Dzahn has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/105944


Change subject: do not use generated .htaccess from Bugzilla
......................................................................

do not use generated .htaccess from Bugzilla

Bugzilla has an option to check for and auto-create an
.htaccess file in its document root to avoid leaking
config for download and other reasons.

This was enabled for testing, but let's not actually use it
for prod. That would just split the Apache config into one
part being in puppet and another part being auto-created by
BZ's checksetup.pl and make debugging more complicated, and
I think it's messy to have config in separate places.

So, disable the option and instead copy exactly what it generated
once into the main Apache config template here in puppet.

Only drawback I see: if upstream changes this we'd have to sync
or check our config here.

Change-Id: I7e6566c9abcf3c1bab13aeab508aba3b307652cd
---
M modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
M modules/bugzilla/templates/localconfig.erb
2 files changed, 34 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/44/105944/1

diff --git a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb 
b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
index 28e1675..44c1f28 100644
--- a/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
+++ b/modules/bugzilla/templates/apache/bugzilla.wikimedia.org.erb
@@ -91,6 +91,39 @@
                Options +ExecCGI +FollowSymLinks
                AllowOverride Limit FileInfo Indexes
                DirectoryIndex index.cgi index.html
+
+        # what Bugzilla generates in a .htaccess otherwise if you enable it
+
+        # Don't allow people to retrieve non-cgi executable files or our 
private data
+        <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
+            deny from all
+        </FilesMatch>
+
+        Options -Indexes
+
+        <IfModule mod_expires.c>
+        <IfModule mod_headers.c>
+        <IfModule mod_env.c>
+            <FilesMatch (\.js|\.css)$>
+            ExpiresActive On
+            # According to RFC 2616, "1 year in the future" means "never 
expire".
+            # We change the name of the file's URL whenever its modification 
date
+            # changes, so browsers can cache any individual JS or CSS URL 
forever.
+            # However, since all JS and CSS URLs involve a ? in them (for the 
changing
+            # name) we have to explicitly set an Expires header or browsers 
won't
+            # *ever* cache them.
+            ExpiresDefault "now plus 1 years"
+            Header append Cache-Control "public"
+             </FilesMatch>
+
+            # This lets Bugzilla know that we are properly sending 
Cache-Control
+            # and Expires headers for CSS and JS files.
+            SetEnv BZ_CACHE_CONTROL 1
+        </IfModule>
+        </IfModule>
+        </IfModule>
+        # /from bugzilla generated .htaccess
+
        </Directory>
 
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
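Review bot: with .htaccess generation turned off, the unchanged `AllowOverride Limit FileInfo Indexes` on the line above the new block should become `AllowOverride None` in this `<Directory>`, otherwise a stale or attacker-written .htaccess in the docroot is still honored and can relax the `deny from all` on `.pm`/`.pl`/`.tmpl`/`localconfig*` you are adding here (it also saves Apache a per-request .htaccess lookup). Two smaller points on the same block: `deny from all` is the Apache 2.2 access syntax (under 2.4 it needs mod_access_compat; the equivalent is `Require all denied`), and the localconfig comment in the second file speaks of .htaccess "files" in the plural, so please confirm that only the document-root file needs reproducing and that nothing checksetup.pl used to generate elsewhere is lost. The stray extra space before `</FilesMatch>` after `Header append Cache-Control "public"` is cosmetic but worth fixing while copying.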
diff --git a/modules/bugzilla/templates/localconfig.erb 
b/modules/bugzilla/templates/localconfig.erb
index 7c6e866..4487e64 100644
--- a/modules/bugzilla/templates/localconfig.erb
+++ b/modules/bugzilla/templates/localconfig.erb
@@ -6,7 +6,7 @@
 # they don't exist.
 #
 # If this is set to 0, checksetup.pl will not create .htaccess files.
-$create_htaccess = 1;
+$create_htaccess = 0;
 
 # The name of the group that your web server runs as. On Red Hat
 # distributions, this is usually "apache". On Debian/Ubuntu, it is
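Review bot: setting `$create_htaccess = 0` stops checksetup.pl from creating .htaccess files but does not remove the ones it already wrote while this was enabled for testing, and with the current `AllowOverride` those files are still read by Apache; the change should also delete the generated .htaccess files from the host (or have puppet ensure they are absent) so the Apache template in this change is the only place these rules live, as the commit message intends.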

-- 
To view, visit https://gerrit.wikimedia.org/r/105944
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7e6566c9abcf3c1bab13aeab508aba3b307652cd
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <dz...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits