From b873aa0e4721846c9c776ccfbe07385a43f91830 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin@scrye.com>
Date: Wed, 3 Jun 2020 14:24:47 -0700
Subject: [PATCH] oci-registry: also allow cloudfront to access the registry
 directly

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
---
 .../templates/reversepassproxy.registry-generic.conf             | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
index e2878a8d78..dee27ee59a 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry-generic.conf
@@ -6,6 +6,7 @@ ProxyPreserveHost On
 
 {% if env == "production" %}
 RewriteCond %{HTTP:VIA} !cdn77
+RewriteCond %{HTTP:VIA} !cloudfront
 RewriteCond %{SERVER_NAME} !^registry-no-cdn\.fedoraproject.org$
 RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
 RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]