r/gitea: Handle encoded / characters in HTTP paths

Gitea package names (e.g. OCI images, etc.) can contain `/` characters.
These are encoded as %2F in request paths.  Apache needs to forward
these sequences to the Gitea server without decoding them.
Unfortunately, the `AllowEncodedSlashes` setting, which controls this
behavior, is a per-virtualhost setting that is *not* inherited from the
main server configuration, and therefore must be explicitly set inside
the `VirtualHost` block.  This means Gitea needs its own virtual host
definition, and cannot rely on the default virtual host.
btop
Dustin 2022-11-25 17:43:07 -06:00
parent c625b28d6d
commit 772f669ab2
4 changed files with 35 additions and 4 deletions


@ -1,3 +1,4 @@
apache_default_ssl_vhost: false
sshd_agent_forwarding: false sshd_agent_forwarding: false
sshd_tcp_forwarding: false sshd_tcp_forwarding: false
sshd_x11_forwarding: false sshd_x11_forwarding: false


@ -11,3 +11,8 @@ gitea_http_domain: '{{ gitea_ssh_domain }}'
gitea_root_url: 'http://{{ gitea_http_domain }}:3000/' gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
gitea_webhook_allowed_host_list: gitea_webhook_allowed_host_list:
- '*' - '*'
gitea_ssl_certificate: >-
{{ apache_ssl_certificate }}
gitea_ssl_certificate_key: >-
{{ apache_ssl_certificate_key }}


@ -74,10 +74,10 @@
enabled=yes enabled=yes
- name: ensure apache is configured to proxy for gitea - name: ensure apache is configured to proxy for gitea
copy: template:
src=gitea.httpd.conf src: gitea.httpd.conf.j2
dest=/etc/httpd/conf.d/gitea.conf dest: /etc/httpd/conf.d/gitea.conf
mode=0644 mode: u=rw,go=r
notify: reload httpd notify: reload httpd
- name: ensure selinux allows apache to proxy for gitea - name: ensure selinux allows apache to proxy for gitea
seboolean: seboolean:


@ -0,0 +1,25 @@
# vim: set ft=apache :
RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
<VirtualHost _default_:443>
ServerName {{ gitea_http_domain }}
SSLCertificateFile {{ gitea_ssl_certificate }}
SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
SSLCertificateChainFile {{ gitea_ssl_certificate }}
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule /.* https://%{SERVER_NAME}$0
Header always set \
Strict-Transport-Security "max-age=63072000; includeSubDomains"
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/
AllowEncodedSlashes NoDecode
</VirtualHost>
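Review bot: The top-level redirect builds its target from `%{SERVER_NAME}`, which follows the client-supplied Host header unless `UseCanonicalName On` is set elsewhere, so the 301 can point at a host the client chose; the template already knows the canonical name, so `RewriteRule /.* https://{{ gitea_http_domain }}$0 [R=301,L]` would pin it. The second copy of the rule inside the `_default_:443` vhost should never match once TLS is active there and carries no `[R=301,L]` flags, so it can be dropped. No `SSLEngine on` is visible inside the vhost; presumably it is set in the server-wide configuration, but that is worth confirming now that the default SSL vhost is disabled. Since `nocanon` together with `AllowEncodedSlashes NoDecode` forwards the request path to Gitea without Apache's usual canonicalisation, a comment such as `# nocanon + NoDecode: path reaches Gitea unnormalised; keep path-based access rules out of this vhost` next to `ProxyPass` would record that trade-off.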