Bug #31851

Katello should be able to use only https even for unprotected pulp repos

Added by vi won over 1 year ago. Updated over 1 year ago.



Right now, Katello uses the idea that all protected repos, which require client SSL cert authentication via subscription-manager, are shared via https, and all unprotected repos, which do not require client cert auth, are shared via open unprotected http. This is typically done to share out kickstart repos used during the initial build, and then after the system is up and uses subscription-manager to subscribe, they are assigned a client SSL cert and switch to using the protected repos via https. However, there is no limitation in provisioning using https as long as commercial certs are used. The kickstart repos could be shared over https as long as self-signed certs are not in use. And this option should be available to set up Foreman to share unprotected (no client SSL cert auth required) repos over https as well as http.

In this day and age the use of any open http is extremely frowned on, and I believe that Foreman needs to be able to run without any open nonssl-http at all.

Today, the pulp_rpm.conf looks like this and uses the detection of HTTPS on/off to determine if a request will go to protected repos auth or unprotected:

<Location /pulp/repos/>
  RewriteEngine On
  RewriteCond %{HTTPS} on
  RewriteRule (.+/pulp/repos/)(.*) /pulp2/content/var/www/pub/yum/https/repos/$2 [DPI]
  RewriteCond %{HTTPS} off
  RewriteRule (.+/pulp/repos/)(.*) /pulp2/content/var/www/pub/yum/http/repos/$2 [DPI]
</Location>

<Directory /var/www/pub/yum/https>
    WSGIAccessScript /usr/share/pulp/wsgi/repo_auth.wsgi
    SSLVerifyClient require
    SSLVerifyDepth 9
    SSLOptions +StdEnvVars +ExportCertData +FakeBasicAuth
    Options FollowSymLinks Indexes
</Directory>

# -- HTTP Repositories ---------
<Directory /var/www/pub/yum/http>
    Options FollowSymLinks Indexes
</Directory>

This is a poor design because it:
a) assumes that ALL repos shared via https are protected and require client ssl certificates
b) the only way to share out repos without requiring client ssl cert auth is via http
c) provides no way to add https to the unprotected repos, because ALL https traffic will be redirected to the protected

What probably needs to happen is to replace the "%{HTTPS} on/off" logic with a URL-based system to separate protected/unprotected repos, eliminate the use of /pulp2/content/var/www/pub/yum/{http,https} in URLs, and change the repos to something like /pulp2/content/var/www/pub/yum/{protected,unprotected}.

Then the user should have the option to enable/disable http/https sharing on the unprotected repos if they wish. Those who use self-signed certificates will need to use http, and those who have commercial certificates could have their unprotected repos all use https, and totally turn off port 80 on Foreman.

The other option is just to make the change and require commercial certificates to use Katello repos, which given we have encryptallthethings, getting a commercial certificate is not a significant burden anymore.

I feel that having Foreman/Katello no longer require the use of any unencrypted http if desired is a significantly important goal these days, and this should be strongly considered.
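
Added example, not part of the original report and not Katello or Pulp code: a small audit script that reads the rewrite rules and Directory blocks quoted above and reports, per scheme, whether the tree that scheme is routed to demands a client certificate. The sample configuration is constructed from the excerpt in this issue, and the function names are hypothetical.

```python
import re

# Constructed sample: the pulp_rpm.conf excerpt quoted in this issue, trimmed,
# with closing tags so the blocks can be parsed.
SAMPLE_CONF = """\
<Location /pulp/repos/>
  RewriteCond %{HTTPS} on
  RewriteRule (.+/pulp/repos/)(.*) /pulp2/content/var/www/pub/yum/https/repos/$2 [DPI]
  RewriteCond %{HTTPS} off
  RewriteRule (.+/pulp/repos/)(.*) /pulp2/content/var/www/pub/yum/http/repos/$2 [DPI]
</Location>
<Directory /var/www/pub/yum/https>
    SSLVerifyClient require
</Directory>
<Directory /var/www/pub/yum/http>
    Options FollowSymLinks Indexes
</Directory>
"""

def scheme_routes(conf):
    """Map the %{HTTPS} value ('on'/'off') to the rewrite target it selects."""
    routes, pending = {}, None
    for line in map(str.strip, conf.splitlines()):
        cond = re.match(r"RewriteCond\s+%\{HTTPS\}\s+(on|off)$", line, re.I)
        if cond:
            pending = cond.group(1).lower()
        elif line.startswith("RewriteRule") and pending:
            routes[pending] = line.split()[2]   # pattern, then substitution
            pending = None
    return routes

def client_cert_dirs(conf):
    """Map each <Directory> path to True if it sets SSLVerifyClient require."""
    blocks = re.findall(r"<Directory\s+([^>]+)>(.*?)</Directory>", conf, re.S)
    return {path.strip(): bool(re.search(r"^\s*SSLVerifyClient\s+require\b", body, re.M))
            for path, body in blocks}

def audit(conf):
    """Per scheme: does the tree that scheme is routed to demand a client cert?"""
    dirs = client_cert_dirs(conf)
    report = {}
    for https, target in scheme_routes(conf).items():
        # Trailing slash stops .../yum/http from matching .../yum/https
        needs_cert = any(req for path, req in dirs.items()
                         if path.rstrip("/") + "/" in target)
        report["https" if https == "on" else "http"] = needs_cert
    return report

if __name__ == "__main__":
    # https -> True, http -> False: no certificate-free tree is reachable over TLS
    print(audit(SAMPLE_CONF))
```

A configuration that serves an unprotected tree over TLS would need a route whose `https` entry is `False`; with scheme-based routing as quoted, that entry is always `True`.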


#1 Updated by Ian Ballou over 1 year ago

  • Triaged changed from No to Yes
  • Status changed from New to Resolved

Hi Nix Fu,

This issue is fixed if you install Katello with Pulp 3, which was the default starting 3.16. Starting with Katello 4.0, Pulp 3 will be the only option.

#2 Updated by Ian Ballou over 1 year ago

  • Target version set to Katello Recycle Bin
