From 928cf866f4af748c75f4589dd4588dedbfaa30b5 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Tue, 22 Feb 2022 10:59:36 +0100
Subject: [PATCH] copr-fe: enforce https everywhere except for repo files
- Drop WSGIPassAuthorization, no authorization on http://
- Drop 'WSGIProcessGroup repo' for port 80. Repo consumers should go through https:// too (dnf-plugins-core's default) anyways. So any repo-file traffic over plain http:// would be more visible in the port80 process group
- Add RewriteCond+RewriteRule config for the automatic redirect
Relates: https://pagure.io/copr/copr/issue/2100
---
roles/copr/frontend/templates/httpd/coprs.conf | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/roles/copr/frontend/templates/httpd/coprs.conf b/roles/copr/frontend/templates/httpd/coprs.conf
index c159da3d09..d39d4ab2e3 100644
--- a/roles/copr/frontend/templates/httpd/coprs.conf
+++ b/roles/copr/frontend/templates/httpd/coprs.conf
@@ -24,25 +24,26 @@ WSGIApplicationGroup %{GLOBAL}
 ServerName {{ copr_frontend_public_hostname }}
 ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org
- # We don't strictly enforce https (only HSTS) for python-processed content.
- # This is still useful at least for *.repo URLs. But, that's why we still
- # configure port 80 here.
- WSGIPassAuthorization On
+ # Keep port 80 open for the .repo and certbot URLs
 WSGIProcessGroup port80
-
- WSGIProcessGroup repo
-
+ Require all granted
+ RewriteEngine on
+
 {% if letsencrypt is defined %}
 # For ansible.git roles/copr/certbot role. Needs to run on port 80.
- RewriteEngine on
 RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
 {% endif %}
+
+ # Redirect everything everything but repo files to https://
+ RewriteCond %{HTTPS} !on
+ RewriteCond %{REQUEST_URI} !/repo/
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
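Review bot: The exemption `RewriteCond %{REQUEST_URI} !/repo/` is an unanchored regex, so any request whose path contains `/repo/` anywhere stays on plain http, not only the .repo files the comment describes; if the intended paths are the `/coprs/<owner>/<project>/repo/...` URLs, say so in the comment or anchor the pattern accordingly, since with `WSGIPassAuthorization` dropped these are also the only requests that keep reaching the application unencrypted. The redirect target echoes the client-supplied `Host` header through `%{HTTP_HOST}` into the `Location` response; `ServerName` is already set for this vhost, so `RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]` avoids reflecting an arbitrary host and makes the redirect permanent (an absolute-URL substitution with bare `[L]` yields a temporary 302). The new comment has a doubled word: `# Redirect everything but repo files to https://`. The enclosing block's closing lines are not visible in this hunk, so whether the rewrite directives sit in server or per-directory context (which affects how `[L]` behaves) cannot be confirmed here.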