diff --git a/src/roles/foreman/templates/settings.yaml.j2 b/src/roles/foreman/templates/settings.yaml.j2
index d39f7941..321426c6 100644
--- a/src/roles/foreman/templates/settings.yaml.j2
+++ b/src/roles/foreman/templates/settings.yaml.j2
@@ -5,6 +5,8 @@
 :ssl_ca_file: /etc/foreman/katello-default-ca.crt
 :ssl_priv_key: /etc/foreman/client_key.pem
 
+:require_ssl: true
+
 :rails_cache_store:
   :type: redis
   :urls:
diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
index cb3c567a..1ee492fd 100644
--- a/src/roles/httpd/tasks/main.yml
+++ b/src/roles/httpd/tasks/main.yml
@@ -58,6 +58,14 @@
     remote_src: true
     mode: "0644"
 
+- name: Configure foreman vhost
+  ansible.builtin.template:
+    src: foreman-vhost.conf.j2
+    dest: /etc/httpd/conf.d/foreman.conf
+    mode: "0644"
+  notify:
+    - Restart httpd
+
 - name: Configure foreman-ssl vhost
   ansible.builtin.template:
     src: foreman-ssl-vhost.conf.j2
diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
index d8165ee4..3807529f 100644
--- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
+++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -15,8 +15,24 @@
   RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
   RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
   RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
-  RequestHeader unset REMOTE_USER
   RequestHeader unset REMOTE-USER
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE-USER-EMAIL
+  RequestHeader unset REMOTE-USER_EMAIL
+  RequestHeader unset REMOTE_USER-EMAIL
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE-USER-FIRSTNAME
+  RequestHeader unset REMOTE-USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER-FIRSTNAME
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE-USER-LASTNAME
+  RequestHeader unset REMOTE-USER_LASTNAME
+  RequestHeader unset REMOTE_USER-LASTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE-USER-GROUPS
+  RequestHeader unset REMOTE-USER_GROUPS
+  RequestHeader unset REMOTE_USER-GROUPS
+  RequestHeader unset REMOTE_USER_GROUPS
 
   ## SSL directives
   SSLEngine on
@@ -77,8 +93,9 @@
   ProxyPass /pulp !
   ProxyPass /pub !
   ProxyPass /icons !
+  ProxyPass /images !
   ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
+  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 
   AddDefaultCharset UTF-8
diff --git a/src/roles/httpd/templates/foreman-vhost.conf.j2 b/src/roles/httpd/templates/foreman-vhost.conf.j2
new file mode 100644
index 00000000..8cb52000
--- /dev/null
+++ b/src/roles/httpd/templates/foreman-vhost.conf.j2
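Review bot: The new unset matrix covers both the hyphen and the underscore spelling of every REMOTE_USER* header, but the three `RequestHeader set SSL_CLIENT_*` context lines just above it only overwrite the underscore spelling, so a client-supplied `SSL-CLIENT-VERIFY` or `SSL-CLIENT-CERT` header is proxied to the backend untouched. If the backend folds both spellings into the same `HTTP_SSL_CLIENT_*` key (Rack-style servers do; worth confirming for this backend), that is the same hole the REMOTE_USER lines are closing. Adding `RequestHeader unset SSL-CLIENT-S-DN`, `RequestHeader unset SSL-CLIENT-CERT` and `RequestHeader unset SSL-CLIENT-VERIFY` next to the set lines would close it. The enclosing VirtualHost starts and ends outside the hunk.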
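Review bot: `upgrade=websocket` is only understood by mod_proxy on Apache 2.4.47 and newer; on an older httpd an unknown ProxyPass parameter is a configuration error and the service restart triggered by this role would fail, so the supported httpd version should be stated or the parameter made conditional. The added `ProxyPass /images !` excludes that path from proxying, but no Alias or DocumentRoot for /images is visible in the diff, so check that it maps to a real directory rather than turning into a 404 served by Apache. A short comment such as `# websocket upgrade needs httpd >= 2.4.47` on the ProxyPass line would save the next reader the lookup.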
@@ -0,0 +1,65 @@ + + ServerName {{ ansible_facts['fqdn'] }} + + ## Load additional static includes + IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf" + + ## Logging + ErrorLog "/var/log/httpd/foreman_error.log" + ServerSignature Off + CustomLog "/var/log/httpd/foreman_access.log" combined + + ## Request header rules + ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader + RequestHeader set X-FORWARDED-PROTO "http" + RequestHeader set SSL-CLIENT-S-DN "" + RequestHeader set SSL-CLIENT-CERT "" + RequestHeader set SSL-CLIENT-VERIFY "" + RequestHeader unset REMOTE-USER + RequestHeader unset REMOTE_USER + RequestHeader unset REMOTE-USER-EMAIL + RequestHeader unset REMOTE-USER_EMAIL + RequestHeader unset REMOTE_USER-EMAIL + RequestHeader unset REMOTE_USER_EMAIL + RequestHeader unset REMOTE-USER-FIRSTNAME + RequestHeader unset REMOTE-USER_FIRSTNAME + RequestHeader unset REMOTE_USER-FIRSTNAME + RequestHeader unset REMOTE_USER_FIRSTNAME + RequestHeader unset REMOTE-USER-LASTNAME + RequestHeader unset REMOTE-USER_LASTNAME + RequestHeader unset REMOTE_USER-LASTNAME + RequestHeader unset REMOTE_USER_LASTNAME + RequestHeader unset REMOTE-USER-GROUPS + RequestHeader unset REMOTE-USER_GROUPS + RequestHeader unset REMOTE_USER-GROUPS + RequestHeader unset REMOTE_USER_GROUPS + + + RequestHeader unset X-CLIENT-CERT + RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT + RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME} + ProxyPass {{ httpd_pulp_content_backend }}/pulp/content disablereuse=on timeout=600 + ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content + + + Alias /pub /var/www/html/pub + + + Options +FollowSymLinks +Indexes + Require all granted + + + ## Proxy rules + ProxyRequests Off + ProxyPreserveHost On + ProxyAddHeaders On + ProxyPass /pulp ! + ProxyPass /pub ! + ProxyPass /icons ! + ProxyPass /images ! + ProxyPass /server-status ! 
+ ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket + ProxyPassReverse / {{ httpd_foreman_backend }}/ + + AddDefaultCharset UTF-8 + diff --git a/tests/foreman_test.py b/tests/foreman_test.py index 9cdccd8e..f3cb51a7 100644 --- a/tests/foreman_test.py +++ b/tests/foreman_test.py @@ -2,9 +2,9 @@ import pytest - FOREMAN_HOST = 'localhost' FOREMAN_PORT = 3000 + RECURRING_INSTANCES = [ "reports-daily", "db-sessions-clear", @@ -16,10 +16,9 @@ "ldap-refresh_usergroups", ] - @pytest.fixture(scope="module") def foreman_status_curl(server): - return server.run(f"curl --silent --write-out '%{{stderr}}%{{http_code}}' http://{FOREMAN_HOST}:{FOREMAN_PORT}/api/v2/ping") + return server.run(f"curl --header 'X-FORWARDED-PROTO: https' --silent --write-out '%{{stderr}}%{{http_code}}' http://{FOREMAN_HOST}:{FOREMAN_PORT}/api/v2/ping") @pytest.fixture(scope="module") diff --git a/tests/httpd_test.py b/tests/httpd_test.py index 30e963d4..65fbe729 100644 --- a/tests/httpd_test.py +++ b/tests/httpd_test.py @@ -2,6 +2,7 @@ HTTP_PORT = 80 HTTPS_PORT = 443 HTTPD_PUB_DIR = '/var/www/html/pub' +CURL_CMD = "curl --silent --output /dev/null" def test_httpd_service(server): httpd = server.service("httpd") 
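Review bot: The header-neutralising lines of the new plain-HTTP vhost use the hyphenated names `SSL-CLIENT-S-DN`, `SSL-CLIENT-CERT` and `SSL-CLIENT-VERIFY`, while the TLS vhost changed in this same diff sets the underscore forms `SSL_CLIENT_*`, so a request on port 80 carrying a forged `SSL_CLIENT_VERIFY: SUCCESS` and `SSL_CLIENT_CERT` with underscores reaches the Foreman backend unchanged. Because this vhost proxies `/` to the same backend and many frameworks fold both spellings into one `HTTP_SSL_CLIENT_*` key, this looks like a certificate-authentication bypass path; it needs confirming against how the backend reads those headers. Clear both spellings the way the REMOTE_USER block already does, e.g. `RequestHeader unset SSL_CLIENT_S_DN`, `RequestHeader unset SSL_CLIENT_CERT`, `RequestHeader unset SSL_CLIENT_VERIFY` alongside the existing set lines. The container tags (VirtualHost, Location, Directory) appear to have been stripped from this rendering, so block boundaries are inferred.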
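Review bot: The fixture now sends `X-FORWARDED-PROTO: https` directly to the backend on port 3000, which documents that the application trusts that header from anyone who can reach it and, with `:require_ssl: true`, uses it to decide whether to redirect; that is only safe if the backend port is reachable solely from the proxy (e.g. bound to 127.0.0.1), which this diff does not show. A one-line comment on the fixture would make the dependency explicit: `# require_ssl makes the backend redirect plain HTTP; spoof the proxy header so the direct probe is answered`. The surrounding blank-line moves in this file are cosmetic.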
@@ -16,25 +17,40 @@ def test_https_port(server):
     httpd = server.addr(HTTP_HOST)
     assert httpd.port(HTTPS_PORT).is_reachable
 
+def test_http_foreman_ping(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{redirect_url}}' http://{server_fqdn}/api/v2/ping")
+    assert cmd.succeeded
+    assert cmd.stdout == f'https://{server_fqdn}/api/v2/ping'
+
 def test_https_foreman_ping(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/api/v2/ping")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_https_pulp_status(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
+def test_http_pulp_api_status(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pulp/api/v3/status/")
+    assert cmd.succeeded
+    assert cmd.stdout == '404'
+
+def test_https_pulp_api_status(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/pulp/api/v3/status/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
+def test_http_pulp_content(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{stderr}}%{{http_code}}' http://{server_fqdn}/pulp/content/")
+    assert cmd.succeeded
+    assert cmd.stderr == '200'
+
 def test_https_pulp_content(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pulp/content/")
+    cmd = server.run(f"curl --silent --cacert {certificates['ca_certificate']} https://{server_fqdn}/pulp/content/")
     assert cmd.succeeded
-    assert cmd.stdout == '200'
+    assert "Index of /pulp/content/" in cmd.stdout
 
 def test_https_pulp_auth(server, certificates, server_fqdn):
-    cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --write-out '%{{stderr}}%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' --cert {certificates['client_certificate']} --key {certificates['client_key']} https://{server_fqdn}/pulp/api/v3/users/")
     assert cmd.succeeded
-    assert cmd.stderr == '200'
+    assert cmd.stdout == '200'
 
 def test_pub_directory_exists(server):
     pub_dir = server.file(HTTPD_PUB_DIR)
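Review bot: `test_http_pulp_content` routes the status code to stderr and asserts on `cmd.stderr`, even though `CURL_CMD` already discards the body with `--output /dev/null`, so it can be written like its siblings in this hunk: `--write-out '%{{http_code}}'` and `assert cmd.stdout == '200'`. `test_http_foreman_ping` checks only `%{redirect_url}`, so a temporary 302 would also pass; capturing `%{{http_code}}` alongside and asserting `301` would pin the permanent redirect that `test_http_foreman_login` later expects. The renamed `test_https_pulp_api_status` keeps the old 200 expectation while the HTTP twin expects 404, which correctly mirrors `ProxyPass /pulp !` on the plain vhost.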
@@ -42,12 +58,32 @@ def test_pub_directory_exists(server):
     assert pub_dir.is_directory
     assert pub_dir.mode == 0o755
 
-def test_pub_directory_accessible(server, certificates, server_fqdn):
+def test_http_pub_directory_accessible(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pub/")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+def test_https_pub_directory_accessible(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/")
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
-def test_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
+def test_http_pub_ca_certificate_downloadable(server, server_fqdn):
+    cmd = server.run(f"curl --silent --output /dev/null --write-out '%{{http_code}}' http://{server_fqdn}/pub/katello-server-ca.crt")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+def test_https_pub_ca_certificate_downloadable(server, certificates, server_fqdn):
     cmd = server.run(f"curl --cacert {certificates['ca_certificate']} --silent --output /dev/null --write-out '%{{http_code}}' https://{server_fqdn}/pub/katello-server-ca.crt")
     assert cmd.succeeded
     assert cmd.stdout == '200'
+
+def test_http_foreman_login(server, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '301'
+
+def test_https_foreman_login(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
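Review bot: The two new HTTP pub tests still spell out `curl --silent --output /dev/null` while the login tests added in the same hunk use the new `CURL_CMD` constant; writing them as `cmd = server.run(f"{CURL_CMD} --write-out '%{{http_code}}' http://{server_fqdn}/pub/")` keeps one definition of the curl baseline. `test_http_pub_ca_certificate_downloadable` exercises a deliberately unauthenticated, unencrypted download of the CA certificate, which is the trust-on-first-use bootstrap path; a one-line comment saying so (`# plain-HTTP CA download is the bootstrap path; clients pin it afterwards`) would stop a later reader from "fixing" it into a redirect. `test_http_foreman_login` asserting `301` is the right shape for the require_ssl redirect and is what the ping test above should also pin.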