httpd vhost:80 configuration

Redirect Foreman http -> https
Allow pulp for http and https

Author: stejskalleos

src/roles/httpd/tasks/main.yml

@@ -43,6 +43,14 @@
     - src: "{{ httpd_server_key }}"
       dest: "private/katello-apache.key"
 
+- name: Configure foreman vhost
+  ansible.builtin.template:
+    src: foreman-vhost.conf.j2
+    dest: /etc/httpd/conf.d/foreman.conf
+    mode: "0644"
+  notify:
+    - Restart httpd
+
 - name: Configure foreman-ssl vhost
   ansible.builtin.template:
     src: foreman-ssl-vhost.conf.j2

src/roles/httpd/templates/foreman-vhost.conf.j2

@@ -0,0 +1,71 @@
+<VirtualHost *:80>
+  ServerName {{ ansible_facts['fqdn'] }}
+
+  ## Load additional static includes
+  IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf"
+
+  ## Logging
+  ErrorLog "/var/log/httpd/foreman_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/httpd/foreman_access.log" combined
+
+  ## Redirect to HTTPS (except for pulp services)
+  RewriteEngine On
+  RewriteCond %{REQUEST_URI} !^/pulp
+  RewriteCond %{REQUEST_URI} !^/pulpcore_registry
+  RewriteCond %{REQUEST_URI} !^/pulp_ansible
+  RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+  ## Request header rules
+  ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
+  RequestHeader set X-FORWARDED-PROTO "http"
+  RequestHeader set SSL-CLIENT-S-DN ""
+  RequestHeader set SSL-CLIENT-CERT ""
+  RequestHeader set SSL-CLIENT-VERIFY ""
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER
+
+  ProxyPass /pulp_ansible/galaxy/ {{ httpd_pulp_api_backend }}/pulp_ansible/galaxy/
+  ProxyPassReverse /pulp_ansible/galaxy/ {{ httpd_pulp_api_backend }}/pulp_ansible/galaxy/
+
+  <Location "/pulpcore_registry/v2/">
+    RequestHeader unset REMOTE_USER
+    RequestHeader unset REMOTE-USER
+    RequestHeader set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == '{{ ansible_facts['fqdn'] }}'"
+    ProxyPass {{ httpd_pulp_api_backend }}/v2/
+    ProxyPassReverse {{ httpd_pulp_api_backend }}/v2/
+  </Location>
+
+  ProxyPass /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
+  ProxyPassReverse /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
+
+  <Location "/pulp/content">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/api/v3">
+    RequestHeader unset REMOTE_USER
+    RequestHeader unset REMOTE-USER
+    RequestHeader set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == '{{ ansible_facts['fqdn'] }}'"
+    ProxyPass {{ httpd_pulp_api_backend }}/pulp/api/v3 timeout=600
+    ProxyPassReverse {{ httpd_pulp_api_backend }}/pulp/api/v3
+  </Location>
+
+  ProxyPass /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/
+  ProxyPassReverse /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/
+
+  ## Proxy rules
+  ProxyRequests Off
+  ProxyPreserveHost On
+  ProxyAddHeaders On
+  ProxyPass /pulp !
+  ProxyPass /icons !
+  ProxyPass /server-status !
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  ProxyPassReverse / {{ httpd_foreman_backend }}/
+
+  AddDefaultCharset UTF-8
+</VirtualHost>

tests/httpd_test.py

@@ -41,3 +41,18 @@ def test_https_pulp_auth(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
     assert cmd.succeeded
     assert cmd.stderr == '200'
+
+def test_http_foreman_redirect(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}")
+    assert cmd.succeeded
+    assert cmd.stdout == '301'
+
+def test_http_pulp_status(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+def test_http_pulp_content(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pulp/content/")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'