From 85c26d6d209e83360ddce08e824e403468d5c6a2 Mon Sep 17 00:00:00 2001
From: Seth Boyles
Date: Tue, 30 Jan 2024 16:46:45 +0000
Subject: [PATCH] Revert "Add public TLS endpoint for blobstore"

This reverts commit 332abbbf5f71af695121577f11d116d47a39e417.

Co-authored-by: Amelia Downs
---
 jobs/blobstore/spec                         | 12 ---
 jobs/blobstore/templates/blobstore.conf.erb | 92 +------------------
 .../templates/blobstore_public.crt.erb      |  1 -
 .../templates/blobstore_public.key.erb      |  1 -
 4 files changed, 5 insertions(+), 101 deletions(-)
 delete mode 100644 jobs/blobstore/templates/blobstore_public.crt.erb
 delete mode 100644 jobs/blobstore/templates/blobstore_public.key.erb

diff --git a/jobs/blobstore/spec b/jobs/blobstore/spec
index 6ede3bbff2..308902da52 100644
--- a/jobs/blobstore/spec
+++ b/jobs/blobstore/spec
@@ -12,8 +12,6 @@ templates:
   write_users.erb: config/write_users
   blobstore.crt.erb: ssl/blobstore.crt
   blobstore.key.erb: ssl/blobstore.key
-  blobstore_public.crt.erb: ssl/blobstore_public.crt
-  blobstore_public.key.erb: ssl/blobstore_public.key
   pre-start.sh.erb: bin/pre-start
   backup.erb: bin/bbr/backup
   restore.erb: bin/bbr/restore
@@ -54,9 +52,6 @@ properties:
   blobstore.port:
     description: TCP port on which the blobstore server (nginx) listens
     default: 8080
-  blobstore.public_tls_port:
-    description: TCP port on which the blobstore server (nginx) listens
-    default: 8081
   blobstore.tls.port:
     description: The TCP port on which the internal blobstore server listens
     default: 4443
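Review bot: Dropping `blobstore.public_tls_port` (default 8081) in the second hunk removes a listener without any record, in this spec or in the `blobstore.port` description, that the port is no longer bound by this job; operators who opened 8081 in security-group or firewall rules for the reverted endpoint have nothing here telling them to retire that rule. A one-line release note, or a sentence appended to the `blobstore.port` description such as `(the former public TLS listener on blobstore.public_tls_port has been removed)`, would close that gap. Manifests that still set `blobstore.public_tls.cert` or `blobstore.public_tls.private_key` (dropped in the following hunk) will carry dead properties from now on; whether this release flags unknown properties is not visible from the spec alone.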
@@ -67,13 +62,6 @@ properties:
   blobstore.tls.private_key:
     description: The PEM-encoded private key for signing TLS/SSL traffic
-  blobstore.public_tls.cert:
-    description: The PEM-encoded certificate (optionally as a certificate chain) for serving blobs over TLS/SSL
-
-  blobstore.public_tls.private_key:
-    description: The PEM-encoded private key for signing TLS/SSL traffic
-
-
   blobstore.admin_users:
     description: |
       List of Username and Password pairs that have admin access to the blobstore. Cloud Controller must use one of these to access the blobstore via HTTP Basic Auth.
diff --git a/jobs/blobstore/templates/blobstore.conf.erb b/jobs/blobstore/templates/blobstore.conf.erb
index 5bdf86c430..cdd3ec249d 100644
--- a/jobs/blobstore/templates/blobstore.conf.erb
+++ b/jobs/blobstore/templates/blobstore.conf.erb
@@ -1,26 +1,10 @@
-# Default server
-#
-
 <% unless p('temporary_disable_non_tls_endpoints') %>
-
+# Default server
 server {
-  listen <%= p('blobstore.port') %>;
-  return 404;
-}
-<% end %>
-
-server {
-  listen <%= p('blobstore.public_tls_port') %> ssl;
-
-  ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt;
-  ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key;
-
-  ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
-  ssl_protocols TLSv1.2;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
+  listen <%= p("blobstore.port") %>;
   return 404;
 }
+<% end %>
 upstream blob_url_signer {
   server unix:/var/vcap/data/blobstore/signer.sock;
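Review bot: The added `listen <%= p("blobstore.port") %>;` in the blobstore.conf.erb hunk uses double quotes inside `p()` while every other property lookup in this file uses single quotes (`p('temporary_disable_non_tls_endpoints')`, `p('system_domain')`, `p('blobstore.secure_link.secret')`); the line would read `listen <%= p('blobstore.port') %>;`. The `# Default server` heading now sits inside the `<% unless p('temporary_disable_non_tls_endpoints') %>` guard with nothing saying so, leaving a reader to work out from the guard alone that the 404 catch-all disappears together with the other non-TLS endpoints; `# Default server (plain-HTTP catch-all on blobstore.port; not rendered when temporary_disable_non_tls_endpoints is set)` would make that explicit. The same applies to the `# Public server` heading added in the next hunk.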
@@ -111,78 +95,11 @@ server {
   }
 }
-# Public server
-#
-
 <% unless p('temporary_disable_non_tls_endpoints') %>
+# Public server
 server {
-  server_name blobstore.<%= p('system_domain') %>;
-  listen <%= p('blobstore.port') %>;
-
-  root /var/vcap/store/shared/;
-
-  access_log /var/vcap/sys/log/blobstore/public_access.log;
-  error_log /var/vcap/sys/log/blobstore/public_error.log;
-
-  # ensure the contents of this location block always match the internal server /read/ location block
-  location /read/ {
-    if ( $request_method !~ ^(GET|HEAD)$ ) {
-      return 405;
-    }
-
-    secure_link $arg_md5,$arg_expires;
-    secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>";
-
-    if ($secure_link = "") {
-      return 403;
-    }
-
-    if ($secure_link = "0") {
-      return 410;
-    }
-
-    alias /var/vcap/store/shared/;
-  }
-
-  # ensure the contents of this location block always match the internal server /write/ location block
-  location /write/ {
-    dav_methods PUT;
-    create_full_put_path on;
-
-    if ( $request_method !~ ^(PUT)$ ) {
-      return 405;
-    }
-
-    secure_link $arg_md5,$arg_expires;
-    secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>";
-
-    if ($secure_link = "") {
-      return 403;
-    }
-
-    if ($secure_link = "0") {
-      return 410;
-    }
-
-    alias /var/vcap/store/shared/;
-  }
-}
-
-<% end %>
-
-server {
-  listen <%= p('blobstore.public_tls_port') %> ssl;
   server_name blobstore.<%= p('system_domain') %>;
-
-  ssl_certificate /var/vcap/jobs/blobstore/ssl/blobstore_public.crt;
-  ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key;
-
-  ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
-  ssl_protocols TLSv1.2;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-
   root /var/vcap/store/shared/;
   access_log /var/vcap/sys/log/blobstore/public_access.log;
@@ -231,3 +148,4 @@ server {
     alias /var/vcap/store/shared/;
   }
 }
+<% end %>
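Review bot: On the new side the public `server {` block opens with `server_name blobstore.<%= p('system_domain') %>;` and no `listen` directive is visible in this hunk: the plain `listen <%= p('blobstore.port') %>;` went with the removed HTTP block, the `listen <%= p('blobstore.public_tls_port') %> ssl;` line with the removed TLS block, and nothing was added in their place. The block's body continues past the hunk (the `error_log` and `location` lines are outside it, and its closing `}` plus the moved `<% end %>` are in the final hunk), so a `listen` may survive there; if it does not, nginx binds this server to its compiled-in default port rather than `blobstore.port`, and the `# Default server` catch-all on `blobstore.port` from the first hunk would answer 404 to every public request. Worth confirming against the full rendered template; if the directive is missing the fix is the single line `listen <%= p('blobstore.port') %>;` directly under `server {`, matching the removed HTTP block.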
diff --git a/jobs/blobstore/templates/blobstore_public.crt.erb b/jobs/blobstore/templates/blobstore_public.crt.erb
deleted file mode 100644
index ebbbe12dde..0000000000
--- a/jobs/blobstore/templates/blobstore_public.crt.erb
+++ /dev/null
@@ -1 +0,0 @@
-<%= p('blobstore.public_tls.cert') %>
diff --git a/jobs/blobstore/templates/blobstore_public.key.erb b/jobs/blobstore/templates/blobstore_public.key.erb
deleted file mode 100644
index c99e4a2823..0000000000
--- a/jobs/blobstore/templates/blobstore_public.key.erb
+++ /dev/null
@@ -1 +0,0 @@
-<%= p('blobstore.public_tls.private_key') %>