________________
>>> Ach mailing list
>>> Ach at lists.cert.at
>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>>
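A small static check for a server block of the kind posted above, added here as an example and not part of this thread. It parses an nginx config fragment and flags the points that matter when nginx terminates TLS in front of PuppetDB: client-certificate verification against the Puppet CA, an explicit ssl_protocols line (nginx before 1.9.1 still enables SSLv3 by default when the directive is absent, and the posted block does not set it), positively included weak cipher suites, the HSTS header, and an upstream that leaves the host in plaintext. The config strings are constructed samples modelled on the posted block, with puppet.example standing in for the redacted host name.

```python
import re

# Constructed sample modelled on the posted block (placeholder host name).
POSTED_STYLE = """
server {
  listen                  10.111.2.250:8081 ssl;
  ssl_certificate         /var/lib/puppet/ssl/certs/puppet.example.pem;
  ssl_certificate_key     /var/lib/puppet/ssl/private_keys/puppet.example.pem;
  ssl_verify_client       on;
  ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
  ssl_ciphers             'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:!aNULL:!eNULL:!MD5:!RC4';
  add_header              Strict-Transport-Security max-age=15768000;
  server_name             puppet.example;
  location / {
    proxy_pass http://puppetdb;   # plaintext hop, so the upstream must stay on loopback
  }
}
upstream puppetdb {
  server 127.0.0.1:8080;
}
"""

# Same block with the one missing directive added.
HARDENED = POSTED_STYLE.replace(
    "  ssl_verify_client", "  ssl_protocols           TLSv1.2;\n  ssl_verify_client", 1)

# Constructed deliberately weak block, to show every check firing.
WEAK = """
server {
  listen 8081 ssl;
  ssl_protocols SSLv3 TLSv1;
  ssl_ciphers 'RC4-SHA:AES128-SHA';
  ssl_verify_client off;
  location / { proxy_pass http://puppetdb; }
}
upstream puppetdb { server 10.0.0.5:8080; }
"""


def parse_nginx(text):
    """Return a list of (context_path, directive, args). Handles quoted
    arguments, nested blocks and '#' comments; not a full nginx parser."""
    text = re.sub(r"#[^\n]*", "", text)
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};'\"]+", text)
    stmts, stack, cur = [], [], []
    for tok in tokens:
        if tok == "{":                       # block opens: its name becomes context
            stack.append(cur[0] if cur else "?")
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":                     # end of a simple directive
            if cur:
                stmts.append(("/".join(stack), cur[0],
                              [a.strip("'\"") for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return stmts


def lint(config):
    """Return a list of human-readable findings; empty means all checks pass."""
    stmts = parse_nginx(config)

    def args_of(directive, ctx):
        return [a for c, d, a in stmts if d == directive and c.startswith(ctx)]

    findings = []
    if not any(a[:1] == ["on"] for a in args_of("ssl_verify_client", "server")):
        findings.append("ssl_verify_client off: agents not authenticated by client certificate")
    if not args_of("ssl_client_certificate", "server"):
        findings.append("ssl_client_certificate missing: no CA to verify agent certificates")
    protos = args_of("ssl_protocols", "server")
    if not protos:
        findings.append("ssl_protocols unset: nginx before 1.9.1 enables SSLv3 by default")
    elif any(p in ("SSLv2", "SSLv3") for a in protos for p in a):
        findings.append("ssl_protocols enables SSLv2/SSLv3")
    for a in args_of("ssl_ciphers", "server"):
        for suite in a[0].split(":"):
            # a '!'-prefixed entry excludes a suite; anything else includes it
            if not suite.startswith("!") and any(
                    w in suite for w in ("RC4", "MD5", "3DES", "NULL", "EXP")):
                findings.append("ssl_ciphers allows weak suite %s" % suite)
    if not any(a[:1] == ["Strict-Transport-Security"] for a in args_of("add_header", "server")):
        findings.append("no Strict-Transport-Security header")
    for a in args_of("server", "upstream"):
        target = a[0] if a else ""
        host = target.rsplit(":", 1)[0]
        if not target.startswith("unix:") and host not in ("127.0.0.1", "localhost", "[::1]"):
            findings.append("upstream %s is not loopback: plaintext proxy_pass leaves the host" % target)
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted-style", POSTED_STYLE), ("hardened", HARDENED), ("weak", WEAK)):
        print(name, lint(cfg) or "OK")
```

Run it against a real config with `lint(open("/etc/nginx/conf.d/puppetdb.conf").read())`; the parser is deliberately minimal and ignores includes, so point it at the file that holds the server block itself.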
