theforeman · pablomh · May 4, 2026
diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml
@@ -13,6 +13,12 @@ httpd_threads_per_child: 16
 httpd_thread_limit: 64
 httpd_listen_backlog: 511
 
+# Registration admission control: maximum concurrent connections to Puma
+# for /rhsm and /register endpoints via an Apache balancer pool.
+# Set to 0 to disable. When enabled, requests beyond this limit are queued
+# by Apache instead of overwhelming Puma during registration bursts.
+httpd_registration_admission_max: 0
+
 # External authentication configuration
 httpd_external_authentication: "{{ external_authentication | default(None) }}"
 httpd_ipa_manage_sssd: true

diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -95,6 +95,15 @@
   ProxyPass /icons !
   ProxyPass /images !
   ProxyPass /server-status !
+{% if httpd_registration_admission_max | default(0) | int > 0 %}
+  <Proxy balancer://foreman-registration>
+      BalancerMember {{ httpd_foreman_backend }} retry=0 timeout=900 max={{ httpd_registration_admission_max }}
+  </Proxy>
+  ProxyPass /rhsm balancer://foreman-registration/rhsm
+  ProxyPassReverse /rhsm balancer://foreman-registration/rhsm
+  ProxyPass /register balancer://foreman-registration/register
+  ProxyPassReverse /register balancer://foreman-registration/register
+{% endif %}
   ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 

diff --git a/src/roles/httpd/templates/foreman-vhost.conf.j2 b/src/roles/httpd/templates/foreman-vhost.conf.j2
@@ -58,6 +58,15 @@
   ProxyPass /icons !
   ProxyPass /images !
   ProxyPass /server-status !
+{% if httpd_registration_admission_max | default(0) | int > 0 %}
+  <Proxy balancer://foreman-registration>
+      BalancerMember {{ httpd_foreman_backend }} retry=0 timeout=900 max={{ httpd_registration_admission_max }}
+  </Proxy>
+  ProxyPass /rhsm balancer://foreman-registration/rhsm
+  ProxyPassReverse /rhsm balancer://foreman-registration/rhsm
+  ProxyPass /register balancer://foreman-registration/register
+  ProxyPassReverse /register balancer://foreman-registration/register
+{% endif %}
   ProxyPass / {{ httpd_foreman_backend }}/ retry=0 timeout=900 upgrade=websocket
   ProxyPassReverse / {{ httpd_foreman_backend }}/
 

diff --git a/src/vars/tuning/extra-extra-large.yml b/src/vars/tuning/extra-extra-large.yml
@@ -4,6 +4,7 @@ min_ram_mb: 262144
 
 httpd_server_limit: 64
 httpd_max_request_workers: 1024
+httpd_registration_admission_max: 2400
 
 postgresql_max_connections: 1000
 postgresql_shared_buffers: 32GB

diff --git a/src/vars/tuning/extra-large.yml b/src/vars/tuning/extra-large.yml
@@ -4,6 +4,7 @@ min_ram_mb: 131072
 
 httpd_server_limit: 64
 httpd_max_request_workers: 1024
+httpd_registration_admission_max: 1200
 
 postgresql_max_connections: 1000
 postgresql_shared_buffers: 16GB

diff --git a/src/vars/tuning/large.yml b/src/vars/tuning/large.yml
@@ -4,6 +4,7 @@ min_ram_mb: 65536
 
 httpd_server_limit: 64
 httpd_max_request_workers: 1024
+httpd_registration_admission_max: 600
 
 postgresql_max_connections: 1000
 postgresql_shared_buffers: 8GB

diff --git a/src/vars/tuning/medium.yml b/src/vars/tuning/medium.yml
@@ -4,6 +4,7 @@ min_ram_mb: 32768
 
 httpd_server_limit: 64
 httpd_max_request_workers: 1024
+httpd_registration_admission_max: 300
 
 postgresql_max_connections: 1000
 postgresql_shared_buffers: 4GB