httpd configuration

[stejskalleos]

No description provided.

[stejskalleos]

@ekohl Removed the unnecessary SSL options.

One thing I noticed is that the Rails app does not enforce HTTPS. With current changes I can browse and make API calls via http without any problems, no redirect or enforcing https.

[evgeni]

I think it'd be good to add a test that port 80 works as expected, e.g.

• GET /unattended/public/foreman_raw_ca returns something that looks like a cert
• GET /pulp/content/ contains Index of /pulp/content/ in the returned body
• GET /users/login redirects to HTTPs (once require_ssl: true is set, not sure it belongs in this PR or not)

[stejskalleos]

Updated & added tests, the require_ssl: true will be handled in a separate PR.

[evgeni]

For comparison, here's a /etc/httpd/conf.d/05-foreman.conf from a nightly box

# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
# 
<VirtualHost *:80>
  ServerName centos9-stream-katello-nightly.juuni.example.com

  ## Vhost docroot
  DocumentRoot "/usr/share/foreman/public"

  ## Directories, there should at least be a declaration for /usr/share/foreman/public

  <Directory "/usr/share/foreman/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Load additional static includes
  IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf"

  ## Logging
  ErrorLog "/var/log/httpd/foreman_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/foreman_access.log" combined 

  ## Request header rules
  ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
  RequestHeader set X-FORWARDED-PROTO "http"
  RequestHeader set SSL-CLIENT-S-DN ""
  RequestHeader set SSL-CLIENT-CERT ""
  RequestHeader set SSL-CLIENT-VERIFY ""
  RequestHeader unset REMOTE-USER
  RequestHeader unset REMOTE_USER
  RequestHeader unset REMOTE-USER-EMAIL
  RequestHeader unset REMOTE-USER_EMAIL
  RequestHeader unset REMOTE_USER-EMAIL
  RequestHeader unset REMOTE_USER_EMAIL
  RequestHeader unset REMOTE-USER-FIRSTNAME
  RequestHeader unset REMOTE-USER_FIRSTNAME
  RequestHeader unset REMOTE_USER-FIRSTNAME
  RequestHeader unset REMOTE_USER_FIRSTNAME
  RequestHeader unset REMOTE-USER-LASTNAME
  RequestHeader unset REMOTE-USER_LASTNAME
  RequestHeader unset REMOTE_USER-LASTNAME
  RequestHeader unset REMOTE_USER_LASTNAME
  RequestHeader unset REMOTE-USER-GROUPS
  RequestHeader unset REMOTE-USER_GROUPS
  RequestHeader unset REMOTE_USER-GROUPS
  RequestHeader unset REMOTE_USER_GROUPS

  <Location "/pulp/deb">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content disablereuse=on timeout=600
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content
  </Location>

  <Location "/pulp/isos">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content disablereuse=on timeout=600
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content
  </Location>

  <Location "/pulp/repos">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content disablereuse=on timeout=600
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content
  </Location>
Alias /pub /var/www/html/pub

<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
  Require all granted
</Location>

  <Location "/pulp/content">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME}
    ProxyPass unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content disablereuse=on timeout=600
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://pulpcore-content/pulp/content
  </Location>

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyAddHeaders On
  ProxyPass /pulp !
  ProxyPass /pub !
  ProxyPass /icons !
  ProxyPass /images !
  ProxyPass /server-status !
  ProxyPass /webpack !
  ProxyPass /assets !
  ProxyPass / unix:///run/foreman.sock|http://foreman/ retry=0 timeout=900 upgrade=websocket
  ProxyPassReverse / unix:///run/foreman.sock|http://foreman/

  ## Server aliases
  ServerAlias foreman

  ## Custom fragment
  # Set headers for all possible assets which are compressed
<FilesMatch \.css\.gz$>
  ForceType text/css
  Header set Content-Encoding gzip
  SetEnv no-gzip
</FilesMatch>
<FilesMatch \.js\.gz$>
  ForceType text/javascript
  Header set Content-Encoding gzip
  SetEnv no-gzip
</FilesMatch>
<FilesMatch \.svg\.gz$>
  ForceType image/svg+xml
  Header set Content-Encoding gzip
  SetEnv no-gzip
</FilesMatch>

<LocationMatch "^/(assets|webpack)">
  Options SymLinksIfOwnerMatch
  AllowOverride None
  Require all granted

  # Use standard http expire header for assets instead of ETag
  <IfModule mod_expires.c>
    Header unset ETag
    FileETag None
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
  </IfModule>

  # Return compressed assets if they are precompiled
  RewriteEngine On
  # Make sure the browser supports gzip encoding and file with .gz added
  # does exist on disc before we rewrite with the extension
  RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
  RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
  RewriteCond %{REQUEST_FILENAME}.gz -s
  RewriteRule ^(.+) $1.gz [L]
</LocationMatch>


  AddDefaultCharset UTF-8
</VirtualHost>

not sure we need the whole assets blurb at the end -- we don't serve the UI via http-only, but thought it's nice to compare

[ekohl]

GET /users/login redirects to HTTPs (once require_ssl: true is set, not sure it belongs in this PR or not)

I think it does. Prior to this PR it was secure over HTTPS, without it we would regress.

[evgeni]

#316 was merged, so you can include /pub here now too (and tests for it)

[stejskalleos]

@ekohl @evgeni ready for review

[evgeni]

See inline comments.
Also, can you add http versions of test_pub_ca_certificate_downloadable and test_pub_directory_accessible?

[stejskalleos]

Rebased, updated tests & added new: http/https test_pub_ca_certificate_downloadable & test_pub_directory_accessible

[evgeni]

two tiny comments on the tests, but these are cosmetic

[shubhamsg199]

Ack, Only issue is the assets not being served for eg: https://foreman.example.com/pulp/api/v3 , which is expected for now and a low priority issue as discussed on slack thread

[ekohl]

Ack, Only issue is the assets not being served for eg: https://foreman.example.com/pulp/api/v3 , which is expected for now and a low priority issue as discussed on slack thread

We didn't serve them before this PR either so it's not a regression.

[ekohl]

Nit: Python convention is to have 2 empty lines here and my linter is unhappy about this.

[ekohl]

[evgeni]

Yeah, we wanted the test not to rely on Apache :)

[ekohl]

Suggested change

	cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pub/katello-server-ca.crt")
	cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pub/katello-server-ca.crt")

[evgeni]

dang, I merged w/o seeing @ekohl's last comments. feel free to open a follow up

[stejskalleos]

@evgeni #350