X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ffiles%2Fjenkins%2Fjenkins.debian.org;h=7e38bdb04e314d6bb62e69bff03319d70bfef550;hb=e4588b11bfd3d7c536de20a19552732a4d6c51f7;hp=b5ccc6b04f0081e961781bff5f19733a591519df;hpb=21e5d62634a48c6fb4ee93d58a68eb4a485984d5;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/files/jenkins/jenkins.debian.org b/modules/roles/files/jenkins/jenkins.debian.org
index b5ccc6b04..7e38bdb04 100644
--- a/modules/roles/files/jenkins/jenkins.debian.org
+++ b/modules/roles/files/jenkins/jenkins.debian.org
@@ -6,6 +6,14 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 
 	Use common-debian-service-ssl jenkins.debian.org
 	Use common-ssl-HSTS
+	Use http-pkp-jenkins.debian.org
+
+	SSLCACertificateFile /var/lib/dsa/sso/ca.crt
+	SSLCARevocationCheck chain
+	SSLCARevocationFile /var/lib/dsa/sso/ca.crl
+	SSLVerifyClient optional
+
+	SSLOptions +StdEnvVars
 
 	<IfModule mod_userdir.c>
 		UserDir disabled
@@ -14,11 +22,34 @@ Use common-debian-service-https-redirect * jenkins.debian.org
 	CustomLog /var/log/apache2/jenkins.debian.org-access.log privacy
 	ServerSignature On
 	<IfModule mod_proxy.c>
+		RequestHeader unset X-Forwarded-User
+		RequestHeader set X-Forwarded-User "%{SSL_CLIENT_S_DN_CN}e" env=SSL_CLIENT_S_DN_CN
 		<Proxy *>
 			Order deny,allow
 			Allow from all
 		</Proxy>
 		AllowEncodedSlashes NoDecode
+
+		<Location /http-auth-jenkins/>
+			AuthName "Debian Jenkins"
+			AuthType Digest
+			AuthDigestProvider file
+			AuthUserFile /srv/jenkins.debian.org/etc/htdigest
+			Require valid-user
+
+			RewriteEngine On
+			# see the Apache documentation on why this has to be lookahead
+			RewriteCond %{LA-U:REMOTE_USER} (.+)
+			# this actually doesn't rewrite anything. what we do here is to set RU to the match above
+			# "NS" prevents flooding the error log
+			RewriteRule .* - [E=RU:%1,NS]
+			RequestHeader set X-Forwarded-User %{RU}e
+
+			ProxyPass http://127.0.0.1:8080/ retry=15 nocanon
+			ProxyPassReverse http://127.0.0.1:8080/
+			ProxyPassReverse http://jenkins.debian.org/http-auth-jenkins/
+		</Location>
+
 		ProxyPass / http://127.0.0.1:8080/ retry=15 nocanon
 		ProxyPassReverse / http://127.0.0.1:8080/
 		ProxyPassReverse / http://jenkins.debian.org/