Use unix socket for httpd -> Foreman communication

Author: ekohl

playbooks/deploy.yaml

@@ -33,7 +33,9 @@
     foreman_db_password: "CHANGEME"
     foreman_oauth_consumer_key: abcdefghijklmnopqrstuvwxyz123456
     foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
+    foreman_listen_stream: /run/httpd.foreman.sock
     foreman_url: "https://{{ ansible_fqdn }}"
+    httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
     httpd_server_ca_certificate: "{{ ca_certificate }}"
     httpd_client_ca_certificate: "{{ ca_certificate }}"
     httpd_server_certificate: "{{ server_certificate }}"

roles/foreman/templates/foreman.socket.j2

@@ -3,6 +3,12 @@ Description=Foreman socket
 
 [Socket]
 ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
 
 [Install]
 WantedBy=sockets.target

roles/httpd/defaults/main.yml

@@ -1,4 +1,4 @@
 httpd_ssl_dir: /etc/pki/httpd
 httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
-httpd_foreman_backend: http://localhost:3000
+httpd_foreman_backend: http://localhost:3000/

roles/httpd/tasks/main.yml

@@ -12,6 +12,13 @@
     state: true
     persistent: true
 
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+  ansible.posix.seboolean:
+    name: daemons_enable_cluster_mode
+    state: true
+    persistent: true
+
 - name: Disable welcome page
   ansible.builtin.file:
     path: /etc/httpd/conf.d/welcome.conf

roles/httpd/templates/foreman-ssl-vhost.conf.j2

@@ -70,8 +70,8 @@
   ProxyPass /pulp !
   ProxyPass /icons !
   ProxyPass /server-status !
-  ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900
-  ProxyPassReverse / {{ httpd_foreman_backend }}/
+  ProxyPass / {{ httpd_foreman_backend }} retry=0 timeout=900
+  ProxyPassReverse / {{ httpd_foreman_backend }}
 
   AddDefaultCharset UTF-8
 </VirtualHost>