[Ach] Recommendation for PuppetDB / JDK
Akendo
akendo at akendo.eu
Wed Jan 21 14:30:36 CET 2015
I did test it in my environment and it worked without problems.
I would say you're good to go. Thanks for sharing it here!
so far
Akendo
On 01/21/15 13:38, Tim wrote:
>
> On 20.01.2015 21:26, Tim wrote:
>>
>> On 20.01.2015 20:34, Akendo wrote:
>>> You should not have these services (puppet master / puppetdb) exposed
>>> directly. Use a web service like nginx/apache to proxy this.
>> Ah, stupid me, I've got an nginx running for the puppet master, but I never
>> thought about the puppetdb. Of course nginx can work as a proxy for
>> that too. Thanks!
>
> I now have the following configuration running; could you have a look at
> it (clients are all CentOS 5 and CentOS 6, nginx is on CentOS 7):
> server {
>     listen 10.111.2.250:8081 ssl;
>     ssl on;
>     ssl_certificate /var/lib/puppet/ssl/certs/puppet..de.pem;
>     ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet..de.pem;
>     ssl_verify_client on;
>     ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
>     ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
>     add_header Strict-Transport-Security max-age=15768000;
>     server_name puppet..de;
>     charset utf-8;
>     root /var/empty;
>     access_log /var/log/nginx/puppetdbagents-access.log;
>     error_log /var/log/nginx/puppetdbagents-error.log;
>     location / {
>         proxy_pass http://puppetdb;
>     }
> }
>
> upstream puppetdb {
>     server 127.0.0.1:8080;
> }
>>> There you
>>> can harden the SSL/TLS options.
>>>
>>> best regards
>>> Akendo
>>>
>>> On 11/21/2014 02:47 PM, Aaron Zauner wrote:
>>>> Hi Tim
>>>>
>>>> Tim wrote:
>>>>> Hey guys,
>>>>>
>>>>> first of all, thanks for your great guide!
>>>>>
>>>>> I'm running PuppetDB, which is software running in a JVM. It supports
>>>>> SSL-encrypted connections
>>>>> (https://docs.puppetlabs.com/puppetdb/latest/configure.html#cipher-suites)
>>>>> and uses the JDK crypto provider
>>>>> (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites
>>>>> ). Can any of you recommend secure settings for PuppetDB/JDK in general?
>>>> Is there anything that the recommendations in our paper do not reflect
>>>> w.r.t. PuppetDB? I use it myself; it's pretty much just setting the
>>>> proper JVM cipher settings. If you use Java 7-8 there should not be much
>>>> of an issue.
>>>>
>>>> Aaron
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Ach mailing list
>>>> Ach at lists.cert.at
>>>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>>>>
>
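As an added example (not code from the thread or from the bettercrypto project), a small Python lint that checks a server block like the one Tim posted for the points raised above: client certificates verified against the Puppet CA, PuppetDB reachable only through the proxy on loopback, TLS on the listener, and static-RSA suites without forward secrecy still on the cipher list. The config it reads is a constructed sample with puppet.example.com standing in for the real hostname.

```python
import re

# Constructed sample modelled on the server block in the thread; the real
# hostname is replaced by the placeholder puppet.example.com.
SAMPLE_CONFIG = """
server {
    listen 10.111.2.250:8081 ssl;
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.example.com.pem;
    ssl_verify_client on;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:!aNULL:!MD5:!RC4:AES256-SHA';
    location / { proxy_pass http://puppetdb; }
}
upstream puppetdb { server 127.0.0.1:8080; }
"""

# Static-RSA CBC suites (no forward secrecy) that cipher string B keeps for legacy clients.
STATIC_RSA = re.compile(r"^(AES|CAMELLIA)(128|256)-SHA(256)?$")

def parse_directives(text):
    """Flatten an nginx config into (name, args) pairs; comments and block
    nesting are dropped, which is enough for the directives checked below."""
    text = re.sub(r"#.*", "", text)
    stmts = (s.split() for s in re.split(r"[;{}]", text))
    return [(p[0], p[1:]) for p in stmts if p]

def lint(text):
    """Return findings for the thread's hardening points; [] means all pass."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name, []).append(args)
    findings = []
    if by_name.get("ssl_verify_client", [["off"]])[0] != ["on"]:
        findings.append("ssl_verify_client is not on: agents are not authenticated")
    if "ssl_client_certificate" not in by_name:
        findings.append("no ssl_client_certificate: nothing to verify agent certs against")
    if not any("ssl" in args for args in by_name.get("listen", [])):
        findings.append("listen without ssl: agent traffic would be plaintext")
    # A 'server' with arguments is an upstream entry; the server {} block has none.
    for args in by_name.get("server", []):
        if args and not args[0].startswith(("127.0.0.1:", "localhost:", "unix:")):
            findings.append(f"upstream {args[0]} is not loopback: PuppetDB reachable directly")
    for args in by_name.get("ssl_ciphers", []):
        suites = " ".join(args).strip("'\"").split(":")
        if "!aNULL" not in suites:
            findings.append("ssl_ciphers does not exclude !aNULL")
        findings += [f"{s} has no forward secrecy" for s in suites if STATIC_RSA.match(s)]
    return findings
```

Run `lint()` over the real server block to get the same findings; with the thread's cipher string B it will list the trailing CAMELLIA/AES CBC suites, which string B keeps only for old clients.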