3 files changed, 26 insertions, 8 deletions

diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/network/http/rack/httphandler.rb
index e14206850..31aa8371e 100644
--- a/lib/puppet/network/http/rack/httphandler.rb
+++ b/lib/puppet/network/http/rack/httphandler.rb
@@ -12,5 +12,23 @@ class Puppet::Network::HTTP::RackHttpHandler
         raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)"
     end
 
+    def ssl_client_header(request)
+        env_or_request_env(Puppet[:ssl_client_header], request)
+    end
+
+    def ssl_client_verify_header(request)
+        env_or_request_env(Puppet[:ssl_client_verify_header], request)
+    end
+
+    # Older Passenger versions passed all Environment vars in app(env),
+    # but since 2.2.3 they (some?) are really in ENV.
+    # Mongrel, etc. may also still use request.env.
+    def env_or_request_env(var, request)
+        if ENV.include?(var)
+            ENV[var]
+        else
+            request.env[var]
+        end
+    end
 end
 
diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb
index 104751271..bdca651d1 100644
--- a/lib/puppet/network/http/rack/rest.rb
+++ b/lib/puppet/network/http/rack/rest.rb
@@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler
         result[:ip] = request.ip
 
         # if we find SSL info in the headers, use them to get a hostname.
-        # try this with :ssl_client_header, which defaults should work for
-        # Apache with StdEnvVars.
-        if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
             result[:node] = dn_matchdata[1].to_str
-            result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+            result[:authenticated] = (ssl_client_verify_header(request) == 'SUCCESS')
         else
             result[:node] = resolve_node(result)
             result[:authenticated] = false
diff --git a/lib/puppet/network/http/rack/xmlrpc.rb b/lib/puppet/network/http/rack/xmlrpc.rb
index 4fc9e82fc..9d0f486bc 100644
--- a/lib/puppet/network/http/rack/xmlrpc.rb
+++ b/lib/puppet/network/http/rack/xmlrpc.rb
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler
         ip = request.ip
 
         # if we find SSL info in the headers, use them to get a hostname.
-        # try this with :ssl_client_header, which defaults should work for
-        # Apache with StdEnvVars.
-        if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
+        # try this with :ssl_client_header.
+        # For Apache you need special configuration, see ext/rack/README.
+        if dn = ssl_client_header(request) and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
             node = dn_matchdata[1].to_str
-            authenticated = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS')
+            authenticated = (ssl_client_verify_header(request) == 'SUCCESS')
         else
             begin
                 node = Resolv.getname(ip)