Dzahn has uploaded a new change for review. https://gerrit.wikimedia.org/r/105944
Change subject: do not use generated .htaccess from Bugzilla
......................................................................

do not use generated .htaccess from Bugzilla

Bugzilla has an option to check for and auto-create a .htaccess file in its document root, to avoid leaking config for download and for other reasons. This was enabled for testing, but let's not actually use it for prod. That would just split the Apache config into one part being in puppet and another part being auto-created by BZ's checksetup.pl, make debugging more complicated, and I think it's messy to have config in separate places. So, disable the option and instead copy exactly what it generated once into the main Apache config template here in puppet. The only drawback I see: if upstream changes this, we'd have to sync or check our config here.

Change-Id: I7e6566c9abcf3c1bab13aeab508aba3b307652cd
---
M modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
M modules/bugzilla/templates/localconfig.erb
2 files changed, 34 insertions(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/44/105944/1

diff --git a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
index 28e1675..44c1f28 100644
--- a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
+++ b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
@@ -91,6 +91,39 @@ Options +ExecCGI +FollowSymLinks AllowOverride Limit FileInfo Indexes DirectoryIndex index.cgi index.html + + # what Bugzilla generates in a .htaccess otherwise if you enable it + + # Don't allow people to retrieve non-cgi executable files or our private data + <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$> + deny from all + </FilesMatch> + + Options -Indexes + + <IfModule mod_expires.c> + <IfModule mod_headers.c> + <IfModule mod_env.c> + <FilesMatch (\.js|\.css)$> + ExpiresActive On + # According to RFC 2616, "1 year in the future" means "never expire". + # We change the name of the file's URL whenever its modification date + # changes, so browsers can cache any individual JS or CSS URL forever. + # However, since all JS and CSS URLs involve a ? in them (for the changing + # name) we have to explicitly set an Expires header or browsers won't + # *ever* cache them. + ExpiresDefault "now plus 1 years" + Header append Cache-Control "public" + </FilesMatch> + + # This lets Bugzilla know that we are properly sending Cache-Control + # and Expires headers for CSS and JS files. + SetEnv BZ_CACHE_CONTROL 1 + </IfModule> + </IfModule> + </IfModule> + # /from bugzilla generated .htaccess + </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ diff --git a/modules/bugzilla/templates/localconfig.erb b/modules/bugzilla/templates/localconfig.erb index 7c6e866..4487e64 100644 --- a/modules/bugzilla/templates/localconfig.erb +++ b/modules/bugzilla/templates/localconfig.erb 
@@ -6,7 +6,7 @@ # they don't exist. # # If this is set to 0, checksetup.pl will not create .htaccess files. -$create_htaccess = 1; +$create_htaccess = 0; # The name of the group that your web server runs as. On Red Hat # distributions, this is usually "apache". On Debian/Ubuntu, it is -- To view, visit https://gerrit.wikimedia.org/r/105944 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7e6566c9abcf3c1bab13aeab508aba3b307652cd Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Dzahn <dz...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
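Review bot: In the bugzilla.wikimedia.org.erb hunk, the unchanged context line `AllowOverride Limit FileInfo Indexes` no longer has a purpose once .htaccess generation is switched off, and could be tightened to `AllowOverride None` so that a stray or stale .htaccess in the document root cannot silently change the config that puppet now owns; if something still depends on overrides, a comment saying what would help. Since the commit message itself flags that the copied block will drift if upstream changes it, record in the `# what Bugzilla generates in a .htaccess otherwise if you enable it` comment which Bugzilla version the block was taken from, so the "sync or check" step is concrete. Minor: `deny from all` is the Apache 2.2 access-control form; it is fine for this template as it stands, but would need to become `Require all denied` if the host moves to Apache 2.4.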
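Review bot: In the localconfig.erb hunk, `$create_htaccess = 0` only stops checksetup.pl from creating new .htaccess files (per the comment directly above the changed line); any .htaccess files it already generated on the host stay on disk and keep being honoured by Apache, so this change should be paired with removing them (or a puppet resource ensuring they are absent), otherwise the config is still in two places, which is exactly what the commit message sets out to avoid. Also worth a second look: the comment here speaks of .htaccess files in the plural, while the Apache hunk copies only the document-root rules, so confirm that nothing checksetup.pl generated for other directories was protecting private data before relying on the puppet copy alone.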