| author | Patrick Uiterwijk <puiterwijk@redhat.com> | 2017-07-22 11:32:04 +0000 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2017-07-22 11:32:04 +0000 |
| commit | dc7d020e21ec622f0225da2bf9c44ce50c3360b8 | |
| tree | 36cd8d1a411a423c04645b4a265cd02fd6e679bf /roles/httpd/reverseproxy/templates | |
| parent | 0a0268b89e04e940bd168ae6cc275ee66ca03da2 | |
Fix fedpkg double uploads by abusing the krb5 replay cache being local
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'roles/httpd/reverseproxy/templates')
| -rw-r--r-- | roles/httpd/reverseproxy/templates/reversepassproxy.src.conf | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf new file mode 100644 index 000000000..023b4d2ff --- /dev/null +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.src.conf 
@@ -0,0 +1,46 @@ +{% if rewrite %} +RewriteEngine On +RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301] + +{% endif %} +{% if header_scheme %} +RequestHeader set X-Forwarded-Scheme https early +RequestHeader set X-Scheme https early +RequestHeader set X-Forwarded-Proto https early + +{% endif %} +{% if header_expect %} +RequestHeader unset Expect early + +{% endif %} +{% if keephost %} +ProxyPreserveHost On +{% endif %} + +# If you are a krb5 purist, please skip this. +# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks +# while having an auth check on the proxies. +# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but +# unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after +# which the request will still fail (because pkgs will require auth). +# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses. +# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes +# files to be uploaded twice. +# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever +# someone gets into the local network, they could send their own request to the pkgs server, which will +# then trust any username header (terrible idea, see CVE-2016-1000038). +# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client +# sends on to pkgs, which will then *again* start a new GSSAPI security context and that way +# authenticate the user on its own accord. +# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and* +# pkgs will accept the GSSAPI security context. 
+ +<Location /repo/pkgs/upload.cgi> + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore keytab:/etc/pkgs.keytab + Require valid-user +</Location> + +ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}} +ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}} |
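Review bot: The `GssapiCredStore keytab:/etc/pkgs.keytab` line in the `<Location /repo/pkgs/upload.cgi>` block puts the pkgs service key on the proxies, and the long comment above it explains the replay-cache reasoning but never states that cost. With this change a compromised proxy exposes the same key that pkgs relies on to authenticate uploads, so the comment should say that the proxies are now inside the trust boundary for pkgs auth and that the keytab must be readable only by the httpd user there. Two smaller points in the same hunk: the `<Location>` block is emitted unconditionally with a hardcoded path, unlike the `{% if rewrite %}`, `{% if header_scheme %}`, `{% if header_expect %}` and `{% if keephost %}` sections above it and unlike the `ProxyPass {{ localpath }}` lines below it, so either guard it with a variable or note that this template is only meant for the vhost that serves `/repo/pkgs`. Also, "krb5 replace cache" near the end of the comment should read "replay cache", matching the earlier line and the commit subject.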
