From 0302040f3c9dec91ec59c42eaf3c59894ebfc655 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Wed, 25 May 2022 17:29:37 -0700
Subject: [PATCH] proxies / reverseproxy / blockerbugs: have proxies return 421 for non iad2 access.

This is the fun firefox h2 connection reuse bug. blockerbugs is only in iad2, so if firefox tries to reuse a connection to another proxy for it, just send it a 421 so it knows thats bad on it.

Signed-off-by: Kevin Fenzi
---
.../reversepassproxy.blockerbugs.conf | 5 +++++
.../templates/reversepassproxy.fas3.conf | 3 ---
.../reversepassproxy.sticky-notes.conf | 20 -------------------
3 files changed, 5 insertions(+), 23 deletions(-)
create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf
delete mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.fas3.conf
delete mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.sticky-notes.conf

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf
new file mode 100644
index 0000000000..ee26261dfd
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.blockerbugs.conf
@@ -0,0 +1,5 @@
+{% if 'iad2' in inventory_hostname %}
+{% include "reversepassproxy.conf" %}
+{% else %}
+Redirect 421 /
+{% endif %}
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.fas3.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.fas3.conf
deleted file mode 100644
index 2b1e505a06..0000000000
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.fas3.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
-ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}}
-ProxyPreserveHost on
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.sticky-notes.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.sticky-notes.conf
deleted file mode 100644
index ada5bd3518..0000000000
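Review bot: `Redirect 421 /` in the `{% else %}` branch of reversepassproxy.blockerbugs.conf matches every path of whatever vhost this template is rendered into, whereas the other reverseproxy templates in this patch scope their directives with `{{ localpath }}`. If that vhost serves anything besides blockerbugs (the vhost layout is not visible here), non-iad2 proxies would answer 421 for those paths too, so `Redirect 421 {{ localpath }}` looks like the safer form. The condition `'iad2' in inventory_hostname` is a substring test on the host name and so depends on a naming convention; an explicit inventory group or datacenter variable, if the inventory defines one, would make the routing decision less fragile. A one-line Jinja comment such as `{# blockerbugs is only served from iad2; 421 tells HTTP/2 clients not to reuse this connection #}` would keep the reason in the template rather than only in the commit message.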
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.sticky-notes.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-
- require all denied
-
-
-{% if header_scheme %}
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Scheme https early
-RequestHeader set X-Forwarded-Proto https early
-
-{% endif %}
-{% if header_expect %}
-RequestHeader unset Expect early
-
-{% endif %}
-{% if keephost %}
-ProxyPreserveHost On
-{% endif %}
-
-ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
-ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}