-rw-r--r--ext/rack/README11
-rw-r--r--lib/puppet/network/http/rack/httphandler.rb18
-rw-r--r--lib/puppet/network/http/rack/rest.rb8
-rw-r--r--lib/puppet/network/http/rack/xmlrpc.rb8
4 files changed, 33 insertions, 12 deletions
diff --git a/ext/rack/README b/ext/rack/README
index 63b8fde7a..3bdcca53f 100644
--- a/ext/rack/README
+++ b/ext/rack/README
@@ -39,11 +39,11 @@ rackup is part of the rack gem. Make sure it's in your path.
Apache with Passenger (aka mod_rails)
-------------------------------------
-Make sure puppetmasterd ran at least once, so the SSL certificates
+Make sure puppetmasterd ran at least once, so the CA & SSL certificates
got set up.
Requirements:
- Passenger version 2.2.2 or newer [1]
+ Passenger version 2.2.2 or newer***
Rack version 1.0.0
Apache 2.x
SSL Module loaded
@@ -65,6 +65,9 @@ instead an implicit setuid will be done, to the user whom owns
config.ru. Therefore, config.ru shall be owned by the puppet user.
-[1] http://www.modrails.com/install.html
-
+*** Important note about Passenger versions:
+ 2.2.2 is known to work.
+ 2.2.3-2.2.4 are known to *NOT* work.
+ 2.2.5 (when it is released) is expected to work properly again.
+ Passenger installation doc: http://www.modrails.com/install.html
diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/network/http/rack/httphandler.rb
index e14206850..31aa8371e 100644
--- a/lib/puppet/network/http/rack/httphandler.rb
+++ b/lib/puppet/network/http/rack/httphandler.rb
@@ -12,5 +12,23 @@ class Puppet::Network::HTTP::RackHttpHandler
raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)"
end
+ def ssl_client_header(request)
+ env_or_request_env(Puppet[:ssl_client_header], request)
+ end
+
+ def ssl_client_verify_header(request)
+ env_or_request_env(Puppet[:ssl_client_verify_header], request)
+ end
+
+ # Older Passenger versions passed all Environment vars in app(env),
+ # but since 2.2.3 they (some?) are really in ENV.
+ # Mongrel, etc. may also still use request.env.
+ def env_or_request_env(var, request)
+ if ENV.include?(var)
+ ENV[var]
+ else
+ request.env[var]
+ end
+ end
end
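Review bot: `env_or_request_env` prefers the process-wide `ENV` over the per-request `request.env`, and its result feeds the `authenticated` decision in rest.rb and xmlrpc.rb, but the comment above it does not say why either source can be trusted. `ENV` is shared by every request a worker process handles, so a client DN or verify result read from it is only correct if the server resets it for each request; that should be confirmed for the Passenger versions the comment mentions. In the fallback branch, Rack exposes client-sent request headers as `HTTP_*` keys in `request.env`, so if the configured names have that form the SSL-terminating front end must overwrite or strip any client-supplied copies. I would extend the comment with something like `# SECURITY: both sources are trusted as set by the SSL-terminating web server, which must overwrite client-supplied copies of these headers; ENV is process-global, so it must be refreshed per request.`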
diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb
index 104751271..bdca651d1 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
result[:ip] = request.ip
# if we find SSL info in the headers, use them to get a hostname.
- # try this with :ssl_client_header, which defaults should work for
- # Apache with StdEnvVars.
- if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+ # try this with :ssl_client_header.
+ # For Apache you need special configuration, see ext/rack/README.
+ if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
result[:node] = dn_matchdata[1].to_str
- result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+ result[:authenticated] = (ssl_client_verify_header(request) == 'SUCCESS')
else
result[:node] = resolve_node(result)
result[:authenticated] = false
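Review bot: The CN extraction in `dn.match(/^.*?CN\s*=\s*(.*)/)` is loose for a value that becomes `result[:node]`. `^` anchors at a line start rather than the start of the string, `CN` is not required to begin an attribute name, and `(.*)` captures everything after the first `CN=`, including any attributes that follow it in the DN. Whether this matters depends on the DN format the web server delivers, which is not visible here, so I would at least document the expected format next to the match, e.g. `# expects CN to be the last attribute of the DN (constructed example: "/O=Example/CN=host.example.com")`, and consider anchoring with `\A`. The same line appears in the xmlrpc.rb hunk, where it sets `node`; the enclosing method starts and ends outside this hunk.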
diff --git a/lib/puppet/network/http/rack/xmlrpc.rb b/lib/puppet/network/http/rack/xmlrpc.rb
index 4fc9e82fc..9d0f486bc 100644
--- a/lib/puppet/network/http/rack/xmlrpc.rb
+++ b/lib/puppet/network/http/rack/xmlrpc.rb
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler
ip = request.ip
# if we find SSL info in the headers, use them to get a hostname.
- # try this with :ssl_client_header, which defaults should work for
- # Apache with StdEnvVars.
- if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+ # try this with :ssl_client_header.
+ # For Apache you need special configuration, see ext/rack/README.
+ if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
node = dn_matchdata[1].to_str
- authenticated = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+ authenticated = (ssl_client_verify_header(request) == 'SUCCESS')
else
begin
node = Resolv.getname(ip)