passenger_set_header 对 Passenger 和 nginx 没有影响
passenger_set_header has no effect with Passenger and nginx
我的主要问题是让 puppet 与 nginx+passenger 一起工作,
只有当我直接执行 puppet master 而不是通过
nginx+乘客。然而我发现,那个乘客不
在我的设置中转发环境 headers。
为了验证这一点,我创建了一个简单的机架应用程序,它只打印
它从乘客那里得到的环境。 headers 我配置的是
此应用程序也缺少乘客转发的信息,因此
通用主题。
这是我的测试架应用程序:
require 'rack'
require 'rack/server'
class EnvApp
def call(env)
response = Rack::Response.new
response.write "**** ENV{} ***\n"
env.each do |key, val|
response.write key
response.write " => "
response.write val
response.write "\n"
end
response.status = 200
response.finish
end
end
run EnvApp.new
此应用的 nginx 配置:
server {
listen 8888 ssl;
server_name puppet puppet.scip.foo;
passenger_enabled on;
passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_S_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
root /tmp/scip/rack/public;
ssl_certificate /var/puppet/ssl/certs/puppet.scip.foo.pem;
ssl_certificate_key /var/puppet/ssl/private_keys/puppet.scip.foo.pem;
ssl_crl /var/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /var/puppet/ssl/certs/ca.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!\
MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
ssl_session_timeout 5m;
}
和 nginx 的 http 部分:
# log ssl_client vars as well
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'SSLDN:"$ssl_client_s_dn" SSLVR:"$ssl_client_verify"';
# Passenger needed for puppet
passenger_root /usr/local/lib/ruby/gems/2.3/gems/passenger-5.1.8;
passenger_ruby /usr/local/bin/ruby;
passenger_max_pool_size 15;
# passenger logging, 0=crit only, 3=default, 7=max
passenger_log_level 3;
passenger_log_file /var/log/passenger.log;
# Rack test app (that's the file posted below):
include /usr/local/etc/nginx/conf.d/env.conf;
我使用的是 Puppet 客户端使用的相同 CA 和证书,所以我离开了
这部分在这里。仅作记录:它们工作正常,因为
傀儡特工与傀儡大师 w/o 乘客合作得很好
那些证书。
所以,这是我访问上述应用程序的方式:
curl --cert /tmp/scip/srv2202.pem --cacert /tmp/scip/ca.pem -k https://127.0.0.1:8888
这是输出(虽然我打断了 rack.hijack 行):
**** ENV{} ***
REQUEST_URI => /
PATH_INFO => /
SCRIPT_NAME =>
QUERY_STRING =>
REQUEST_METHOD => GET
SERVER_NAME => 127.0.0.1
SERVER_PORT => 8888
SERVER_SOFTWARE => nginx/1.12.1 Phusion_Passenger/5.1.8
SERVER_PROTOCOL => HTTP/1.1
REMOTE_ADDR => 127.0.0.1
REMOTE_PORT => 57534
PASSENGER_CONNECT_PASSWORD => oJdXmatT3cTnKvJw
HTTPS => on
HTTP_USER_AGENT => curl/7.56.0
HTTP_ACCEPT => */*
HTTP_HOST => 127.0.0.1:8888
rack.version => [1, 2]
rack.input => #<PhusionPassenger::Utils::TeeInput:0x00000008033ac950>
rack.errors => #<IO:0x000000080317ab28>
rack.multithread => false
rack.multiprocess => true
rack.run_once => false
rack.url_scheme => https
rack.hijack? => true
rack.hijack => #<Proc:0x00000008033ac4f0@/usr/local/lib/ruby/gems/2.3/gems/\
passenger-5.1.8/src/ruby_supportlib/phusion_passenger/rack/\
thread_handler_extension.rb:84 (lambda)>
HTTP_VERSION => HTTP/1.1
可以看出,没有HTTP_X_CLIENT_VERIFY也没有
HTTP_X_CLIENT_DN。但是,我启用了这些变量的日志记录
在 nginx 中,上面的请求在我的访问日志中是这样的:
127.0.0.1 - - [07/Feb/2018:14:15:58 +0100] "GET / HTTP/1.1" 200 873 "-" \
"curl/7.56.0" "-" SSLDN:"CN=srv2202.scip.foo" SSLVR:"SUCCESS"
所以,我的问题是:我到底该如何让乘客转发
这两个变量要搁置?
