Task #1190

Updated by jcline@redhat.com over 8 years ago

Part of the lazy component set is an Apache server that acts as an SSL termination point (since squid can't cache encrypted traffic) and enforces content protection. The client is redirected to this Apache server (by way of story #1180) when the content is missing from the Pulp server but is part of a lazy-loaded repository. When a client connects, Apache will need to check the presented client certificate (if any) to ensure the client has access to the content. Apache will then keep the connection to the client open while it connects to Squid on localhost:3128 and requests the content on behalf of the client.

To achieve this, two new Apache Location directives need to be added: one for SSL and one for non-SSL. Both need to be added to both the "Apache 2.2 and Apache 2.4":https://github.com/pulp/pulp/tree/master/server/etc/httpd/conf.d configuration files. These two new Location blocks will be commented out by default and will satisfy the following functional requirements:

* That it performs repo auth using WSGIAccessScript
* That it requires SSL using "SSLRequireSSL" or something similar
* That it acts as a reverse proxy to localhost:3128 using the ProxyPassReverse directive

The non-SSL Location block will be the same as the SSL one except that it cannot require SSL (obviously). This one is important too: squid is designed to listen on the localhost interface only, and if the non-SSL location does not perform the repo auth then we would have a security hole, because any plain-HTTP client could reach the cached content through Apache without ever being authorized. This is why exposing squid directly is not safe if you are also trying to have content protected and still serve at least one content type via HTTP.

The first two bullets above are likely very similar to "this config that protects content in RPM":https://github.com/pulp/pulp_rpm/blob/master/plugins/etc/httpd/conf.d/pulp_rpm.conf#L27-L32. The location is TBD, but it will likely be at /pulp/content/ or some similar URL that is not processed by the platform.
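Below is an added example of what the two Location blocks described above could look like (Apache 2.4 syntax, with the 2.2 equivalent noted in comments). It is not Pulp's own configuration: the /pulp/content/ prefix is the TBD location from this task, and the path of the WSGI access script is a placeholder standing in for whatever the repo auth config in pulp_rpm.conf uses. The point it illustrates is that both blocks, HTTPS and plain HTTP, run the same WSGIAccessScript check before anything is proxied to squid; only SSLRequireSSL differs.

```apache
# Added example, not Pulp's own config. /pulp/content/ is the TBD location from
# this task; /srv/pulp/repo_auth.wsgi is a PLACEHOLDER for the repo auth script.
# Shipped commented out by default, as the task describes.

# Squid is bound to 127.0.0.1:3128 only; Apache is the sole way to reach it.
# Never turn this Apache into an open forward proxy.
ProxyRequests Off

# ---- HTTPS block: lives inside the *:443 VirtualHost (SSL termination) ----
# The enclosing VirtualHost is assumed to export the client certificate to
# the WSGI script, e.g.:  SSLVerifyClient optional
#                         SSLOptions +StdEnvVars +ExportCertData
<Location /pulp/content/>
    # Refuse anything that did not arrive over TLS on this vhost.
    SSLRequireSSL
    # Repo auth: mod_wsgi calls allow_access() in this script for every
    # request and denies with 403 unless the client cert grants access.
    WSGIAccessScript /srv/pulp/repo_auth.wsgi
    # Only after auth succeeds: hand the request to squid and hold the client
    # connection open while squid fetches or serves the content.
    # (squid's http_port must be configured as an accelerator port for
    #  reverse-proxied requests; that is squid-side config, not shown here.)
    ProxyPass        http://127.0.0.1:3128/
    ProxyPassReverse http://127.0.0.1:3128/
    # Apache 2.4 access control. Apache 2.2 equivalent:
    #   Order allow,deny
    #   Allow from all
    Require all granted
</Location>

# ---- HTTP block: lives inside the *:80 (or e.g. *:8080) VirtualHost ----
# Identical except it cannot require SSL. The WSGIAccessScript line is NOT
# optional here: dropping it would let any unauthenticated HTTP client pull
# protected content through Apache out of squid's cache.
<Location /pulp/content/>
    WSGIAccessScript /srv/pulp/repo_auth.wsgi
    ProxyPass        http://127.0.0.1:3128/
    ProxyPassReverse http://127.0.0.1:3128/
    Require all granted
</Location>
```

A quick way to check the non-SSL block after enabling it is to request a protected path over plain HTTP with no client certificate: the expected result is a 403 from Apache, and squid's access log should show no corresponding request, confirming that auth runs before the proxy hand-off.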

 This will provide SSL termination with content protection, and keep the connection open while it connects to squid on localhost:3128. 

Some commented documentation should surround this new Location block, identifying its role in the lazy loading use case and explaining the purpose of each directive and any other settings the user may want to tweak or look into. This Location is the handler for the URL that Pulp forms when it returns an HTTP 302 redirect in story #1180. The documentation can also recommend that the user use a different VirtualHost listening on a different port (like 8080). A release note should be added for this change.

 This new configuration file will be packaged as part of the pulp-streamer and is completely separate from the main Apache configuration for Pulp.
