
Task #1190

Updated by jcline@redhat.com over 8 years ago

Part of the lazy component set is an Apache server that acts as an SSL termination point (since squid can't cache encrypted traffic) and enforces content protection. The client is redirected to this Apache server (by way of story #1180) when the content is missing from the Pulp server, but is part of a lazy-loaded repository. When a client connects Apache will need to check the presented client certificate (if any) to ensure they have access to the content. Apache will then keep the connection to the client open while it connects to Squid on localhost:3128 and requests the content on behalf of the client. 

 To achieve this, a new Apache configuration file needs to be created that contains two Location directives: one for SSL and one for non-SSL. These two Location blocks will satisfy the following functional requirements: 

 * It performs repo auth using WSGIAccessScript 
 * It requires SSL using "SSLRequireSSL" or something similar 
 * It acts as a reverse proxy to localhost:3128 using the ProxyPassReverse directive 

 The non-SSL Location block will be the same as the SSL one except that it cannot require SSL (obviously). This one is important too because squid is designed to listen on the localhost interface only, and if the non-SSL location does not perform the repo auth then we would have a security hole. This is why exposing squid directly is not safe if you are also trying to have content protected and still serve at least one content type via HTTP. 

 The first two bullets above are likely very similar to "this config that protects content in RPM":https://github.com/pulp/pulp_rpm/blob/master/plugins/etc/httpd/conf.d/pulp_rpm.conf#L27-L32. This location is TBD, but likely will be at /pulp/content/ or some similar URL that is unprocessed by platform. 

 Some inline documentation should be included in the configuration file explaining the purpose of each directive and any other settings the user may want to tweak or look into. A release note should be added for this change. 

 This new configuration file will be packaged as part of the pulp-streamer and is completely separate from the main Apache configuration for Pulp.
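 As an added sketch (not the Pulp project's own file), here is one way the two Location blocks described above could look. /pulp/content/ is the tentative URL from this task, /srv/pulp/repo_auth.wsgi is a placeholder for the access script, and the client-certificate directives, the WSGI group names and the vhost each block is included from are assumptions.

```apache
# Added example, not from pulp-streamer. Paths and group names are placeholders.

# Never behave as a forward proxy; only the explicit ProxyPass lines below apply.
ProxyRequests Off
ProxyPreserveHost On

# Run the access script inside the Pulp WSGI process group (assumed names).
<Files "repo_auth.wsgi">
    WSGIProcessGroup pulp
    WSGIApplicationGroup pulp
</Files>

# --- Block 1: include from the HTTPS (SSL-terminating) vhost -------------
<Location /pulp/content/>
    # Refuse anything that did not arrive over TLS.
    SSLRequireSSL
    # Accept a client certificate if one is presented and export it so the
    # access script can decide which repositories this client may read.
    SSLVerifyClient optional
    SSLVerifyDepth 3
    SSLOptions +StdEnvVars +ExportCertData
    # Repo auth runs before the request is handed to the proxy.
    WSGIAccessScript /srv/pulp/repo_auth.wsgi
    # Hold the client connection open and fetch from Squid on its behalf.
    ProxyPass        http://localhost:3128/pulp/content/
    ProxyPassReverse http://localhost:3128/pulp/content/
</Location>

# --- Block 2: include from the plain-HTTP vhost --------------------------
# Identical minus SSLRequireSSL. The access script MUST remain here: Squid
# listens on localhost only and relies on Apache for authorization, so an
# unauthenticated HTTP path into it would bypass content protection.
<Location /pulp/content/>
    WSGIAccessScript /srv/pulp/repo_auth.wsgi
    ProxyPass        http://localhost:3128/pulp/content/
    ProxyPassReverse http://localhost:3128/pulp/content/
</Location>
```

 A quick check after deploying is to request a protected path over plain HTTP without credentials and confirm Apache answers 403 rather than serving the content from Squid.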