我的系统设置:
- FreeBSD 10.3
- ruby 2.3.5p376(2017-09-14 修订版 59905)[amd64-freebsd10]
- nginx/1.12.1
- Phusion_Passenger/5.1.8
事实证明,必须在变量定义中使用破折号,passenger 然后将它们翻译成下划线。此设置有效:
passenger_set_header X-CLIENT-DN $ssl_client_s_dn;
passenger_set_header X-CLIENT-VERIFY $ssl_client_verify;
然后在我的环境中我得到:
HTTP_X_CLIENT_DN => CN=srv2202.scip.foo
HTTP_X_CLIENT_VERIFY => SUCCESS
我想说,这需要在旅客文件中加以说明。
我的主要问题是让 puppet 与 nginx+passenger 一起工作, 只有当我直接执行 puppet master 而不是通过 nginx+乘客。然而我发现,那个乘客不 在我的设置中转发环境 headers。
为了验证这一点,我创建了一个简单的机架应用程序,它只打印 它从乘客那里得到的环境。 headers 我配置的是 此应用程序也缺少乘客转发的信息,因此 通用主题。
这是我的测试架应用程序:
require 'rack'
require 'rack/server'
class EnvApp
def call(env)
response = Rack::Response.new
response.write "**** ENV{} ***\n"
env.each do |key, val|
response.write key
response.write " => "
response.write val
response.write "\n"
end
response.status = 200
response.finish
end
end
run EnvApp.new
此应用的 nginx 配置:
server {
listen 8888 ssl;
server_name puppet puppet.scip.foo;
passenger_enabled on;
passenger_set_header X_CLIENT_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_S_DN $ssl_client_s_dn;
passenger_set_header X_CLIENT_VERIFY $ssl_client_verify;
root /tmp/scip/rack/public;
ssl_certificate /var/puppet/ssl/certs/puppet.scip.foo.pem;
ssl_certificate_key /var/puppet/ssl/private_keys/puppet.scip.foo.pem;
ssl_crl /var/puppet/ssl/ca/ca_crl.pem;
ssl_client_certificate /var/puppet/ssl/certs/ca.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!\
MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;
ssl_session_timeout 5m;
}
和 nginx 的 http 部分:
# log ssl_client vars as well
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'SSLDN:"$ssl_client_s_dn" SSLVR:"$ssl_client_verify"';
# Passenger needed for puppet
passenger_root /usr/local/lib/ruby/gems/2.3/gems/passenger-5.1.8;
passenger_ruby /usr/local/bin/ruby;
passenger_max_pool_size 15;
# passenger logging, 0=crit only, 3=default, 7=max
passenger_log_level 3;
passenger_log_file /var/log/passenger.log;
# Rack test app (that's the file posted below):
include /usr/local/etc/nginx/conf.d/env.conf;
我使用的是 Puppet 客户端使用的相同 CA 和证书,所以我离开了 这部分在这里。仅作记录:它们工作正常,因为 傀儡特工与傀儡大师 w/o 乘客合作得很好 那些证书。
所以,这是我访问上述应用程序的方式:
curl --cert /tmp/scip/srv2202.pem --cacert /tmp/scip/ca.pem -k https://127.0.0.1:8888
这是输出(虽然我打断了 rack.hijack 行):
**** ENV{} ***
REQUEST_URI => /
PATH_INFO => /
SCRIPT_NAME =>
QUERY_STRING =>
REQUEST_METHOD => GET
SERVER_NAME => 127.0.0.1
SERVER_PORT => 8888
SERVER_SOFTWARE => nginx/1.12.1 Phusion_Passenger/5.1.8
SERVER_PROTOCOL => HTTP/1.1
REMOTE_ADDR => 127.0.0.1
REMOTE_PORT => 57534
PASSENGER_CONNECT_PASSWORD => oJdXmatT3cTnKvJw
HTTPS => on
HTTP_USER_AGENT => curl/7.56.0
HTTP_ACCEPT => */*
HTTP_HOST => 127.0.0.1:8888
rack.version => [1, 2]
rack.input => #<PhusionPassenger::Utils::TeeInput:0x00000008033ac950>
rack.errors => #<IO:0x000000080317ab28>
rack.multithread => false
rack.multiprocess => true
rack.run_once => false
rack.url_scheme => https
rack.hijack? => true
rack.hijack => #<Proc:0x00000008033ac4f0@/usr/local/lib/ruby/gems/2.3/gems/\
passenger-5.1.8/src/ruby_supportlib/phusion_passenger/rack/\
thread_handler_extension.rb:84 (lambda)>
HTTP_VERSION => HTTP/1.1
可以看出,没有HTTP_X_CLIENT_VERIFY也没有
HTTP_X_CLIENT_DN。但是,我启用了这些变量的日志记录
在 nginx 中,上面的请求在我的访问日志中是这样的:
127.0.0.1 - - [07/Feb/2018:14:15:58 +0100] "GET / HTTP/1.1" 200 873 "-" \
"curl/7.56.0" "-" SSLDN:"CN=srv2202.scip.foo" SSLVR:"SUCCESS"
所以,我的问题是:我到底该如何让乘客转发 这两个变量要搁置?
我的系统设置:
- FreeBSD 10.3
- ruby 2.3.5p376(2017-09-14 修订版 59905)[amd64-freebsd10]
- nginx/1.12.1
- Phusion_Passenger/5.1.8
事实证明,必须在变量定义中使用破折号,passenger 然后将它们翻译成下划线。此设置有效:
passenger_set_header X-CLIENT-DN $ssl_client_s_dn;
passenger_set_header X-CLIENT-VERIFY $ssl_client_verify;
然后在我的环境中我得到:
HTTP_X_CLIENT_DN => CN=srv2202.scip.foo
HTTP_X_CLIENT_VERIFY => SUCCESS
我想说,这需要在旅客文件中加以说明。