httpd configuration

* SSL & non-SSL configs for httpd
* Rails require_ssl: true
* Updated httpd tests

Author: stejskalleos

src/roles/foreman/templates/settings.yaml.j2

@@ -5,6 +5,8 @@
 :ssl_ca_file: /etc/foreman/katello-default-ca.crt
 :ssl_priv_key: /etc/foreman/client_key.pem
 
+:require_ssl: true
+
 :rails_cache_store:
   :type: redis
   :urls:

src/roles/httpd/tasks/main.yml

@@ -58,6 +58,14 @@
     remote_src: true
     mode: "0644"
 
+- name: Configure foreman vhost
+  ansible.builtin.template:
+    src: foreman-vhost.conf.j2
+    dest: /etc/httpd/conf.d/foreman.conf
+    mode: "0644"
+  notify:
+    - Restart httpd
+
 - name: Configure foreman-ssl vhost
   ansible.builtin.template:
     src: foreman-ssl-vhost.conf.j2

src/roles/httpd/templates/foreman-ssl-vhost.conf.j2

@@ -15,8 +15,24 @@
   RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
-  RequestHeader unset REMOTE_USER
   RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
 
   ## SSL directives
   SSLEngine on
@@ -45,6 +61,27 @@
   ProxyPass /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
   ProxyPassReverse /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
 
+  <Location "/pulp/deb">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/isos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/repos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
   <Location "/pulp/content">
     RequestHeader unset X-CLIENT-CERT
     RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
@@ -76,10 +113,52 @@
   ProxyAddHeaders On
   ProxyPass /pulp !
   ProxyPass /pub !
-  ProxyPass /icons !
-  ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  {# ProxyPass /icons ! #}
+  {# ProxyPass /images ! #}
+  {# ProxyPass /server-status ! #}
+  {# ProxyPass /webpack ! #}
+  {# ProxyPass /assets ! #}
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 
+  <FilesMatch \.css\.gz$>
+    ForceType text/css
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.js\.gz$>
+    ForceType text/javascript
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.svg\.gz$>
+    ForceType image/svg+xml
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+
+  <LocationMatch "^/(assets|webpack)">
+    Options SymLinksIfOwnerMatch
+    AllowOverride None
+    Require all granted
+
+    # Use standard http expire header for assets instead of ETag
+    <IfModule mod_expires.c>
+      Header unset ETag
+      FileETag None
+      ExpiresActive On
+      ExpiresDefault "access plus 1 year"
+    </IfModule>
+
+    # Return compressed assets if they are precompiled
+    RewriteEngine On
+    # Make sure the browser supports gzip encoding and file with .gz added
+    # does exist on disc before we rewrite with the extension
+    RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+    RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+    RewriteCond %{REQUEST_FILENAME}.gz -s
+    RewriteRule ^(.+) $1.gz [L]
+</LocationMatch>
+
   AddDefaultCharset UTF-8
 </VirtualHost>

src/roles/httpd/templates/foreman-vhost.conf.j2

@@ -0,0 +1,132 @@
+<VirtualHost *:80>
+  ServerName {{ ansible_facts['fqdn'] }}
+
+  ## Load additional static includes
+  IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf"
+
+  ## Logging
+  ErrorLog "/var/log/httpd/foreman_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/httpd/foreman_access.log" combined
+
+  ## Request header rules
+  ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
+  RequestHeader set X-FORWARDED-PROTO "http"
+  RequestHeader set SSL-CLIENT-S-DN ""
+  RequestHeader set SSL-CLIENT-CERT ""
+  RequestHeader set SSL-CLIENT-VERIFY ""
+  RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
+
+  <Location "/pulp/deb">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/isos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/repos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/content">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME}
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  Alias /pub /var/www/html/pub
+
+  <Location /pub>
+    Options +FollowSymLinks +Indexes
+    Require all granted
+  </Location>
+
+  ## Proxy rules
+  ProxyRequests Off
+  ProxyPreserveHost On
+  ProxyAddHeaders On
+  ProxyPass /pulp !
+  ProxyPass /pub !
+  {# ProxyPass /icons ! #}
+  {# ProxyPass /images ! #}
+  {# ProxyPass /server-status ! #}
+  {# ProxyPass /webpack ! #}
+  {# ProxyPass /assets ! #}
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
+  ProxyPassReverse / {{ httpd_foreman_backend }}/
+
+  ## Server aliases
+  ServerAlias foreman
+
+  ## Custom fragment
+  # Set headers for all possible assets which are compressed
+  <FilesMatch \.css\.gz$>
+    ForceType text/css
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.js\.gz$>
+    ForceType text/javascript
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.svg\.gz$>
+    ForceType image/svg+xml
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+
+  <LocationMatch "^/(assets|webpack)">
+    Options SymLinksIfOwnerMatch
+    AllowOverride None
+    Require all granted
+
+    # Use standard http expire header for assets instead of ETag
+    <IfModule mod_expires.c>
+      Header unset ETag
+      FileETag None
+      ExpiresActive On
+      ExpiresDefault "access plus 1 year"
+    </IfModule>
+
+    # Return compressed assets if they are precompiled
+    RewriteEngine On
+    # Make sure the browser supports gzip encoding and file with .gz added
+    # does exist on disc before we rewrite with the extension
+    RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+    RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+    RewriteCond %{REQUEST_FILENAME}.gz -s
+    RewriteRule ^(.+) $1.gz [L]
+  </LocationMatch>
+
+  AddDefaultCharset UTF-8
+</VirtualHost>

tests/httpd_test.py

@@ -2,6 +2,7 @@
 HTTP_PORT = 80
 HTTPS_PORT = 443
 HTTPD_PUB_DIR = '/var/www/html/pub'
+CURL_CMD = "curl --silent --output /dev/null"
 
 def test_httpd_service(server):
     httpd = server.service("httpd")
@@ -16,25 +17,39 @@ def test_https_port(server):
     httpd = server.addr(HTTP_HOST)
     assert httpd.port(HTTPS_PORT).is_reachable
 
+def test_http_foreman_ping(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/api/v2/ping")
+    assert cmd.succeeded
+    assert cmd.stderr == '301'
+
 def test_https_foreman_ping(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_https_pulp_status(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
+def test_http_pulp_api_status(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+    assert cmd.succeeded
+    assert cmd.stdout == '404'
+
+def test_https_pulp_api_status(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
+def test_http_pulp_content(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/pulp/content/")
+    assert cmd.succeeded
+    assert cmd.stderr == '200'
+
 def test_https_pulp_content(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/content/")
+    cmd = server.run(f"curl --silent --cacert {certificates['ca_certificate']} https://{server_fqdn}/pulp/content/")
     assert cmd.succeeded
-    assert cmd.stdout == '200'
+    assert "Index of /pulp/content/" in cmd.stdout
 
 def test_https_pulp_auth(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
     assert cmd.succeeded
-    assert cmd.stderr == '200'
 
 def test_pub_directory_exists(server):
     pub_dir = server.file(HTTPD_PUB_DIR)
@@ -51,3 +66,14 @@ def test_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/katello-server-ca.crt")
     assert cmd.succeeded
     assert cmd.stdout == '200'
+    assert cmd.stdout == '200'
+
+def test_http_foreman_login(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '301'
+
+def test_https_foreman_login(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'