Deploy httpd config to prevent varnish attacks

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>

roles/httpd/website/tasks/main.yml

@@ -52,6 +52,20 @@
   - httpd
   - httpd/website
 
+- name: Copy over varnish workaround for {{name}}
+  template: >
+    src=blockchunked.conf
+    dest=/etc/httpd/conf.d/{{name}}/blockchunked.conf
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - httpd
+  - httpd/website
+  - security/workaround
+
 - name: And lastly, the robots.txt file
   copy: >
     src={{item}}

roles/httpd/website/templates/blockchunked.conf

@@ -0,0 +1,4 @@
+# Workaround for https://www.varnish-cache.org/lists/pipermail/varnish-announce/2017-August/000722.html
+<If "%{HTTP:Transfer-Encoding} == 'chunked'">
+    Require all denied
+</If>