Use unix socket for httpd -> Foreman communication

ekohl · ekohl · commit dd7e7fbea4f7 · 2026-03-19T09:54:24.000+01:00
diff --git a/src/roles/foreman/templates/foreman.socket.j2 b/src/roles/foreman/templates/foreman.socket.j2
@@ -3,6 +3,12 @@ Description=Foreman socket
 
 [Socket]
 ListenStream={{ foreman_listen_stream }}
+SocketUser=apache
+SocketMode=0600
+
+NoDelay=false
+ReusePort=true
+Backlog=1024
 
 [Install]
 WantedBy=sockets.target
diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
@@ -13,6 +13,13 @@
     persistent: true
   when: ansible_facts['selinux']['status'] == "enabled"
 
+# TODO: probably not the right boolean
+- name: Set daemons_enable_cluster_mode so Apache can connect to unix sockets
+  ansible.posix.seboolean:
+    name: daemons_enable_cluster_mode
+    state: true
+    persistent: true
+
 - name: Disable welcome page
   ansible.builtin.file:
     path: /etc/httpd/conf.d/welcome.conf
diff --git a/src/vars/base.yaml b/src/vars/base.yaml
@@ -23,6 +23,9 @@ foreman_oauth_consumer_secret: abcdefghijklmnopqrstuvwxyz123456
 foreman_plugins: "{{ enabled_features | features_to_foreman_plugins }}"
 foreman_url: "https://{{ ansible_facts['fqdn'] }}"
 
+foreman_listen_stream: /run/httpd.foreman.sock
+httpd_foreman_backend: "unix://{{ foreman_listen_stream }}|http://%{HTTP_HOST}/"
+
 httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
