{% if rewrite %} RewriteEngine On RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301] {% endif %} {% if header_scheme %} RequestHeader set X-Forwarded-Scheme https early RequestHeader set X-Scheme https early RequestHeader set X-Forwarded-Proto https early {% endif %} {% if header_expect %} RequestHeader unset Expect early {% endif %} {% if keephost %} ProxyPreserveHost On {% endif %} # If you are a krb5 purist, please skip this. # This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks # while having an auth check on the proxies. # This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but # unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after # which the request will still fail (because pkgs will require auth). # What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses. # As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes # files to be uploaded twice. # However, I did not want to make the proxies send a plain HTTP header, since this means that whenever # someone gets into the local network, they could send their own request to the pkgs server, which will # then trust any username header (terrible idea, see CVE-2016-1000038). # So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client # sends on to pkgs, which will then *again* start a new GSSAPI security context and that way # authenticate the user on its own accord. # This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and* # pkgs will accept the GSSAPI security context. AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" GssapiCredStore keytab:/etc/pkgs.keytab Require valid-user {% if datacenter == 'iad2' %} ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} {% else %} Redirect 421 / {% endif %}