ansible/roles/pagure/templates/0_pagure.conf
Kevin Fenzi 836d79193c pagure: update ansible for latest blocks from ai
Update the latest project blocks that were added.

Also, extend the bot block to docs.pagure.io, which was
being hammered by scrapers.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-05-30 10:02:24 -07:00


# ---------------------------------------------------------------------------
# mod_wsgi: server-wide settings
# ---------------------------------------------------------------------------
WSGISocketPrefix run/wsgi
#WSGIRestrictStdout On
# Off lets the WSGI applications register their own signal handlers.
WSGIRestrictSignal Off
# Same effect as running the interpreter with -O: `assert` statements in the
# application are compiled out, so they must not be relied on as access checks.
WSGIPythonOptimize 1
# Hand the HTTP Authorization header through to the WSGI applications.
WSGIPassAuthorization On

# Daemon process groups. Both run as git:git, are recycled after 1000 requests
# and are shut down after 300 seconds without activity.
{% if env == 'pagure-staging' %}
# Only use a single process because flask-oidc stores its credentials in a dictionary.
WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=1 threads=20 inactivity-timeout=300
{% else %}
WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=15 threads=6 inactivity-timeout=300
{% endif %}
WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300

# ---------------------------------------------------------------------------
# MPM sizing: ServerLimit (100) x ThreadsPerChild (30) = MaxRequestWorkers (3000)
# ---------------------------------------------------------------------------
ServerLimit 100
ThreadsPerChild 30
MaxRequestWorkers 3000
MaxConnectionsPerChild 1000

# ---------------------------------------------------------------------------
# Protocol negotiation
# ---------------------------------------------------------------------------
# NOTE(review): h2c is cleartext HTTP/2 and can only apply to the port-80
# vhosts, which do nothing but redirect and proxy ACME challenges. Cleartext
# HTTP/2 upgrades passing through intermediaries have been a source of
# request-smuggling problems, so confirm h2c is actually required here.
Protocols h2 h2c http/1.1
## Redirects http -> https
<VirtualHost *:80>
    # Plain-HTTP listener for the main site: everything is sent to HTTPS,
    # except the ACME challenge path, which is proxied to certgetter01.
    # NOTE(review): the catch-all Redirect also covers the challenge path;
    # confirm the proxy rule is the one that wins so certificate renewal
    # requests are not redirected.
    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% if env == 'pagure-staging' %}
    ServerName stg.pagure.io
    Redirect permanent / https://stg.pagure.io/
{% else %}
    ServerName pagure.io
    Redirect permanent / https://pagure.io/
{% endif %}
</VirtualHost>
<VirtualHost *:80>
    # Plain-HTTP listener for the docs site: permanent redirect to HTTPS, with
    # the ACME challenge path proxied to certgetter01 in both environments.
    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% if env == 'pagure-staging' %}
    ServerName docs.stg.pagure.org
    Redirect permanent / https://docs.stg.pagure.org/
{% else %}
    ServerName docs.pagure.org
    Redirect permanent / https://docs.pagure.org/
{% endif %}
</VirtualHost>
<VirtualHost *:80>
    # Plain-HTTP listener for the releases site: permanent redirect to HTTPS,
    # with the ACME challenge path proxied to certgetter01 in both environments.
    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% if env == 'pagure-staging' %}
    ServerName releases.stg.pagure.org
    Redirect permanent / https://releases.stg.pagure.org/
{% else %}
    ServerName releases.pagure.org
    Redirect permanent / https://releases.pagure.org/
{% endif %}
</VirtualHost>
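<VirtualHost *:80>
    # Plain-HTTP listener for the bare pagure.org name.
    # Staging redirects to the HTTPS releases site. Production has the redirect
    # commented out and serves /var/www/releases directly over HTTP.
{% if env == 'pagure-staging' %}
    ServerName stg.pagure.org
    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
    Redirect permanent / https://releases.stg.pagure.org/
{% else %}
    ServerName pagure.org
    #Redirect permanent / https://releases.pagure.org/
    ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
{% endif %}
    # Added until we can get the cert out
    # NOTE(review): while the production redirect stays disabled, release
    # artifacts are downloadable over cleartext HTTP with no transport
    # integrity. Re-enable the redirect once the certificate covers this name.
    DocumentRoot "/var/www/releases"
    # Directory listings are enabled for the document root only. The previous
    # <Directory /> scope turned on +Indexes for the whole filesystem as seen
    # by this vhost, which is broader than the content it serves.
    <Directory "/var/www/releases">
        Options +Indexes
        IndexOptions NameWidth=*
    </Directory>
</VirtualHost>
## End of redirects http -> https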
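<VirtualHost *:443>
    # Main Pagure site over TLS. Requests are handled by the "pagure" WSGI
    # daemon process group unless one of the blocks below rejects them first.
{% if env == 'pagure-staging' %}
    ServerName stg.pagure.io
{% else %}
    ServerName pagure.io
{% endif %}
    TimeOut 600
    # robots.txt is served from disk; every other path goes to the WSGI app.
    Alias "/robots.txt" "/var/www/html/robots.txt"
    WSGIScriptAlias / /var/www/pagure.wsgi
    ServerAdmin admin@fedoraproject.org

    SSLEngine on
    # Protocol versions and cipher list come from the ssl_protocols and
    # ssl_ciphers template variables; check those values, not this file, to
    # know which TLS versions are actually offered.
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}
    # HSTS for one year, covering subdomains, flagged for browser preload.
    # `set` instead of `add` so the header can never be emitted twice.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
{% if env == 'pagure-staging' %}
    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
{% else %}
    SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/pagure.io.key
{% endif %}

    SetEnv GIT_PROJECT_ROOT /srv/git/repositories

    <Location />
        WSGIProcessGroup pagure
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Allow from all
        </IfModule>
    </Location>

    <Location /releases>
{% if env == 'pagure-staging' %}
        Redirect "/releases" https://releases.stg.pagure.org
{% else %}
        Redirect "/releases" https://releases.pagure.org
{% endif %}
    </Location>

    # Drop distributed web hits
    # Each pair answers 403 for one path prefix. There is no client condition,
    # so these paths are refused for every visitor, not only for crawlers.
    # %{REQUEST_URI} always begins with "/", so every pattern must too.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/linux-forgeperf.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/git/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/virt-ark/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/lersek/edk2/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/binutils-gdb/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/releng/fedora-scm-requests/blob/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/releng/fedora-scm-requests/raw/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fork/sergiomb/releng/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fork/.*/pagure/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fork/.*/389-base/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/llvm-project-mirror/.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/gfwlist/raw/master.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fork/mohanboddu/fedora-infra/ansible.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fedora-docs/fedora-docs-web/blob.*$
    RewriteRule .* - [F]
    # The next three patterns previously lacked the leading "/" and therefore
    # never matched any request; the slash makes the intended blocks effective.
    RewriteCond %{REQUEST_URI} ^/fedora-qa/os-autoinst-distri-fedora/blob.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/releng/fedora-scm-requests/blob.*$
    RewriteRule .* - [F]
    # NOTE(review): this path looks like a documentation-site URL; confirm it
    # is meant for this vhost rather than the docs vhost.
    RewriteCond %{REQUEST_URI} ^/pagure/usage/index.html.*$
    RewriteRule .* - [F]
    RewriteCond %{REQUEST_URI} ^/fork/.*/koji/.*$
    RewriteRule .* - [F]

    # Spiders-gone-wild
    # These spiders may not follow robots.txt and will
    # hit admin sections which consume large amounts of CPU
    # The User-Agent header is chosen by the client, so this only stops
    # crawlers that identify themselves honestly. Crawlers that present a
    # browser User-Agent need rate limiting or network-level controls.
    RewriteCond %{HTTP_USER_AGENT} "(Bytespider|ClaudeBot|Amazonbot|YandexBot|ChatGLM-Spider|GPTBot|Barkrowler|YisouSpider|MJ12bot)" [NC]
    RewriteRule .* - [F,L]

    # mod_status page, reachable from loopback only.
    # NOTE(review): if this server is ever placed behind a reverse proxy on
    # the same host, proxied requests would also arrive from loopback.
    <Location /apache-status>
        SetHandler server-status
        <RequireAny>
            Require ip 127.0.0.1
            Require ip ::1
            Require host localhost
        </RequireAny>
    </Location>
</VirtualHost>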
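<VirtualHost *:443>
    # TLS listener for the bare pagure.org name: it only redirects to the
    # main pagure.io site.
{% if env == 'pagure-staging' %}
    ServerName stg.pagure.org
{% else %}
    ServerName pagure.org
{% endif %}
    SSLEngine on
    # Protocol versions and cipher list come from the ssl_protocols and
    # ssl_ciphers template variables.
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}
    # HSTS for one year, covering subdomains, flagged for browser preload.
    # `always` applies it to the redirect response too; `set` instead of `add`
    # so the header can never be emitted twice.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # NOTE(review): this vhost answers for a pagure.org name but loads the
    # pagure.io certificate files; confirm that certificate lists this
    # hostname, otherwise clients fail the handshake before the redirect.
{% if env == 'pagure-staging' %}
    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
    Redirect permanent / https://stg.pagure.io/
{% else %}
    SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/pagure.io.key
    Redirect permanent / https://pagure.io/
{% endif %}
</VirtualHost>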
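<VirtualHost *:443>
    # Documentation site over TLS, handled by the "paguredocs" WSGI daemon
    # process group.
{% if env == 'pagure-staging' %}
    ServerName docs.stg.pagure.org
{% else %}
    ServerName docs.pagure.org
{% endif %}
    WSGIScriptAlias / /var/www/docs_pagure.wsgi

    SSLEngine on
    # Protocol versions and cipher list come from the ssl_protocols and
    # ssl_ciphers template variables.
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}
    # HSTS for one year, covering subdomains, flagged for browser preload.
    # `set` instead of `add` so the header can never be emitted twice.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # NOTE(review): this vhost answers for a pagure.org name but loads the
    # pagure.io certificate files; confirm that certificate lists this hostname.
{% if env == 'pagure-staging' %}
    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
{% else %}
    SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
    SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
    SSLCertificateKeyFile /etc/pki/tls/private/pagure.io.key
{% endif %}

    # redirects for sssd docs.
    # https://pagure.io/fedora-infrastructure/issue/8995
    # The specific patterns stay ahead of the catch-all so they match first.
    RedirectMatch ^/SSSD.sssd$ https://sssd.io
    RedirectMatch ^/SSSD.sssd/$ https://sssd.io
    RedirectMatch ^/SSSD.sssd/index.html https://sssd.io/index.html
    RedirectMatch ^/SSSD.sssd/(.*) https://sssd.io/docs/$1

    # Spiders-gone-wild
    # These spiders may not follow robots.txt and will
    # hit admin sections which consume large amounts of CPU
    # The User-Agent header is chosen by the client, so this only stops
    # crawlers that identify themselves honestly. Crawlers that present a
    # browser User-Agent need rate limiting or network-level controls.
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} "(Bytespider|ClaudeBot|Amazonbot|YandexBot|ChatGLM-Spider|GPTBot|Barkrowler|YisouSpider|MJ12bot)" [NC]
    RewriteRule .* - [F,L]

    <Location />
        WSGIProcessGroup paguredocs
        <IfModule mod_authz_core.c>
            # Apache 2.4
            Require all granted
        </IfModule>
        <IfModule !mod_authz_core.c>
            # Apache 2.2
            Order deny,allow
            Allow from all
        </IfModule>
    </Location>
</VirtualHost>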
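<VirtualHost *:443>
    # Static release downloads over TLS, served straight from disk with
    # directory listings enabled.
    DocumentRoot "/var/www/releases"
    # Only the server name and the certificate files differ per environment.
    # NOTE(review): this vhost answers for a pagure.org name but loads the
    # pagure.io certificate files; confirm that certificate lists this hostname.
{% if env == 'pagure-staging' %}
    ServerName releases.stg.pagure.org
    SSLCertificateFile /etc/pki/tls/certs/stg.pagure.io.cert
    SSLCertificateKeyFile /etc/pki/tls/private/stg.pagure.io.key
    SSLCertificateChainFile /etc/pki/tls/certs/stg.pagure.io.intermediate.cert
{% else %}
    ServerName releases.pagure.org
    SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
    SSLCertificateKeyFile /etc/pki/tls/private/pagure.io.key
    SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
{% endif %}
    SSLEngine on
    # NOTE(review): the other TLS vhosts in this file do not set
    # SSLHonorCipherOrder, and they send a Strict-Transport-Security header
    # that this vhost does not; decide which behaviour is intended and align.
    SSLHonorCipherOrder On
    # Protocol versions and cipher list come from the ssl_protocols and
    # ssl_ciphers template variables.
    SSLProtocol {{ ssl_protocols }}
    SSLCipherSuite {{ ssl_ciphers }}

    # Serve .msi installers as opaque binary downloads.
    AddType application/octet-stream msi
    # Directory listings are enabled for the document root only. The previous
    # <Directory /> scope turned on +Indexes for the whole filesystem as seen
    # by this vhost, which is broader than the content it serves.
    <Directory "/var/www/releases">
        Options +Indexes
        IndexOptions NameWidth=*
    </Directory>
</VirtualHost>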