ENT-10411: Added ability to disable plain http for Mission Portal

MPF.md

@@ -239,6 +239,55 @@ manage High Availability of Enterprise Hubs is enabled.
 
 **Note:** This class is **not** defined by default.
 
+### Disable plain http for CFEngine Enterprise Mission Portal
+
+By default Mission Portal listens for HTTP requests on port 80, redirecting to HTTPS on port 443. To prevent the web server from listening on port 80 at all define `default:cfe_cfengine_enterprise_disable_plain_http`.
+
+**For example:**
+
+```json
+{
+  "classes": {
+    "default:cfe_enterprise_disable_plain_http": {
+      "class_expressions": [ "am_policy_hub|policy_server::" ]
+    }
+  }
+}
+```
+
+**Notes:**
+
+- If this class (`default:cfe_enterprise_disable_http_redirect_to_https`) is defined the class `default:cfe_enterprise_disable_plain_http` is defined is automatically defined.
+
+**History:**
+
+- Added in CFEngine 3.23.0
+
+### Disable plain http redirect to https for CFEngine Enterprise Mission Portal
+
+By default Mission Portal listens for HTTP requests on port 80, redirecting to HTTPS on port 443. To prevent redirection of requests on HTTP to HTTPS define `default:cfe_enterprise_disable_http_redirect_to_https`.
+
+**For example:**
+
+```json
+{
+  "classes": {
+    "default:cfe_enterprise_disable_http_redirect_to_https": {
+      "class_expressions": [ "(am_policy_hub|policy_server).test_server::" ]
+    }
+  }
+}
+```
+
+**Notes:**
+
+- If `default:cfe_enterprise_disable_plain_http` is defined, this class (`default:cfe_enterprise_disable_http_redirect_to_https`) is automatically defined.
+
+**History:**
+
+- Added in CFEngine 3.6.0
+- Class renamed from `cfe_cfengine_enterprise_enable_plain_http` to `cfe_enterprise_disable_http_redirect_to_https` in CFEngine 3.23.0
+
 ### Disable cf\_promises\_validated check
 
 For non policy hubs the default update policy only performs a full scan of

cfe_internal/enterprise/templates/httpd.conf.mustache

@@ -5,7 +5,11 @@ ServerSignature Off
 ServerTokens ProductOnly
 ServerName {{{vars.sys.fqhost}}}
 ServerRoot "{{{vars.sys.workdir}}}/httpd"
+{{#classes.cfe_enterprise_disable_plain_http}}
+# ENT-10411
 Listen 80
+{{/classes.cfe_enterprise_disable_plain_http}}
+
 PidFile "{{{vars.mission_portal_apache_from_stage.httpd_pid_file}}}"
 
 # Modules
@@ -230,11 +234,11 @@ AddType    application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_v
   <IfModule rewrite_module>
     RewriteEngine On
 
-    {{^classes.cfe_enterprise_enable_plain_http}}
+    {{^classes.cfe_enterprise_disable_http_redirect_to_https}}
     # Force https with redirection
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
-    {{/classes.cfe_enterprise_enable_plain_http}}
+    {{/classes.cfe_enterprise_disable_http_redirect_to_https}}
 
     {{#classes.mission_portal_index_php_redirect_enabled}}
     # redirect from `index.php/path` to `/path`

controls/def.cf

@@ -676,6 +676,21 @@ bundle common def
       # Enable paths to POSIX tools instead of native tools when possible.
       "mpf_stdlib_use_posix_utils" expression => "any";
 
+    enterprise_edition.(policy_server|am_policy_hub)::
+      "cfe_enterprise_disable_http_redirect_to_https"
+        scope => "namespace",
+        expression => "cfe_cfengine_enterprise_enable_plain_http";
+
+      "cfe_enterprise_disable_http_redirect_to_https"
+        expression => "cfe_enterprise_disable_plain_http",
+        comment => "If plain http is disabled, it makes no sense to redirect to it, so we disable that as well.";
+
+  reports:
+      "Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly. The  'cfe_enterprise_disable_http_redirect_to_https' class has been set automatically."
+        if => "cfe_enterprise_disable_http_redirect_to_https.cfe_cfengine_enterprise_enable_plain_http";
+      "Warning: the 'cfe_cfengine_enterprise_enable_plain_http' class has been deprecated in favor of 'cfe_enterprise_disable_http_redirect_to_https', please adjust accordingly."
+        if => "cfe_cfengine_enterprise_enable_plain_http.!cfe_enterprise_disable_http_redirect_to_https";
+
 }
 
 bundle common inventory_control