Zhuyifei1999 has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/357878 )
Change subject: tools-static: add /fontcdn/ to reverse-proxy to Google Fonts ...................................................................... tools-static: add /fontcdn/ to reverse-proxy to Google Fonts Endpoints: * /fontcdn/? => redirect to https://tools.wmflabs.org/fontcdn/ * /fontcdn/s/ => reverse proxy to https://fonts.gstatic.com/s/ * /fontcdn/css => reverse proxy to https://fonts.googleapis.com/css with substitution of '//fonts.gstatic.com/' This reverse proxy is not cached, since if a hacker were to use us to dos google, we would long melt before google can notice anything. Bug: T110027 Change-Id: I62dce4132e90a825811969790800a0d46d41ae09 --- M modules/toollabs/templates/static-server.conf.erb 1 file changed, 36 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/78/357878/1 diff --git a/modules/toollabs/templates/static-server.conf.erb b/modules/toollabs/templates/static-server.conf.erb index 9c2939a..034830d 100644 --- a/modules/toollabs/templates/static-server.conf.erb +++ b/modules/toollabs/templates/static-server.conf.erb @@ -70,6 +70,42 @@ root /srv/; # Is ok, nginx ensures that this is /cdnjs/* only } + location = /fontcdn { + return 302 "https://<%= @web_domain %>/fontcdn/"; + } + + location = /fontcdn/ { + return 302 "https://<%= @web_domain %>/fontcdn/"; + } + + location /fontcdn/ { + # Don't mess with the cookie in any case + proxy_hide_header Set-Cookie; + proxy_set_header Cookie ""; + + # And hide the referrer for privacy reasons + proxy_set_header Referer "https://<%= @web_domain %>/fontcdn/"; + + add_header Access-Control-Allow-Origin '*'; + + # rewrite is an action directive and does not inherit + + location /fontcdn/s/ { + rewrite ^/fontcdn(/.*)$ $1 break; + proxy_pass https://fonts.gstatic.com; + } + + location /fontcdn/css { + rewrite ^/fontcdn(/.*)$ $1 break; + proxy_pass https://fonts.googleapis.com; + + # subs_filter works only on uncompressed data + proxy_set_header Accept-Encoding ""; + subs_filter_types text/css; + subs_filter '//fonts.gstatic.com/' '//tools-static.wmflabs.org/fontcdn/'; + } + } + location ~ ^/([^/]+)(/.*)?$ { autoindex on; add_header Access-Control-Allow-Origin '*'; -- To view, visit https://gerrit.wikimedia.org/r/357878 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I62dce4132e90a825811969790800a0d46d41ae09 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Zhuyifei1999 <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
