Pulp exposes any repo with a kickstart tree over HTTP due to limitations in anaconda. This causes a problem for RHUI since all accesses need to be done through authenticated HTTPS. The easiest way to get around this for RHUI is to have the installer disable the HTTP serving of any repositories, which is done by removing the directive for the /ks directory.
Note that this only affects the RHUA (Pulp server). The CDS instance HTTP configuration does not expose anything over HTTP. However, this wouldn't prevent clients from going to the RHUA directly to access content (it's not simple, but still a security risk nonetheless).
commit 87a42cbd7815b25606febcf3682ac14cefb12981
Author: Jay Dobies <jason.dobies>
Date: Wed Jul 6 11:14:34 2011 -0400

    719348 - Remove the kickstart directive entirely in the RHUA installation to prevent repositories with kickstart trees from being exposed over HTTP and thus not held to authentication requirements

rhui-2.0/tools/etc/rhui/templates/rh-rhua-config.spec

To verify:
- Sync a repository that has a kickstart tree (e.g. RHEL base channel)
- Attempt to access the repository on the RHUA directly over HTTP (which also implies not using an entitlement certificate); it shouldn't work

You might also want to just verify that repos aren't accessible over HTTP on the CDS, though I think you've already tested that.
Fixed in 2.0.35. Note that the fix occurs in the RHUA configuration, so you'll have to generate a new RHUA config RPM from this version of RHUI Tools and install that.
Me accessing via browser was a bad idea. Checked by adding the below line in rh-cloud.repo, without entitlement certs:

baseurl=http://dhcp201-137.englab.pnq.redhat.com/pulp/ks/content/dist/rhel/rhui/server-6/releases/$releasever/$basearch/os

The conf file no longer has the ks directive, and we cannot access the repos with the above URL.
moving to release pending
closing out, product released