Merge pull request #2682 from edx/e0d/nginx-redirect-to-ssl

SSL Redirect rationalization

Merge pull request #2682 from edx/e0d/nginx-redirect-to-ssl
SSL Redirect rationalization
a6149ea5 · Edward Zarecor · 86f9cb6d · 4ba79e36 · a6149ea5 · a6149ea5
Commit a6149ea5 authored Jan 08, 2016 by Edward Zarecor
10 changed files
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -21,6 +21,10 @@ NGINX_REDIRECT_TO_HTTPS: False
 #
 # cat www.example.com.crt bundle.crt > www.example.com.chained.crt
+# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
+# It should be set to one of !!null, "scheme" or "forward_for_proto"
+NGINX_HTTPS_REDIRECT_STRATEGY: "scheme"
 NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
 NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/analytics_api.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/analytics_api.j2
@@ -7,6 +7,32 @@ upstream analytics_api_app_server {
 server {
  listen {{ ANALYTICS_API_NGINX_PORT }} default_server;
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
  location ~ ^/static/(?P<file>.*) {
    root {{ COMMON_DATA_DIR }}/{{ analytics_api_service_name }};
    try_files /staticfiles/$file =404;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -41,27 +41,33 @@ error_page {{ k }} {{ v }};
  # request the browser to use SSL for all connections
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  {% endif %}
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;
  }
  {% endif %}
  server_name {{ CMS_HOSTNAME }};
  access_log {{ nginx_log_dir }}/access.log {{ NGINX_LOG_FORMAT_NAME }};

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
@@ -30,20 +30,24 @@ server {
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  {% endif %}
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
-  # Nginx does not support nested conditions 
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
@@ -7,6 +7,32 @@ upstream {{ edx_notes_api_service_name }}_app_server {
 server {
  listen {{ edx_notes_api_nginx_port }} default_server;
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
  location / {
    try_files $uri @proxy_to_app;
  }

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
@@ -33,20 +33,26 @@ location @proxy_to_app {
    proxy_pass http://insights_app_server;
  }
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+  {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2
@@ -22,7 +22,33 @@ server {
  {% else %}
  listen {{ KIBANA_NGINX_PORT }} {{ default_site }};
  {% endif %}
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+  {% endif %}
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
+  {% endif %}
  server_name {{ KIBANA_SERVER_NAME }};
  root {{ kibana_app_dir }}/htdocs;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
@@ -76,23 +76,30 @@ server {
    expires epoch;
  }
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+  {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;
  }
  {% endif %}
 }
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -62,20 +62,26 @@ error_page {{ k }} {{ v }};
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  {% endif %}
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
@@ -31,20 +31,26 @@ server {
  {% endif %}
+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;