Skip to content

feat: probe http on every URL in addition to https (per KB 6972355)#17

Merged
ericcames merged 1 commit into
mainfrom
10-add-http-schemes
May 21, 2026
Merged

feat: probe http on every URL in addition to https (per KB 6972355)#17
ericcames merged 1 commit into
mainfrom
10-add-http-schemes

Conversation

@ericcames

@ericcames ericcames commented May 21, 2026

Copy link
Copy Markdown
Owner

Summary

Closes #10.

Add http to every entry's schemes list in playbooks/files/websites.yml, taking probe coverage from 16 URLs to 32 URL/scheme combinations. Required by Red Hat KB 6972355 to validate the Azure firewall correctly.

What I learned re-reading the KB

When I opened #10 I assumed the KB called for http on a subset of URLs (OCSP, CRL). It does not. The KB says:

"We will list ports 80 and 443 even though many use https only. The reason for this is that port 80 is often provided as a convenience to redirect to port 443. We cannot guarantee that one of these dependent services may need to route traffic on port 80, so we suggest you open the firewall rule for both."

The only HTTPS-only call-out is *.blob.core.windows.net, which is not in this list. So the right move is http on every entry, not a curated subset — which is what this PR does.

I also chose one informative top-of-file comment over 16 uninformative per-entry comments (the original acceptance criterion). Each per-entry comment would have to say the same thing — "for redirect / dependent service support per KB" — which is exactly what the top-of-file comment now says once.

Why this stays revertible on its own

This is the only change in #8#12 that alters which URLs we probe. If the weekly cron turns red on a Monday, the firewall-rule punch list output (added by #12) will name the exact host:port combinations to look at, and this PR can be reverted on its own without touching any of the surrounding work.

Test results

Locally on a Fedora laptop with open egress:

TASK [Show summary] ************************************************************
ok: [...] => {
    "msg": "32 of 32 URL probes passed."
}

Every http probe successfully followed follow_redirects: all to the host's https endpoint and matched the expected status.

Files

  • playbooks/files/websites.yml — every entry gets [http, https] and the file header gains a KB-rationale comment block.
  • CHANGELOG.md — entry under [Unreleased] / Added.

Test plan

  • yamllint clean locally
  • ansible-lint clean locally
  • All 32 probes pass locally
  • CI green on PR
  • Weekly cron stays green on next scheduled run

🤖 Generated with Claude Code

Per Red Hat KB 6972355, the Azure firewall must allow both http (tcp/80)
and https (tcp/443) to every listed host. The KB states port 80 is
"often a redirect to 443" but "Red Hat cannot guarantee dependent
services do not need it" — open both. The KB's only HTTPS-only
exception (*.blob.core.windows.net) is not present in this list.

Add `http` to the schemes list of all 16 entries, taking probe coverage
from 16 to 32. The play's existing `follow_redirects: all` means an http
probe that 301s to https resolves to the final https status, so the
same expected `status` works for both schemes on every entry.

Top-of-file comment documents the KB-derived rationale (one informative
comment beats 16 uninformative ones).

Tested locally: 32 of 32 probes pass from a host with open egress
(exit 0).

Closes #10.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@ericcames ericcames added the enhancement New feature or request label May 21, 2026
@ericcames
ericcames merged commit 8c5524e into main May 21, 2026
2 checks passed
@ericcames
ericcames deleted the 10-add-http-schemes branch May 21, 2026 17:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add http scheme to URLs that require it per Red Hat KB 6972355

1 participant