From 0e6cb58f1c4ccb5ab26112ab3ed0a0c71b3d890b Mon Sep 17 00:00:00 2001
From: John Karahalis
Date: Wed, 24 Sep 2014 15:25:45 -0700
Subject: [PATCH] Bug 1043604: Add global Apache configuration
A new file is added, all-servers.conf, which contains Apache settings that should be used on all servers. The file is hooked up to our local environment via Puppet and the WebOps team will ensure that it's also used on our public servers.
---
 configs/htaccess | 15 +++++----------
 etc/apache/all-servers.conf | 15 +++++++++++++++
 media/fonts/.htaccess | 9 ---------
 puppet/manifests/classes/site-config.pp | 14 +++++++++++++-
 4 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100644 etc/apache/all-servers.conf
diff --git a/configs/htaccess b/configs/htaccess
index 6791e2557da..0ff37cf913b 100644
--- a/configs/htaccess
+++ b/configs/htaccess
@@ -59,10 +59,10 @@ RewriteRule ^es4(/.*)?$ http://wiki.ecmascript.org/ [R]
 # HACK: Django will eventually redirect the user to the right spot, but skip a
 # couple of redirects for these known legacy locales
-RewriteRule ^en/(.*)$ /mwsgi/en-US/$1 [L,QSA,NE,NC,E=CORS:True]
-RewriteRule ^cn/(.*)$ /mwsgi/zh-CN/$1 [L,QSA,NE,NC,E=CORS:True]
-RewriteRule ^zh_cn/(.*)$ /mwsgi/zh-CN/$1 [L,QSA,NE,NC,E=CORS:True]
-RewriteRule ^zh_tw/(.*)$ /mwsgi/zh-TW/$1 [L,QSA,NE,NC,E=CORS:True]
+RewriteRule ^en/(.*)$ /mwsgi/en-US/$1 [L,QSA,NE,NC]
+RewriteRule ^cn/(.*)$ /mwsgi/zh-CN/$1 [L,QSA,NE,NC]
+RewriteRule ^zh_cn/(.*)$ /mwsgi/zh-CN/$1 [L,QSA,NE,NC]
+RewriteRule ^zh_tw/(.*)$ /mwsgi/zh-TW/$1 [L,QSA,NE,NC]
 # These are some known static files
 RewriteCond %{REQUEST_URI} !/favicon.ico
@@ -72,9 +72,4 @@ RewriteCond %{REQUEST_URI} !/block_862be.html
 RewriteCond %{REQUEST_URI} !/block_f90c2.html
 # Everything else passes through the Django handler
-RewriteRule ^(.*)$ /mwsgi/$1 [L,QSA,NE,E=CORS:True]
-
-# Allow wide-open CORS on the site.
-Header set Access-Control-Allow-Origin "*" env=CORS
-Header set Access-Control-Allow-Methods "GET" env=CORS
-Header set Access-Control-Allow-Credentials "false" env=CORS
+RewriteRule ^(.*)$ /mwsgi/$1 [L,QSA,NE]
diff --git a/etc/apache/all-servers.conf b/etc/apache/all-servers.conf
new file mode 100644
index 00000000000..732d9c541ed
--- /dev/null
+++ b/etc/apache/all-servers.conf
@@ -0,0 +1,15 @@
+Header set Access-Control-Allow-Origin "*"
+Header set Access-Control-Allow-Methods "GET"
+Header set Access-Control-Allow-Credentials "false"
+
+
+ # Only enable CORS for fonts when the request is coming from a Mozilla domain
+ Header unset Access-Control-Allow-Origin
+ SetEnvIf Origin "https?://(.*\.mozilla\.(com|org|net))" CORS=$0
+ SetEnvIf Origin "https?://(mdn\.mozillademos\.org)" CORS=$0
+ Header set Access-Control-Allow-Origin %{CORS}e env=CORS
+
+ # block hotlinking by referer to .woff, .eof, .ttf files except mozilla domains
+ RewriteCond "%{HTTP_REFERER}" "!https?://.*\.mozilla\.(com|org|net)/.*$"
+ RewriteRule \.(woff|eot|ttf)$ - [F,NC,L,E=!CORS]
+
diff --git a/media/fonts/.htaccess b/media/fonts/.htaccess
index 6737a01b0fe..035add5354f 100644
--- a/media/fonts/.htaccess
+++ b/media/fonts/.htaccess
@@ -1,12 +1,3 @@
-# CORS only for mozilla domains
-SetEnvIf Origin "https?://(.*\.mozilla\.(com|org|net))" CORS=$0
-SetEnvIf Origin "https?://(mdn\.mozillademos\.org)" CORS=$0
-Header set Access-Control-Allow-Origin %{CORS}e env=CORS
-
-# block hotlinking by referer to .woff, .eof, .ttf files except mozilla domains
-RewriteCond "%{HTTP_REFERER}" "!https?://.*\.mozilla\.(com|org|net)/.*$"
-RewriteRule \.(woff|eot|ttf)$ - [F,NC,L,E=!CORS]
-
 Header append vary "Origin"
 ExpiresActive On
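Review bot: In etc/apache/all-servers.conf the three `Header set` lines at the top have lost the `env=CORS` condition they carried in configs/htaccess, so `Access-Control-Allow-Origin "*"` is now emitted on every response from any server that loads this file, not only on requests rewritten to the Django handler. If one of those servers also hosts content that relies on network position for protection (an internal or admin vhost), that content becomes readable cross-origin, so I would either keep the `env=CORS` gate or state the intended scope in a comment at the top of the file, e.g. `# Loaded server-wide: every vhost on this host answers with wildcard CORS`. `Access-Control-Allow-Credentials "false"` can be dropped, since browsers act only on the value `true`. The two `SetEnvIf Origin` patterns in the fonts block are unanchored; a form such as `SetEnvIf Origin "^https?://([^/]*\.mozilla\.(com|org|net))$" CORS=$0` would make the allow-list exact. The container tags around the fonts block are not visible on this page, so it is worth confirming that `RewriteCond`/`RewriteRule` are supported in that context and that the Referer check is treated as hotlink throttling, not as access control.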
diff --git a/puppet/manifests/classes/site-config.pp b/puppet/manifests/classes/site-config.pp
index 47880dd9254..685c35c8e77 100644
--- a/puppet/manifests/classes/site-config.pp
+++ b/puppet/manifests/classes/site-config.pp
@@ -54,11 +54,23 @@ Apache::Loadmodule['vhost_alias'], ]; }
+ file { "/etc/apache2/conf.d/all-servers.conf":
+ source => "/home/vagrant/src/etc/apache/all-servers.conf",
+ require => [
+ Package['apache2'],
+ Apache::Loadmodule['env'],
+ Apache::Loadmodule['setenvif'],
+ Apache::Loadmodule['headers'],
+ ];
+ }
 service { "apache2": ensure => running, enable => true, require => [ Package['apache2'], ],
-subscribe => File['/etc/apache2/conf.d/mozilla-kuma-apache.conf']
+subscribe => [
+ File['/etc/apache2/conf.d/mozilla-kuma-apache.conf'],
+ File['/etc/apache2/conf.d/all-servers.conf'],
+ ]
 } }
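Review bot: The new `file` resource's `require` list names the env, setenvif and headers modules, but all-servers.conf also uses `RewriteCond` and `RewriteRule`, so Apache may fail its configuration check on a box where mod_rewrite is not loaded before this file is read. If the manifest declares a loadmodule resource for rewrite (not visible in this hunk), it should be added to the list. The resource also sets no ownership or permissions, so depending on the Puppet version the installed file may inherit them from the copy under /home/vagrant; a configuration file read by Apache at startup is better pinned with `owner => 'root', group => 'root', mode => '0644',`. The enclosing class starts outside the hunk.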