Task #1190

Updated by bmbouter about 6 years ago

Two new Location directives need to be added: one for SSL and one for non-SSL. Both types need to be added to both the "Apache 2.2 and Apache 2.4":https://github.com/pulp/pulp/tree/master/server/etc/httpd/conf.d configuration files. These two Location blocks will be commented out by default and will satisfy the following functional requirements:

* That it performs repo auth using WSGIAccessScript
* Requires SSL using "SSLRequireSSL" or something similar
* That it acts as a reverse proxy to localhost:3128 using the ProxyPassReverse directive

The non-SSL Location block will be the same as the SSL one except that it cannot require SSL (obviously). This one is important too because squid is designed to be listening on the localhost interface only, and if the non-SSL location does not perform the repo auth then we would have a security hole. This is why exposing squid directly is not safe if you are also trying to have content protected and still serve at least one content type via HTTP.


The first two bullets above are likely very similar to "this config that protects content in RPM":https://github.com/pulp/pulp_rpm/blob/master/plugins/etc/httpd/conf.d/pulp_rpm.conf#L27-L32. This location is TBD, but likely will be at /pulp/content/ or some similar URL that is unprocessed by platform.

This will provide SSL termination with content protection, and keep the connection open while it connects to squid on localhost:3128.

Some commented docs should surround this new location block identifying its role in the lazy loading use case. This directive is the handler that will be formed by Pulp when it returns an HTTP 302 redirect in story #1180. This can also recommend to the user that they can use a default location of / and use a different virtualhost listening on a different port (like 8080). A release note should be added for this change.
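
An added example, not part of the original task and not Pulp's own code: a small audit that flags any active Location block that proxies to squid without repo auth, which is the security hole described above for the non-SSL block, and any SSL block that does not require SSL. The `audit` function, the script path, the virtual host layout, the use of `/pulp/content/` (the task's tentative path) and the rule that a virtual host with `SSLEngine on` counts as the SSL one are assumptions made for the example.

```python
import re

SQUID, PROXY = "localhost:3128", ("proxypass", "proxypassreverse")  # squid address from the task
SAMPLE_CONF = """# Constructed sample, not Pulp's shipped config; paths are placeholders.
<VirtualHost *:443>
    SSLEngine on
    <Location /pulp/content/>
        WSGIAccessScript /path/to/repo_auth.wsgi
        SSLRequireSSL
        ProxyPass http://localhost:3128/
        ProxyPassReverse http://localhost:3128/
    </Location>
</VirtualHost>
<VirtualHost *:80>
    <Location /pulp/content/>
        ProxyPass http://localhost:3128/
        ProxyPassReverse http://localhost:3128/
    </Location>
</VirtualHost>
"""

def audit(conf_text):
    """Return (vhost, location, problem) for Location blocks that expose squid."""
    top = {"name": "(main server)", "ssl": False}
    vh, seen, blocks = top, None, []
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blocks left commented out are inactive
        word = line.split()[0].lower()
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            vh = {"name": m.group(1), "ssl": False}
        elif word == "</virtualhost>":
            vh = top
        elif m := re.match(r"<Location\s+([^>\s]+)>", line, re.I):
            seen = set()  # directive names found inside this Location
            blocks.append((vh, m.group(1), seen))
        elif word == "</location>":
            seen = None
        elif line.lower().split()[:2] == ["sslengine", "on"]:
            vh["ssl"] = True  # applies to the whole vhost, whatever the order
        elif seen is not None:
            seen.add("proxy" if word in PROXY and SQUID in line else word)
    findings = []
    for vh, loc, seen in blocks:
        if "proxy" in seen and "wsgiaccessscript" not in seen:
            findings.append((vh["name"], loc, "no repo auth in front of squid"))
        if "proxy" in seen and vh["ssl"] and "sslrequiressl" not in seen:
            findings.append((vh["name"], loc, "SSL block does not require SSL"))
    return findings
```

On the constructed sample, `audit(SAMPLE_CONF)` reports only the port 80 block, because it reaches squid without a `WSGIAccessScript`.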
