From d6131df6a85ecb45559ed1a15a14c42fd92a21c7 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Sun, 10 Jul 2022 07:54:38 -0700 Subject: [PATCH] apache: Also configure to serve on /freedombox This is useful mostly for future when we may switch from /plinth to /freedombox. Tests: - Accessing /freedombox/app/transmission works. Although redirects generated by the FreedomBox web service still redirect to /plinth. For example, redirection after logout and auto-redirection to login page. - Accessing pages of FreedomBox works as usual on /plinth and /freedombox. Content-Security-Policy is set. - Accessing /foo/plinth/app/transmission throws 404. - Accessing http:// redirects to https:// for /plinth and /freedombox. Signed-off-by: Sunil Mohan Adapa Reviewed-by: James Valleroy --- data/etc/apache2/conf-available/freedombox-tls.conf | 4 ++-- data/etc/apache2/conf-available/freedombox.conf | 12 ++++++++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/data/etc/apache2/conf-available/freedombox-tls.conf b/data/etc/apache2/conf-available/freedombox-tls.conf index 8c1441c9c..1a3cf184b 100644 --- a/data/etc/apache2/conf-available/freedombox-tls.conf +++ b/data/etc/apache2/conf-available/freedombox-tls.conf @@ -7,11 +7,11 @@ ## mod_rewrite ## mod_ssl ## - + RewriteEngine on # Don't redirect for onion sites as it is not needed and leads to # unnecessary warning. RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC] ReWriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] - + diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf index 72bb34ea1..f765b047f 100644 --- a/data/etc/apache2/conf-available/freedombox.conf +++ b/data/etc/apache2/conf-available/freedombox.conf @@ -44,7 +44,6 @@ ## other services. ## RedirectMatch "^/$" "/plinth" -RedirectMatch "^/freedombox" "/plinth" ## ## Disable sending Referer (sic) header from FreedomBox web interface to 
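Review bot: In the freedombox-tls.conf hunk, the HTTPS-redirect exemption `RewriteCond %{HTTP_HOST} !^.*\.onion$ [NC]` is decided by the client-supplied Host header, and the block's comment does not say so. The condition does not establish that a request arrived through the onion service, so the redirect alone is not a guarantee that the interface is served only over HTTPS. It also will not match a Host value that carries a port (for example `name.onion:80`, a constructed sample), in which case the redirect the comment wants to avoid still happens. I would extend the existing comment with `# Matched against the Host header only; do not rely on this redirect to guarantee HTTPS.` The container directive on the `-`/`+` lines is not visible on this page, so its path pattern could not be checked.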
@@ -79,11 +78,11 @@ RedirectMatch "^/freedombox" "/plinth" ## Disable browser guessing of MIME types. FreedoBox already sets good content ## types for all the common file types. ## - + Header set Referrer-Policy 'same-origin' Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;" Header set X-Content-Type-Options 'nosniff' - + ## ## On all sites, provide FreedomBox on a default path: /plinth @@ -93,7 +92,7 @@ RedirectMatch "^/freedombox" "/plinth" ## mod_proxy ## mod_proxy_http ## - + ProxyPass http://127.0.0.1:8000/plinth ## Send the scheme from user's request to enable Plinth to redirect ## URLs, set cookies, set absolute URLs (if any) properly. @@ -107,6 +106,11 @@ RedirectMatch "^/freedombox" "/plinth" ## https://github.com/jazzband/django-axes/issues/286 RequestHeader unset X-Forwarded-For + + ProxyPass http://127.0.0.1:8000/plinth + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS + RequestHeader unset X-Forwarded-For + ## ## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
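Review bot: The proxy block added at the end of the last hunk (`@@ -107,6 +106,11 @@`) copies `RequestHeader unset X-Forwarded-For` from the block above but not the comment that explains it, so the django-axes reason cited just before is no longer attached to the copy. If one block is edited later and the other is missed, a client-supplied X-Forwarded-For would reach the web service on one path only; I would add `## Keep identical to the /plinth proxy block above; X-Forwarded-For must be unset on every proxied path.` above the new ProxyPass. Separately, `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` leaves a client-sent X-Forwarded-Proto in place on plain-HTTP requests. If the backend trusts that header (not visible here), a preceding `RequestHeader unset X-Forwarded-Proto` in both proxy blocks would remove it. The opening directive of the new block is not visible on this page, and the earlier proxy block starts in the previous hunk.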