Implications of removed Smartproxy installer option on Katello

jakebr · June 16, 2025, 5:55pm

In version 3.13+ of Foreman, the --foreman-proxy-content-reverse-proxy installer option has been removed.

I was curious about the implications of the removal of this installer option as my configuration leverages this feature for host discovery

It seems as though the functionality has been integrated without explicitly requiring this option to be specified (which is no longer possible to do as it has been removed) however this is not clearly stated anywhere in the documentation or release notes (as far as I have read)

I was hoping to possibly get some clarification of what exactly has changed

evgeni · June 17, 2025, 7:27am

What part of the discovery process uses the (now disabled) reverse proxy on port 8443?

nadjaheitmann · June 17, 2025, 9:39am

It has been announced as part of 3.12 Release Notes, but I am also missing this information in the Foreman 3.13 release notes.

https://docs.theforeman.org/3.12/Release_Notes/index-katello.html#_port_8443_disabled_by_default

jakebr · June 17, 2025, 2:31pm

Host registration is one of the processes that utilized port 8443.

With usage of this port is being removed at the application level though, it seems like we would have to handle these processes on a different port (perhaps just on 443 with the rest of apache?)

evgeni · June 17, 2025, 2:32pm

Host registration uses 443, yes. You don’t have to do anything special for that.

jakebr · June 17, 2025, 2:55pm

My understanding is that process which previously ran through the reverse proxy on 8443 will work on 443. Is this correct?

I will need to do some validation of this on my systems as well of course but I was previously under the assumption that the reverse proxy functionality was simply being removed instead of being handled all under the same port

ehelms · June 17, 2025, 3:34pm

The reverse proxy on port 8443 handled two key aspects:

Host registration
Full reverse proxy for all APIs and the UI of Foreman

The reverse proxy on port 443 handles:

Host registration
Specifically identified or requested API endpoints

The reverse proxy on port 8443 is the aspect that is being removed and along with it the full reverse proxy for all APIs and the UI. Why did we make this change?

Aligning on port 443 allows users to reduce their firewall burden
Full reverse proxy access to the API and UI creates a large potential attack surface through the Apache reverse proxy.

Host registration works through port 443, and all elements such as Global Registration are updated to handle this. Endpoints that are not included in the specific list of API endpoints maintained for 443 can be requested. We ask that if you do request an endpoint that you provide that the workflow for needing that endpoint is.

jakebr · June 17, 2025, 3:49pm

Thanks, I really appreciate this clarification!

ekohl · June 17, 2025, 5:01pm

Actually, if you do this right then you use the Foreman Proxy for this, which in Katello runs on port 9090. You do need to enable the registration feature for this, but the foreman-proxy-content scenario does this by default:

github.com/theforeman/foreman-installer

config/foreman-proxy-content-answers.yaml

709a9e69f


      
          foreman_proxy:
            foreman_ssl_ca: /etc/foreman-proxy/foreman_ssl_ca.pem
            foreman_ssl_cert: /etc/foreman-proxy/foreman_ssl_cert.pem
            foreman_ssl_key: /etc/foreman-proxy/foreman_ssl_key.pem
            http: true
            manage_puppet_group: false
            ssl_ca: /etc/foreman-proxy/ssl_ca.pem
            ssl_cert: /etc/foreman-proxy/ssl_cert.pem
            ssl_key: /etc/foreman-proxy/ssl_key.pem
            ssl_port: '9090'
            registration: true
            templates: true
            puppet: false
            puppetca: false
          foreman_proxy::plugin::acd: false
          foreman_proxy::plugin::ansible: false
          foreman_proxy::plugin::dhcp::infoblox: false
          foreman_proxy::plugin::dhcp::remote_isc: false
          foreman_proxy::plugin::discovery: false
          foreman_proxy::plugin::dns::infoblox: false
          foreman_proxy::plugin::dns::powerdns: false

Otherwise you can make this explicit by passing --foreman-proxy-registration true to the installer.