Set AllowEncodedSlashes NoDecode on 8080 revproxy

This is a follow-up on nocanon from [1]. This ensures Apache does not filter any requests originally containing encoded slashes. [1] I5a3a6551536e2d1e87aa074e0de7619a367b1971 Change-Id: I94fcb67a914da6ab4d6e1bfd0a2e02121d22559c
2020-04-05 16:02:23 +02:00 · 2020-04-05 16:02:23 +02:00 · 3c47bdbd5d
commit 3c47bdbd5d
parent b474879c03
2 changed files with 10 additions and 0 deletions
--- a/modules/openstack_project/templates/mirror.vhost.erb
+++ b/modules/openstack_project/templates/mirror.vhost.erb
@ -143,6 +143,11 @@ LogFormat "%h %l %u %t \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-a
    CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8080_access.log combined-cache
    ServerSignature Off

+    # Let upstreams decide on encoded slash handling.
+    # The default is 'Off' which returns 404 for URLs with encoded slashes,
+    # i.e. '%2f' instead of '/'.
+    AllowEncodedSlashes NoDecode
+
    # Caching reverse proxy for things that don't make sense in AFS
    #
    # General cache rules
--- a/playbooks/roles/mirror/templates/mirror.vhost.j2
+++ b/playbooks/roles/mirror/templates/mirror.vhost.j2
@ -155,6 +155,11 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
    CustomLog /var/log/apache2/proxy_8080_access.log combined-cache
    ServerSignature Off

+    # Let upstreams decide on encoded slash handling.
+    # The default is 'Off' which returns 404 for URLs with encoded slashes,
+    # i.e. '%2f' instead of '/'.
+    AllowEncodedSlashes NoDecode
+
    # Caching reverse proxy for things that don't make sense in AFS
    #
    # General cache rules