From 6ca2b9a7d51e43f16c009b5ab0455a048441f61d Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 3 Apr 2024 09:31:17 -0700
Subject: [PATCH] Apply apache us filter to Zuul

This is some evidence these vhosts are impacted. Mitigate that with our rules. While we are at it we modify the ruleset to add a newly noticed item.

Change-Id: I8c20193e4e474898a0bdc395b25fd9de94469dd6
---
playbooks/roles/apache-ua-filter/files/ua-filter.conf | 1 +
playbooks/roles/zuul-web/tasks/main.yaml | 5 +++++
playbooks/roles/zuul-web/templates/openstack.vhost.j2 | 5 +++++
playbooks/roles/zuul-web/templates/zuul.vhost.j2 | 5 +++++
4 files changed, 16 insertions(+)
diff --git a/playbooks/roles/apache-ua-filter/files/ua-filter.conf b/playbooks/roles/apache-ua-filter/files/ua-filter.conf
index ee8340b90c..8c4b67d6d2 100644
--- a/playbooks/roles/apache-ua-filter/files/ua-filter.conf
+++ b/playbooks/roles/apache-ua-filter/files/ua-filter.conf
@@ -49,6 +49,7 @@ RewriteCond %{HTTP_USER_AGENT} "=Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999" [OR] RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Mobile Safari/537.36" [OR] RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" [OR] + RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.94 Mobile Safari/537.36 (compatible; GoogleOther)" [OR] RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/48.0.2564.116 Mobile Safari/537.36 T7/9.1 baidubrowser/7.19.13.0 (Baidu; P1 7.1.1)" [OR] RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.97 Mobile Safari/537.36" [OR] RewriteCond %{HTTP_USER_AGENT} "=Mozilla/5.0 (Linux; Android 7.1.1; OPPO R9sk Build/NMF26F; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/68.0.3440.106 Mobile Safari/537.36 AWP/2.0 SogouMSE,SogouMobileBrowser/5.22.8" [OR] diff --git a/playbooks/roles/zuul-web/tasks/main.yaml b/playbooks/roles/zuul-web/tasks/main.yaml index 9b393926f7..59c9f1403b 100644 --- a/playbooks/roles/zuul-web/tasks/main.yaml +++ b/playbooks/roles/zuul-web/tasks/main.yaml @@ -5,6 +5,11 @@ - apache2-utils state: present +- name: Add UA filter macro to apache config + # This is used in the zuul apache vhost. + include_role: + name: apache-ua-filter + - name: Apache modules apache2_module: state: present diff --git a/playbooks/roles/zuul-web/templates/openstack.vhost.j2 b/playbooks/roles/zuul-web/templates/openstack.vhost.j2 index 23eae4dc82..521e798b48 100644 
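Review bot: The added `RewriteCond` is an exact-string match (the `=` prefix) on a GoogleOther user agent that embeds one specific Chrome build, `Chrome/122.0.6261.94`, so it will presumably stop matching as soon as the crawler reports a newer Chrome version, and the traffic would return without anyone noticing. If the intent is to refuse this crawler as a class, a pattern on the stable token is more durable, e.g. `RewriteCond %{HTTP_USER_AGENT} "\(compatible; GoogleOther\)$" [OR]`. A short comment recording when and why the entry was added would also help whoever prunes this list later. The rest of the condition list and the rule that consumes it lie outside the hunk, so whether mixing a regex condition with the `=` entries fits the file's conventions needs checking there.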
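Review bot: Nothing visible in the `tasks/main.yaml` hunk guarantees that Apache's `macro` module is enabled before the vhost templates start calling `Use UserAgentFilter`. If neither the `apache-ua-filter` role nor the `Apache modules` task (whose module list continues outside the hunk) enables it, Apache will reject the configuration at the next reload or restart and the Zuul web frontend will not come back up. Please confirm that `macro` and `rewrite` are both enabled by one of the two. The inline comment could record the dependency, e.g. `# Installs the UserAgentFilter macro used by the zuul vhosts; needs mod_macro and mod_rewrite.`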
--- a/playbooks/roles/zuul-web/templates/openstack.vhost.j2 +++ b/playbooks/roles/zuul-web/templates/openstack.vhost.j2 @@ -7,6 +7,7 @@ LogLevel warn CustomLog ${APACHE_LOG_DIR}/zuul-access.log combined-cache + Use UserAgentFilter Redirect / https://zuul.openstack.org/ @@ -40,6 +41,10 @@ # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + # This macro relies on mod rewrite rules so put it before any of the + # actual rewrites we want to perform. + Use UserAgentFilter + RewriteEngine on RewriteRule ^/api/connection/(.*)$ http://127.0.0.1:9000/api/connection/$1 [P,L] diff --git a/playbooks/roles/zuul-web/templates/zuul.vhost.j2 b/playbooks/roles/zuul-web/templates/zuul.vhost.j2 index 683d6ea9ba..d921230ef9 100644 --- a/playbooks/roles/zuul-web/templates/zuul.vhost.j2 +++ b/playbooks/roles/zuul-web/templates/zuul.vhost.j2 @@ -7,6 +7,7 @@ LogLevel warn CustomLog ${APACHE_LOG_DIR}/zuul-access.log combined-cache + Use UserAgentFilter Redirect / https://zuul.opendev.org/ @@ -40,6 +41,10 @@ # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + # This macro relies on mod rewrite rules so put it before any of the + # actual rewrites we want to perform. + Use UserAgentFilter + RewriteEngine on RewriteRule ^/api/tenant/(.*)/console-stream ws://127.0.0.1:9000/api/tenant/$1/console-stream [P,L]
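Review bot: In the first hunk of `openstack.vhost.j2`, and the matching first hunk of `zuul.vhost.j2`, `Use UserAgentFilter` is added beside a plain `Redirect /` with no `RewriteEngine on` in view, whereas the second hunk of each file sits directly above an explicit `RewriteEngine on`. If the macro does not switch the rewrite engine on itself, its conditions are never evaluated in this block and filtered clients still receive the redirect. The macro body is not on this page, so this needs confirming in `ua-filter.conf`. The practical impact is likely small because the redirected request reaches the filtered HTTPS block, but if the engine is not enabled by the macro, adding `RewriteEngine on` above the `Use` line makes the plain-HTTP block behave as intended. Both blocks start and end outside the hunks.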
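Review bot: The comment added in the second hunk of `openstack.vhost.j2` says the macro must come before the rewrites but not what goes wrong if it does not. The proxy rules that follow carry `[P,L]`, so a request matching one of them ends rule processing, and a filter placed below them would never be applied to the API and console-stream paths. I would state that in the comment, e.g. `# Keep this above the [P,L] proxy rules: once one of those matches, later rules (including the filter) are skipped.` The same wording applies to the identical second hunk in `zuul.vhost.j2`.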