copr-fe: enforce https everywhere except for repo files

- Drop WSGIPassAuthorization, no authorization on http://
- Drop 'WSGIProcessGroup repo' for port 80.  Repo consumers should go
  through https:// too (dnf-plugins-core's default) anyways.  So any
  repo-file traffic over plain http:// would be more visible in the
  port80 process group
- Add RewriteCond+RewriteRule config for the automatic redirect

Relates: https://pagure.io/copr/copr/issue/2100

roles/copr/frontend/templates/httpd/coprs.conf

@@ -24,25 +24,26 @@ WSGIApplicationGroup %{GLOBAL}
     ServerName {{ copr_frontend_public_hostname }}
     ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org
 
-    # We don't strictly enforce https (only HSTS) for python-processed content.
+    # Keep port 80 open for the .repo and certbot URLs
-    # This is still useful at least for *.repo URLs.  But, that's why we still
-    # configure port 80 here.
-    WSGIPassAuthorization On
     <Location />
         WSGIProcessGroup port80
     </Location>
-    <LocationMatch "/repo/">
+
-        WSGIProcessGroup repo
-    </LocationMatch>
     <Directory /usr/share/copr>
         Require all granted
     </Directory>
 
+    RewriteEngine on
+
 {% if letsencrypt is defined %}
     # For ansible.git roles/copr/certbot role.  Needs to run on port 80.
-    RewriteEngine on
     RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
 {% endif %}
+
+    # Redirect everything everything but repo files to https://
+    RewriteCond %{HTTPS} !on
+    RewriteCond %{REQUEST_URI} !/repo/
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
 </VirtualHost>
 
 <VirtualHost *:443>