From d79d6ca4879d7b5a63f7cae528ac327ca0977e8c Mon Sep 17 00:00:00 2001
From: Jiri Kyjovsky
Date: Wed, 7 Jan 2026 13:51:19 +0100
Subject: [PATCH] copr/anubis: fix configuration on frontend to protect only /coprs (same for distgit)
Anubis was accidentally enabled for all traffic (/) instead of just the /coprs/ web UI. This caused unnecessary bot challenges for API clients, dnf/yum, and other automated tools.
Use Anubis BASE_PREFIX to cleanly protect only specific endpoints:
- Frontend: /coprs/ (web UI)
- Dist-git: /{{ cgit_uri }}/ (package browser)
https://anubis.techaro.lol/docs/admin/installation#using-base-prefix
---
 inventory/group_vars/copr_dist_git_aws | 3 +++
 inventory/group_vars/copr_dist_git_dev_aws | 3 +++
 inventory/group_vars/copr_front_aws | 3 +++
 inventory/group_vars/copr_front_dev_aws | 3 +++
 roles/anubis/templates/default.env.j2 | 6 ++++++
 .../policies.yaml.j2.copr-infrastructure | 17 +++++++++--------
 roles/copr/dist_git/templates/default.env.j2 | 11 -----------
 roles/copr/dist_git/templates/policies.yaml.j2 | 9 ---------
 roles/copr/dist_git/templates/ssl.conf.j2 | 6 +++++-
 roles/copr/frontend/templates/httpd/coprs.conf | 9 +++++++--
 10 files changed, 39 insertions(+), 31 deletions(-)
 delete mode 100644 roles/copr/dist_git/templates/default.env.j2
 delete mode 100644 roles/copr/dist_git/templates/policies.yaml.j2
diff --git a/inventory/group_vars/copr_dist_git_aws b/inventory/group_vars/copr_dist_git_aws
index 0a90ee2dba..e6b730f4c6 100644
--- a/inventory/group_vars/copr_dist_git_aws
+++ b/inventory/group_vars/copr_dist_git_aws
@@ -1,6 +1,9 @@
 ---
 copr_machine_type: distgit
 
+# Anubis protects only /packages/ endpoint
+anubis_base_prefix: /packages
+
 freezes: false
 # consumed by roles/copr/certbot
 letsencrypt:
diff --git a/inventory/group_vars/copr_dist_git_dev_aws b/inventory/group_vars/copr_dist_git_dev_aws
index ffc4e5437c..1c420803da 100644
--- a/inventory/group_vars/copr_dist_git_dev_aws
+++ b/inventory/group_vars/copr_dist_git_dev_aws
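Review bot: `anubis_base_prefix: /packages` hardcodes a path that the dist-git Apache template in this same patch derives from `{{ cgit_uri }}` (and the policy template hardcodes `^/packages` a third time); if `cgit_uri` ever differs from `packages`, Apache proxies one prefix to Anubis while Anubis serves its BASE_PREFIX under another, and the challenge can never complete. Derive it instead: `anubis_base_prefix: "/{{ cgit_uri }}"` — assuming `cgit_uri` resolves for this group, which the dist_git role's ssl.conf.j2 already relies on. The same applies to copr_dist_git_dev_aws.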
@@ -1,6 +1,9 @@
 ---
 copr_machine_type: distgit
 
+# Anubis protects only /packages/ endpoint
+anubis_base_prefix: /packages
+
 devel: true
 freezes: false
 # consumed by roles/copr/certbot
diff --git a/inventory/group_vars/copr_front_aws b/inventory/group_vars/copr_front_aws
index f9e29f5545..bbde0207d2 100644
--- a/inventory/group_vars/copr_front_aws
+++ b/inventory/group_vars/copr_front_aws
@@ -2,6 +2,9 @@
 copr_machine_type: frontend
 copr_fe_homedir: /usr/share/copr/coprs_frontend
 
+
+# Anubis protects only /coprs/ endpoint
+anubis_base_prefix: /coprs
 copr_frontend_public_hostname: "copr.fedorainfracloud.org"
 copr_kerberos_auth_enabled: true
 copr_messaging_queue: "a9b74258-21c6-4e79-ba65-9e858dc84a2b"
diff --git a/inventory/group_vars/copr_front_dev_aws b/inventory/group_vars/copr_front_dev_aws
index afdd836455..5ee617b084 100644
--- a/inventory/group_vars/copr_front_dev_aws
+++ b/inventory/group_vars/copr_front_dev_aws
@@ -1,6 +1,9 @@
 ---
 copr_machine_type: frontend
 
+# Anubis protects only /coprs/ endpoint
+anubis_base_prefix: /coprs
+
 allowlist_emails:
 - msuchy@redhat.com
 - praiskup@redhat.com
diff --git a/roles/anubis/templates/default.env.j2 b/roles/anubis/templates/default.env.j2
index 690e02e184..55fa189aab 100644
--- a/roles/anubis/templates/default.env.j2
+++ b/roles/anubis/templates/default.env.j2
@@ -9,3 +9,9 @@ TARGET="http://127.0.0.1:8345"
 
 # Custom policies will live here once they are ready (package needs to be fixed)
 POLICY_FNAME=/etc/anubis/policies.yaml
+{% if anubis_base_prefix is defined %}
+
+# Protect only {{ anubis_base_prefix }} endpoint
+# https://anubis.techaro.lol/docs/admin/installation#using-base-prefix
+BASE_PREFIX={{ anubis_base_prefix }}
+{% endif %}
diff --git a/roles/anubis/templates/policies.yaml.j2.copr-infrastructure b/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
index a727b0e90d..cacb5f7c3d 100644
--- a/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
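Review bot: In copr_front_aws the added blank line lands above the new comment, so the stanza ends up with two blank lines before it and `anubis_base_prefix: /coprs` sits directly on top of `copr_frontend_public_hostname`, unlike the other three inventories in this patch, which put the blank line after the new key. Move the added blank line below `anubis_base_prefix: /coprs` so all four files read the same way.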
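Review bot: The `{% if anubis_base_prefix is defined %}` guard in default.env.j2 silently leaves BASE_PREFIX unset, while the copr vhosts in this patch proxy only that prefix to Anubis and send everything else straight to the backend; on a host where the variable is missing, Anubis's challenge endpoints — presumably served at the site root when no BASE_PREFIX is configured, confirm against the linked docs — would be routed past Anubis and every proxied request would fail its challenge. All four copr inventories set the variable, so the fallback is acceptable for other consumers of the role, but the coupling should be stated next to the guard: `# copr vhosts (roles/copr/*/templates) proxy only this prefix to Anubis; leaving it undefined on a copr host makes the challenge assets unreachable through Apache`.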
+++ b/roles/anubis/templates/policies.yaml.j2.copr-infrastructure
@@ -1,5 +1,6 @@
 ---
 bots:
+{% if copr_machine_type == "frontend" %}
 - name: allow badges
 action: ALLOW
 path_regex: status_image/last_build.png$
@@ -13,17 +14,17 @@ bots:
 action: ALLOW
 path_regex: /repo/
 
- - name: allow webhooks
- action: ALLOW
- path_regex: ^/webhooks/
-
- - name: all behind coprs
+ - name: coprs-web-ui
 action: WEIGH
 weight:
 adjust: 20
 path_regex: ^/coprs
+{% elif copr_machine_type == "distgit" %}
+ - name: packages
+ action: WEIGH
+ weight:
+ adjust: 20
+ path_regex: ^/packages
+{% endif %}
 
 - import: (data)/meta/default-config.yaml
-
-# Custom allowlist of API endpoint specified by each copr instance will live here
-# - import: /etc/anubis/endpoint-allowlist.yaml
diff --git a/roles/copr/dist_git/templates/default.env.j2 b/roles/copr/dist_git/templates/default.env.j2
deleted file mode 100644
index a3b16ffc30..0000000000
--- a/roles/copr/dist_git/templates/default.env.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# most of the configuration is done in the policy file
-# https://anubis.techaro.lol/docs/admin/installation
-
-# Anubis listens to this IP:PORT
-BIND="127.0.0.1:8987"
-
-# IP:PORT of the desired web app
-TARGET="http://127.0.0.1:8345"
-
-# Custom policies will live here once they are ready (package needs to be fixed)
-# POLICY_FNAME=/etc/anubis/policies.yaml
diff --git a/roles/copr/dist_git/templates/policies.yaml.j2 b/roles/copr/dist_git/templates/policies.yaml.j2
deleted file mode 100644
index c8aae19257..0000000000
--- a/roles/copr/dist_git/templates/policies.yaml.j2
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# if any custom bot policies are needed, they can be added here
-bots:
- # these are solid defaults from
- # https://github.com/TecharoHQ/anubis/blob/main/data/botPolicies.yaml
- - import: (data)/botPolicies.yaml
-
-# Custom allowlist of API endpoint specified by each copr instance will live here
-# - import: /etc/anubis/endpoint-allowlist.yaml
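Review bot: `path_regex: ^/coprs` and `^/packages` restate the prefix that `anubis_base_prefix` already carries for the same host, and because the Apache vhosts in this patch proxy only that prefix to Anubis, every request Anubis sees already starts with it — the WEIGH rule is effectively unconditional, which is fine if intended but should be said: `# all traffic reaching Anubis is under the proxied prefix, so this weight applies to everything`. It is also worth confirming that Anubis matches `path_regex` against the request path with BASE_PREFIX still attached; if the prefix is stripped before policy evaluation, neither anchor ever matches and the adjustment is dead. Using `path_regex: ^{{ anubis_base_prefix }}` (the value is a plain path, so no regex escaping is needed) would at least keep the three copies from drifting. The `bots:` list continues outside the hunk.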
diff --git a/roles/copr/dist_git/templates/ssl.conf.j2 b/roles/copr/dist_git/templates/ssl.conf.j2
index 8bc6075b19..bc53f4bdb7 100644
--- a/roles/copr/dist_git/templates/ssl.conf.j2
+++ b/roles/copr/dist_git/templates/ssl.conf.j2
@@ -33,10 +33,14 @@ SSLCryptoDevice builtin
 RequestHeader set X-Forwarded-Proto "https"
 RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
- # BIND port
+ # /{{ cgit_uri }}/ goes through Anubis (configured with BASE_PREFIX=/{{ cgit_uri }})
 ProxyPass /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
 ProxyPassReverse /{{ cgit_uri }}/ http://localhost:8987/{{ cgit_uri }}/
+ # Everything else goes directly to backend
+ ProxyPass / http://localhost:8345/
+ ProxyPassReverse / http://localhost:8345/
+
 SSLOptions +StdEnvVars
diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf
index 4053e47fe1..1893426826 100644
--- a/roles/copr/frontend/templates/httpd/coprs.conf
+++ b/roles/copr/frontend/templates/httpd/coprs.conf
@@ -85,8 +85,13 @@ WSGIApplicationGroup %{GLOBAL}
 ProxyRequests Off
 ProxyVia Off
- ProxyPass / http://127.0.0.1:8987/
- ProxyPassReverse / http://127.0.0.1:8987/
+ # /coprs/ goes through Anubis (configured with BASE_PREFIX=/coprs)
+ ProxyPass /coprs/ http://127.0.0.1:8987/coprs/
+ ProxyPassReverse /coprs/ http://127.0.0.1:8987/coprs/
+
+ # Everything else goes directly to backend
+ ProxyPass / http://127.0.0.1:8345/
+ ProxyPassReverse / http://127.0.0.1:8345/
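Review bot: `ProxyPass /{{ cgit_uri }}/` only matches paths that carry the trailing slash, so a request for the bare `/{{ cgit_uri }}` falls through to the new `ProxyPass /` catch-all and reaches the backend on :8345 without ever touching Anubis; the `/coprs/` rule in coprs.conf has the same gap. Either redirect the bare form to the slashed one (e.g. `RedirectMatch 301 ^/{{ cgit_uri }}$ /{{ cgit_uri }}/`, after checking it takes effect ahead of the proxy rules) or match the prefix without the slash, verifying mod_proxy's segment-boundary handling so `/{{ cgit_uri }}xyz` is not captured. The comment on the catch-all should also record that ordering is load-bearing, since ProxyPass is first-match: `# Must stay below the /{{ cgit_uri }}/ rule: ProxyPass is first-match, so a catch-all above it would bypass Anubis`. If this vhost also serves anything locally (Alias/ScriptAlias outside the hunk), those paths now need `ProxyPass /path !` exclusions above the catch-all as well.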