From: Julien Cristau <jcristau@debian.org>
Date: Thu, 20 Oct 2016 17:43:54 +0000 (+0200)
Subject: Don't redirect on security for cloudfront and tor hidden service
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=9ad5a2655ea0cf9d375c029dd602f5d816024af8;p=mirror%2Fdsa-puppet.git

Don't redirect on security for cloudfront and tor hidden service

Redirecting from https or .onion to plain http is probably a bad plan.
---

diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index d4be2a440..3d2e0f1e2 100644
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -40,8 +40,16 @@
    RewriteRule ^/$      http://www.debian.org/security/
 
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/debian-security/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
 
    # Possible values include: debug, info, notice, warn, error, crit,