From 3996374ea0d65e52201649c71e09fe45a8e25918 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin@scrye.com>
Date: Jan 24 2024 23:19:14 +0000
Subject: proxies / ipa / ui: try and edit the referrer for new ipa


New ipa checks the referrer to avoid CSRF issues.
We need to have the proxy edit requests for the right internal hostname
for it to be able to work.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

---

diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
index 0333fc2..20eec6b 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.00-ipa.conf
@@ -1,4 +1,5 @@
 ProxyPassReverseCookieDomain ipa01{{env_suffix}}.iad2.fedoraproject.org id{{env_suffix}}.fedoraproject.org
+RequestHeader edit Referer ^https://id\.fedoraproject\.org/ https://ipa01{{env_suffix}}.iad2.fedoraproject.org
 
 ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
 ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}