feat: probe http on every URL in addition to https (per KB 6972355)#17
Merged
Conversation
Per Red Hat KB 6972355, the Azure firewall must allow both http (tcp/80) and https (tcp/443) to every listed host. The KB states port 80 is "often a redirect to 443" but "Red Hat cannot guarantee dependent services do not need it" — open both. The KB's only HTTPS-only exception (*.blob.core.windows.net) is not present in this list. Add `http` to the schemes list of all 16 entries, taking probe coverage from 16 to 32. The play's existing `follow_redirects: all` means an http probe that 301s to https resolves to the final https status, so the same expected `status` works for both schemes on every entry. Top-of-file comment documents the KB-derived rationale (one informative comment beats 16 uninformative ones). Tested locally: 32 of 32 probes pass from a host with open egress (exit 0). Closes #10. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #10.
Add
httpto every entry'sschemeslist inplaybooks/files/websites.yml, taking probe coverage from 16 URLs to 32 URL/scheme combinations. Required by Red Hat KB 6972355 to validate the Azure firewall correctly.What I learned re-reading the KB
When I opened #10 I assumed the KB called for http on a subset of URLs (OCSP, CRL). It does not. The KB says:
The only HTTPS-only call-out is
*.blob.core.windows.net, which is not in this list. So the right move is http on every entry, not a curated subset — which is what this PR does.I also chose one informative top-of-file comment over 16 uninformative per-entry comments (the original acceptance criterion). Each per-entry comment would have to say the same thing — "for redirect / dependent service support per KB" — which is exactly what the top-of-file comment now says once.
Why this stays revertible on its own
This is the only change in #8–#12 that alters which URLs we probe. If the weekly cron turns red on a Monday, the firewall-rule punch list output (added by #12) will name the exact host:port combinations to look at, and this PR can be reverted on its own without touching any of the surrounding work.
Test results
Locally on a Fedora laptop with open egress:
Every http probe successfully followed
follow_redirects: allto the host's https endpoint and matched the expected status.Files
playbooks/files/websites.yml— every entry gets[http, https]and the file header gains a KB-rationale comment block.CHANGELOG.md— entry under[Unreleased] / Added.Test plan
yamllintclean locallyansible-lintclean locally🤖 Generated with Claude Code