Apply apache us filter to Zuul

This is some evidence these vhosts are impacted. Mitigate that with our rules. While we are at it we modify the ruleset to add a newly noticed item. Change-Id: I8c20193e4e474898a0bdc395b25fd9de94469dd6
2024-04-03 09:31:17 -07:00 · 2024-04-03 09:31:17 -07:00 · 6ca2b9a7d5
parent f85db03506
commit 6ca2b9a7d5
4 changed files with 16 additions and 0 deletions
--- a/playbooks/roles/apache-ua-filter/files/ua-filter.conf
+++ b/playbooks/roles/apache-ua-filter/files/ua-filter.conf
@ -49,6 +49,7 @@
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999" [OR]
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Mobile Safari/537.36" [OR]
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" [OR]
+  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.94 Mobile Safari/537.36 (compatible; GoogleOther)" [OR]
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/48.0.2564.116 Mobile Safari/537.36 T7/9.1 baidubrowser/7.19.13.0 (Baidu; P1 7.1.1)" [OR]
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.97 Mobile Safari/537.36" [OR]
  RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.106 Mobile Safari/537.36 AWP/2.0 SogouMSE,SogouMobileBrowser/5.22.8" [OR]
--- a/playbooks/roles/zuul-web/tasks/main.yaml
+++ b/playbooks/roles/zuul-web/tasks/main.yaml
@ -5,6 +5,11 @@
      - apache2-utils
    state: present

+- name: Add UA filter macro to apache config
+  # This is used in the zuul apache vhost.
+  include_role:
+    name: apache-ua-filter
+
 - name: Apache modules
  apache2_module:
    state: present
--- a/playbooks/roles/zuul-web/templates/openstack.vhost.j2
+++ b/playbooks/roles/zuul-web/templates/openstack.vhost.j2
@ -7,6 +7,7 @@
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/zuul-access.log combined-cache
+  Use UserAgentFilter

  Redirect / https://zuul.openstack.org/

@ -40,6 +41,10 @@
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

+  # This macro relies on mod rewrite rules so put it before any of the
+  # actual rewrites we want to perform.
+  Use UserAgentFilter
+
  RewriteEngine on

  RewriteRule ^/api/connection/(.*)$ http://127.0.0.1:9000/api/connection/$1 [P,L]
--- a/playbooks/roles/zuul-web/templates/zuul.vhost.j2
+++ b/playbooks/roles/zuul-web/templates/zuul.vhost.j2
@ -7,6 +7,7 @@
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/zuul-access.log combined-cache
+  Use UserAgentFilter

  Redirect / https://zuul.opendev.org/

@ -40,6 +41,10 @@
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

+  # This macro relies on mod rewrite rules so put it before any of the
+  # actual rewrites we want to perform.
+  Use UserAgentFilter
+
  RewriteEngine on

  RewriteRule ^/api/tenant/(.*)/console-stream ws://127.0.0.1:9000/api/tenant/$1/console-stream [P,L]