Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#61679 closed enhancement (fixed)

Add web server rewrite rules to Braeburn

Reported by: ryandesign (Ryan Carsten Schmidt)
Owned by: neverpanic (Clemens Lang)
Priority: High
Milestone:
Component: server/hosting
Version:
Keywords:
Cc:
Port:

Description

Currently we use MaxCDN to serve our web site. A number of web server rewrite rules are configured on the CDN:

  • Requests for /files/ports.tar.gz are redirected 301 permanent to https://distfiles.macports.org/ports.tar.gz
  • Requests for ^/guide(/.*)?$ are redirected 301 permanent to https://guide.macports.org$1
  • Requests for ^/trac(/.*)?$ are redirected 301 permanent to https://trac.macports.org$1
  • Requests for ^/t/(\d+)$ are redirected 301 permanent to https://trac.macports.org/ticket/$1
  • Requests for ^/(?:feed\.xml|(?:post|news)(?:/.*)?)$ are proxied to our GitHub Pages site at http://macports.github.io but with a forced Host header of www.macports.org
  • All other requests are handled by our old PHP-based web site hosted on Braeburn

We have been notified that on December 2 we will no longer be able to use MaxCDN for free. I am trying to find another CDN that will host us for free, but have not been successful yet. Even if we do find another CDN, they might not offer us the capability of configuring the web server rules so that different paths can be handled by different origin servers.

Therefore, please configure the web server on Braeburn with the above rules. MaxCDN uses nginx so their rules file can't be used directly on Braeburn since that uses Apache.

Change History (4)

comment:1 Changed 3 years ago by neverpanic (Clemens Lang)

Owner: changed from admin@… to neverpanic
Status: new → accepted

comment:2 Changed 3 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: accepted → closed

And now I know why that's not the setup we originally did, because GitHub requires a SNI of macports.github.io (because we won't give them a valid certificate for macports.org), but a Host header of www.macports.org. Apache's mod_proxy just doesn't support that.

I've now forwarded that specific content through a local nginx that does.

comment:3 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

I deliberately configured macports.github.io with the www.macports.org CNAME so that if any user happens to visit macports.github.io they will be redirected to www.macports.org.

GitHub Pages doesn't require https, so if you wanted to proxy it through Apache without https that could work. But we might prefer to use https at this point.

comment:4 Changed 3 years ago by neverpanic (Clemens Lang)

I don't want the connection between our server and GitHub to be unencrypted. Anybody in a position to MitM that connection could inject JavaScript under macports.org and, for example, grab cookies that might work for Trac.
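
The SNI/Host split from comment 2 and the encrypted upstream from comment 4, expressed as an nginx configuration. This is an added example, not the configuration deployed on Braeburn or written by the ticket participants; the loopback listen address and the CA bundle path are assumptions.

```nginx
# Added example, not the project's own configuration.
# Assumed values: the loopback listen address and the CA bundle path.
server {
    listen 127.0.0.1:8081;            # assumed: Apache forwards the matching paths here
    server_name www.macports.org;

    # Same path pattern as the CDN rule quoted in the ticket description.
    location ~ ^/(?:feed\.xml|(?:post|news)(?:/.*)?)$ {
        # No URI part after the host, so the original request path is passed through.
        proxy_pass https://macports.github.io;

        # TLS layer: send SNI, and make it the GitHub Pages name rather than
        # the public site name (GitHub holds no certificate for macports.org).
        proxy_ssl_server_name on;
        proxy_ssl_name macports.github.io;

        # Authenticate the upstream: the certificate must chain to a trusted CA
        # and match proxy_ssl_name, so an on-path party cannot substitute content.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 3;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path

        # HTTP layer: the Host header GitHub Pages uses to select the site.
        proxy_set_header Host www.macports.org;
    }

    # Anything else reaching this listener is outside the proxied paths.
    location / {
        return 404;
    }
}
```

nginx leaves both `proxy_ssl_server_name` and `proxy_ssl_verify` off by default, so a bare `proxy_pass https://...` encrypts the connection but neither sends SNI nor checks who is on the other end.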
