Fixes #36854 - Use HTTP/2 when proxying to Foreman

ekohl · ekohl · commit e7a38f3d5a3c · 2023-10-24T14:32:14.000+02:00
This aims to use mod_proxy_http2, which utilizes HTTP/2 to a backend
server. It depends on a feature released in puppetlabs-apache 10.1.1.

Overall testing shows the connection is much more stable and reliable
than with HTTP/1.1, especially in higher concurrency. It is recommended
to keep this on, but there is an option to disable it if for some reason
it doesn't work. In the future this same option can be used to support
HTTP/3 when Apache implements that.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -26,6 +26,8 @@
 #
 # $reverse_proxy_port::                        Reverse proxy listening port
 #
+# $reverse_proxy_backend_protocol::            Configure the protocol used by the reverse proxy to connect to Foreman
+#
 # $pulpcore_allowed_content_checksums::        List of checksums to use for pulpcore content operations
 #
 # $pulpcore_manage_postgresql::                Manage the Pulpcore PostgreSQL database.
@@ -81,6 +83,7 @@
 
   Boolean $reverse_proxy = false,
   Stdlib::Port $reverse_proxy_port = 8443,
+  Enum['h2', 'https'] $reverse_proxy_backend_protocol = 'h2',
 
   Boolean $enable_yum = true,
   Boolean $enable_file = true,
@@ -120,6 +123,7 @@
   $foreman_url = $foreman_proxy::foreman_base_url
   $foreman_host = foreman_proxy_content::host_from_url($foreman_url)
   $reverse_proxy_real = $pulpcore_mirror or $reverse_proxy
+  $proxy_foreman_url = $foreman_url.regsubst('https://', "${reverse_proxy_backend_protocol}://")
 
   # TODO: make it configurable
   # https://github.com/theforeman/puppet-foreman_proxy_content/issues/407
@@ -137,7 +141,7 @@
 
   if $reverse_proxy_real {
     foreman_proxy_content::reverse_proxy { "rhsm-pulpcore-https-${reverse_proxy_port}":
-      path_url_map => { '/' => "${foreman_url}/" },
+      path_url_map => { '/' => "${proxy_foreman_url}/" },
       port         => $reverse_proxy_port,
       priority     => '10',
       before       => Class['pulpcore::apache'],
@@ -150,8 +154,8 @@
     if $rhsm_port != $reverse_proxy_port {
       foreman_proxy_content::reverse_proxy { $pulpcore_https_vhost_name:
         path_url_map => {
-          $rhsm_path     => "${foreman_url}${rhsm_path}",
-          $insights_path => "${foreman_url}${insights_path}",
+          $rhsm_path     => "${proxy_foreman_url}${rhsm_path}",
+          $insights_path => "${proxy_foreman_url}${insights_path}",
         },
         port         => $rhsm_port,
         priority     => '10',
diff --git a/manifests/reverse_proxy.pp b/manifests/reverse_proxy.pp
@@ -15,7 +15,7 @@
 # @param priority
 #   Sets the relative load-order for Apache HTTPD VirtualHost configuration files. See Apache::Vhost
 define foreman_proxy_content::reverse_proxy (
-  Hash[Stdlib::Unixpath, Stdlib::Httpurl] $path_url_map = { '/' => "${foreman_proxy_content::foreman_url}/" },
+  Hash[Stdlib::Unixpath, String[1]] $path_url_map = { '/' => "${foreman_proxy_content::foreman_url}/" },
   Stdlib::Port $port = $foreman_proxy_content::reverse_proxy_port,
   Variant[Array[String], String, Undef] $ssl_protocol = undef,
   Hash[String, Any] $vhost_params = {},
@@ -31,7 +31,7 @@
 
   $vhost_name = $title
 
-  $proxy_pass = $path_url_map.map |Stdlib::Unixpath $path, Stdlib::Httpurl $url| {
+  $proxy_pass = $path_url_map.map |$path, $url| {
     {
       'path'         => $path,
       'url'          => $url,
diff --git a/metadata.json b/metadata.json
@@ -22,7 +22,7 @@
     },
     {
       "name": "puppetlabs/apache",
-      "version_requirement": ">= 2.0.0 < 12.0.0"
+      "version_requirement": ">= 10.1.1 < 12.0.0"
     },
     {
       "name": "theforeman/foreman_proxy",
diff --git a/spec/classes/foreman_proxy_content_spec.rb b/spec/classes/foreman_proxy_content_spec.rb
@@ -201,14 +201,14 @@
         end
         it do
           is_expected.to contain_foreman_proxy_content__reverse_proxy('rhsm-pulpcore-https-8443')
-            .with(path_url_map: {'/' => 'https://foo.example.com/'})
+            .with(path_url_map: {'/' => 'h2://foo.example.com/'})
             .with(port: 8443)
             .with(priority: '10')
             .that_comes_before('Class[pulpcore::apache]')
         end
         it do
           is_expected.to contain_foreman_proxy_content__reverse_proxy('rhsm-pulpcore-https-443')
-            .with(path_url_map: {'/rhsm' => 'https://foo.example.com/rhsm', '/redhat_access' => 'https://foo.example.com/redhat_access'})
+            .with(path_url_map: {'/rhsm' => 'h2://foo.example.com/rhsm', '/redhat_access' => 'h2://foo.example.com/redhat_access'})
             .with(port: 443)
             .with(priority: '10')
             .that_comes_before('Class[pulpcore::apache]')

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@`
`22`	`22`	`},`
`23`	`23`	`{`
`24`	`24`	`"name": "puppetlabs/apache",`
`25`		`- "version_requirement": ">= 2.0.0 < 12.0.0"`
	`25`	`+ "version_requirement": ">= 10.1.1 < 12.0.0"`
`26`	`26`	`},`
`27`	`27`	`{`
`28`	`28`	`"name": "theforeman/foreman_proxy",`