Split id.fp.o and username.id.fp.o for TLS/h2 reasons. Start with staging

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2017-11-24 22:20:25 +00:00 · 2017-11-24 22:20:25 +00:00 · bc95beb269
commit bc95beb269
parent cc1795cec7
4 changed files with 40 additions and 16 deletions
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@ -161,6 +161,12 @@
    proxyurl: http://localhost:10020
    when: env == "staging"

+  - role: httpd/reverseproxy
+    website: username.id.stg.fedoraproject.org
+    destname: usernameid
+    proxyurl: http://localhost:10020
+    when: env == "staging"
+
  - role: httpd/reverseproxy
    website: id.stg.fedoraproject.org
    destname: 00-kdcproxy
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@ -667,6 +667,13 @@

  - role: httpd/website
    name: id.stg.fedoraproject.org
+    cert_name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
+    sslonly: true
+    when: env == "staging"
+
+  - role: httpd/website
+    name: username.id.stg.fedoraproject.org
    server_aliases:
    - "*.id.stg.fedoraproject.org"
    # Must not be sslonly, because example.id.fedoraproject.org must be reachable
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.id.conf
@ -7,31 +7,17 @@ RequestHeader set X-Forwarded-Proto https early
 # username.id.fedoraproject.org via plain HTTP 
 Header always add Strict-Transport-Security "max-age=15768000; preload" 

-
 RewriteEngine on

+{% if env == "production" %}
 RewriteMap lowercase int:tolower
-
-
-{% if env == "staging" %}
-RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
-{% else %}
 RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
-{% endif %}
-
-
 RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
-
-
-{% if env == "staging" %}
-RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
-{% else %}
 RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
-{% endif %}
-

 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
+{% endif %}


 RewriteRule ^(.+) - [PT]
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.usernameid.conf
@ -0,0 +1,25 @@
+RequestHeader unset Expect early
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+
+# Cannot redirect to HTTPS for *.id.fedoraproject.org or set 
+# "includeSubdomains", because relying parties need to be able to access 
+# username.id.fedoraproject.org via plain HTTP 
+
+RewriteEngine on
+
+RewriteMap lowercase int:tolower
+
+{% if env == "staging" %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.stg\.fedoraproject\.org$
+{% else %}
+RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z0-9-]+\.id\.fedoraproject\.org$
+{% endif %}
+
+RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
+
+{% if env == "staging" %}
+RewriteRule ^([a-z0-9-]+)\.id\.stg\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P,L]
+{% else %}
+RewriteRule ^([a-z0-9-]+)\.id\.fedoraproject\.org/.* {{proxyurl}}/openid/id/$1/ [P]
+{% endif %}