From 14ea88dd852359e581b01925d07c56aafcc98729 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sat, 13 Apr 2019 21:15:41 +0200
Subject: [PATCH] Add Zanata id.fp.o TLSv1 workaround
Signed-off-by: Patrick Uiterwijk
---
 files/httpd/website_id_fp_o_zanata.conf | 29 +++++++++++++++++++++++++
 playbooks/groups/proxies.yml | 11 ++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 files/httpd/website_id_fp_o_zanata.conf
diff --git a/files/httpd/website_id_fp_o_zanata.conf b/files/httpd/website_id_fp_o_zanata.conf
new file mode 100644
index 0000000000..f2c9322b39
--- /dev/null
+++ b/files/httpd/website_id_fp_o_zanata.conf
@@ -0,0 +1,29 @@
+# This is an HTTP config purely for Zanata, which mirrors id.fp.o
+# They run on old Java, which means that they do not support TLSv1.2, so let's
+# give them TLSv1.0 as well.
+# On how this works, look at the proxies' iptables: they will have a rule that
+# forwards a limited set of IP addresses' 443/tcp to 44342/tcp.
+Listen 44342 https
+
+ ServerName id.fedoraproject.org
+ ServerAdmin webmaster@fedoraproject.org
+
+ RequestHeader unset X-Forwarded-For
+
+ Protocols h2 http/1.1
+
+ SSLEngine on
+ SSLUseStapling on
+ SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
+ SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
+ SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
+
+ SSLHonorCipherOrder On
+
+ SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+ Header always add Strict-Transport-Security "max-age=31536000; preload"
+ Include "conf.d/id.fedoraproject.org/*.conf"
+
+
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index a5a716644b..606fab19d1 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
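Review bot: The downgraded protocol set in `SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2` is served to anything that can connect to port 44342, because `Listen 44342 https` binds on every address and the only restriction mentioned is an iptables rule on the proxies that this file neither carries nor checks. A defence-in-depth guard inside the vhost, such as a `<Location />` block with `Require ip <ZANATA_SOURCE_IPS — placeholder>`, would keep the weakened listener from answering other clients if that rule is absent or the port is ever opened, and a comment naming where the iptables rule is managed would help the next reader find it. `-all` also drops TLSv1.3, so modern clients on this port are capped at TLSv1.2; if that is intentional it deserves a comment, otherwise `+TLSv1.3` could be added where the httpd/OpenSSL build supports it. The two bare `+` lines at the seventh and last positions of the hunk appear to be the vhost container lines whose angle-bracket tags were lost in rendering, so the block boundaries cannot be checked from here.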
@@ -128,6 +128,17 @@
 notify:
 - reload proxyhttpd
 
+ # This really doesn't belong here, but it really shouldn't be needed to begin
+ # with. See the comments in the file as to why this exists.
+ - copy:
+ src="{{ files }}/httpd/website_id_fp_o_zanata.conf"
+ dest=/etc/httpd/conf.d/id.fedoraproject.org.zanata.conf
+ notify:
+ - reload apache
+ tags:
+ - config
+ - apache
+
 #
 # If this is an initial deployment, make sure docs are synced over.
 # Do not count these as changed ever
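Review bot: The new copy task notifies `reload apache` while the task just above it in the context lines notifies `reload proxyhttpd`; if this play only defines the latter handler, the Zanata config would be written but httpd never reloaded, so the handler name should be checked against the play's handlers and made consistent with its neighbour. The task also has no `when:` condition, so the weakened-TLS listener config lands on every host in the play rather than only on the proxies that carry the port-44342 iptables rule the file's own comments rely on; a condition keyed to those hosts, or a note that every proxy intentionally gets it, would make the scope explicit. The comment "See the comments in the file" could name the file's path in the role to save the reader a search. The surrounding task list starts and ends outside this hunk.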