Use unix socket for httpd -> Foreman communication

ekohl · ekohl · commit 19a28df86975 · 2025-03-13T19:14:57.000+01:00
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
@@ -33,7 +33,9 @@
     foreman_db_password: "CHANGEME"
     foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
     foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+    foreman_listen_stream: /run/foreman.sock
     foreman_url: "https://{{ ansible_fqdn }}"
+    httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST/"
     httpd_server_ca_certificate: "{{ ca_certificate }}"
     httpd_client_ca_certificate: "{{ ca_certificate }}"
     httpd_server_certificate: "{{ server_certificate }}"
diff --git a/roles/foreman/templates/foreman.socket.j2 b/roles/foreman/templates/foreman.socket.j2
@@ -3,6 +3,12 @@ Description=Foreman socket
 
 [Socket]
 ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
 
 [Install]
 WantedBy=sockets.target
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml
@@ -1,4 +1,4 @@
 httpd_ssl_dir: /etc/pki/httpd
 httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
-httpd_foreman_backend: http://localhost:3000
+httpd_foreman_backend: http://localhost:3000/
diff --git a/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -70,8 +70,8 @@
   ProxyPass /pulp !
   ProxyPass /icons !
   ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
-  ProxyPassReverse / {{ httpd_foreman_backend }}/
+  ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900
+  ProxyPassReverse / {{ httpd_foreman_backend }}
 
   AddDefaultCharset UTF-8
 </VirtualHost>
