{% if rewrite %} RewriteEngine On RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301] {% endif %} {% if header_scheme %} RequestHeader set X-Forwarded-Scheme https early RequestHeader set X-Scheme https early RequestHeader set X-Forwarded-Proto https early {% endif %} {% if header_expect %} RequestHeader unset Expect early {% endif %} {% if keephost %} ProxyPreserveHost On {% endif %} # # block some DDOS against forks. # Unfortunately, this can block legit access as well # So best to be narrow. # # we want to block the request(s) and also block things # with the referer of that request # # You can run something like: # grep /fork/ /var/log/httpd/src.fedoraproject.org-access.log | grep -v static | awk '{print $7}' | awk -F\/ '{print $1 " " $2 " " $3 " " $4 " " $5}' | sort | uniq -c | sort -nr | head -3 # on proxy01/10 to see the top list of fork requests. # RewriteEngine On # example block of a particular fork #RewriteCond %{REQUEST_URI} ^/fork/vmojzis/rpms/selinux-policy.*$ #RewriteRule .* - [F] #RewriteCond %{HTTP_REFERER} .*/fork//vmojzis/rpms/selinux-policy.*$ #RewriteRule .* - [F] # disable blame and history links because the scrapers hit them too hard RewriteCond %{REQUEST_URI} ^/rpms/.*/blame/.*$ RewriteRule .* - [F] # If you are a krb5 purist, please skip this. # This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks # while having an auth check on the proxies. # This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but # unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after # which the request will still fail (because pkgs will require auth). # What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses. # As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes # files to be uploaded twice. # However, I did not want to make the proxies send a plain HTTP header, since this means that whenever # someone gets into the local network, they could send their own request to the pkgs server, which will # then trust any username header (terrible idea, see CVE-2016-1000038). # So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client # sends on to pkgs, which will then *again* start a new GSSAPI security context and that way # authenticate the user on its own accord. # This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and* # pkgs will accept the GSSAPI security context. AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" GssapiCredStore keytab:/etc/pkgs.keytab Require valid-user {% if datacenter == 'rdu3' %} ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} {% else %} Redirect 421 / {% endif %}