Commit a6149ea5 by Edward Zarecor

Merge pull request #2682 from edx/e0d/nginx-redirect-to-ssl

SSL Redirect rationalization
parents 86f9cb6d 4ba79e36
......@@ -21,6 +21,10 @@ NGINX_REDIRECT_TO_HTTPS: False
#
# cat www.example.com.crt bundle.crt > www.example.com.chained.crt
# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
# It should be set to one of !!null, "scheme" or "forward_for_proto"
NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'
......
......@@ -7,6 +7,32 @@ upstream analytics_api_app_server {
server {
listen {{ ANALYTICS_API_NGINX_PORT }} default_server;
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
}
{% endif %}
location ~ ^/static/(?P<file>.*) {
root {{ COMMON_DATA_DIR }}/{{ analytics_api_service_name }};
try_files /staticfiles/$file =404;
......
......@@ -41,27 +41,33 @@ error_page {{ k }} {{ v }};
# request the browser to use SSL for all connections
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{% endif %}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Nginx does not support nested conditions
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
}
{% endif %}
server_name {{ CMS_HOSTNAME }};
access_log {{ nginx_log_dir }}/access.log {{ NGINX_LOG_FORMAT_NAME }};
......
......@@ -30,20 +30,24 @@ server {
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{% endif %}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
# Nginx does not support nested conditions
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
......
......@@ -7,6 +7,32 @@ upstream {{ edx_notes_api_service_name }}_app_server {
server {
listen {{ edx_notes_api_nginx_port }} default_server;
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
}
{% endif %}
location / {
try_files $uri @proxy_to_app;
}
......
......@@ -33,20 +33,26 @@ location @proxy_to_app {
proxy_pass http://insights_app_server;
}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Nginx does not support nested conditions
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
......
......@@ -22,7 +22,33 @@ server {
{% else %}
listen {{ KIBANA_NGINX_PORT }} {{ default_site }};
{% endif %}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
}
{% endif %}
server_name {{ KIBANA_SERVER_NAME }};
root {{ kibana_app_dir }}/htdocs;
......
......@@ -76,23 +76,30 @@ server {
expires epoch;
}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Nginx does not support nested conditions
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
}
{% endif %}
}
......@@ -62,20 +62,26 @@ error_page {{ k }} {{ v }};
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
{% endif %}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Nginx does not support nested conditions
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
......
......@@ -31,20 +31,26 @@ server {
{% endif %}
# Nginx does not support nested condition or or conditions so
# there is an unfortunate mix of conditonals here.
{% if NGINX_REDIRECT_TO_HTTPS %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
# Redirect http to https over single instance
if ($scheme != "https")
{
set $do_redirect_to_https "true";
}
{% endif %}
{% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
# Nginx does not support nested conditions
# Forward to HTTPS if we're an HTTP request... and the server is behind ELB
if ($http_x_forwarded_proto = "http")
{
set $do_redirect_to_https "true";
}
{% endif %}
# Execute the actual redirect
if ($do_redirect_to_https = "true")
{
rewrite ^ https://$host$request_uri? permanent;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment