From 9ad5a2655ea0cf9d375c029dd602f5d816024af8 Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Thu, 20 Oct 2016 19:43:54 +0200
Subject: [PATCH] Don't redirect on security for cloudfront and tor hidden
 service

Redirecting from https or .onion to plain http is probably a bad plan.
---
 .../templates/security_mirror/security.debian.org.erb     | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index d4be2a440..3d2e0f1e2 100644
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -40,8 +40,16 @@
    RewriteRule ^/$      http://www.debian.org/security/
 
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/debian-security/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
 
    # Possible values include: debug, info, notice, warn, error, crit,
-- 
2.20.1