:443 & :80 conf updated

added rails require: true
skipped /pub configuration (handled in different PR)

Author: stejskalleos

src/roles/foreman/templates/settings.yaml.j2

@@ -6,7 +6,6 @@
 :ssl_priv_key: /etc/foreman/client_key.pem
 
 :require_ssl: true
-:unattended: true
 
 :rails_cache_store:
   :type: redis

src/roles/httpd/templates/foreman-ssl-vhost.conf.j2

@@ -15,8 +15,24 @@
   RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
-  RequestHeader unset REMOTE_USER
   RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
 
   ## SSL directives
   SSLEngine on
@@ -45,6 +61,27 @@
   ProxyPass /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
   ProxyPassReverse /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
 
+  <Location "/pulp/deb">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/isos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/repos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
+
   <Location "/pulp/content">
     RequestHeader unset X-CLIENT-CERT
     RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
@@ -76,10 +113,52 @@
   ProxyAddHeaders On
   ProxyPass /pulp !
   ProxyPass /pub !
-  ProxyPass /icons !
-  ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  {# ProxyPass /icons ! #}
+  {# ProxyPass /images ! #}
+  {# ProxyPass /server-status ! #}
+  {# ProxyPass /webpack ! #}
+  {# ProxyPass /assets ! #}
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 
+  <FilesMatch \.css\.gz$>
+    ForceType text/css
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.js\.gz$>
+    ForceType text/javascript
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.svg\.gz$>
+    ForceType image/svg+xml
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+
+  <LocationMatch "^/(assets|webpack)">
+    Options SymLinksIfOwnerMatch
+    AllowOverride None
+    Require all granted
+
+    # Use standard http expire header for assets instead of ETag
+    <IfModule mod_expires.c>
+      Header unset ETag
+      FileETag None
+      ExpiresActive On
+      ExpiresDefault "access plus 1 year"
+    </IfModule>
+
+    # Return compressed assets if they are precompiled
+    RewriteEngine On
+    # Make sure the browser supports gzip encoding and file with .gz added
+    # does exist on disc before we rewrite with the extension
+    RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+    RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+    RewriteCond %{REQUEST_FILENAME}.gz -s
+    RewriteRule ^(.+) $1.gz [L]
+</LocationMatch>
+
   AddDefaultCharset UTF-8
 </VirtualHost>

src/roles/httpd/templates/foreman-vhost.conf.j2

@@ -15,43 +15,118 @@
   RequestHeader set SSL-CLIENT-S-DN ""
   RequestHeader set SSL-CLIENT-CERT ""
   RequestHeader set SSL-CLIENT-VERIFY ""
-  RequestHeader unset REMOTE_USER
   RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
 
-  ProxyPass /pulp_ansible/galaxy/ {{ httpd_pulp_api_backend }}/pulp_ansible/galaxy/
-  ProxyPassReverse /pulp_ansible/galaxy/ {{ httpd_pulp_api_backend }}/pulp_ansible/galaxy/
+  <Location "/pulp/deb">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
 
-  <Location "/pulpcore_registry/v2/">
-    RequestHeader unset REMOTE_USER
-    RequestHeader unset REMOTE-USER
-    ProxyPass {{ httpd_pulp_api_backend }}/v2/
-    ProxyPassReverse {{ httpd_pulp_api_backend }}/v2/
+  <Location "/pulp/isos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
   </Location>
 
-  ProxyPass /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
-  ProxyPassReverse /pulp/container/ {{ httpd_pulp_content_backend }}/pulp/container/
+  <Location "/pulp/repos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
+  </Location>
 
   <Location "/pulp/content">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME}
     ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600
     ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
   </Location>
 
-  <Location "/pulp/api/v3">
-    RedirectPermanent /pulp/api/v3 https://{{ ansible_facts['fqdn'] }}/pulp/api/v3
-  </Location>
+  Alias /pub /var/www/html/pub
 
-  ProxyPass /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/
-  ProxyPassReverse /pulp/assets/ {{ httpd_pulp_api_backend }}/pulp/assets/
+  <Location /pub>
+    Options +FollowSymLinks +Indexes
+    Require all granted
+  </Location>
 
