Background

Foreman has a separate unattended_url setting which refers to the HTTP URL the Foreman application is served with. This is needed to support provisioning on installers that don’t support HTTPS.

There is also a templates module in Foreman Proxy which can serve over HTTP if the Proxy is enabled over HTTP. When this is available and enabled for provisioning, the host doesn’t contact Foreman over HTTP. This module is enabled by default in the Katello scenario but not Foreman where Foreman Proxy only listens on HTTPS.

Not having to serve over HTTP means the installer can let Apache redirect the user to HTTPS rather than using a Ruby application to do so. This saves memory by not having to run an entire Ruby application. It will also be more secure. Considerations will need to be made for Katello where Pulp is also served within the same vhost.

It would be useful to have an overview of provisioning installers and their HTTP/HTTPS support.

Foreman bare-metal provisioning works with quite old OSes up to RHEL4 where HTTPS is not an option and I would like to stick with this as much as possible. I am open to simplifying this, so if there is a parameter which users can use (unattended_use_http) or some macro making use of it so users can continue provisioning of systems which don’t support HTTPS (e.g. switches etc) then sure - let’s remove it.