opendev/system-config
Code Issues Proposed changes
3e6c282d54
system-config/playbooks/roles/gerrit/templates/gerrit.vhost.j2
Jeremy Stanley 77972b0150 Block access to Gitiles 
Once restarted onto the parent change, our Gerrit deployment will no
longer link to Gitiles representations of changes or the Git tree.
Explicitly deny access to the Gitiles URL base path in the Apache
vhost config, since we can't effectively remove the plugin itself.
This should help prevent search engines from finding its copies of
our projects rather than the ones we want people to use in Gitea.

Change-Id: I3c96221256662443f7a43344afd12194dce82b9d
2022-02-18 21:39:27 +00:00

96 lines
2.7 KiB
Django/Jinja
Raw Blame History

<VirtualHost *:80>
ServerName {{ gerrit_vhost_name }}
ServerAdmin webmaster@openstack.org
ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
Redirect / https://{{ gerrit_vhost_name }}/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName {{ gerrit_vhost_name }}
ServerAdmin webmaster@openstack.org
AllowEncodedSlashes On
ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
RewriteEngine on
ProxyRequests off
ProxyVia off
ProxyPreserveHost on
ProxyStatus On
# Uncomment to show a temporary maintenance message
#ProxyPassMatch ^/maintenance.html$ !
#Alias /maintenance.html /home/gerrit2/review_site/static/maintenance.html
#RewriteCond %{REQUEST_URI} !^/maintenance.html$
#RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
# We can't disable this plugin, but don't want people using it
<Location "/plugins/gitiles">
Require all denied
</Location>
ProxyPassMatch ^/robots.txt$ !
ProxyPassMatch ^/server-status !
# Comment out these two lines if the maintenance message above is in use
ProxyPass / http://localhost:8081/ nocanon
ProxyPassReverse / http://localhost:8081/
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
Alias /robots.txt /home/gerrit2/review_site/static/robots.txt
<Directory /home/gerrit2/review_site/git/>
Require all granted
Order allow,deny
Allow from all
</Directory>
<Directory /usr/lib/git-core>
Require all granted
Allow from all
Satisfy Any
</Directory>
<Directory /home/gerrit2/review_site/static/>
Require all granted
Allow from all
Satisfy Any
</Directory>
</VirtualHost>
</IfModule>
View Git Blame Copy Permalink