WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-04-13 23:40:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a1036116588e7ba16f2e028e9eb7745832df1614
fedora-infra_ansible/roles/httpd/reverseproxy/templates/reversepassproxy.git.conf
Patrick Uiterwijk bc3bbcb5c0 Also return 421 from non-phx2 proxies for src.fp.o 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2017-11-26 21:13:33 +00:00

51 lines
2.1 KiB
Plaintext
Raw Blame History

{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
{% endif %}
{% if header_expect %}
RequestHeader unset Expect early
{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}
# If you are a krb5 purist, please skip this.
# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
# while having an auth check on the proxies.
# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
# which the request will still fail (because pkgs will require auth).
# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
# files to be uploaded twice.
# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
# someone gets into the local network, they could send their own request to the pkgs server, which will
# then trust any username header (terrible idea, see CVE-2016-1000038).
# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
# authenticate the user on its own accord.
# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
# pkgs will accept the GSSAPI security context.
<Location /repo/pkgs/upload.cgi>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/pkgs.keytab
Require valid-user
</Location>
{% if 'phx2' in inventory_hostname %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
Reference in New Issue View Git Blame Copy Permalink