Instead of just /pool/updates/main/l/linux/*, redirect everything except:
- if coming from fastly or aws
- if coming from nagios or mini-nag
- if using the onion service
- if doing a health check
Eventually we might point the security.d.o name directly at the CDN, but let's
see if this helps already.
<% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
<% end %>
<% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
<% end %>
- RewriteRule ^/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
- RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
- RewriteCond %{HTTP_USER_AGENT} "!Amazon CloudFront"
- RewriteCond %{HTTP_USER_AGENT} "!check_http"
- RewriteCond %{HTTP_USER_AGENT} "!dsa-check-mirrorsync"
- <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
- RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
- <% end %>
- RewriteRule ^/debian-security/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
+ RewriteCond %{REQUEST_URI} "!=/_health"
+ RewriteRule ^/(.*) http://security-cdn.debian.org/$1 [L,R=302]
CustomLog /var/log/apache2/security.debian.org-access.log privacy
ServerSignature On
CustomLog /var/log/apache2/security.debian.org-access.log privacy
ServerSignature On