Content differences:
--- /etc/apache2/jenkins_proxy_ext.orig
+++ /etc/apache2/jenkins_proxy_ext
@@ -0,0 +1,70 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### puppet:///modules/contint/apache/proxy_jenkins_ext
+#####################################################################
+# vim: filetype=apache
+
+ProxyPass /jenkins https://jenkins.discovery.wmnet:1443/jenkins nocanon
+ProxyPassReverse /jenkins https://jenkins.discovery.wmnet:1443/jenkins
+ProxyRequests Off
+
+# Note the proxy file is included in the <VirtualHost> section and thus applies
+# to every sites (integration docroot, zuul status) beside just Jenkins. But
+# that should cause any problem.
+AllowEncodedSlashes NoDecode
+
+# Local reverse proxy authorization override
+# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Debian)
+
+<Proxy https://jenkins.discovery.wmnet:1443/jenkins*>
+
+ # user agent blacklisting for Jenkins
+ SetEnvIf User-Agent 80legs bad_browser
+ SetEnvIf User-Agent bingbot bad_browser
+ SetEnvIf User-Agent Baiduspider bad_browser
+ SetEnvIf User-Agent JikeSpider bad_browser
+ SetEnvIf User-Agent SISTRIX bad_browser
+ SetEnvIf User-Agent Sogou bad_browser
+ SetEnvIf User-Agent Sosospider bad_browser
+ SetEnvIf User-Agent TweetmemeBot bad_browser
+ SetEnvIf User-Agent ZumBot bad_browser
+
+ # Jenkins is behind cache_text, the API calls lacks cache headers and their
+ # 4xx errors ends up being cached which causes troubles when
+ #
+ # Jenkins job builder creates a job (it check whether a job exists by
+ # hitting the API, which cache a 404, then checks whether the job got
+ # successfullyy created and fails beacuse it is server the cached 404).
+ SetEnvIf Request_URI .*/api/json.* NO_CACHE
+ Header set Cache-Control "no-cache,must-revalidate" env=NO_CACHE
+
+ # Fresnel produces huge json traces we want to keep compressed but we need
+ # to be able to drag'n drop them in Chrome console which requires
+ # application/json type - T249268
+ SetEnvIf Request_URI "^/jenkins/.*fresnel.*\.json\.gz$" JSON_GZ
+ Header set Content-Type application/json env=JSON_GZ
+ Header set Content-Encoding gzip env=JSON_GZ
+
+ # Network Error Logging (NEL) headers - T303725
+ Header always set Report-To '{"group": "wm_nel", "max_age": 604800, "endpoints": [{"url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0"}]}'
+ Header always set NEL '{"report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}'
+
+ # Prevent access to certain URLs - T63964
+ SetEnvIf Request_URI ^/jenkins/computer/.*/builds DENY_BUILDS_ACCESS
+ SetEnvIf Request_URI ^/jenkins/user/.*/builds DENY_BUILDS_ACCESS
+ SetEnvIf Request_URI ^/jenkins/view/.*/builds DENY_BUILDS_ACCESS
+
+ # Blacklist RSS feeds entirely
+ SetEnvIf Request_URI ^/jenkins/.*/rss(All|Failed|Latest) DENY_BUILDS_ACCESS
+
+ # SECURITY-991 - T219991
+ SetEnvIf Request_URI ^/jenkins/descriptorByName/hudson.plugins.gearman.GearmanPluginConfig/testConnection DENY_GEARMAN_TEST_CONFIG
+
+ <RequireAll>
+ Require all granted
+ Require not env bad_browser
+ Require not env DENY_BUILDS_ACCESS
+ Require not env DENY_GEARMAN_TEST_CONFIG
+ </RequireAll>
+
+</Proxy>
Relevant files