WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-03-20 12:07:34 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6706723eea466bc9ffedc00a2fc86a0797279113
fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.git.conf
Michal Konecny 66ea3d1769 [httpd] Re-enable history endpoint on src.fp.o 
See https://pagure.io/fedora-infrastructure/issue/13011 for more info.

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2026-01-07 09:01:48 +00:00

75 lines
2.9 KiB
Plaintext
Raw Blame History

{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
#
# block some DDOS against forks.
# Unfortunately, this can block legit access as well
# So best to be narrow.
#
# we want to block the request(s) and also block things
# with the referer of that request
#
# You can run something like:
# grep /fork/ /var/log/httpd/src.fedoraproject.org-access.log | grep -v static | awk '{print $7}' | awk -F\/ '{print $1 " " $2 " " $3 " " $4 " " $5}' | sort | uniq -c | sort -nr | head -3
# on proxy01/10 to see the top list of fork requests.
#
RewriteEngine On
# example block of a particular fork
#RewriteCond %{REQUEST_URI} ^/fork/vmojzis/rpms/selinux-policy.*$
#RewriteRule .* - [F]
#RewriteCond %{HTTP_REFERER} .*/fork//vmojzis/rpms/selinux-policy.*$
#RewriteRule .* - [F]
# disable blame and history links because the scrapers hit them too hard
RewriteCond %{REQUEST_URI} ^/rpms/.*/blame/.*$
RewriteRule .* - [F]
# If you are a krb5 purist, please skip this.
# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
# while having an auth check on the proxies.
# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
# which the request will still fail (because pkgs will require auth).
# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
# files to be uploaded twice.
# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
# someone gets into the local network, they could send their own request to the pkgs server, which will
# then trust any username header (terrible idea, see CVE-2016-1000038).
# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
# authenticate the user on its own accord.
# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
# pkgs will accept the GSSAPI security context.
<Location /repo/pkgs/upload.cgi>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/pkgs.keytab
Require valid-user
</Location>
{% if datacenter == 'rdu3' %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
Reference in New Issue View Git Blame Copy Permalink