diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index 9e920eda64..31de8a4aa3 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -158,78 +158,41 @@ localpath: /accounts proxyurl: http://localhost:10004 - # Ipsilon is odd here -- it has an entry for both stg and prod. - role: httpd/reverseproxy - website: id.stg.fedoraproject.org - destname: os-id - balancer_name: app-os - targettype: openshift - keephost: true - tags: - - id.fedoraproject.org - when: env == "staging" - - - role: httpd/reverseproxy - website: username.id.stg.fedoraproject.org - destname: os-usernameid - balancer_name: app-os - targettype: openshift - keephost: true - tags: - - id.fedoraproject.org - when: env == "staging" - - - role: httpd/reverseproxy - website: id.stg.fedoraproject.org - destname: 00-kdcproxy - remotepath: /KdcProxy - localpath: /KdcProxy - proxyurl: http://localhost:10053 - tags: - - id.fedoraproject.org - when: env == "staging" - - - role: httpd/reverseproxy - website: id.stg.fedoraproject.org - destname: 00-ipa - remotepath: /ipa - localpath: /ipa - proxyurl: http://localhost:10061 - tags: - - id.fedoraproject.org - when: env == "staging" - - - role: httpd/reverseproxy - website: id.fedoraproject.org + website: "id{{ env_suffix }}.fedoraproject.org" destname: id - proxyurl: http://localhost:10020 + balancer_name: app-os + targettype: openshift + keephost: true tags: - id.fedoraproject.org - when: env != "staging" - role: httpd/reverseproxy - website: username.id.fedoraproject.org + website: "username.id{{ env_suffix }}.fedoraproject.org" destname: usernameid - proxyurl: http://localhost:10020 + balancer_name: app-os + targettype: openshift + keephost: true tags: - id.fedoraproject.org - when: env != "staging" - role: httpd/reverseproxy - website: id.fedoraproject.org + website: "id{{ env_suffix }}.fedoraproject.org" destname: 00-kdcproxy remotepath: /KdcProxy localpath: /KdcProxy proxyurl: http://localhost:10053 - when: env != "staging" + tags: + - id.fedoraproject.org - role: httpd/reverseproxy - website: id.fedoraproject.org + website: "id{{ env_suffix }}.fedoraproject.org" destname: 00-ipa 
remotepath: /ipa localpath: /ipa proxyurl: http://localhost:10061 - when: env != "staging" + tags: + - id.fedoraproject.org - role: httpd/reverseproxy website: apps.fedoraproject.org
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index a087b9bf09..d6d56d53a0 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -703,14 +703,12 @@ cert_name: wildcard-2017.fedorahosted.org - role: httpd/website - site_name: id.fedoraproject.org + site_name: "id{{ env_suffix }}.fedoraproject.org" sslonly: true cert_name: "{{wildcard_cert_name}}" - SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert stssubdomains: false tags: - id.fedoraproject.org - when: env == "production" - role: httpd/website site_name: username.id.fedoraproject.org
@@ -725,21 +723,13 @@ - id.fedoraproject.org when: env == "production" - - role: httpd/website - site_name: id.stg.fedoraproject.org - cert_name: "{{wildcard_cert_name}}" - SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert - sslonly: true - tags: - - id.fedoraproject.org - when: env == "staging" - - role: httpd/website site_name: username.id.stg.fedoraproject.org server_aliases: - "*.id.stg.fedoraproject.org" # Must not be sslonly, because example.id.fedoraproject.org must be reachable # via plain http for openid identity support + sslonly: false cert_name: "{{wildcard_cert_name}}" SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert tags:
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
deleted file mode 100644
index 115fed5d03..0000000000
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ /dev/null
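Review bot: The id and usernameid entries replace `proxyurl: http://localhost:10020` with `balancer_name: app-os` / `targettype: openshift` / `keephost: true`, and the same commit deletes `reversepassproxy.id.conf`, which was where `Header always add Strict-Transport-Security "max-age=31536000; preload"` and the `X-Forwarded-Proto https` / `X-Forwarded-Scheme https` request headers for this vhost were set. Unless the generic openshift template in httpd/reverseproxy emits equivalent headers (not visible in this diff), the id vhost loses HSTS and the upstream loses the forwarded-scheme hint, which should be confirmed before merging. The deleted usernameid template also lowercased the hostname and matched it against `^[a-z0-9-]+\.id\.fedoraproject\.org$` before proxying to `/openid/id/$1/`; with `keephost: true` the unfiltered Host header now reaches the application, so that validation has moved to the app side and is worth a comment above the usernameid entry. The new entries also drop their `when:` guards, so `env_suffix` must be defined (possibly empty) in every environment this playbook is run against.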
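Review bot: The templated id site drops `SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert` while keeping `cert_name: "{{wildcard_cert_name}}"`, yet the username.id.stg.fedoraproject.org entry in the next hunk keeps a hard-coded `SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert` with the same cert_name. If the httpd/website role still needs the chain file to serve a complete certificate chain, the id vhost will now present an incomplete chain in both environments; if the role derives the chain from cert_name, the remaining hard-coded stg entry is stale. Either way the two entries should agree; if the chain is still required, a templated value along the lines of `SSLCertificateChainFile: "wildcard-2017{{ env_suffix }}.fedoraproject.org.intermediate.cert"` (constructed from the two names visible here, assuming env_suffix is the `.stg` infix) would keep it environment-neutral. The `site_name: username.id.fedoraproject.org` entry at the end of this hunk continues past it.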
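Review bot: `sslonly: false` is added only to the username.id.stg.fedoraproject.org entry, while the production username.id.fedoraproject.org entry (its `when: env == "production"` is the context at the top of this hunk) is not shown receiving the same explicit key, and neither username entry is templated with `env_suffix` the way the id site now is. If the role's default for sslonly is true, only the staging vhost stays reachable over plain HTTP, although the comment above the key says example.id.fedoraproject.org, i.e. production, must be reachable that way for openid. Converting the entry to `site_name: "username.id{{ env_suffix }}.fedoraproject.org"` with `server_aliases: - "*.id{{ env_suffix }}.fedoraproject.org"` and dropping the per-environment copy would mirror the id change and keep `sslonly: false` in one place. The entry's closing lines, including its `when:`, lie outside the hunk.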
@@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early -
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set
-# "includeSubdomains", because relying parties need to be able to access
-# username.id.fedoraproject.org via plain HTTP
-Header always add Strict-Transport-Security "max-age=31536000; preload" -
-RewriteEngine on -
-RewriteRule ^(.+) - [PT] - - - # required for rewrite rule - Options +SymLinksIfOwnerMatch - RewriteEngine on - RewriteCond %{HTTPS} off - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} - - -
-ProxyPass {{localpath}} {{proxyurl}}{{remotepath}}
-ProxyPassReverse {{localpath}} {{proxyurl}}{{remotepath}} -
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
deleted file mode 100644
index 6a3845b6a6..0000000000
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-RequestHeader unset Expect early
-RequestHeader set X-Forwarded-Scheme https early
-RequestHeader set X-Forwarded-Proto https early -
-# Cannot redirect to HTTPS for *.id.fedoraproject.org or set
-# "includeSubdomains", because relying parties need to be able to access
-# username.id.fedoraproject.org via plain HTTP -
-RewriteEngine on -
-RewriteMap lowercase int:tolower -
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-{% else %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-{% endif %}
-RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C] -
-{% if env == "staging" %}
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
-{% else %}
-RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
-{% endif %}