Provisioning URL using HTTPS and not HTTP

Problem:
Greetings,

I am having problems getting the provisioning templates proxy working over HTTP to support installers that don’t do HTTPS and at the same time keep communication between foreman and the proxy using HTTPS.
The URL returned by the ks=<%= foreman_url('provision') %> call seems to always return the URL of the proxy but it does not seem to respect the setting :template_url from the configuration file.

All templates render the following URL https://pxe.internal.example.com:8443 instead of the expected
URL set in the configuration file for the proxy http://pxe.internal.example.com:8080

Is it possible to have foreman and foreman-proxy communicate over https and at the same time
have the foreman-proxy serve templates over http?

Is there anything I am missing on my config? I don’t understand why :template_url: is not being used.

Thank you in advance for your time and help.

A.

Expected outcome:

  • Communication between foreman and proxy done over https
  • Template URL used for rendering PXELinux kickstart uses http as set in :template_url config parameter.

Foreman and Proxy versions:
Foreman and Proxies are at version 1.24.2

Distribution and version:
CentOS 7.7.1908

Other relevant data:
The foreman-proxy has the following features enabled:
DHCP, HTTPBoot, TFTP, and Templates

cat /etc/foreman-proxy/settings.yml
---
:settings_directory: /etc/foreman-proxy/settings.d
:http_port: 8080
:https_port: 8443
:ssl_certificate: /etc/foreman-proxy/ssl/pxe.internal.example.com.pem
:ssl_ca_file: /etc/foreman-proxy/ssl/ca.pem
:ssl_private_key: /etc/foreman-proxy/ssl/pxe.internal.example.com.key
:trusted_hosts:
- foreman.internal.example.com
:foreman_url: https://foreman.internal.example.com

cat /etc/foreman-proxy/settings.d/templates.yml 
---
:enabled: http
:template_url: http://pxe.internal.example.com:8080

Hello, we are aware of this limitation. I suggest using gsub in those templates to replace http with https or vice versa. Feel free to create a patch:

lib/foreman/foreman_url_renderer.rb
 12:    def foreman_url(action = 'provision', params = {})

Introduce new params called “force_https” and “force_http” to override the behavior from templates. Or a host parameter if you want this per host/hostgroup.

This should be :enabled: both. Then you may need to refresh the smart proxy features in Foreman.

The reason is that Foreman requests the template_url over HTTPS but actual clients (kickstarts) talk over HTTP. Also note that template_url is port 8080 and the http_port is 8000. This can also cause issues, unless you have a non-standard setup.

Thank you both for the replies. I appreciate the help.
@lzap My ruby foo is not great but I will give it a shot.
@ekohl I did move the port from 8000 to 8080. I will try your suggestion and see what it does.

Thank you again for your time and help

To be clear, I think this is expected to work if you configure it like I suggested.

@ekohl Thank you for the help.
I did change my configuration (below) and it does in fact work as I expected.

  • Communication between foreman and foreman-proxy on 8443/tcp HTTPS
  • Templates being served to clients on 8080/tcp HTTP

Here is the configuration for
/etc/foreman-proxy/settings.d/templates.yml

---
:enabled: true
:template_url: http://pxe.internal.example.com:8080

Thanks again for the help
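
The two templates.yml variants from this thread, run through a consistency check. This is an added example, not code from the thread or from the Foreman project. The `template_proxy_problems` helper and the mapping of `:enabled:` values to listeners (`true` meaning both HTTP and HTTPS) are assumptions made for illustration.

```ruby
require 'yaml'
require 'uri'

# Assumed meaning of a module's :enabled: value -> listeners that serve it.
LISTENERS = { true => %w[http https], 'http' => %w[http],
              'https' => %w[https], false => [] }.freeze

# Subset of the settings.yml shown in the thread.
SETTINGS = <<~YML
  ---
  :http_port: 8080
  :https_port: 8443
YML
# First post: templates module on the HTTP listener only.
TEMPLATES_HTTP_ONLY = <<~YML
  ---
  :enabled: http
  :template_url: http://pxe.internal.example.com:8080
YML
# Last post: the configuration reported as working.
TEMPLATES_BOTH = <<~YML
  ---
  :enabled: true
  :template_url: http://pxe.internal.example.com:8080
YML

# Returns a list of problems; an empty list means the layout is consistent.
def template_proxy_problems(settings_yaml, templates_yaml)
  main = YAML.safe_load(settings_yaml, permitted_classes: [Symbol])
  tmpl = YAML.safe_load(templates_yaml, permitted_classes: [Symbol])
  served_on = LISTENERS.fetch(tmpl[:enabled], [])
  problems = []
  # Foreman talks to the proxy over HTTPS, so the module must be served there.
  unless served_on.include?('https') && main[:https_port]
    problems << 'templates module not reachable by Foreman over HTTPS'
  end
  # Installers fetch from :template_url, which must match an enabled listener.
  url = URI.parse(tmpl[:template_url].to_s)
  port_key = :"#{url.scheme}_port"
  if !served_on.include?(url.scheme)
    problems << "template_url scheme #{url.scheme} is not an enabled listener"
  elsif main[port_key] != url.port
    problems << "template_url port #{url.port} does not match #{port_key}"
  end
  problems
end
```
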