gitlab: Fix revproxy for web IDE

The reverse proxy must allow and pass encoded slashes. See: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/65649#note_416862810

gitlab: Fix revproxy for web IDE
The reverse proxy must allow and pass encoded slashes. See: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/65649#note_416862810
9e54f698 · James T. Lee · b05125cd · 9e54f698 · 9e54f698
Commit 9e54f698 authored Nov 30, 2020 by James T. Lee
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 12 deletions

manifests/lib/revproxy.pp manifests/lib/revproxy.pp +31 -9

manifests/service/gitlab.pp manifests/service/gitlab.pp +4 -3

No files found.
--- a/manifests/lib/revproxy.pp
+++ b/manifests/lib/revproxy.pp
@@ -6,17 +6,38 @@ define nest::lib::revproxy (
  Optional[Integer] $port                            = undef,
  Boolean $ssl                                       = true,
  Optional[String[1]] $websockets                    = undef,
+  Boolean $allow_encoded_slashes                     = false,
  Boolean $preserve_host                             = false,
  Hash[String[1], Any] $extra_params                 = {},
 ) {
  if $websockets {
    include '::apache::mod::proxy_wstunnel'
+  }
+  $proxy_pass_match = [
+    $websockets ? {
+      undef   => [],
+      default => [{
+        'path'         => "^/(${websockets})$",
+        'url'          => "ws://${destination}/\$1",
+        'reverse_urls' => []
+      }],
+    },
+    $allow_encoded_slashes ? {
+      true    => [{
+        'path'         => '^/(.*)$',
+        'url'          => "http://${destination}/\$1",
+        'keywords'     => ['nocanon'],
+        'reverse_urls' => [],
+      }],
+      default => [],
+    },
+  ].flatten
-    $websockets_proxy_pass = [{
+  $allow_encoded_slashes_vhost = $allow_encoded_slashes ? {
-      'path'         => "^/(${websockets})$",
+    true    => on,
-      'url'          => "ws://${destination}/\$1",
+    default => undef,
-      'reverse_urls' => []
-    }]
  }
  $certbot_exception = @(EOT)
@@ -35,10 +56,11 @@ define nest::lib::revproxy (
    ssl           => $ssl,
    zfs_docroot   => false,
    extra_params  => {
-      'proxy_preserve_host' => $preserve_host,
+      'allow_encoded_slashes' => $allow_encoded_slashes_vhost,
-      'proxy_pass_match'    => $websockets_proxy_pass,
+      'proxy_preserve_host'   => $preserve_host,
-      'proxy_dest'          => "http://${destination}",
+      'proxy_pass_match'      => $proxy_pass_match,
-      'custom_fragment'     => $certbot_exception,
+      'proxy_dest'            => "http://${destination}",
+      'custom_fragment'       => $certbot_exception,
    } + $extra_params,
  }
 }
--- a/manifests/service/gitlab.pp
+++ b/manifests/service/gitlab.pp
@@ -108,8 +108,9 @@ class nest::service::gitlab (
  }
  nest::lib::revproxy { 'gitlab.james.tl':
-    destination => '172.18.0.2',
+    destination           => '172.18.0.2',
-    ip          => ['104.156.227.40', '2001:19f0:300:2005::40'],
+    ip                    => ['104.156.227.40', '2001:19f0:300:2005::40'],
-    websockets  => '.*\.ws',
+    websockets            => '.*\.ws',
+    allow_encoded_slashes => true,
  }
 }