add httpd

theforeman · Oct 7, 2024 · 27b4ccb · 27b4ccb
1 parent ebd186e
commit 27b4ccb
Show file tree

Hide file tree

Showing 5 changed files with 203 additions and 0 deletions.
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
@@ -23,6 +23,10 @@
     foreman_client_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}-client.key"
     foreman_client_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}-client.crt"
     foreman_db_password: "CHANGEME"
+    httpd_server_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+    httpd_client_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+    httpd_server_certificate: "{{ certificates_ca_directory }}/certs/{{ certificates_server }}.crt"
+    httpd_server_key: "{{ certificates_ca_directory }}/private/{{ certificates_server }}.key"
     postgresql_databases:
     - name: candlepin
       owner: candlepin
@@ -48,3 +52,4 @@
     - redis
     - foreman
     - pulp
+    - httpd
diff --git a/playbooks/setup.yaml b/playbooks/setup.yaml
@@ -16,6 +16,7 @@
       name:
       - podman
       - python3-cryptography
+      - python3-libsemanage
       - bash-completion
       - nmap
 

diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+- name: Install Apache httpd
+  ansible.builtin.package:
+    name:
+      - httpd
+      - mod_ssl
+    state: present
+
+- name: Set httpd_can_network_connect so Apache can connect to Puma and Gunicorn
+  ansible.posix.seboolean:
+    name: httpd_can_network_connect
+    state: true
+    persistent: true
+
+- name: Disable welcome page
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/welcome.conf
+    state: absent
+
+- name: Create cert directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+  loop:
+    - /etc/pki/katello/certs
+    - /etc/pki/katello/private
+
+- name: Deploy certificates
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: "/etc/pki/katello/{{ item.dest }}"
+    remote_src: true
+  loop:
+    - src: "{{ httpd_server_ca_certificate }}"
+      dest: "certs/katello-server-ca.crt"
+    - src: "{{ httpd_client_ca_certificate }}"
+      dest: "certs/katello-default-ca.crt"
+    - src: "{{ httpd_server_certificate }}"
+      dest: "certs/katello-apache.crt"
+    - src: "{{ httpd_server_key }}"
+      dest: "private/katello-apache.key"
+
+- name: Configure foreman-ssl vhost
+  ansible.builtin.template:
+    src: foreman-ssl-vhost.conf.j2
+    dest: /etc/httpd/conf.d/foreman-ssl.conf
+  vars:
+    pulp_api_backend: http://localhost:8080/
+    pulp_content_backend: http://localhost:8080/
+    foreman_backend: http://localhost:3000/
+
+- name: Start Apache httpd
+  ansible.builtin.service:
+    name: httpd
+    state: started
+    enabled: true
diff --git a/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -0,0 +1,104 @@
+<VirtualHost *:443>
+ServerName {{ ansible_fqdn }}
+
+  ## Load additional static includes
+  IncludeOptional "/etc/httpd/conf.d/05-foreman-ssl.d/*.conf"
+
+  ## Logging
+  ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log"
+  ServerSignature Off
+  CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined
+
+  ## Request header rules
+  ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
+  RequestHeader set X_FORWARDED_PROTO "https"
+  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
+  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
+  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset REMOTE_USER_EMAIL
+  RequestHeader unset REMOTE_USER_FIRSTNAME
+  RequestHeader unset REMOTE_USER_LASTNAME
+  RequestHeader unset REMOTE_USER_GROUPS
+
+  # SSL Proxy directives
+  SSLProxyEngine On
