From 772f669ab2983d84b87a76234ea21976d42242f9 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 25 Nov 2022 17:43:07 -0600
Subject: [PATCH] r/gitea: Handle encoded / characters in HTTP paths
Gitea package names (e.g. OCI images, etc.) can contain `/` charactres. These are encoded as %2F in request paths. Apache needs to forward these sequences to the Gitea server without decoding them. Unfortunately, the `AllowEncodedSlashes` setting, which controls this behavior, is a per-virtualhost setting that is *not* inherited from the main server configuration, and therefore must be explicitly set inside the `VirtualHost` block. This means Gitea needs its own virtual host definition, and cannot rely on the default virtual host.
---
 group_vars/gitea.yml | 1 +
 roles/gitea/defaults/main.yml | 5 +++++
 roles/gitea/tasks/main.yml | 8 ++++----
 roles/gitea/templates/gitea.httpd.conf.j2 | 25 +++++++++++++++++++++++
 4 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100644 roles/gitea/templates/gitea.httpd.conf.j2
diff --git a/group_vars/gitea.yml b/group_vars/gitea.yml
index 54de1a5..ee4d371 100644
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@@ -1,3 +1,4 @@
+apache_default_ssl_vhost: false
 sshd_agent_forwarding: false
 sshd_tcp_forwarding: false
 sshd_x11_forwarding: false
diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml
index a4e6bc0..70383a9 100644
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@@ -11,3 +11,8 @@ gitea_http_domain: '{{ gitea_ssh_domain }}'
 gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
 gitea_webhook_allowed_host_list:
 - '*'
+
+gitea_ssl_certificate: >-
+ {{ apache_ssl_certificate }}
+gitea_ssl_certificate_key: >-
+ {{ apache_ssl_certificate_key }}
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index 3c8beda..da57f14 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
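Review bot: The two new defaults use `>-` folded block scalars for a single Jinja expression, whereas the neighbouring defaults in the same hunk (`gitea_http_domain: '{{ gitea_ssh_domain }}'`, `gitea_root_url: '...'`) are single-quoted one-liners; the block form reads as if a multi-line value were intended and adds nothing for a one-token value. Write them as `gitea_ssl_certificate: '{{ apache_ssl_certificate }}'` and `gitea_ssl_certificate_key: '{{ apache_ssl_certificate_key }}'`. A one-line comment above them would also help, e.g. `# Default to the apache role's certificate so the gitea vhost serves the same key material`; whether that role still installs those files once `apache_default_ssl_vhost` is false (set in group_vars in this same patch) is not visible here and worth confirming.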
@@ -74,10 +74,10 @@ enabled=yes
 - name: ensure apache is configured to proxy for gitea
- copy:
- src=gitea.httpd.conf
- dest=/etc/httpd/conf.d/gitea.conf
- mode=0644
+ template:
+ src: gitea.httpd.conf.j2
+ dest: /etc/httpd/conf.d/gitea.conf
+ mode: u=rw,go=r
 notify: reload httpd
 - name: ensure selinux allows apache to proxy for gitea
 seboolean:
diff --git a/roles/gitea/templates/gitea.httpd.conf.j2 b/roles/gitea/templates/gitea.httpd.conf.j2
new file mode 100644
index 0000000..90cd30b
--- /dev/null
+++ b/roles/gitea/templates/gitea.httpd.conf.j2
@@ -0,0 +1,25 @@
+# vim: set ft=apache :
+RewriteEngine on
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
+ ServerName {{ gitea_http_domain }}
+
+ SSLCertificateFile {{ gitea_ssl_certificate }}
+ SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
+ SSLCertificateChainFile {{ gitea_ssl_certificate }}
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !on
+ RewriteRule /.* https://%{SERVER_NAME}$0
+
+ Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+ ProxyPreserveHost On
+ ProxyRequests Off
+ ProxyPass / http://localhost:3000/ nocanon
+ ProxyPassReverse / http://localhost:3000/
+ AllowEncodedSlashes NoDecode
+
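Review bot: The added vhost carries `SSLCertificateFile`/`SSLCertificateKeyFile` but no `SSLEngine on`, and nothing in the hunk sets `SSLProtocol` or `SSLCipherSuite`; with `apache_default_ssl_vhost: false` now set in group_vars the stock TLS vhost that usually provides these is presumably gone, so unless the apache role defines them at server scope this vhost will not terminate TLS at all (the `<VirtualHost>` open/close lines themselves are not visible in the hunk as rendered here). Insert `SSLEngine on` directly after the `SSLCertificateKeyFile` line, plus the protocol/cipher settings if they are not inherited. `SSLCertificateChainFile` pointing at the same file as `SSLCertificateFile` is redundant, and the directive is deprecated since httpd 2.4.8, where intermediates are read from `SSLCertificateFile`; drop it or give it its own chain variable. `nocanon` on `ProxyPass` together with `AllowEncodedSlashes NoDecode` means httpd forwards the request path un-normalised, so any `<Location>`/`<LocationMatch>` restriction added to this vhost later will not see a canonical path and path validation rests entirely on Gitea; record that in the template, e.g. `# nocanon + NoDecode: paths reach Gitea un-normalised (needed for %2F in package names); do not rely on <Location> rules in this vhost`. The duplicated `RewriteCond %{HTTPS} !on` block inside the vhost also omits the `[R=301,L]` flags the global copy uses and is dead once TLS is on, so it can go.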