Puppet
Alexey, 2017-08-03 19:39:40

HAProxy balancer for Puppet server?

The stone flower does not come out ((
HAProxy needs to be configured as a load balancer for n Puppet master servers.
HAProxy must perform SSL authorization.
I tried Apache as a balancer: everything works fine, in SSL authorization mode too.
I have been struggling with haproxy for a long time and it does not work.
Config:
global
    daemon
    user haproxy
    group haproxy
    maxconn 2048
    log 127.0.0.1 local0
    nbproc 1
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:tlsv10:tlsv11:tlsv12
    ssl-default-bind-options no-sslv3

defaults
    log global
    option httplog
    option httpclose
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
    option forwardfor
    option redispatch
    option tcp-smart-accept
    option tcp-smart-connect
    maxconn 8000
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

frontend puppet-frontend
    mode http
    option httplog
    bind 10.10.24.40:8140 ssl crt /etc/haproxy/ssl/cert_81.pem ca-file /etc/haproxy/ssl/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify required
    option forwardfor header X-Real-IP
    default_backend puppet-backend

backend puppet-backend
    balance roundrobin
    mode http
    option httpclose
    option forwardfor
    option httplog
    log global
    server null-1 10.10.24.40:18140 check
    server null-2 10.10.24.50:18140 check

On Puppet agent connection (-t):
# puppet agent -t --server=puppet --masterport=8140 --verbose
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/node/null-cli [find]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/pluginfacts [search]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/pluginfacts [find]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/plugins [search]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/file_metadata/plugins [find]
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/catalog/null-cli [find]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/report/null-cli [save]
i.e. : Warning: Error 403 on SERVER: Not Authorized: Forbidden request: /puppet/v3/node/null-0 [find]
On the haproxy side:
# /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -d
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Using epoll() as the polling mechanism.
00000000:puppet-frontend.accept(0004)=0006 from [10.10.24.40:14184]
00000000:puppet-frontend.clireq[0006:ffffffff]: GET /puppet/v3/node/null-cli?environment=production&transaction_uuid=e1d771f2-6557-4422-9a47-73a4133f0278&fail_on_404=true HTTP/1.1
00000000:puppet-frontend.clihdr[0006:ffffffff]: Accept: pson, binary
00000000:puppet-frontend.clihdr[0006:ffffffff]: X-Puppet-Version: 4.10.5
00000000:puppet-frontend.clihdr[0006:ffffffff]: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
00000000:puppet-frontend.clihdr[0006:ffffffff]: Host: puppet:8140
00000000:puppet-backend.srvhdr[0006:0008]: Date: Thu, 03 Aug 2017 16:36:11 GMT
00000000:puppet-backend.srvhdr[0006:0008]: Content-Type: application/json
00000000:puppet-backend.srvhdr[0006:0008]: Connection: close
00000000:puppet-backend.srvhdr[0006:0008]: Server: Jetty(9.2.z-SNAPSHOT)
[0006:0008]
00000000:puppet-backend.closed[0006:0008]
00000001:puppet-frontend.accept(0004)=0006 from [10.10.24.40:14185]
00000001:puppet-frontend.clireq[0006:ffffffff]: GET /puppet/v3/file_metadatas/pluginfacts?environment=production&links=follow&recurse=true&source_permissions=use&ignore=.svn&ignore=CVS&ignore=.git&ignore=.hg&checksum_type=md5 HTTP/1.1
00000001:puppet-frontend.clihdr[0006:ffffffff]: Accept: pson, binary
00000001:puppet-frontend.clihdr[0006:ffffffff]: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
9-p490 (x86_64-linux)
00000001:puppet-frontend.clihdr[0006:ffffffff]: Host: puppet:8140
00000001:puppet-backend.srvrep[0006:0008]: HTTP/1.1 403 Forbidden
00000001:puppet-backend.srvhdr[0006:0008]: Date: Thu, 03 Aug 2017 16:36:11 GMT
00000001:puppet-backend.srvhdr[0006:0008]: Content-Type: application/json
00000001:puppet-backend.srvhdr[0006:0008]: X-Puppet-Version: 4.10.4
00000001:puppet-backend.srvhdr[0006:0008]: Connection: close
00000001:puppet-backend.clicls[0006:0008]
00000001:puppet-backend.closed[0006:0008]
etc.
I've searched all over Google for an answer.
Who can tell me what I'm doing wrong in the haproxy config? Let me remind you that if you run the balancer on apache, then everything works fine with the same puppet agents and puppet masters!
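
A check worth running against a setup like the one in the question, as an added example that is not part of the original post: when TLS is terminated at the proxy and the backends are reached over plain HTTP, Puppet Server's external-SSL-termination mode (`allow-header-cert-info`) takes the agent's identity from the `X-Client-Verify` and `X-Client-DN` request headers, so a frontend that verifies client certificates has to set them. The function names and the embedded sample (an excerpt of the posted config) are constructed for illustration, and only `default_backend` routing is followed.

```python
import re

# Headers Puppet Server reads when a proxy terminates TLS for it
# (external SSL termination, enabled with allow-header-cert-info).
IDENTITY_HEADERS = ("x-client-verify", "x-client-dn")

# Constructed sample: excerpt of the frontend/backend posted above.
SAMPLE_CFG = """\
frontend puppet-frontend
    mode http
    bind 10.10.24.40:8140 ssl crt /etc/haproxy/ssl/cert_81.pem ca-file /etc/haproxy/ssl/ca.pem crl-file /etc/puppetlabs/puppet/ssl/crl.pem verify required
    option forwardfor header X-Real-IP
    default_backend puppet-backend
backend puppet-backend
    server null-1 10.10.24.40:18140 check
    server null-2 10.10.24.50:18140 check
"""

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
VERIFY_BIND = re.compile(r"^bind\s.*\sssl\b.*\bverify\s+(required|optional)\b")
SET_HEADER = re.compile(r"^http-request\s+set-header\s+(\S+)", re.I)

def parse_sections(text):
    """Split haproxy.cfg text into {(kind, name): [directive, ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections[current] = []
        elif current:
            sections[current].append(line)
    return sections

def missing_identity_headers(text):
    """Map each client-cert-verifying frontend to the identity headers that
    neither it nor its default_backend sets via http-request set-header."""
    sections, findings = parse_sections(text), {}
    for (kind, name), lines in sections.items():
        verifies = any(VERIFY_BIND.match(l) for l in lines)
        if kind not in ("frontend", "listen") or not verifies:
            continue
        backend = next((l.split()[1] for l in lines
                        if l.startswith("default_backend ")), None)
        scope = lines + sections.get(("backend", backend), [])
        seen = {m.group(1).lower() for m in map(SET_HEADER.match, scope) if m}
        missing = [h for h in IDENTITY_HEADERS if h not in seen]
        if missing:
            findings[name] = missing
    return findings
```

Because the backend trusts these headers in place of a TLS handshake, the proxy has to set them itself on every request (overwriting anything the client sent), and the backend port should accept connections only from the proxy.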
