Problem:
foreman-proxy’s trusted_hosts array requires hostnames to do reverse DNS lookups and verify certs.
In our case, foreman is in EC2, part of an autoscaling group, and behind a load balancer (ALB). That all works fine. The foreman instance’s fqdn is its instance id + domain. It gets dns_alt_names included in its puppet agent cert to ensure it has foreman.domain.edu as well.
The ALB has a valid TLS cert and DNS record. The backend Foreman instance has no DNS record and uses its puppet agent cert for SSL.
All of the foreman-proxy and foreman services are managed via puppet. The foreman_proxy module doesn’t seem to accept trusted_hosts in CIDR notation like the foreman module does for smart proxies.
The foreman-proxies are on-prem in data centers. Since the foreman front end is effectively ephemeral, how would you recommend defining the trusted_hosts?
Not defining trusted hosts at all does work, but this seems like not a great option. Is it the best option in this case?
Expected outcome:
Defining trusted_proxies for foreman-proxy hosts when Foreman itself doesn’t have a hostname registered in DNS.
Foreman and Proxy versions:
Foreman 3.9.3
foreman-proxy 3.9.3
Distribution and version:
Rocky 8.9
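As an added illustration (not foreman-proxy's own code, but a simplified model of the check), the block below shows how a hostname-based, a certificate-based and a CIDR-based trusted-hosts decision differ for the setup described above; the IPs, names and the reverse-DNS table are constructed, and treating certificate SANs as matchable names is an assumption of this model.

```ruby
# Simplified model of a trusted_hosts decision (added example, not
# foreman-proxy's implementation). Illustrates why an autoscaled backend
# with no DNS record fails a reverse-DNS check but can still pass a
# certificate-name or CIDR check.
require 'ipaddr'

# Constructed stand-in for real PTR lookups (assumption).
REVERSE_DNS = {
  '10.0.1.20' => 'foreman.domain.edu', # host that has a PTR record
  '10.0.2.55' => nil                   # autoscaled backend: no DNS record
}.freeze

# Hostname-based check: resolve the client IP to a name and compare it
# to the configured list. A client with no PTR record can never match.
def trusted_by_hostname?(client_ip, trusted_hosts, reverse_dns = REVERSE_DNS)
  fqdn = reverse_dns[client_ip]
  return false if fqdn.nil?
  trusted_hosts.map(&:downcase).include?(fqdn.downcase)
end

# Certificate-based check: compare the names carried in the client's
# cert (CN plus SANs in this model, which is why dns_alt_names matter)
# against the configured list, without touching DNS at all.
def trusted_by_cert?(cert_names, trusted_hosts)
  names = cert_names.map(&:downcase)
  trusted_hosts.any? { |h| names.include?(h.downcase) }
end

# CIDR-based check, as the foreman module allows for smart proxies:
# an ephemeral instance still matches by address alone.
def trusted_by_cidr?(client_ip, trusted_cidrs)
  ip = IPAddr.new(client_ip)
  trusted_cidrs.any? { |c| IPAddr.new(c).include?(ip) }
end

if __FILE__ == $0
  hosts = ['foreman.domain.edu']
  puts trusted_by_hostname?('10.0.2.55', hosts)                              # false
  puts trusted_by_cert?(['i-0abc.domain.edu', 'foreman.domain.edu'], hosts) # true
  puts trusted_by_cidr?('10.0.2.55', ['10.0.0.0/16'])                        # true
end
```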