X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ffiles%2Fjenkins%2Fjenkins.debian.org;h=7e38bdb04e314d6bb62e69bff03319d70bfef550;hb=29cbe59430d1e7d7d5575579b48513c56227e2f7;hp=e8d9ebed55eb968b5d0ccec94ea0233182df60e1;hpb=32cc0ca47da8021103744f26d3ced982ea0c22ad;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org
index e8d9ebed5..7e38bdb04 100644
--- a/modules/roles/files/jenkins/jenkins.debian.org
+++ b/modules/roles/files/jenkins/jenkins.debian.org
@@ -6,6 +6,7 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 
 	Use common-debian-service-ssl jenkins.debian.org
 	Use common-ssl-HSTS
+	Use http-pkp-jenkins.debian.org
 
 	SSLCACertificateFile /var/lib/dsa/sso/ca.crt
 	SSLCARevocationCheck chain
@@ -28,6 +29,27 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 			Allow from all
 		</Proxy>
 		AllowEncodedSlashes NoDecode
+
+		<Location /http-auth-jenkins/>
+			AuthName "Debian Jenkins"
+			AuthType Digest
+			AuthDigestProvider file
+			AuthUserFile /srv/jenkins.debian.org/etc/htdigest
+			Require valid-user
+
+			RewriteEngine On
+			# see the Apache documentation on why this has to be lookahead
+			RewriteCond %{LA-U:REMOTE_USER} (.+)
+			# this actually doesn't rewrite anything. what we do here is to set RU to the match above
+			# "NS" prevents flooding the error log
+			RewriteRule .* - [E=RU:%1,NS]
+			RequestHeader set X-Forwarded-User %{RU}e
+
+			ProxyPass http://127.0.0.1:8080/ retry=15 nocanon
+			ProxyPassReverse http://127.0.0.1:8080/
+			ProxyPassReverse http://jenkins.debian.org/http-auth-jenkins/
+		</Location>
+
 		ProxyPass / http://127.0.0.1:8080/ retry=15 nocanon
 		ProxyPassReverse / http://127.0.0.1:8080/
 		ProxyPassReverse / http://jenkins.debian.org/