From e7cf461e0cbd0d02297a83344b6d2117fcd3bceb Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 17 Apr 2018 21:51:10 +0200
Subject: [PATCH] Deploy 'brokenostreekojipkgs' to avoid https (and thus http/2) for ostree

Signed-off-by: Patrick Uiterwijk
---
 playbooks/include/proxies-reverseproxy.yml | 8 ++++
 playbooks/include/proxies-websites.yml | 5 +++
 ...reversepassproxy.brokenostreekojipkgs.conf | 44 +++++++++++++++++++
 .../templates/reversepassproxy.kojipkgs.conf | 8 ++++
 4 files changed, 65 insertions(+)
 create mode 100644 roles/httpd/reverseproxy/templates/reversepassproxy.brokenostreekojipkgs.conf

diff --git a/playbooks/include/proxies-reverseproxy.yml b/playbooks/include/proxies-reverseproxy.yml
index a1b1ed5b51..b5e1836376 100644
--- a/playbooks/include/proxies-reverseproxy.yml
+++ b/playbooks/include/proxies-reverseproxy.yml
@@ -627,6 +627,14 @@
 proxyurl: http://localhost:10062
 keephost: true
 
+ # Nuke after F28 GA.
+ # See roles/httpd/reverseproxy/reversepassproxy.brokenostreekojipkgs.conf
+ - role: httpd/reverseproxy
+ website: brokenostreekojipkgs.fedoraproject.org
+ destname: brokenostreekojipkgs
+ proxyurl: http://localhost:10062
+ keephost: true
+
 - role: httpd/reverseproxy
 website: os.fedoraproject.org
 destname: os
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 66f9437d66..9b187ab81b 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -523,6 +523,11 @@
 - kojipkgs02.fedoraproject.org
 cert_name: "{{wildcard_cert_name}}"
 
+ - role: httpd/website
+ site_name: brokenostreekojipkgs.fedoraproject.org
+ ssl: false
+ sslonly: false
+
 - role: httpd/website
 site_name: apps.fedoraproject.org
 server_aliases: [apps.stg.fedoraproject.org]
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.brokenostreekojipkgs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.brokenostreekojipkgs.conf
new file mode 100644
index 0000000000..4285046f42
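Review bot: The pointer in the comment added by the proxies-reverseproxy.yml hunk names a path this commit does not create: the template is added under `roles/httpd/reverseproxy/templates/`, so the line should read `# See roles/httpd/reverseproxy/templates/reversepassproxy.brokenostreekojipkgs.conf`. Because the entry is meant to be temporary, the comment could also say why it exists, e.g. `# Plain-HTTP endpoint for F27 ostree clients that fail over HTTP/2`, so that removing it later does not depend on someone opening the template. The role list continues outside the hunk.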
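Review bot: The `httpd/website` entry added in the proxies-websites.yml hunk turns TLS off with `ssl: false` and `sslonly: false` but, unlike the matching reverseproxy entry, carries no comment saying that this is deliberate or when it goes away. A later audit for non-TLS virtual hosts will find it with no context; a comment such as `# Intentionally HTTP-only for broken F27 ostree clients; nuke after F28 GA.` above `- role: httpd/website` would cover it. What the role does by default when `cert_name` is absent is not visible here and is worth confirming for an HTTP-only site.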
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.brokenostreekojipkgs.conf
@@ -0,0 +1,44 @@
+{% if rewrite %}
+RewriteEngine On
+RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
+
+{% endif %}
+{% if header_scheme %}
+RequestHeader set X-Forwarded-Scheme https early
+RequestHeader set X-Scheme https early
+RequestHeader set X-Forwarded-Proto https early
+
+{% endif %}
+{% if header_expect %}
+RequestHeader unset Expect early
+
+{% endif %}
+{% if keephost %}
+ProxyPreserveHost On
+{% endif %}
+
+# This is to deal with a broken ostree (actually libcurl) that doesn't work well with ostree
+# The only remaining image with this bug is F27 Fedora Atomic Workstation
+# Can be nuked after F28 GA
+RewriteEngine On
+RewriteCond %{HTTP_USER_AGENT} !^ostree\ $
+RewriteRule ^(.*)$ https://kojipkgs.fedoraproject.org/$1 [L,R=302]
+
+
+{% if 'phx2' in inventory_hostname %}
+
+{% if balancer_name is defined %}
+
+ {% for member in balancer_members %}
+ BalancerMember "{{ member }}/{{remotepath}}"
+ {% endfor %}
+
+ProxyPass {{ localpath }} "balancer://{{balancer_name}}"
+{% else %}
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+{% endif %}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
+
+{% else %}
+Redirect 421 /
+{% endif %}
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
index e7d258a722..4b1b49eca4 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
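Review bot: The User-Agent gate in the new reversepassproxy.brokenostreekojipkgs.conf covers every path, not only the ostree repo: a request whose agent string matches `^ostree\ $` skips the redirect and is proxied to the backend over plain HTTP whatever it asks for, and that header is chosen by the client. Limiting the exception to the repo keeps the cleartext surface to what the workaround needs, e.g. `RewriteCond %{REQUEST_URI} !^/atomic/repo/ [OR]` placed before the existing `RewriteCond`. If this file is included in virtual-host context, the path matched by `^(.*)$` already starts with `/`, so the target `https://kojipkgs.fedoraproject.org/$1` probably yields a double slash; `^/(.*)$` avoids that. The `header_scheme` block copied from the kojipkgs template would tell the backend the request arrived over https, which is not true on this host, so it should stay unset for this destname or be dropped from the file.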
@@ -17,6 +17,14 @@ RequestHeader unset Expect early
 ProxyPreserveHost On
 {% endif %}
 
+# This is to deal with a broken ostree (actually libcurl) that doesn't work well with ostree
+# The only remaining image with this bug is F27 Fedora Atomic Workstation
+# Can be nuked after F28 GA
+RewriteEngine On
+RewriteCond %{HTTP_USER_AGENT} ^ostree\ $
+RewriteRule ^/atomic/repo/(.*)$ http://brokenostreekojipkgs.fedoraproject.org/atomic/repo/$1 [L,R=302]
+
+
 {% if 'phx2' in inventory_hostname %}
 
 {% if balancer_name is defined %}
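Review bot: The added `RewriteRule` moves matching clients from the HTTPS site to `http://brokenostreekojipkgs.fedoraproject.org/`, so for them the repo content loses transport integrity and what remains is ostree's own signature checking, which nothing in this commit shows to be enabled on the affected remotes. The comment above the rule should state that assumption once it is confirmed, for example `# Plain HTTP is acceptable only because the F27 remote verifies GPG-signed commits`. The first comment line also says the bug "doesn't work well with ostree", where the subject line suggests HTTP/2 was meant. The template continues outside the hunk.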