Block access to Gitiles

Once restarted onto the parent change, our Gerrit deployment will no
longer link to Gitiles representations of changes or the Git tree.
Explicitly deny access to the Gitiles URL base path in the Apache
vhost config, since we can't effectively remove the plugin itself.
This should help prevent search engines from finding its copies of
our projects rather than the ones we want people to use in Gitea.

Change-Id: I3c96221256662443f7a43344afd12194dce82b9d
Jeremy Stanley 2022-02-18 18:42:12 +00:00
parent 0022dc2545
commit 77972b0150
2 changed files with 11 additions and 0 deletions

@ -61,6 +61,11 @@
#RewriteCond %{REQUEST_URI} !^/maintenance.html$
#RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
# We can't disable this plugin, but don't want people using it
<Location "/plugins/gitiles">
Require all denied
</Location>
ProxyPassMatch ^/robots.txt$ !
ProxyPassMatch ^/server-status !
# Comment out these two lines if the maintenance message above is in use
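
Review bot: the comment above the `<Location "/plugins/gitiles">` block says the plugin can't be disabled but not what the block does or why; consider expanding it to state that every request under this prefix is answered with a 403 by Apache before it reaches the proxy, and that the aim is to keep crawlers off the Gitiles copies of the repositories. The block matches one literal path prefix only, so it is also worth confirming that Gerrit does not serve the plugin under any other URL prefix, since such a path would not be covered here.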

@ -65,3 +65,9 @@ def test_openinfra_cla(host):
assert '200 OK' in cmd.stdout
assert 'Content-Type: text/html' in cmd.stdout
assert 'OpenInfra Foundation Individual Contributor License Agreement' in cmd.stdout
def test_gitiles_blocked(host):
cmd = host.run('curl --include --insecure '
'--resolve review.opendev.org:443:127.0.0.1 '
'https://review.opendev.org/plugins/gitiles/opendev/system-config/')
assert '403 Forbidden' in cmd.stdout
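
Review bot: the assertion `'403 Forbidden' in cmd.stdout` in test_gitiles_blocked is a substring match over headers and body together (curl runs with --include), so it would also pass if that text appeared only in a response body. Asserting on the status line, or having curl emit just the code with `--silent --output /dev/null --write-out '%{http_code}'` and comparing it to '403', would be tighter. The test also requests a single project path under /plugins/gitiles/; adding a request for the bare /plugins/gitiles base path would check that the whole Location is denied rather than that one URL.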