Fixes #19822: Refactor apache configs - webapp #2521

Merged
61 changes: 1 addition & 60 deletions rudder-webapp/SOURCES/rudder-apache-webapp-common.conf
@@ -1,60 +1 @@
# Prevent Chrome loop detection to block the page after too many
# page reloads.
<LocationMatch "/rudder(?!/relay-api|/api)">
Header add X-Chrome-Exponential-Throttling "disable"
Header add X-UA-Compatible "IE=Edge"
</LocationMatch>

# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

# Prevent the apache logs from being cluttered by 404 errors
# due to a missing robots.txt file.
Alias /robots.txt /opt/rudder/share/load-page/robots.txt

# Nice loading page if the Java server is not ready
Alias /images /opt/rudder/share/load-page/images
Alias /files /opt/rudder/share/load-page/files

Alias /rudder-loading.html /opt/rudder/share/load-page/rudder-loading.html
Alias /rudder-not-loaded.html /opt/rudder/share/load-page/rudder-not-loaded.html

ErrorDocument 503 /rudder-loading.html
ErrorDocument 404 /rudder-not-loaded.html

# avoid indexation by search engines
Header set X-Robots-Tag "noindex, nofollow"

#set "secure" and "HttpOnly" for all cookies without these pragma
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"

#jetty is leaking its version in the "Server" header, remove it
Header unset Server

# We want ProxyErrorOverride disabled in most cases but that's the only way i know for apache to override a 404 sent by a proxified application
# (if proxyfied app send a content with a 404 (or any other error), apache will not use the Error document defined, but directly use content produced)
# However, if disabled, but the web app does not send any content, apache will overwrite the content (it will be ok for our 503 error on apache 2.2)
ProxyErrorOverride On
<LocationMatch "^/rudder/((secure/)?api|authentication|relay-api)">
ProxyErrorOverride Off
</LocationMatch>
<LocationMatch "^/(inventories|inventory-updates|uuid)">
ProxyErrorOverride Off
</LocationMatch>

# Enforce permissive access to the load page directory
<Directory /opt/rudder/share/load-page>
Require all granted
</Directory>

# Note: The preceding statements are here for compatibility purpose and will
# be removed in a future version of Rudder, which will enforce authenticated
# calls to every API part.

# Link to Rudder documentation
Alias /rudder-doc /usr/share/doc/rudder/html
<Directory /usr/share/doc/rudder/html>
Require all granted
AllowOverrideList Redirect
</Directory>
# kept for compatibility, see rudder-apache-webapp-ssl.conf
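
Review bot: the one line left in this file, `# kept for compatibility, see rudder-apache-webapp-ssl.conf`, does not say what still includes the file or when it can be deleted. Any vhost that includes only this file now gets none of the removed directives, among them the two `Header edit Set-Cookie` rules that append `HttpOnly` and `secure`, and `Header unset Server`. Suggest naming the include that keeps this file alive and the release in which it goes away, and checking that no remaining vhost relies on it for those headers.
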
61 changes: 61 additions & 0 deletions rudder-webapp/SOURCES/rudder-apache-webapp-ssl.conf
@@ -1,3 +1,64 @@
# Prevent Chrome loop detection to block the page after too many
# page reloads.
<LocationMatch "/rudder(?!/relay-api|/api)">
Header add X-Chrome-Exponential-Throttling "disable"
Header add X-UA-Compatible "IE=Edge"
</LocationMatch>

# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

# Prevent the apache logs from being cluttered by 404 errors
# due to a missing robots.txt file.
Alias /robots.txt /opt/rudder/share/load-page/robots.txt

# Nice loading page if the Java server is not ready
Alias /images /opt/rudder/share/load-page/images
Alias /files /opt/rudder/share/load-page/files

Alias /rudder-loading.html /opt/rudder/share/load-page/rudder-loading.html
Alias /rudder-not-loaded.html /opt/rudder/share/load-page/rudder-not-loaded.html

ErrorDocument 503 /rudder-loading.html
ErrorDocument 404 /rudder-not-loaded.html

# avoid indexation by search engines
Header set X-Robots-Tag "noindex, nofollow"

#set "secure" and "HttpOnly" for all cookies without these pragma
Header edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"

#jetty is leaking its version in the "Server" header, remove it
Header unset Server

# We want ProxyErrorOverride disabled in most cases but that's the only way i know for apache to override a 404 sent by a proxified application
# (if proxyfied app send a content with a 404 (or any other error), apache will not use the Error document defined, but directly use content produced)
# However, if disabled, but the web app does not send any content, apache will overwrite the content (it will be ok for our 503 error on apache 2.2)
ProxyErrorOverride On
<LocationMatch "^/rudder/((secure/)?api|authentication|relay-api)">
ProxyErrorOverride Off
</LocationMatch>
<LocationMatch "^/(inventories|inventory-updates|uuid)">
ProxyErrorOverride Off
</LocationMatch>

# Enforce permissive access to the load page directory
<Directory /opt/rudder/share/load-page>
Require all granted
</Directory>

# Note: The preceding statements are here for compatibility purpose and will
# be removed in a future version of Rudder, which will enforce authenticated
# calls to every API part.

# Link to Rudder documentation
Alias /rudder-doc /usr/share/doc/rudder/html
<Directory /usr/share/doc/rudder/html>
Require all granted
AllowOverrideList Redirect
</Directory>

# Rudder webapp
RewriteEngine on
RewriteRule ^/$ /rudder [R]
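
Review bot: the first `<LocationMatch "/rudder(?!/relay-api|/api)">` is unanchored, while the two `ProxyErrorOverride Off` blocks further down anchor their patterns with `^`. As written it also matches `/rudder-doc` and `/rudder-loading.html`, both aliased in this same file, and its lookahead skips `/rudder/api` but not `/rudder/secure/api`, which the later block treats as an API path. Suggest `^/rudder(?!/relay-api|/(secure/)?api)`, or a comment stating that the wider match is intended. Separately, the `ProxyErrorOverride` comment still refers to apache 2.2 although the file uses `Require all granted`, so that remark looks stale and could be updated while the block is being moved.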