Foreman » Smart Proxy

https://groups.google.com/forum/#!topic/foreman-users/5fhXp7e_u5Q - Original report

https://github.com/sinatra/sinatra/commit/0f9a959253bdf0c39422ffb9b60278df46ef0248 - suspected root problem, credit to Pete Harvey on Foreman-Users Google Group for finding this

I too am having this issue.

Settings.yml:

# cat /etc/foreman-proxy/settings.yml
---
#replace default location of "settings.d" 
:settings_directory: /etc/foreman-proxy/settings.d

# SSL Setup
# If enabled, all communication would be verified via SSL
# NOTE that both certificates need to be signed by the same CA in order for this to work
# see http://theforeman.org/projects/smart-proxy/wiki/SSL for more information
:ssl_certificate: /var/lib/puppet/ssl/certs/foreman-proxy.<REDACTED>.pem
:ssl_ca_file: /var/lib/puppet/ssl/certs/ca.pem
:ssl_private_key: /var/lib/puppet/ssl/private_keys/foreman-proxy.<REDACTED>.pem

# Hosts which the proxy accepts connections from
# commenting the following lines would mean every verified SSL connection allowed
#:trusted_hosts:
#- foreman.prod.domain
#- foreman.dev.domain
#to deny access to all hosts use:
#:trusted_hosts: []

#:foreman_url: http://127.0.0.1:3000

# SSL settings for client authentication against Foreman. If undefined, the values
# from general SSL options are used instead. Mainly useful when Foreman uses
# different certificates for its web UI and for smart-proxy requests.
#:foreman_ssl_ca: ssl/certs/ca.pem
#:foreman_ssl_cert: ssl/certs/fqdn.pem
#:foreman_ssl_key: ssl/private_keys/fqdn.pem

# by default smart_proxy runs in the foreground. To enable running as a daemon, uncomment 'daemon' setting
:daemon: true
# Only used when 'daemon' is set to true.
# Uncomment and modify if you want to change the default pid file '/var/run/foreman-proxy/foreman-proxy.pid'
:daemon_pid: /var/run/foreman-proxy/foreman-proxy.pid

# HTTP ports configuration
# http is disabled by default. To enable, uncomment 'http_port' setting
#:http_port: 8000
# https is enabled if certificate, CA certificate, and private key are present in locations specifed by
# ssl_certificate, ssl_ca_file, and ssl_private_key correspondingly
# default values for https_port is 8443
:https_port: 8443

# Shared options for virsh DNS/DHCP provider
:virsh_network: default

# Log configuration
# Uncomment and modify if you want to change the location of the log file or use STDOUT
:log_file: /var/log/foreman-proxy/proxy.log
# Uncomment and modify if you want to change the log level
# WARN, DEBUG, ERROR, FATAL, INFO, UNKNOWN
:log_level: DEBUG

Looking at listeners on port 8443:

# lsof -n -i4 -a -P -p `cat /var/run/foreman-proxy/foreman-proxy.pid`
COMMAND  PID          USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
ruby    5811 foreman-proxy    5u  IPv4 27769254      0t0  TCP 127.0.0.1:8443 (LISTEN)

Potential workarounds:

• add export RACK_ENV='production' to init script
• add proxy FQDN to hosts entry for 127.0.0.1
  • this assumes the foreman is on the same machine
  • this allows foreman to connect and import classes/environments