From 0040245fce35479e152aad6322e3ca6bc436640c Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sun, 4 Nov 2018 13:03:42 +0100
Subject: [PATCH] Redirect all of security.d.o to security-cdn

Instead of just /pool/updates/main/l/linux/*, redirect everything except:
- if coming from fastly or aws
- if coming from nagios or mini-nag
- if using the onion service
- if doing a health check

Eventually we might point the security.d.o name directly at the CDN, but let's
see if this helps already.
---
 .../templates/security_mirror/security.debian.org.erb | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index 1af877d2e..9e487215a 100644
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -46,15 +46,8 @@
    <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
    RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
    <% end %>
-   RewriteRule ^/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
-   RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
-   RewriteCond %{HTTP_USER_AGENT} "!Amazon CloudFront"
-   RewriteCond %{HTTP_USER_AGENT} "!check_http"
-   RewriteCond %{HTTP_USER_AGENT} "!dsa-check-mirrorsync"
-   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
-   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
-   <% end %>
-   RewriteRule ^/debian-security/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
+   RewriteCond %{REQUEST_URI} "!=/_health"
+   RewriteRule ^/(.*) http://security-cdn.debian.org/$1 [L,R=302]
 
    CustomLog /var/log/apache2/security.debian.org-access.log privacy
    ServerSignature On
-- 
2.20.1