# Static filesystem access for the gateway: web root, stock httpd icons and the keys directory.
# AllowOverride None means .htaccess files are ignored in these trees, so the access rules live only in this file.
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
DocumentRoot /var/www/
Alias /icons/ "/usr/share/httpd/icons/"
<Directory "/usr/share/httpd/icons">
Options Indexes MultiViews FollowSymlinks
AllowOverride None
Require all granted
</Directory>
# Options Indexes turns on auto-generated listings, so every file placed under
# /var/www/keys can be enumerated and downloaded by any client that passes the access rules.
# NOTE(review): presumably this directory holds public keys only; confirm nothing private is ever written here.
<Directory "/var/www/keys">
Options Indexes
AllowOverride None
Require all granted
IndexOptions FancyIndexing HTMLTable NameWidth=* SuppressDescription
</Directory>
# Turn on mod_rewrite for the RewriteRule lines used later in this file.
RewriteEngine On
# Disable caching of static or api files
# LocationMatch takes a regular expression and neither pattern is anchored,
# so these match any URL path that contains /static or /api, not only paths that start with it.
<LocationMatch "/static">
CacheDisable on
</LocationMatch>
<LocationMatch "/api">
CacheDisable on
</LocationMatch>
# Enable cross request for cgit content
# The wildcard origin lets a script on any website read responses served under /cgit.
# NOTE(review): appropriate only while everything under /cgit is public; confirm no private repository is exposed there.
<Location "/cgit">
Header set Access-Control-Allow-Origin '*'
</Location>
# Documentation aliases. The more specific /docs/... aliases are listed before the
# generic /docs one because Alias directives are tried in the order they appear.
# The zuul-jobs path is built from the fourth dash-separated field of the version
# command output, and is only emitted when that variable is defined.
{% if _zuul_job_version is defined %}
Alias "/docs/zuul-jobs" "/usr/share/doc/zuul-jobs-doc-{{ _zuul_job_version.stdout.split('-')[3] }}/html"
{% endif %}
Alias "/docs/managesf" "/usr/share/doc/managesf/"
Alias "/docs" "/usr/share/doc/software-factory/"
# Access is granted on the whole /usr/share/doc tree at the filesystem level;
# only the aliased sub-directories above are mapped to a URL in this file.
<Directory "/usr/share/doc/">
Require all granted
</Directory>
# Extra directories published by the deployment: each gateway_directories entry
# supplies a URL name, a filesystem path and a list of option lines that are
# written into the Directory section verbatim.
# NOTE(review): the option lines are raw httpd directives taken from the inventory,
# so whoever can edit that variable decides the access rules for these paths.
# NOTE(review): the path is quoted in the Alias but not in the Directory tag; a path containing spaces would not parse.
{% for directory in gateway_directories -%}
Alias "/{{ directory.name }}" "{{ directory.path }}"
<Directory {{ directory.path }}>
{% for option in directory.options %}
{{ option }}
{% endfor -%}
</Directory>
{% endfor -%}
# Second declaration for /var/www, written with the httpd 2.2 access directives
# (Order / Allow / Deny), which need mod_access_compat on httpd 2.4.
# NOTE(review): the same directory is already opened with Require all granted at the top of this file;
# mixing the old and new access syntax is discouraged by the httpd documentation.
<Directory /var/www>
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Files under /var/www/managesf are never served directly: Deny from all blocks every client.
<Directory /var/www/managesf>
Order allow,deny
Deny from all
</Directory>
{% if 'grafana' in roles %}
# Drop any X-Forwarded-User header sent by the client on /grafana/ requests,
# so the value can never originate from outside the gateway.
# NOTE(review): presumably Grafana trusts this header for proxy authentication; nothing in this
# file sets it afterwards, so confirm where the trusted value is meant to come from.
<LocationMatch "^/grafana/">
RequestHeader unset X-Forwarded-User
</LocationMatch>
{% endif %}
# Reverse-proxy routes to the backend services. The whole section is skipped when mod_proxy is not loaded.
<IfModule mod_proxy.c>
# ProxyRequests Off keeps forward proxying disabled: only the ProxyPass and [P] routes below are served.
ProxyVia On
ProxyRequests Off
{% if 'gerrit' in roles %}
# nocanon hands the raw, un-canonicalised URL path to Gerrit, presumably so that
# encoded slashes survive (see AllowEncodedSlashes NoDecode further down).
# The proxy no longer normalises these paths, so the backend has to handle encoded input itself.
ProxyPass /r {{ gerrit_internal_url | regex_replace('\\/$', '') }} nocanon retry=0
ProxyPassReverse /r {{ gerrit_internal_url | regex_replace('\\/$', '') }}
RewriteRule ^/r/gitweb(.*)$ /r/plugins/gitiles/$1/ [R]
{% endif %}
{% if 'zuul' in roles %}
ProxyPass /zuul {{ zuul_web_url }} nocanon retry=0
ProxyPassReverse /zuul {{ zuul_web_url }}
RewriteRule ^/zuul/*$ /zuul/t/{{ tenant_name }}/status [R,L]
# Rewrite api to zuul-web
# [P] makes mod_rewrite proxy the request. Only the path part is taken from the
# client; the target host comes from the template variables.
RewriteRule ^/zuul/api/tenant/(.*)/console-stream$ {{ zuul_ws_url }}/api/tenant/$1/console-stream [P,L]
RewriteRule ^/zuul/api/(.*)$ {{ zuul_web_url }}/api/$1 [P,L]
Redirect "/docs/zuul" "https://zuul-ci.org/docs/zuul/{{ _zuul_version.stdout }}"
Redirect "/docs/nodepool" "https://zuul-ci.org/docs/nodepool/{{ _nodepool_version.stdout }}"
{% endif %}
{% if tenant_deployment %}
# Tenant deployment: /zuul is forwarded to the master deployment and pinned to this tenant.
ProxyPass /zuul {{ master_sf_url }}/zuul nocanon retry=0
ProxyPassReverse /zuul {{ master_sf_url }}/zuul
RewriteRule ^/zuul/*$ /zuul/status [R,L]
# SSLProxyEngine On lets the proxy speak TLS to the upstream.
# NOTE(review): no SSLProxyVerify or SSLProxyCACertificateFile is visible in this file;
# confirm that upstream certificate verification is configured elsewhere.
SSLProxyEngine On
# Send the master's own host name upstream instead of the name the client used.
<location /zuul>
RequestHeader set Host "{{ master_sf_fqdn }}"
ProxyPreserveHost Off
</location>
# Rewrite api to zuul-web
RewriteRule ^/zuul/api/console-stream$ wss://{{ master_sf_fqdn }}/zuul/api/tenant/{{ tenant_name }}/console-stream [P,L]
RewriteRule ^/zuul/api/(.*)$ {{ master_sf_url }}/zuul/api/tenant/{{ tenant_name }}/$1 [P,L]
Redirect "/docs/zuul" "{{ master_sf_url }}/docs/zuul"
Redirect "/docs/nodepool" "{{ master_sf_url }}/docs/nodepool"
{% endif %}
# SF-UI: Rewrite HTML5 url to the index.html
<Directory /usr/share/sf-ui>
DirectoryIndex index.html
Require all granted
Order allow,deny
Allow from all
</Directory>
# If the request match an sf-ui SPA route
# The first pattern is a prefix match: any path starting with /project, /login or /logout gets the SPA index.
RewriteRule ^/(project|login|logout).*$ /usr/share/sf-ui/index.html [L]
RewriteRule ^/auth/settings$ /usr/share/sf-ui/index.html [L]
RewriteRule ^/$ /usr/share/sf-ui/index.html [L]
# If the request match an sf-ui filename, then redirect to it
RewriteCond /usr/share/sf-ui/%{REQUEST_FILENAME} -f
RewriteRule .* /usr/share/sf-ui/%{REQUEST_FILENAME} [L]
{% if 'managesf' in roles %}
# timeout=2400 allows a backend request to run for up to 40 minutes; the link to managesf is plain HTTP.
ProxyPass /manage/ http://managesf:20001/ retry=0 timeout=2400
ProxyPassReverse /manage/ http://managesf:20001/ timeout=2400
{% endif %}
{% if 'etherpad' in roles %}
# Etherpad is reached on the loopback interface of the gateway host.
RewriteRule ^/etherpad$ etherpad/ [R]
ProxyPass /etherpad/ http://127.0.0.1:9001/ retry=0
ProxyPassReverse /etherpad/ http://127.0.0.1:9001/
{% endif %}
{% if 'lodgeit' in roles %}
# The paste service is reached on the loopback interface of the gateway host.
RewriteRule ^/paste$ paste/ [R]
ProxyPass /paste http://127.0.0.1:5000/paste retry=0
ProxyPassReverse /paste http://127.0.0.1:5000/paste
{% endif %}
{% if koji_host|default(False) %}
# NOTE(review): koji_host is reached over plain HTTP; confirm the gateway-to-koji path is a trusted network.
ProxyPass /koji/ http://{{ koji_host }}/koji/ retry=0
ProxyPassReverse /koji/ http://{{ koji_host }}/koji/
ProxyPass /koji-static/ http://{{ koji_host }}/koji-static/ retry=0
ProxyPassReverse /koji-static/ http://{{ koji_host }}/koji-static/
ProxyPass /kojifiles/ http://{{ koji_host }}/kojifiles/ retry=0
ProxyPassReverse /kojifiles/ http://{{ koji_host }}/kojifiles/
{% endif %}
# Nodepool builders and launchers on other hosts are proxied here; the ones running on
# the gateway host itself are served through Alias lines after this IfModule section.
{% if 'nodepool-builder' in roles %}
{% for builder in groups['nodepool-builder'] %}
{% if builder != gateway_host %}
ProxyPass /nodepool-builder/{{ builder }}/ http://{{ builder }}/nodepool-builder/
ProxyPassReverse /nodepool-builder/{{ builder }}/ http://{{ builder }}/nodepool-builder/
{% endif %}
{% endfor %}
{% endif %}
{% if 'nodepool-launcher' in roles %}
{% for launcher in groups['nodepool-launcher'] %}
{% if launcher != gateway_host %}
ProxyPass /nodepool-launcher/{{ launcher }}/ http://{{ launcher }}/nodepool-launcher/
ProxyPassReverse /nodepool-launcher/{{ launcher }}/ http://{{ launcher }}/nodepool-launcher/
{% endif %}
{% endfor %}
{% endif %}
{% if 'logserver' in roles %}
# Job logs are fetched from the log server over plain HTTP.
ProxyPass /logs/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs/
ProxyPassReverse /logs/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs/
ProxyPass /logs-raw/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs-raw/
ProxyPassReverse /logs-raw/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs-raw/
{% endif %}
{% if 'hound' in roles %}
RewriteRule ^/codesearch$ codesearch/ [R]
ProxyPass /codesearch/ {{ hound_internal_url }}/
ProxyPassReverse /codesearch/ {{ hound_internal_url }}/
{% endif %}
# Authentication traffic under /auth/ is proxied over plain HTTP (Keycloak, going by the variable names).
# NOTE(review): if keycloak_host is not this machine, credentials and tokens cross the network
# unencrypted; confirm that link is trusted or move the backend connection to TLS.
ProxyPass /auth/ http://{{ keycloak_host }}:{{ keycloak_http_port }}/auth/
ProxyPassReverse /auth/ http://{{ keycloak_host }}:{{ keycloak_http_port }}/auth/
# Backends receive the Host header sent by the client, and encoded slashes in a URL path are passed through undecoded.
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
# Applies to every proxied URL: access is open at this level, so any authentication
# comes only from the Location sections elsewhere in this file.
# NOTE(review): Options and AllowOverride describe filesystem directories; confirm they are needed inside a Proxy section.
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
{% if 'grafana' in roles %}
RewriteRule ^/grafana$ grafana/ [R]
ProxyPass /grafana/ {{ grafana_internal_url }}/
ProxyPassReverse /grafana/ {{ grafana_internal_url }}/
{% endif %}
</IfModule>
{% if 'nodepool' in roles %}
# Browsable directory for nodepool files: Options Indexes generates a listing of everything under /var/www/nodepool.
# NOTE(review): listings expose every file name in the tree; confirm only content meant for publication is stored here.
<Directory /var/www/nodepool>
IndexOptions FancyIndexing FoldersFirst
Options MultiViews Indexes
AllowOverride None
Order allow,deny
Allow from all
</Directory>
{% endif %}
# Nodepool builder and launcher files for the instance that runs on the gateway host
# itself are served from local directories; instances on other hosts are proxied instead.
{% if 'nodepool-builder' in roles %}
{% for builder in groups['nodepool-builder'] -%}
{% if builder == gateway_host -%}
Alias /nodepool-builder/{{ builder }}/ /var/www/html/nodepool-builder/
{% endif %}
{% endfor %}
{% endif %}
{% if 'nodepool-launcher' in roles %}
{% for launcher in groups['nodepool-launcher'] -%}
{% if launcher == gateway_host -%}
Alias /nodepool-launcher/{{ launcher }}/ /var/www/html/nodepool-launcher/
{% endif -%}
{% endfor -%}
{% endif %}
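# Headers handed to the backend proxied under /auth.
# Both use "set", which replaces a header of the same name sent by the client.
# "add" would keep the client's X-forwarded-proto next to ours and leave the choice to the backend.
# x-ssl-client-cert carries whatever mod_ssl reports for the client certificate of this connection.
<Location "/auth">
RequestHeader set "X-forwarded-proto" "https"
RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s"
</Location>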
{% if 'managesf' in roles %}
# managesf API: the client-supplied X-Remote-User is removed, the request must be
# authenticated (AuthType oauth20), and the header is then rebuilt from REMOTE_USER,
# so the backend only ever sees an identity established by the gateway.
<Location "/manage">
RequestHeader unset X-Remote-User
AuthType oauth20
Require valid-user
RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>
# Satisfy Any together with Allow from All opens this path to unauthenticated clients.
# NOTE(review): Satisfy and Allow are httpd 2.2 directives (mod_access_compat) mixed with the
# 2.4 Require syntax used on /manage; confirm the combination behaves as intended on the deployed httpd.
<Location "/manage/v2/configurations">
Allow from All
Satisfy Any
</Location>
# Enable "anonymous" access to read resources.
# GET needs no authentication (Require method GET also admits HEAD); POST needs a valid user.
# Any other method matches neither branch and is refused.
# NOTE(review): on an anonymous GET there is no REMOTE_USER, so X-Remote-User is set from an
# empty value; confirm how the backend interprets that.
<Location "/manage/v2/resources">
RequestHeader unset X-Remote-User
AuthType oauth20
<RequireAny>
<RequireAll>
Require valid-user
Require method POST
</RequireAll>
<RequireAll>
Require method GET
</RequireAll>
</RequireAny>
RequestHeader set X-Remote-User %{REMOTE_USER}s
</Location>
# Same anonymous-access pattern as /manage/v2/configurations.
<Location "/manage/about">
Allow from All
Satisfy Any
</Location>
{% endif %}
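{% if authentication["authenticated_only"] %}
# Make sure static files, docs, git and the topmenu are accessible even if
# anonymous access is disabled. Git itself is protected by Gerrit
# The negative lookahead lists the paths that stay anonymous; every other URL needs an
# OpenID Connect session. The dots in index.html, _defconf.tgz and .well-known are
# escaped so that they match a literal dot only and do not widen the exemption.
# NOTE(review): apart from the final root alternative, the entries are prefix matches,
# so any path that merely starts with /docs, /static or /auth is exempt as well.
# NOTE(review): server-status is exempt from authentication here; confirm that the status
# handler is restricted by address elsewhere or is not enabled.
<LocationMatch "^(?!/(r/.*/(info/refs|git-upload-pack)|docs|static|auth|index\.html|_defconf\.tgz|\.well-known|zuul/api/connection/[^\/]+/payload|server-status|$))">
Order deny,allow
Allow from all
AuthType openid-connect
Require valid-user
</LocationMatch>
{% endif %}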
# Needed for redirection to work
# /redirect always requires an authenticated OpenID Connect user, whether or not authenticated_only is enabled.
<Location "/redirect">
AuthType openid-connect
require valid-user
</Location>