httpd configuration

* SSL & non-SSL configs for httpd
* Rails require_ssl: true

Author: stejskalleos

src/roles/foreman/templates/settings.yaml.j2

@@ -5,6 +5,8 @@
 :ssl_ca_file: /etc/foreman/katello-default-ca.crt
 :ssl_priv_key: /etc/foreman/client_key.pem
 
+:require_ssl: true
+
 :rails_cache_store:
   :type: redis
   :urls:

src/roles/httpd/tasks/main.yml

@@ -58,6 +58,14 @@
     remote_src: true
     mode: "0644"
 
+- name: Configure foreman vhost
+  ansible.builtin.template:
+    src: foreman-vhost.conf.j2
+    dest: /etc/httpd/conf.d/foreman.conf
+    mode: "0644"
+  notify:
+    - Restart httpd
+
 - name: Configure foreman-ssl vhost
   ansible.builtin.template:
     src: foreman-ssl-vhost.conf.j2

src/roles/httpd/templates/foreman-ssl-vhost.conf.j2

@@ -15,8 +15,24 @@
   RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
-  RequestHeader unset REMOTE_USER
   RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
 
   ## SSL directives
   SSLEngine on
@@ -77,8 +93,9 @@
   ProxyPass /pulp !
   ProxyPass /pub !
   ProxyPass /icons !
+  ProxyPass /images !
   ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 
   AddDefaultCharset UTF-8

src/roles/httpd/templates/foreman-vhost.conf.j2

@@ -0,0 +1,65 @@
+<VirtualHost *:80>
+  ServerName {{ ansible_facts['fqdn'] }}
+
+  ## Load additional static includes
+  IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf"
+
+  ## Logging
+  ErrorLog "/var/log/httpd/foreman_error.log"
+  ServerSignature Off
+  CustomLog "/var/log/httpd/foreman_access.log" combined
+
+  ## Request header rules
+  ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
+  RequestHeader set X-FORWARDED-PROTO "http"
+  RequestHeader set SSL-CLIENT-S-DN ""
+  RequestHeader set SSL-CLIENT-CERT ""
+  RequestHeader set SSL-CLIENT-VERIFY ""
+  RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
+
+  <Location "/pulp/content">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME}
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  Alias /pub /var/www/html/pub
+
+  <Location /pub>
+    Options +FollowSymLinks +Indexes
+    Require all granted
+  </Location>
+
+  ## Proxy rules
+  ProxyRequests Off
+  ProxyPreserveHost On
+  ProxyAddHeaders On
+  ProxyPass /pulp !
+  ProxyPass /pub !
+  ProxyPass /icons !
+  ProxyPass /images !
+  ProxyPass /server-status !
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
+  ProxyPassReverse / {{ httpd_foreman_backend }}/
+
+  AddDefaultCharset UTF-8
+</VirtualHost>

tests/foreman_test.py

@@ -2,9 +2,9 @@
 
 import pytest
 
-
 FOREMAN_HOST = 'localhost'
 FOREMAN_PORT = 3000
+
 RECURRING_INSTANCES = [
     "reports-daily",
     "db-sessions-clear",
@@ -16,10 +16,9 @@
     "ldap-refresh_usergroups",
 ]
 
-
 @pytest.fixture(scope="module")
 def foreman_status_curl(server):
-    return server.run(f"curl --silent --write-out '%{{stderr}}%{{http_code}}' http://{FOREMAN_HOST}:{FOREMAN_PORT}/api/v2/ping")
+    return server.run(f"curl --header 'X-FORWARDED-PROTO: https' --silent --write-out '%{{stderr}}%{{http_code}}' http://{FOREMAN_HOST}:{FOREMAN_PORT}/api/v2/ping")
 
 
 @pytest.fixture(scope="module")

tests/httpd_test.py

@@ -2,6 +2,7 @@
 HTTP_PORT = 80
 HTTPS_PORT = 443
 HTTPD_PUB_DIR = '/var/www/html/pub'
+CURL_CMD = "curl --silent --output /dev/null"
 
 def test_httpd_service(server):
     httpd = server.service("httpd")
@@ -16,38 +17,73 @@ def test_https_port(server):
     httpd = server.addr(HTTP_HOST)
     assert httpd.port(HTTPS_PORT).is_reachable
 
+def test_http_foreman_ping(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{redirect_url}}' http://{server_fqdn}/api/v2/ping")
+    assert cmd.succeeded
+    assert cmd.stdout == f'https://{server_fqdn}/api/v2/ping'
+
 def test_https_foreman_ping(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_https_pulp_status(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
+def test_http_pulp_api_status(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+    assert cmd.succeeded
+    assert cmd.stdout == '404'
+
+def test_https_pulp_api_status(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
+def test_http_pulp_content(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/pulp/content/")
+    assert cmd.succeeded
+    assert cmd.stderr == '200'
+
 def test_https_pulp_content(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/content/")
+    cmd = server.run(f"curl --silent --cacert {certificates['ca_certificate']} https://{server_fqdn}/pulp/content/")
     assert cmd.succeeded
-    assert cmd.stdout == '200'
+    assert "Index of /pulp/content/" in cmd.stdout
 
 def test_https_pulp_auth(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
     assert cmd.succeeded
-    assert cmd.stderr == '200'
+    assert cmd.stdout == '200'
 
 def test_pub_directory_exists(server):
     pub_dir = server.file(HTTPD_PUB_DIR)
     assert pub_dir.exists
     assert pub_dir.is_directory
     assert pub_dir.mode == 0o755
 
-def test_pub_directory_accessible(server, certificates, server_fqdn):
+def test_http_pub_directory_accessible(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pub/")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+def test_https_pub_directory_accessible(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
+def test_http_pub_ca_certificate_downloadable(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pub/katello-server-ca.crt")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+def test_https_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/katello-server-ca.crt")
     assert cmd.succeeded
     assert cmd.stdout == '200'
+
+def test_http_foreman_login(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '301'
+
+def test_https_foreman_login(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'