From 3c47bdbd5df324b434512cb51dea63d22e15019c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= <radoslaw.piliszek@gmail.com>
Date: Sun, 5 Apr 2020 16:02:23 +0200
Subject: [PATCH] Set AllowEncodedSlashes NoDecode on 8080 revproxy

This is a follow-up on nocanon from [1].
This ensures Apache does not filter any requests originally
containing encoded slashes.

[1] I5a3a6551536e2d1e87aa074e0de7619a367b1971

Change-Id: I94fcb67a914da6ab4d6e1bfd0a2e02121d22559c
---
 modules/openstack_project/templates/mirror.vhost.erb | 5 +++++
 playbooks/roles/mirror/templates/mirror.vhost.j2     | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/modules/openstack_project/templates/mirror.vhost.erb b/modules/openstack_project/templates/mirror.vhost.erb
index 1e6c384283..2a9cd10d01 100644
--- a/modules/openstack_project/templates/mirror.vhost.erb
+++ b/modules/openstack_project/templates/mirror.vhost.erb
@@ -143,6 +143,11 @@ LogFormat "%h %l %u %t \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-a
     CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8080_access.log combined-cache
     ServerSignature Off
 
+    # Let upstreams decide on encoded slash handling.
+    # The default is 'Off' which returns 404 for URLs with encoded slashes,
+    # i.e. '%2f' instead of '/'.
+    AllowEncodedSlashes NoDecode
+
     # Caching reverse proxy for things that don't make sense in AFS
     #
     # General cache rules
diff --git a/playbooks/roles/mirror/templates/mirror.vhost.j2 b/playbooks/roles/mirror/templates/mirror.vhost.j2
index 5fdcaf1fac..8ed3771f86 100644
--- a/playbooks/roles/mirror/templates/mirror.vhost.j2
+++ b/playbooks/roles/mirror/templates/mirror.vhost.j2
@@ -155,6 +155,11 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
     CustomLog /var/log/apache2/proxy_8080_access.log combined-cache
     ServerSignature Off
 
+    # Let upstreams decide on encoded slash handling.
+    # The default is 'Off' which returns 404 for URLs with encoded slashes,
+    # i.e. '%2f' instead of '/'.
+    AllowEncodedSlashes NoDecode
+
     # Caching reverse proxy for things that don't make sense in AFS
     #
     # General cache rules