Redirect for pkgs
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
parent
09b6991fa8
commit
8f24e63bcb
1 changed files with 7 additions and 52 deletions
|
@ -12,13 +12,17 @@ SSLRandomSeed startup file:/dev/urandom 256
|
||||||
SSLRandomSeed connect builtin
|
SSLRandomSeed connect builtin
|
||||||
SSLCryptoDevice builtin
|
SSLCryptoDevice builtin
|
||||||
|
|
||||||
# SSL host
|
<VirtualHost _default_:80>
|
||||||
|
ServerName pkgs.{{ env_suffix }}fedoraproject.org
|
||||||
|
Redirect "/" "https://src{{ env_suffix }}.fedoraprojet.org/"
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
<VirtualHost _default_:443>
|
<VirtualHost _default_:443>
|
||||||
# This alias must come before the /repo/ one to avoid being overridden.
|
# This alias must come before the /repo/ one to avoid being overridden.
|
||||||
ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi
|
ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi
|
||||||
|
|
||||||
Alias /repo/ /srv/cache/lookaside/
|
Alias /repo/ /srv/cache/lookaside/
|
||||||
ServerName pkgs.fedoraproject.org
|
ServerName pkgs{{ env_suffix }}.fedoraproject.org
|
||||||
ServerAdmin webmaster@fedoraproject.org
|
ServerAdmin webmaster@fedoraproject.org
|
||||||
|
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
@ -31,56 +35,7 @@ SSLCryptoDevice builtin
|
||||||
SSLProtocol {{ ssl_protocols }}
|
SSLProtocol {{ ssl_protocols }}
|
||||||
SSLCipherSuite {{ ssl_ciphers }}
|
SSLCipherSuite {{ ssl_ciphers }}
|
||||||
|
|
||||||
# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
|
Redirect "/" "https://src{{ env_suffix }}.fedoraprojet.org/"
|
||||||
SSLVerifyClient optional
|
|
||||||
# Must be here for POST operations to upload.cgi
|
|
||||||
SSLOptions +OptRenegotiate
|
|
||||||
ErrorLog logs/ssl_error_log
|
|
||||||
CustomLog logs/ssl_access_log \
|
|
||||||
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"
|
|
||||||
|
|
||||||
<Directory /repo/pkgs/>
|
|
||||||
SSLVerifyClient optional
|
|
||||||
SSLVerifyDepth 1
|
|
||||||
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
<Location /repo/pkgs/upload.cgi>
|
|
||||||
SSLRequireSSL
|
|
||||||
|
|
||||||
Options +ExecCGI
|
|
||||||
|
|
||||||
{% if env == "production" %}
|
|
||||||
SSLVerifyClient optional
|
|
||||||
SSLVerifyDepth 1
|
|
||||||
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
AuthType GSSAPI
|
|
||||||
GssapiSSLonly On
|
|
||||||
AuthName "GSSAPI Single Sign On Login"
|
|
||||||
GssapiCredStore keytab:/etc/httpd.keytab
|
|
||||||
|
|
||||||
{% if env == "production" %}
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
|
|
||||||
SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
|
|
||||||
|
|
||||||
<RequireAny>
|
|
||||||
<RequireAll>
|
|
||||||
Require env cert_s_o_valid
|
|
||||||
Require env cert_s_ou_valid
|
|
||||||
Require env cert_i_o_valid
|
|
||||||
Require env cert_i_ou_valid
|
|
||||||
</RequireAll>
|
|
||||||
Require valid-user
|
|
||||||
</RequireAny>
|
|
||||||
{% else %}
|
|
||||||
Require valid-user
|
|
||||||
{% endif %}
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
# Allow upload via src
|
# Allow upload via src
|
||||||
|
|
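Review bot: Both added `Redirect` lines (in the port-80 vhost and in the 443 vhost) point at `fedoraprojet.org`, missing the `c`, so every client of pkgs would be sent to a hostname outside the project's domain; the target should read `Redirect "/" "https://src{{ env_suffix }}.fedoraproject.org/"`. The port-80 `ServerName pkgs.{{ env_suffix }}fedoraproject.org` also places the suffix differently from the 443 vhost's `pkgs{{ env_suffix }}.fedoraproject.org` and presumably should match it. The `ScriptAlias` for upload.cgi stays in the 443 vhost while the `<Location>` block carrying its `Require` rules is removed; it appears to be shadowed by the `Redirect`, but deleting the alias would avoid depending on that ordering.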