WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-05-01 05:51:56 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5f2be1fc4ecc1cd4e97797b2fd6ebe093aa387ff
fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.git.conf
Kevin Fenzi d5e1fa08f2 proxies: drop some requests that use referrer of some forks 
there's about... 7million hits a day from sites passing a referrer
of forks/kernel or forks/firefox where they are fetching static content
over and over and over. This may be because before they were blocked
from the forks themselves they were also downloading the js and static
content, and now they are just too dumb to see the 403 and still
want to fetch the old static content. Fortunately, they send a
referrer we can match on.

So, this should cut load another chunk.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-10-15 13:53:28 -07:00

62 lines
2.3 KiB
Plaintext
Raw Blame History

{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/fork/.*/rpms/kernel.*$
RewriteRule .* - [F]
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^/fork/.*/rpms/kernel.*$
RewriteRule .* - [F]
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^/fork/.*/rpms/firefox.*$
RewriteRule .* - [F]
# If you are a krb5 purist, please skip this.
# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
# while having an auth check on the proxies.
# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
# which the request will still fail (because pkgs will require auth).
# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
# files to be uploaded twice.
# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
# someone gets into the local network, they could send their own request to the pkgs server, which will
# then trust any username header (terrible idea, see CVE-2016-1000038).
# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
# authenticate the user on its own accord.
# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
# pkgs will accept the GSSAPI security context.
<Location /repo/pkgs/upload.cgi>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/pkgs.keytab
Require valid-user
</Location>
{% if datacenter == 'rdu3' %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
Reference in New Issue View Git Blame Copy Permalink