Merge pull request #2682 from edx/e0d/nginx-redirect-to-ssl

SSL Redirect rationalization

playbooks/roles/nginx/defaults/main.yml

@@ -21,6 +21,10 @@ NGINX_REDIRECT_TO_HTTPS: False
 #
 # cat www.example.com.crt bundle.crt > www.example.com.chained.crt
 
+# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
+# It should be set to one of !!null, "scheme" or "forward_for_proto"
+NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
+
 NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
 NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/analytics_api.j2

@@ -7,6 +7,32 @@ upstream analytics_api_app_server {
 server {
   listen {{ ANALYTICS_API_NGINX_PORT }} default_server;
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
+  
   location ~ ^/static/(?P<file>.*) {
     root {{ COMMON_DATA_DIR }}/{{ analytics_api_service_name }};
     try_files /staticfiles/$file =404;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -41,27 +41,33 @@ error_page {{ k }} {{ v }};
   # request the browser to use SSL for all connections
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
   {% endif %}
-  
+
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
 
-  # Nginx does not support nested conditions 
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
+     {% endif %}
 
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;
   }
   {% endif %}
-  
+
   server_name {{ CMS_HOSTNAME }};
 
   access_log {{ nginx_log_dir }}/access.log {{ NGINX_LOG_FORMAT_NAME }};

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2

@@ -30,20 +30,24 @@ server {
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
   {% endif %}
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
-
-  # Nginx does not support nested conditions 
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
-
+     {% endif %}
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2

@@ -7,6 +7,32 @@ upstream {{ edx_notes_api_service_name }}_app_server {
 server {
   listen {{ edx_notes_api_nginx_port }} default_server;
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
+  
   location / {
     try_files $uri @proxy_to_app;
   }

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2

@@ -33,20 +33,26 @@ location @proxy_to_app {
     proxy_pass http://insights_app_server;
   }
   
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
 
-  # Nginx does not support nested conditions 
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
+  {% endif %}
 
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2

@@ -22,7 +22,33 @@ server {
   {% else %}
   listen {{ KIBANA_NGINX_PORT }} {{ default_site }};
   {% endif %}
+  
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+  {% endif %}
 
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
+  
   server_name {{ KIBANA_SERVER_NAME }};
 
   root {{ kibana_app_dir }}/htdocs;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2

@@ -76,23 +76,30 @@ server {
     expires epoch;
   }
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
 
-  # Nginx does not support nested conditions 
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
+  {% endif %}
 
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;
   }
   {% endif %}
+
 }

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -62,20 +62,26 @@ error_page {{ k }} {{ v }};
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
   {% endif %}
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
 
-  # Nginx does not support nested conditions 
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
+     {% endif %}
 
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2

@@ -31,20 +31,26 @@ server {
 
   {% endif %}
 
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
   {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
   if ($scheme != "https") 
   { 
    set $do_redirect_to_https "true";
   }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
 
-  # Nginx does not support nested conditions 
   # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
   if ($http_x_forwarded_proto = "http") 
   {
    set $do_redirect_to_https "true";
   }
+     {% endif %}
 
+  # Execute the actual redirect
   if ($do_redirect_to_https = "true")
   {
   rewrite ^ https://$host$request_uri? permanent;