gitea: fix 3081 proxy

The Apache 3081 proxy allows us to do layer 7 filtering on incoming
requests.  However, it was returning 502 errors because it proxies to
https://localhost and the certificate doesn't match (see
SSLProxyCheckPeerName directive).  However, we can't use the full
hostname in the gate because our self-signed certificate doesn't cover
that.

Add a variable and proxy to localhost in the gate, and the full
hostname in production.  This avoids us having to turn off
SSLProxyCheckPeerName.

Change-Id: Ie12178a692f81781b848beb231f9035ececa3fd8

playbooks/roles/gitea/README.rst

@@ -1 +1,16 @@
 Install, configure, and run Gitea.
+
+**Role Variables**
+
+.. zuul:rolevar:: gitea_reverse_proxy
+   :default: False
+
+   Create an Apache reverse proxy listening on port 3081.  This can be
+   useful for OSI layer 7 filtering; e.g. matching bad User-Agent
+   fields.
+
+.. zuul:rolevar:: gitea_reverse_proxy_hostname
+   :default: inventory_hostname
+
+   The name of the hostname to reverse proxy to.  Only necessary for
+   testing where we do not have a certificate for the hostname.

playbooks/roles/gitea/defaults/main.yaml

@@ -1,2 +1,3 @@
 gitea_no_log: true
 gitea_reverse_proxy: false
+gitea_reverse_proxy_hostname: '{{ inventory_hostname }}'

playbooks/roles/gitea/templates/gitea.vhost.j2

@@ -69,7 +69,7 @@ Listen 3081
   RewriteCond %{HTTP_USER_AGENT} "=Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999" 
   RewriteRule . - [R=403,L]
 
-  ProxyPass  / https://localhost:3000/ retry=0
-  ProxyPassReverse / https://localhost:3000/
+  ProxyPass  / https://{{ gitea_reverse_proxy_hostname }}:3000/ retry=0
+  ProxyPassReverse / https://{{ gitea_reverse_proxy_hostname }}:3000/
 
 </VirtualHost>

playbooks/zuul/templates/group_vars/gitea.yaml.j2

@@ -8,5 +8,6 @@ gitea_root_password: BUbBcpToMwR05ZCB
 gitea_no_log: false
 gitea_gerrit_password: yVpMWIUIvT7f6NwA
 gitea_reverse_proxy: true
+gitea_reverse_proxy_hostname: localhost
 iptables_extra_public_tcp_ports:
   - 3081