use upgrade=websocket where possible

manifests/config/apache.pp

@@ -182,8 +182,23 @@
     order   => '03',
   }
 
-  include apache::mod::proxy_wstunnel
-  $websockets_backend = regsubst($_proxy_backend, 'http://', 'ws://')
+  # mod_proxy supports "ProxyPass ... upgrade=websocket" since 2.4.47
+  # EL8: 2.4.37 / EL9: 2.4.62 / Debian11: 2.4.62 / Ubuntu20.04: 2.4.41 / Ubuntu22.04: 2.4.52
+  $proxy_upgrade_websocket = !($facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8') and !($facts['os']['name'] == 'Ubuntu' and $facts['os']['release']['major'] == '20.04')
+  if $proxy_upgrade_websocket {
+    $vhost_rewrites = []
+    $_proxy_params = $proxy_params + ['upgrade=websocket']
+  } else {
+    include apache::mod::proxy_wstunnel
+    $websockets_backend = regsubst($_proxy_backend, 'http://', 'ws://')
+    $websockets_rewrite = {
+      'comment'      => 'Upgrade Websocket connections',
+      'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
+      'rewrite_rule' => "/(.*) ${websockets_backend}\$1 [P,L]",
+    }
+    $vhost_rewrites = [$websockets_rewrite]
+    $_proxy_params = $proxy_params
+  }
 
   $vhost_http_request_headers = [
     'set X_FORWARDED_PROTO "http"',
@@ -209,15 +224,9 @@
       'no_proxy_uris' => $_proxy_no_proxy_uris,
       'path'          => pick($suburi, '/'),
       'url'           => $_proxy_backend,
-      'params'        => $proxy_params,
+      'params'        => $_proxy_params,
     },
-    'rewrites'            => [
-      {
-        'comment'      => 'Upgrade Websocket connections',
-        'rewrite_cond' => '%{HTTP:Upgrade} =websocket [NC]',
-        'rewrite_rule' => "/(.*) ${websockets_backend}\$1 [P,L]",
-      },
-    ],
+    'rewrites'            => $vhost_rewrites,
   }
 
   $vhost_https_request_headers = [

manifests/plugin/remote_execution/cockpit.pp

@@ -72,11 +72,16 @@
       require        => Class['foreman::database'],
     }
   } else {
-    include apache::mod::rewrite
-    include apache::mod::proxy_wstunnel
     include apache::mod::proxy_http
+    if $foreman::config::apache::proxy_upgrade_websocket {
+      $_apache_template = 'cockpit-apache-ssl.conf.erb'
+    } else {
+      include apache::mod::rewrite
+      include apache::mod::proxy_wstunnel
+      $_apache_template = 'cockpit-apache-ssl-rewrite.conf.erb'
+    }
     foreman::config::apache::fragment { 'cockpit':
-      ssl_content => template('foreman/cockpit-apache-ssl.conf.erb'),
+      ssl_content => template("foreman/${_apache_template}"),
     }
 
     foreman_config_entry { 'remote_execution_cockpit_url':

templates/cockpit-apache-ssl-rewrite.conf.erb

@@ -0,0 +1,11 @@
+### File managed with puppet ###
+
+<Location <%= @cockpit_path %>>
+  ProxyPreserveHost On
+
+  RewriteEngine On
+  RewriteCond %{HTTP:Upgrade} =websocket [NC]
+  RewriteRule <%= @cockpit_path %>/(.*)           ws://<%= @cockpit_host %>:<%= @cockpit_port %><%= @cockpit_path %>/$1 [P]
+
+  ProxyPass http://<%= @cockpit_host %>:<%= @cockpit_port %><%= @cockpit_path %>
+</Location>

templates/cockpit-apache-ssl.conf.erb

@@ -2,10 +2,5 @@
 
 <Location <%= @cockpit_path %>>
   ProxyPreserveHost On
-
-  RewriteEngine On
-  RewriteCond %{HTTP:Upgrade} =websocket [NC]
-  RewriteRule <%= @cockpit_path %>/(.*)           ws://<%= @cockpit_host %>:<%= @cockpit_port %><%= @cockpit_path %>/$1 [P]
-  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
-  RewriteRule <%= @cockpit_path %>/(.*)           http://<%= @cockpit_host %>:<%= @cockpit_port %><%= @cockpit_path %>/$1 [P]
+  ProxyPass http://<%= @cockpit_host %>:<%= @cockpit_port %><%= @cockpit_path %> upgrade=websocket
 </Location>