copr-anubis: loosen policies (go through defaults), allow essentials

roles/anubis/templates/policies.yaml.j2.copr-infrastructure

@@ -1,30 +1,85 @@
 ---
 bots:
 {% if copr_machine_type == "frontend" %}
-  - name: allow badges
-    action: ALLOW
-    path_regex: status_image/last_build.png$
+  # Machine/API endpoints - ALLOW without challenge
+  # These are used by dnf, copr-cli, webhooks, and internal services
 
-  # For yum-util-copr:
-  # /coprs/g/copr/copr-dev/repo/epel-9/
-  # For dnf-plugins-core (dnf4):
-  # /coprs/g/copr/copr-dev/repo/epel-9/group_copr-copr-dev-epel-9.repo
-  # DNF5 uses /api_3/.
-  - name: allow repos
+  # API api info
+  - name: allow-api
+    action: ALLOW
+    path_regex: ^/api
+
+  # Copr's API
+  - name: allow-api-v3
+    action: ALLOW
+    path_regex: ^/api_3
+
+  # Internal backend communication
+  - name: allow-backend
+    action: ALLOW
+    path_regex: ^/backend
+
+  # Webhooks from GitHub, GitLab, Pagure, etc.
+  - name: allow-webhooks
+    action: ALLOW
+    path_regex: ^/webhooks
+
+  # RSS feeds for feed readers
+  - name: allow-rss
+    action: ALLOW
+    path_regex: ^/rss
+
+  # Internal stats receiver
+  - name: allow-stats
+    action: ALLOW
+    path_regex: ^/stats_rcv
+
+  # Internal temp files
+  - name: allow-tmp
+    action: ALLOW
+    path_regex: ^/tmp
+
+  # Repo metadata for dnf/yum
+  - name: allow-repos
     action: ALLOW
     path_regex: /repo/
 
-  - name: coprs-web-ui
-    action: WEIGH
-    weight:
-      adjust: 20
-    path_regex: ^/coprs
+  # Build status badges
+  - name: allow-badges
+    action: ALLOW
+    path_regex: status_image/last_build.png$
+
+  # Trusted services - ALLOW by user-agent
+
+  # Packit - automated upstream/downstream sync
+  # https://packit.dev
+  - name: allow-packit
+    action: ALLOW
+    user_agent_regex: packit.dev/packit
+
+  # Web UI endpoints - protected (browsers get challenged)
+  # /coprs, /admin, /status, /recent, /explore, /batches, /groups, /user
+  # These are handled by default-config
+
 {% elif copr_machine_type == "distgit" %}
-  - name: packages
-    action: WEIGH
-    weight:
-      adjust: 20
-    path_regex: ^/packages
+  # Dist-git: Allow git operations, protect web UI
+
+  # Git clone/fetch operations (git clients)
+  - name: allow-git-operations
+    action: ALLOW
+    path_regex: ^/git
+
+  # cgit static files
+  - name: allow-cgit-static
+    action: ALLOW
+    path_regex: ^/cgit-data
+
+  # Per-task logs (accessed by backend)
+  - name: allow-logs
+    action: ALLOW
+    path_regex: ^/per-task-logs
+
+  # /packages (cgit web UI) - protected, handled by default-config
 {% endif %}
 
   - import: (data)/meta/default-config.yaml

roles/copr/dist_git/templates/ssl.conf.j2

@@ -33,13 +33,10 @@ SSLCryptoDevice builtin
     RequestHeader set X-Forwarded-Proto "https"
     RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
 
-    # /{{ cgit_uri }}/ goes through Anubis (configured with BASE_PREFIX=/{{ cgit_uri }})
-    ProxyPass /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
-    ProxyPassReverse /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
-
-    # Everything else goes directly to backend
-    ProxyPass / http://localhost:8345/
-    ProxyPassReverse / http://localhost:8345/
+    # All traffic goes through Anubis for bot protection.
+    # Policies control which endpoints are protected vs allowed in /etc/anubis/policies.yaml
+    ProxyPass / http://localhost:8987/
+    ProxyPassReverse / http://localhost:8987/
 
     <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars

roles/copr/frontend/templates/httpd/coprs.conf

@@ -85,13 +85,10 @@ WSGIApplicationGroup %{GLOBAL}
     ProxyRequests Off
     ProxyVia Off
 
-    # /coprs/ goes through Anubis (configured with BASE_PREFIX=/coprs)
-    ProxyPass /coprs/ http://127.0.0.1:8987/coprs/
-    ProxyPassReverse /coprs/ http://127.0.0.1:8987/coprs/
-
-    # Everything else goes directly to backend
-    ProxyPass / http://127.0.0.1:8345/
-    ProxyPassReverse / http://127.0.0.1:8345/
+    # All traffic goes through Anubis for bot protection.
+    # Policies control which endpoints are protected vs allowed in /etc/anubis/policies.yaml
+    ProxyPass / http://127.0.0.1:8987/
+    ProxyPassReverse / http://127.0.0.1:8987/
 </VirtualHost>