Don't redirect on security for cloudfront and tor hidden service

Redirecting from https or .onion to plain http is probably a bad plan.

diff --git a/modules/roles/templates/security_mirror/security.debian.org.erb b/modules/roles/templates/security_mirror/security.debian.org.erb
index d4be2a4..3d2e0f1 100644 (file)
--- a/modules/roles/templates/security_mirror/security.debian.org.erb
+++ b/modules/roles/templates/security_mirror/security.debian.org.erb
@@ -40,8 +40,16 @@
    RewriteRule ^/$      http://www.debian.org/security/
 
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
    RewriteCond %{HTTP:Fastly-Client-IP} !. [NV]
+   RewriteCond %{HTTP_USER_AGENT} !"Amazon CloudFront"
+   <% if scope.function_onion_global_service_hostname(['security.debian.org']) -%>
+   RewriteCond %{HTTP_HOST} "!=<%= scope.function_onion_global_service_hostname(['security.debian.org']) %>"
+   <% end %>
    RewriteRule ^/debian-security/(pool/updates/main/l/linux/.*) http://security-cdn.debian.org/$1 [L,R=302]
 
    # Possible values include: debug, info, notice, warn, error, crit,