theforeman · pavanshekar · Apr 20, 2026
diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml
@@ -3,6 +3,7 @@ httpd_pulp_api_backend: http://localhost:24817
 httpd_pulp_content_backend: http://localhost:24816
 httpd_foreman_backend: http://localhost:3000
 httpd_pub_dir: /var/www/html/pub
+httpd_enabled_pulp_snippets: []
 
 # External authentication configuration
 httpd_external_authentication: "{{ external_authentication | default(None) }}"

diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -68,6 +68,10 @@
     ProxyPassReverse {{ httpd_pulp_content_backend }}/pulp/content
   </Location>
 
+{% for httpd_pulp_snippet in httpd_enabled_pulp_snippets %}
+{% include httpd_pulp_snippet+'.j2' %}
+{% endfor %}
+
   <Location "/pulp/api/v3">
     RequestHeader unset REMOTE_USER
     RequestHeader unset REMOTE-USER

diff --git a/src/roles/httpd/templates/pypi.j2 b/src/roles/httpd/templates/pypi.j2
@@ -0,0 +1,7 @@
+  <Location "/pypi">
+    RequestHeader unset X-CLIENT-CERT
+    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
+    RequestHeader set X-FORWARDED-PROTO expr=%{REQUEST_SCHEME}
+    ProxyPass {{ httpd_pulp_api_backend }}/pypi timeout=600
+    ProxyPassReverse {{ httpd_pulp_api_backend }}/pypi
+  </Location>
diff --git a/src/vars/base.yaml b/src/vars/base.yaml
@@ -25,6 +25,7 @@ httpd_server_ca_certificate: "{{ server_ca_certificate }}"
 httpd_client_ca_certificate: "{{ client_ca_certificate }}"
 httpd_server_certificate: "{{ server_certificate }}"
 httpd_server_key: "{{ server_key }}"
+httpd_enabled_pulp_snippets: "{{ ['pypi'] if 'content/python' in enabled_features else [] }}"
 
 pulp_content_origin: "https://{{ ansible_facts['fqdn'] }}"
 pulp_pulp_url: "https://{{ ansible_facts['fqdn'] }}"

diff --git a/src/vars/flavors/katello.yml b/src/vars/flavors/katello.yml
@@ -5,4 +5,5 @@ flavor_features:
   - content/ansible
   - content/container
   - content/deb
+  - content/python
   - content/rpm
diff --git a/tests/httpd_test.py b/tests/httpd_test.py
@@ -52,6 +52,13 @@ def test_https_pulp_auth(server, certificates, server_fqdn):
     assert cmd.succeeded
     assert cmd.stdout == '200'
 
+def test_https_pypi_endpoint(server, certificates, server_fqdn):
+    cmd = server.run(f"{CURL_CMD} --cacert {certificates['ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/pypi/")
+    assert cmd.succeeded
+    # Verify route proxies to Pulp: 404 from Pulp confirms correct configuration
+    # (unconfigured routes return 503)
+    assert cmd.stdout == '404'
+
 def test_pub_directory_exists(server):
     pub_dir = server.file(HTTPD_PUB_DIR)
     assert pub_dir.exists