r/gitea: Handle encoded / characters in HTTP paths

Gitea package names (e.g. OCI images, etc.) can contain `/` charactres. These are encoded as %2F in request paths. Apache needs to forward these sequences to the Gitea server without decoding them. Unfortunately, the `AllowEncodedSlashes` setting, which controls this behavior, is a per-virtualhost setting that is *not* inherited from the main server configuration, and therefore must be explicitly set inside the `VirtualHost` block. This means Gitea needs its own virtual host definition, and cannot rely on the default virtual host.
2022-11-25 17:43:07 -06:00 · 2022-11-25 17:43:07 -06:00 · 772f669ab2
parent c625b28d6d
commit 772f669ab2
4 changed files with 35 additions and 4 deletions
--- a/group_vars/gitea.yml
+++ b/group_vars/gitea.yml
@ -1,3 +1,4 @@
+apache_default_ssl_vhost: false
 sshd_agent_forwarding: false
 sshd_tcp_forwarding: false
 sshd_x11_forwarding: false
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -11,3 +11,8 @@ gitea_http_domain: '{{ gitea_ssh_domain }}'
 gitea_root_url: 'http://{{ gitea_http_domain }}:3000/'
 gitea_webhook_allowed_host_list:
 - '*'
+
+gitea_ssl_certificate: >-
+  {{ apache_ssl_certificate }}
+gitea_ssl_certificate_key: >-
+  {{ apache_ssl_certificate_key }}
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -74,10 +74,10 @@
    enabled=yes

 - name: ensure apache is configured to proxy for gitea
-  copy:
-    src=gitea.httpd.conf
-    dest=/etc/httpd/conf.d/gitea.conf
-    mode=0644
+  template:
+    src: gitea.httpd.conf.j2
+    dest: /etc/httpd/conf.d/gitea.conf
+    mode: u=rw,go=r
  notify: reload httpd
 - name: ensure selinux allows apache to proxy for gitea
  seboolean:
--- a/roles/gitea/templates/gitea.httpd.conf.j2
+++ b/roles/gitea/templates/gitea.httpd.conf.j2
@ -0,0 +1,25 @@
+# vim: set ft=apache :
+RewriteEngine on
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
+
+<VirtualHost _default_:443>
+    ServerName {{ gitea_http_domain }}
+
+    SSLCertificateFile {{ gitea_ssl_certificate }}
+    SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
+    SSLCertificateChainFile {{ gitea_ssl_certificate }}
+
+    RewriteEngine On
+    RewriteCond %{HTTPS} !on
+    RewriteRule /.* https://%{SERVER_NAME}$0
+
+    Header always set \
+        Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+    ProxyPreserveHost On
+    ProxyRequests Off
+    ProxyPass / http://localhost:3000/ nocanon
+    ProxyPassReverse / http://localhost:3000/
+    AllowEncodedSlashes NoDecode
+</VirtualHost>