   ## Proxy rules
   ProxyRequests Off
   ProxyPreserveHost On
   ProxyAddHeaders On
   ProxyPass /pulp !
-  ProxyPass /icons !
-  ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  ProxyPass /pub !
+  {# ProxyPass /icons ! #}
+  {# ProxyPass /images ! #}
+  {# ProxyPass /server-status ! #}
+  {# ProxyPass /webpack ! #}
+  {# ProxyPass /assets ! #}
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 
+  ## Server aliases
+  ServerAlias foreman
+
+  ## Custom fragment
+  # Set headers for all possible assets which are compressed
+  <FilesMatch \.css\.gz$>
+    ForceType text/css
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.js\.gz$>
+    ForceType text/javascript
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+  <FilesMatch \.svg\.gz$>
+    ForceType image/svg+xml
+    Header set Content-Encoding gzip
+    SetEnv no-gzip
+  </FilesMatch>
+
+  <LocationMatch "^/(assets|webpack)">
+    Options SymLinksIfOwnerMatch
+    AllowOverride None
+    Require all granted
+
+    # Use standard http expire header for assets instead of ETag
+    <IfModule mod_expires.c>
+      Header unset ETag
+      FileETag None
+      ExpiresActive On
+      ExpiresDefault "access plus 1 year"
+    </IfModule>
+
+    # Return compressed assets if they are precompiled
+    RewriteEngine On
+    # Make sure the browser supports gzip encoding and file with .gz added
+    # does exist on disc before we rewrite with the extension
+    RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+    RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+    RewriteCond %{REQUEST_FILENAME}.gz -s
+    RewriteRule ^(.+) $1.gz [L]
+  </LocationMatch>
+
   AddDefaultCharset UTF-8
 </VirtualHost>

tests/httpd_test.py

@@ -2,6 +2,7 @@
 HTTP_PORT = 80
 HTTPS_PORT = 443
 HTTPD_PUB_DIR = '/var/www/html/pub'
+CURL_CMD = "curl --silent --output /dev/null"
 
 def test_httpd_service(server):
     httpd = server.service("httpd")
@@ -16,25 +17,39 @@ def test_https_port(server):
     httpd = server.addr(HTTP_HOST)
     assert httpd.port(HTTPS_PORT).is_reachable
 
+def test_http_foreman_ping(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/api/v2/ping")
+    assert cmd.succeeded
+    assert cmd.stderr == '301'
+
 def test_https_foreman_ping(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_https_pulp_status(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
+def test_http_pulp_api_status(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+    assert cmd.succeeded
+    assert cmd.stdout == '404'
+
+def test_https_pulp_api_status(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
+def test_http_pulp_content(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/pulp/content/")
+    assert cmd.succeeded
+    assert cmd.stderr == '200'
+
 def test_https_pulp_content(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/content/")
+    cmd = server.run(f"curl --silent --cacert {certificates['ca_certificate']} https://{server_fqdn}/pulp/content/")
     assert cmd.succeeded
-    assert cmd.stdout == '200'
+    assert "Index of /pulp/content/" in cmd.stdout
 
 def test_https_pulp_auth(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
     assert cmd.succeeded
-    assert cmd.stderr == '200'
 
 def test_pub_directory_exists(server):
     pub_dir = server.file(HTTPD_PUB_DIR)
@@ -51,23 +66,14 @@ def test_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/katello-server-ca.crt")
     assert cmd.succeeded
     assert cmd.stdout == '200'
-
-def test_http_foreman_login(server, server_fqdn):
-    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/users/login")
-    assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_http_pulp_status(server, server_fqdn):
-    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+def test_http_foreman_login(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/users/login")
     assert cmd.succeeded
     assert cmd.stdout == '301'
 
-def test_http_pulp_content(server, server_fqdn):
-    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pulp/content/")
+def test_https_foreman_login(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
     assert cmd.succeeded
     assert cmd.stdout == '200'
-
-def test_http_pulp_content_response(server, server_fqdn):
-    cmd = server.run(f"curl --silent http://{server_fqdn}/pulp/content/")
-    assert cmd.succeeded
-    assert "Index of /pulp/content/" in cmd.stdout