Bug 1585076

Summary: Exclude Satellite fqdn and localhost from possible proxying when user set foreman http proxy
Product: Red Hat Satellite Reporter: Lukas Pramuk <lpramuk>
Component: InfrastructureAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.4CC: ehelms, mmccune, satellite6-bugs
Target Milestone: 6.4.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-1.18.0-1.RC2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1585069 Environment:
Last Closed: 2018-10-16 19:19:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Pramuk 2018-06-01 09:16:16 UTC 
+++ This bug was initially created as a clone of Bug #1585069 +++

Description of problem:
There is new RFE which implemented general http proxy for foreman(+katello)
BZ 1333595 (6.4 clone is BZ 1572304)

If you set the setting to valid http proxy then suddenly all katello pages (and even org edit) throws "403 Forbidden" at you !!! This ultimate breakage is caused by the fact that every request is now proxied, even between internal components and even requests to localhost !!!

Some requests cannot and must not be proxied, for example all katello pages requests candlepin (8443/tcp) going via proxy all is denied.

Unless you specify Satellite FQDN in "HTTP(S) proxy except hosts" which is really really tricky and wouldn't be obvoius to many CUs.

So please exclude Satellite fqdn and localhost by default from being proxied.
Either by listing them by default in "HTTP(S) proxy except hosts" or (for localhost most applicable) exluding them right away in http proxy code.

Version-Release number of selected component (if applicable):
@satellite-6.3.1-3.el7sat.noarch (6.3.2 Snap1)
foreman-1.15.6.43-1.el7sat.noarch

How reproducible:
deterministic

Steps to Reproduce:
1. Set HTTP(S) proxy (having exlude list empty = which is default)
2. Navigate to any Katello page

"403 Forbidden" keeps smiling at ya

Actual results:
really really tricky and not obvious to many CUs.
setting http proxy breaks product

Expected results:
setting http proxy doesn't break anything
Comment 2 Lukas Pramuk 2018-07-24 10:26:32 UTC 
*** Bug 1596359 has been marked as a duplicate of this bug. ***
Comment 3 Lukas Pramuk 2018-09-03 22:21:41 UTC 
VERIFIED.

@satellite-6.4.0-13.el7sat.noarch
foreman-1.18.0.18-1.el7sat.noarch

by two following manual reproducers:

A) 
1. Set "HTTP(S) proxy except hosts" to list of all capsules (usually [SATFQDN])

2. Set "HTTP(S) proxy" (http://proxy.example.com:3128)

3. Navigate to any Katello page

>>> success, Katello page is rendered correctly, when except hosts settings contains list of all capsules

B)
1. Set "HTTP(S) proxy" to nonsense (http://nononoproxy.example.com:3128)

2. Create a docker compute resource http://localhost:2375

>>> success, traffic to localhost is no more proxied
Comment 4 Bryan Kearney 2018-10-16 19:19:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927