fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
Patrick Uiterwijk 7d179ed9dc Merge patch to enable HSTS on id.fp.o. #4991
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2015-12-01 21:34:46 +00:00


# Reverse-proxy fragment for the id.fedoraproject.org identity service,
# rendered from a Jinja2 template. In order, it: normalises request headers,
# sends HSTS, maps username subdomains onto the backend's OpenID identity
# path, redirects other plain-HTTP requests to HTTPS, and proxies localpath
# to the backend. The mod_rewrite rules below are order-dependent.

# Remove the client's Expect header before the request is processed further.
RequestHeader unset Expect early
# "set" replaces any client-supplied value, so these two headers cannot be
# spoofed from outside. They are set to "https" unconditionally, though.
# NOTE(review): username subdomains are reachable over plain HTTP (see the
# comment below), so the backend presumably sees "https" for those requests
# too - confirm it does not use these headers for security decisions such as
# marking cookies Secure or building absolute URLs.
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Forwarded-Proto https early
# Cannot redirect to HTTPS for *.id.fedoraproject.org or set
# "includeSubdomains", because relying parties need to be able to access
# username.id.fedoraproject.org via plain HTTP
#
# max-age=15768000 is 182.5 days. "always" also attaches the header to error
# responses. Browsers ignore HSTS received over plain HTTP, so it only takes
# effect on HTTPS responses.
# NOTE(review): the "preload" token has no effect by itself; the preload list
# (hstspreload.org) requires includeSubDomains, which is deliberately omitted
# here, so this host is presumably not eligible for preloading.
# NOTE(review): "add" appends rather than replaces, so a backend that also
# sends this header would produce duplicates - "set" would avoid that.
# NOTE(review): there is no host condition on this header, so it presumably
# also goes out on HTTPS responses for username subdomains - confirm that is
# intended.
Header always add Strict-Transport-Security "max-age=15768000; preload"
RewriteEngine on
# Built-in mod_rewrite map that lower-cases its argument.
RewriteMap lowercase int:tolower
# Username subdomains: when the lower-cased server name is exactly one label
# of [a-z0-9-] in front of the id domain, prepend that server name to the URL
# path so the chained rule ([C]) can match host and path together.
# SERVER_NAME may be derived from the client's Host header depending on
# UseCanonicalName; the anchored pattern is what constrains it here.
{% if env == "staging" %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
{% else %}
RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
{% endif %}
RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
# Proxy ([P]) the request to <proxyurl>/openid/id/<label>/ on the backend.
# Only the captured label ($1) is forwarded; the original request path is
# discarded. Because $1 is limited to [a-z0-9-]+, no slash, dot or percent
# sequence taken from the host name can reach the backend path.
# The staging branch uses [P,L] and production [P]; the mod_rewrite
# documentation states that [P] implies [L], so the two should behave alike.
{% if env == "staging" %}
RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
{% else %}
RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
{% endif %}
# Every other request that arrived without TLS is sent to the same host and
# URI over HTTPS.
# NOTE(review): there is no [R] flag; this presumably still yields an external
# redirect because the target scheme differs from the request's, with the
# default temporary status - an explicit [R=301,L] would make the intent
# unambiguous. TODO confirm.
# NOTE(review): HTTP_HOST is the client-supplied Host header and is echoed
# into the redirect target. Confirm the enclosing virtual host only answers
# for the expected names, or build the target from a fixed host name.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
# No substitution ("-"); [PT] hands the unchanged URL on to later URL mapping,
# presumably so the ProxyPass at the end of this file applies.
RewriteRule ^(.+) - [PT]
<Location /login>
# required for rewrite rule
Options +SymLinksIfOwnerMatch
# Redirect plain-HTTP requests for /login to HTTPS so credentials are not
# submitted in clear text.
# NOTE(review): this looks redundant with the server-level redirect above for
# non-subdomain hosts, and the Apache documentation describes RewriteRule
# inside Location sections as unsupported - confirm this block is still needed
# and still takes effect.
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</Location>
# Map localpath onto the backend (proxyurl + remotepath). ProxyPassReverse
# rewrites redirect headers coming back from the backend so clients are not
# pointed at the internal URL. All three values come from Ansible variables
# that are not visible in this template.
ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}