Open ehelms opened 1 month ago
The puppet-foreman_proxy_content module includes certs::foreman_proxy in multiple locations (https://github.com/search?q=repo%3Atheforeman%2Fpuppet-foreman_proxy_content+certs%3A%3Aforeman_proxy&type=code), which from my early testing makes it difficult to include this change, as I need to switch to using class { 'certs::foreman_proxy': } in order to set this new parameter somewhere and I encounter duplicate class declarations.
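The duplicate-declaration problem described above, worked through in Puppet as an added example (this is not code from puppet-foreman_proxy_content or puppet-certs): the parameter name `ensure`, the class `foreman_proxy_content::pulp`, the `reverse_proxy` parameter and the file path are all assumed for illustration.

```puppet
# Added example, not the module's own code. Parameter name `ensure`,
# the file path and the wrapper classes below are assumptions.
class certs::foreman_proxy (
  Enum['present', 'absent'] $ensure = 'present',
) {
  # Only a proxy that terminates TLS and re-encrypts towards Foreman needs
  # this client certificate and its private key on disk at all.
  file { '/etc/foreman-proxy/ssl/proxy-client.pem':   # illustrative path
    ensure  => $ensure,
    owner   => 'root',
    group   => 'foreman-proxy',
    mode    => '0440',
    content => 'PLACEHOLDER-PEM',                     # constructed value
  }
}

# What the module does today in several manifests: a plain include, which
# always takes the class defaults. A `class { ... }` declaration for the
# same class evaluated AFTER this include fails with "Duplicate declaration".
class foreman_proxy_content::pulp {
  include certs::foreman_proxy
}

# Fix 1: declare the class resource-like exactly once, in the top-level
# wrapper, before any include is evaluated. Puppet accepts `include` after a
# resource-like declaration, but not a resource-like declaration after an
# `include`, so the wrapper must be the first to mention the class.
class foreman_proxy_content (
  Boolean $reverse_proxy = false,   # assumed to mirror the module's toggle
) {
  $proxy_cert_ensure = $reverse_proxy ? {
    true    => 'present',
    default => 'absent',
  }

  class { 'certs::foreman_proxy':
    ensure => $proxy_cert_ensure,
  }

  contain foreman_proxy_content::pulp   # its include now resolves cleanly
}

# Fix 2: leave every `include` untouched and bind the parameter through
# Hiera automatic parameter lookup instead, e.g. in data/common.yaml:
#   certs::foreman_proxy::ensure: absent
```

With either fix, a plain Foreman host (no reverse proxy) ends up without the client certificate and private key, which is the least-privilege outcome the PR is after.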
Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present.
I always had questions about this. Why is the reverse proxy configured with a private key? That just screams potential security holes to me.
Quoting https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile
This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.
Why do we need that?
I believe this is used to perform re-encryption because SSL was being terminated in Apache on the Capsule and we then need to proxy the communication while preserving the SSL client certificate header (https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62).
My expectation is that it would simply result in a different SSL client certificate header. The one belongs to the certificate & private key provided in the bundle.
My understanding is that without setting this, the proxy cannot present a valid certificate to the Apache on Foreman. While this appears to work without SSLProxyMachineCertificateFile, there are errors within the log:
AH02268: Proxy client certificate callback: (<hostname>:443) downstream server wanted client certificate but none are configured
In all cases, the client certificate information has to be extracted and put into a new header that is sent along (this line: https://github.com/theforeman/puppet-foreman_proxy_content/blob/master/manifests/reverse_proxy.pp#L62), because the client certificates cannot be passed along.
Currently we deploy this certificate in all deployments but it should only be deployed onto a foreman-proxy where reverse proxy is present. It is useless and unused on a Foreman deployment. This keeps the default behaviour by defaulting to 'present' but provides a way to set this to false in puppet-foreman_proxy_content (PR to follow).