WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-04-26 03:23:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
42e930e97f22ca75a3e7fbbf6658d8d5efe27f2e
fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.conf
Kevin Fenzi 80ef5e47df proxies / reverseproxypass: try and only 421 ocp4 non iad2 proxies 
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-06-05 13:44:02 -07:00

86 lines
2.6 KiB
Plaintext
Raw Blame History

{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
{% if balancer_name is defined %}
# This is something that wants a apache balancer
{% if 'iad2' in inventory_hostname or not ocp4|bool %}
# This proxy is in iad2 and so we setup the balancer.
# Non iad2 proxies just send a 421 for this application to avoid firefox h2 reuse bug
SSLProxyEngine On
{% if targettype is defined and targettype == "openshift" %}
SSLProxyVerify require
SSLProxyCheckPeerName Off
{% if ocp4 and env == "production" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-prod.pem"
{% elif ocp4 and env == "staging" %}
SSLProxyCACertificateFile "/etc/haproxy/ocp-stg.pem"
{% else %}
SSLProxyCACertificateFile "/etc/haproxy/os-master.pem"
{% endif %}
{% endif %}
<Proxy "balancer://{{balancer_name}}-websocket">
{% for member in balancer_members %}
{% if http_not_https_yes_this_is_insecure_and_i_feel_bad %}
{% if remotepath is defined and remotepath != "/" %}
BalancerMember "ws://{{ member }}{{ remotepath }}"
{% else %}
BalancerMember "ws://{{ member }}"
{% endif %}
{% else %}
{% if remotepath is defined and remotepath != "/" %}
BalancerMember "wss://{{ member }}{{ remotepath }}"
{% else %}
BalancerMember "wss://{{ member }}"
{% endif %}
{% endif %}
{% endfor %}
</Proxy>
RewriteEngine on
RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
RewriteCond %{HTTP:Connection} Upgrade [NC]
{% if remotepath is defined and remotepath != "/" %}
RewriteCond %{REQUEST_URI} ^{{ remotepath }}/(.)*
{% endif %}
RewriteRule .* "balancer://{{ balancer_name }}-websocket%{REQUEST_URI}" [P]
<Proxy "balancer://{{balancer_name}}">
{% for member in balancer_members %}
{% if http_not_https_yes_this_is_insecure_and_i_feel_bad %}
BalancerMember "http://{{ member }}"
{% else %}
BalancerMember "https://{{ member }}"
{% endif %}
{% endfor %}
</Proxy>
ProxyPass {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
ProxyPassReverse {{ localpath }} "balancer://{{balancer_name}}{{remotepath}}"
{% elif ocp4|bool %}
# This is a non iad2 proxy and an app that only exists in iad2
# We do this to avoid a h2 connection reuse bug by firefox.
Redirect 421 /
{% endif %}
{% else %}
# This is an application that just goes to one url, not a balancer
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} {{ proxyopts }}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink