From 6efc88cff55eca1461e295a37d0cce5998001cb2 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Tue, 22 Jan 2019 11:52:25 +0100
Subject: [PATCH] disallow /summary and /refs via Cloudfront

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
 roles/fedora-web/ostree/files/ostree.conf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/fedora-web/ostree/files/ostree.conf b/roles/fedora-web/ostree/files/ostree.conf
index 3cfd248ff6..2c9a1091ae 100644
--- a/roles/fedora-web/ostree/files/ostree.conf
+++ b/roles/fedora-web/ostree/files/ostree.conf
@@ -1,4 +1,11 @@
 DocumentRoot /srv/web/ostree
 
 RewriteEngine On
+
 RewriteRule "^/objects/([a-f0-9]{2})/([a-f0-9]{62})\.commitmeta$" https://d1gglb5celp6et.cloudfront.net/objects/$1/$2.commitmeta
+
+RewriteCond %{HTTP:X-Amz-Cf-Id} ^$
+RewriteRule ^/summary - [F]
+
+RewriteCond %{HTTP:X-Amz-Cf-Id} ^$
+RewriteRule ^/refs - [F]