+
+  ProxyPass /pulp_ansible/galaxy/ {{ pulp_api_backend }}/pulp_ansible/galaxy/
+  ProxyPassReverse /pulp_ansible/galaxy/ {{ pulp_api_backend }}/pulp_ansible/galaxy/
+
+  <Location "/pulpcore_registry/v2/">
+    RequestHeader unset REMOTE_USER
+    RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
+    ProxyPass {{ pulp_api_backend }}/v2/
+    ProxyPassReverse {{ pulp_api_backend }}/v2/
+  </Location>
+
+  ProxyPass /pulp/container/ {{ pulp_content_backend }}/pulp/container/
+  ProxyPassReverse /pulp/container/ {{ pulp_content_backend }}/pulp/container/
+
+  <Location "/pulp/isos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/repos">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/content">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    ProxyPass {{ pulp_content_backend }}/pulp/content disablereuse=on timeout=600
+    ProxyPassReverse {{ pulp_content_backend }}/pulp/content
+  </Location>
+
+  <Location "/pulp/api/v3">
+    RequestHeader unset REMOTE_USER
+    RequestHeader unset REMOTE-USER
+    RequestHeader set REMOTE-USER "admin" "expr=%{SSL_CLIENT_S_DN_CN} == '{{ ansible_fqdn }}'"
+    ProxyPass {{ pulp_api_backend }}/pulp/api/v3 timeout=600
+    ProxyPassReverse {{ pulp_api_backend }}/pulp/api/v3
+  </Location>
+
+  ProxyPass /pulp/assets/ {{ pulp_api_backend }}/pulp/assets/
+  ProxyPassReverse /pulp/assets/ {{ pulp_api_backend }}/pulp/assets/
+
+  ## Proxy rules
+  ProxyRequests Off
+  ProxyPreserveHost On
+  ProxyAddHeaders On
+  ProxyPass /pulp !
+  ProxyPass /icons !
+  ProxyPass /server-status !
+  ProxyPass / {{ foreman_backend }} retry=0 timeout=900
+  ProxyPassReverse / {{ foreman_backend }}
+
+  ## Rewrite rules
+  RewriteEngine On
+
+  #Upgrade Websocket connections
+  RewriteCond %{HTTP:Upgrade} =websocket [NC]
+  RewriteRule /(.*) unix:///run/foreman.sock|ws://foreman/$1 [P,L]
+
+
+  ## Server aliases
+  ServerAlias foreman
+
+  ## SSL directives
+  SSLEngine on
+  SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt"
+  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
+  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
+  SSLVerifyClient         optional
+  SSLVerifyDepth          3
+  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
+  SSLOptions +StdEnvVars +ExportCertData
+
+  AddDefaultCharset UTF-8
+</VirtualHost>
diff --git a/tests/httpd_test.py b/tests/httpd_test.py
@@ -0,0 +1,37 @@
+HTTP_HOST = 'localhost'
+HTTP_PORT = 80
+HTTPS_PORT = 443
+
+
+def test_httpd_service(host):
+    httpd = host.service("httpd")
+    assert httpd.is_running
+    assert httpd.is_enabled
+
+
+def test_http_port(host):
+    httpd = host.addr(HTTP_HOST)
+    assert httpd.port(HTTP_PORT).is_reachable
+
+
+def test_https_port(host):
+    httpd = host.addr(HTTP_HOST)
+    assert httpd.port(HTTPS_PORT).is_reachable
+
+
+def test_https_foreman_ping(host):
+    cmd = host.run('curl --cacert /root/certificates/certs/ca.crt --silent --output /dev/null --write-out \'%{http_code}\' https://quadlet.example.com/api/v2/ping')
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+
+def test_https_pulp_cmd(host):
+    cmd = host.run('curl --cacert /root/certificates/certs/ca.crt --silent --output /dev/null --write-out \'%{http_code}\' https://quadlet.example.com/pulp/api/v3/status/')
+    assert cmd.succeeded
+    assert cmd.stdout == '200'
+
+
+def test_https_pulp_content(host):
+    cmd = host.run('curl --cacert /root/certificates/certs/ca.crt --silent --output /dev/null --write-out \'%{http_code}\' https://quadlet.example.com/pulp/content/')
+    assert cmd.succeeded
+    assert cmd.stdout == '200'