From f10ce98e0f19a68b5d886038a115b6ede6dcccb9 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Wed, 30 Jan 2019 20:17:06 +0100
Subject: [PATCH] Disallow cloudfront from accessing ostree refs and summray

Signed-off-by: Patrick Uiterwijk
---
 .../templates/reversepassproxy.kojipkgs.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
index c47da108d2..aededdb6cc 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.kojipkgs.conf
@@ -1,5 +1,18 @@
 {% if rewrite %}
 RewriteEngine On
+
+# Make sure that CloudFront does not cache ostree summary or refs files.
+# These should always be requested directly from Fedora, so any user directly
+# hitting a cloudfront setup should update their configuration.
+RewriteCond %{HTTP:X-Amz-Cf-Id} !^$
+RewriteRule ^/atomic/repo/summary - [F]
+RewriteCond %{HTTP:X-Amz-Cf-Id} !^$
+RewriteRule ^/atomic/repo/refs - [F]
+RewriteCond %{HTTP:X-Amz-Cf-Id} !^$
+RewriteRule ^/ostree/repo/summary - [F]
+RewriteCond %{HTTP:X-Amz-Cf-Id} !^$
+RewriteRule ^/ostree/repo/refs - [F]
+
 RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
 {% endif %}
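Review bot: The four deny rules are added inside the `{% if rewrite %}` block, so they are emitted only for proxy instances that set `rewrite`; if the instance serving `/atomic/repo` and `/ostree/repo` is ever templated without it, the summary and refs files become cacheable by CloudFront again with no visible change in this file. Moving them outside the conditional with their own `RewriteEngine On`, or gating them on a dedicated variable, would keep the protection independent of the trailing-slash redirect. The condition keys on the `X-Amz-Cf-Id` request header, which any client can omit or send, so the block is a cache-hygiene signal and not access control; the comment could say so, e.g. `# Header-based: keeps CDN copies from going stale, not an access restriction.` The patterns are also prefix matches (`^/atomic/repo/summary` covers `summary.sig` too), which looks intended but is worth stating. The four pairs can be collapsed to `RewriteCond %{HTTP:X-Amz-Cf-Id} !^$` followed by `RewriteRule ^/(atomic|ostree)/repo/(summary|refs) - [F]`.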