Our support for TLS termination is messy, and you need to use a reverse proxy in front of PE. We have a couple of patterns covering multi-region solutions using proxies and compilers which may be helpful:
https://puppet.com/docs/pe/2021.7/installing_compilers.html#multi-region-load-balancing
AWS Multi-region architectures for Puppet Enterprise <https://puppet.com/docs/patterns-and-tactics/latest/reference-architectures/aws-reference-architecture-guide.html#in-region-proxies-variation>
PE Multi-region reference architectures (puppet.com) <https://puppet.com/docs/patterns-and-tactics/latest/reference-architectures/pe-multi-region-reference-architectures.html#in-region-proxies-variation>

On Wednesday, October 19, 2022 at 5:49:29 PM UTC+1 [email protected] wrote:
> Dear Puppet Users,
>
> Until now, I have been using Puppet in firewalled environments only, where agents were on the same trusted network as the server or connected through VPN tunnels.
>
> Now there seem to be some good reasons for switching to a "perimeterless security" approach, which would mean dropping the VPN and putting the Puppet Server on the public internet. In my special case, I could not even do any IP-based filtering.
>
> I could not really find any good material or recommendations on this. Is this a discouraged/dangerous practice, or is it more common than I was assuming?
>
> The basic approach of mutual, certificate-based authentication in Puppet seems to perfectly support this scenario, and comes with encryption built in. And yes, of course I would _not_ enable certificate autosigning.
>
> Are there other risks to be aware of? Any recommendations on hardening the setup?
>
> Maybe I am a bit sceptical because a component like Puppet Server has not received the scrutiny of, e.g., an Apache or Nginx webserver regarding potential attack surfaces and security issues. The sensitive information a compromised Puppet Server might leak cannot be ignored.
>
> Would it make sense to place the Puppet Server behind a major webserver/proxy (Apache, Varnish etc.)? Would it be possible to reject all connections that do not provide client certificates and use some out-of-band process for signing new client certs?
>
> Thank you for all suggestions!
> -mp.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/e723a8f1-1d44-4692-944e-18fc036e39afn%40googlegroups.com.
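The proxy setup the original poster asks about, rejecting every TLS connection that does not present a client certificate and leaving the signing of new certificates to an out-of-band process, can be done with nginx in front of Puppet Server. The configuration below is an added example written for this thread; it is not code from the thread, from Puppet Enterprise or from the linked reference architectures. It assumes Puppet Server has been switched to external SSL termination as described in the Puppet Server docs (a plain HTTP listener on the loopback interface instead of the ssl-host/ssl-port pair in webserver.conf, and `allow-header-cert-info: true` in auth.conf), that the header names are Puppet's defaults (`X-Client-Verify`, `X-Client-DN`, `X-Client-Cert`, set via `ssl_client_verify_header` and `ssl_client_header` in puppet.conf), and that the file paths and hostnames shown are placeholders.

```nginx
# nginx reverse proxy in front of Puppet Server: mutual TLS enforced at the edge.
# Added example; paths, hostnames and the upstream address are assumptions.

upstream puppetserver {
    # Puppet Server on plain HTTP, bound to loopback only, after external SSL
    # termination has been enabled. It must NOT be reachable from anywhere but
    # this proxy: with allow-header-cert-info on, anyone who can talk to the
    # upstream directly can forge the identity headers set below.
    server 127.0.0.1:8140;
}

server {
    listen 8140 ssl;
    server_name puppet.example.com;

    # Server identity: a certificate issued by the Puppet CA, so the agents'
    # existing trust anchor (their copy of ca.pem) validates the proxy and the
    # agent-side "ssl_client_verify" still works as before.
    ssl_certificate     /etc/nginx/puppet/puppet.example.com.pem;
    ssl_certificate_key /etc/nginx/puppet/puppet.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Weak setting: "ssl_verify_client optional;" lets connections with no
    # client certificate through to the upstream. With "on", the TLS handshake
    # itself fails for any peer that cannot present a certificate chaining to
    # the Puppet CA, so unauthenticated requests never reach Puppet Server.
    ssl_verify_client      on;
    ssl_client_certificate /etc/nginx/puppet/ca.pem;
    ssl_verify_depth       1;
    # Revocation: serve the CA's CRL so "puppetserver ca revoke" takes effect
    # at the proxy too (assumes the CRL file is kept in sync with the CA).
    ssl_crl /etc/nginx/puppet/ca_crl.pem;

    location / {
        proxy_pass http://puppetserver;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Hand the verified identity to Puppet Server in the headers it expects
        # by default. proxy_set_header overwrites any value the client sent, so
        # an agent cannot inject its own X-Client-* headers.
        proxy_set_header X-Client-Verify $ssl_client_verify;       # "SUCCESS" on a valid cert
        proxy_set_header X-Client-DN     $ssl_client_s_dn;         # e.g. CN=agent01.example.com
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert; # URL-encoded PEM
    }
}
```

Because the handshake is rejected without a certificate, the normal bootstrap path (an agent submitting a CSR over the same port and waiting for it to be signed) no longer works, which is exactly the out-of-band model the question describes: generate the agent's key and certificate on the CA host (for example with `puppetserver ca generate --certname <agent fqdn>`) and deliver them to the node through your provisioning channel. Two checks worth doing before trusting this layout: confirm from another host that `openssl s_client -connect puppet.example.com:8140` without a client cert fails the handshake, and confirm that port 8140 on the Puppet Server host itself answers only on 127.0.0.1.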
