WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-03-31 17:31:36 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
99eab71b2ebd689ee467fb89e3f63ef5cc8c2a5e
fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.git.conf
Kevin Fenzi 7984b46eb7 The great phx2 pruning run (1st cut). 
Since we no longer have any machines in phx2, I have tried to remove
them from ansible. Note that there are still some places where we need
to remove them still: nagios, dhcp, named were not touched, and in cases
where it wasn't pretty clear what a conditional was doing I left it to
be cleaned up later.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-06-14 14:14:31 -07:00

51 lines
2.1 KiB
Plaintext
Raw Blame History

{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
# If you are a krb5 purist, please skip this.
# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
# while having an auth check on the proxies.
# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
# which the request will still fail (because pkgs will require auth).
# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
# files to be uploaded twice.
# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
# someone gets into the local network, they could send their own request to the pkgs server, which will
# then trust any username header (terrible idea, see CVE-2016-1000038).
# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
# authenticate the user on its own accord.
# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
# pkgs will accept the GSSAPI security context.
<Location /repo/pkgs/upload.cgi>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/pkgs.keytab
Require valid-user
</Location>
{% if datacenter == 'iad2' %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
Reference in New Issue View Git Blame Copy Permalink