commit b386dbd631b11200d8687ce022960f4d28240a65
Author: Ian Wienand
Date: Thu Sep 24 21:30:05 2020 +1000
gitea: fix 3081 proxy
The Apache 3081 proxy allows us to do layer 7 filtering on incoming requests. However, it was returning 502 errors because it proxies to https://localhost and the certificate doesn't match (see SSLProxyCheckPeerName directive). However, we can't use the full hostname in the gate because our self-signed certificate doesn't cover that. Add a variable and proxy to localhost in the gate, and the full hostname in production. This avoids us having to turn off SSLProxyCheckPeerName.
Change-Id: Ie12178a692f81781b848beb231f9035ececa3fd8
diff --git a/playbooks/roles/gitea/README.rst b/playbooks/roles/gitea/README.rst
index 74e10b4..30718c4 100644
--- a/playbooks/roles/gitea/README.rst
+++ b/playbooks/roles/gitea/README.rst
@@ -1 +1,16 @@
 Install, configure, and run Gitea.
+
+**Role Variables**
+
+.. zuul:rolevar:: gitea_reverse_proxy
+ :default: False
+
+ Create an Apache reverse proxy listening on port 3081. This can be
+ useful for OSI layer 7 filtering; e.g. matching bad User-Agent
+ fields.
+
+.. zuul:rolevar:: gitea_reverse_proxy_hostname
+ :default: inventory_hostname
+
+ The name of the hostname to reverse proxy to. Only necessary for
+ testing where we do not have a certificate for the hostname.
diff --git a/playbooks/roles/gitea/defaults/main.yaml b/playbooks/roles/gitea/defaults/main.yaml
index f001486..aade2dc 100644
--- a/playbooks/roles/gitea/defaults/main.yaml
+++ b/playbooks/roles/gitea/defaults/main.yaml
@@ -1,2 +1,3 @@
 gitea_no_log: true
 gitea_reverse_proxy: false
+gitea_reverse_proxy_hostname: '{{ inventory_hostname }}'
diff --git a/playbooks/roles/gitea/templates/gitea.vhost.j2 b/playbooks/roles/gitea/templates/gitea.vhost.j2
index f700f71..7c0edb7 100644
--- a/playbooks/roles/gitea/templates/gitea.vhost.j2
+++ b/playbooks/roles/gitea/templates/gitea.vhost.j2
@@ -69,7 +69,7 @@ Listen 3081
 RewriteCond %{HTTP_USER_AGENT} "=Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999"
 RewriteRule . - [R=403,L]
- ProxyPass / https://localhost:3000/ retry=0
- ProxyPassReverse / https://localhost:3000/
+ ProxyPass / https://{{ gitea_reverse_proxy_hostname }}:3000/ retry=0
+ ProxyPassReverse / https://{{ gitea_reverse_proxy_hostname }}:3000/
diff --git a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
index a2876a7..02ddc66 100644
--- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
@@ -8,5 +8,6 @@ gitea_root_password: BUbBcpToMwR05ZCB
 gitea_no_log: false
 gitea_gerrit_password: yVpMWIUIvT7f6NwA
 gitea_reverse_proxy: true
+gitea_reverse_proxy_hostname: localhost
 iptables_extra_public_tcp_ports:
 - 3081
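Review bot: The new ProxyPass/ProxyPassReverse lines give no hint why the backend address is templated, so a later tidy-up could put `localhost` back and reintroduce the 502s the commit message describes; the enclosing `<VirtualHost>` block starts and ends outside this hunk. I'd add, directly above the ProxyPass line, `# Proxy to the real hostname so the backend certificate passes SSLProxyCheckPeerName; the gate overrides gitea_reverse_proxy_hostname with localhost because its self-signed cert does not cover the FQDN.` The peer-name check only protects the hop to :3000 if the vhost's SSLProxyVerify setting, which is not visible in this hunk, actually requires verification, so that is worth confirming rather than assuming from the 502 behaviour alone.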
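Review bot: `gitea_reverse_proxy_hostname: localhost` in the group_vars template is a test-only override whose reason lives only in the commit message, so someone aligning the gate config with production could drop it and break the 3081 proxy in CI. I'd add a comment above it, `# The gate's self-signed certificate does not cover the node's hostname, so the 3081 proxy targets localhost here; production uses the role default (inventory_hostname).`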