From bc95beb2695fc7ab26bd81e10ec56ddeb16bc7a9 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Fri, 24 Nov 2017 22:20:25 +0000
Subject: [PATCH] Split id.fp.o and username.id.fp.o for TLS/h2 reasons.

Start with staging

Signed-off-by: Patrick Uiterwijk
---
 playbooks/include/proxies-reverseproxy.yml | 6 +++++
 playbooks/include/proxies-websites.yml | 7 ++++++
 .../templates/reversepassproxy.id.conf | 18 ++-----------
 .../reversepassproxy.usernameid.conf | 25 +++++++++++++++++++
 4 files changed, 40 insertions(+), 16 deletions(-)
 create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf

diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index e93429c464..be88cbbe93 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -161,6 +161,12 @@
 proxyurl: http://localhost:10020
 when: env == "staging"
+ - role: httpd/reverseproxy
+ website: username.id.stg.fedoraproject.org
+ destname: usernameid
+ proxyurl: http://localhost:10020
+ when: env == "staging"
+
 - role: httpd/reverseproxy
 website: id.stg.fedoraproject.org
 destname: 00-kdcproxy
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index e5667f8496..01c7306a12 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -667,6 +667,13 @@
 - role: httpd/website
 name: id.stg.fedoraproject.org
+ cert_name: "{{wildcard_cert_name}}"
+ SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
+ sslonly: true
+ when: env == "staging"
+
+ - role: httpd/website
+ name: username.id.stg.fedoraproject.org
 server_aliases:
 - "*.id.stg.fedoraproject.org"
 # Must not be sslonly, because example.id.fedoraproject.org must be reachable
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
index c453cb5358..987076c881 100644
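Review bot: In the proxies-websites.yml hunk, `SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert` hard-codes the 2017 chain file while `cert_name` on the line above is taken from `{{wildcard_cert_name}}`, so a future rotation that only changes the variable may leave id.stg serving the old intermediate; the chain file should come from a variable maintained alongside `wildcard_cert_name` or be derived from it. The `server_aliases: *.id.stg.fedoraproject.org` entry now belongs to the new `username.id.stg.fedoraproject.org` vhost, whose certificate settings lie below the hunk, so it is worth confirming that vhost is given a certificate covering `*.id.stg.fedoraproject.org` or TLS to per-user identity URLs will fail — presumably the "TLS/h2 reasons" the title refers to. The `# Must not be sslonly` comment now attaches to the username vhost, which is where it applies, while the id.stg entry above it switches to `sslonly: true`; anything that still expects plain-HTTP `id.stg.fedoraproject.org` would be affected by that. Both role entries continue outside the hunk.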
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@@ -7,31 +7,17 @@ RequestHeader set X-Forwarded-Proto https early
 # username.id.fedoraproject.org via plain HTTP
 Header always add Strict-Transport-Security "max-age=15768000; preload"
-
 RewriteEngine on
+{% if env == "production" %}
 RewriteMap lowercase int:tolower
-
-
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-{% else %}
 RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-{% endif %}
-
-
 RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-
-
-{% if env == "staging" %}
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
-{% else %}
 RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
-{% endif %}
-
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
+{% endif %}
 RewriteRule ^(.+) - [PT]
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
new file mode 100644
index 0000000000..6a3845b6a6
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
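Review bot: The new guard `{% if env == "production" %}` is only the complement of the playbooks' `when: env == "staging"` if those are the only two values `env` takes; any other environment would get neither the username-subdomain rewrite here nor the new `usernameid` vhost, so `{% if env != "staging" %}` would track the playbook gate exactly and keep the pre-split behaviour wherever the new vhost is not deployed. The comment block that ends at `# username.id.fedoraproject.org via plain HTTP` (its first two lines are above the hunk) still explains why this vhost cannot redirect to HTTPS, but after this change that reasoning holds only inside the production block; a line such as `# Staging serves the per-user subdomains from reversepassproxy.usernameid.conf; the block below stays for production until it is split the same way.` would save the next reader from looking for a missing rewrite. Making the `RewriteCond %{HTTPS} off` redirect production-only is consistent with `sslonly: true` being set on the id.stg website in the same commit. Not introduced here, but since the `Strict-Transport-Security` header stays unconditional: the `preload` token has no effect in browsers on its own and the preload list requires `includeSubDomains`, which the comment says cannot be set, so the token is inert as written.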
@@ -0,0 +1,25 @@
+RequestHeader unset Expect early
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+
+# Cannot redirect to HTTPS for *.id.fedoraproject.org or set
+# "includeSubdomains", because relying parties need to be able to access
+# username.id.fedoraproject.org via plain HTTP
+
+RewriteEngine on
+
+RewriteMap lowercase int:tolower
+
+{% if env == "staging" %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
+{% else %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
+{% endif %}
+
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+
+{% if env == "staging" %}
+RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
+{% else %}
+RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
+{% endif %}
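Review bot: The new template has no terminal rule for hosts that do not satisfy the `RewriteCond` — the `*.id.stg.fedoraproject.org` alias also admits names the `^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$` pattern rejects, such as a multi-label subdomain — and unlike reversepassproxy.id.conf there is no closing `RewriteRule ^(.+) - [PT]`, so what such a request receives is decided by whatever else the vhost contains rather than by this file; an explicit last rule that passes through or denies would make the intended handling visible here. The comment header copied from id.conf refers to `"includeSubdomains"`, but this template sets no Strict-Transport-Security header and no HTTPS redirect, so a shorter comment fits the file: `# No HTTPS redirect and no HSTS here: relying parties must be able to reach username.id.fedoraproject.org over plain HTTP`. The staging and production branches differ only in `[P,L]` versus `[P]`; mod_rewrite's P flag already implies L, so giving both branches the same flags leaves `.stg` as the only difference and makes the conditional easier to audit.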