Merge pull request #3498 from edx/max/sec-220

SEC-220: Block external logged in checking

Merge pull request #3498 from edx/max/sec-220
SEC-220: Block external logged in checking
ffc253f1 · Max Rothman · GitHub · 7bdd9d45 · 118000ae · ffc253f1
Commit ffc253f1 authored Nov 29, 2016 by Max Rothman Committed by GitHub Nov 29, 2016
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 4 deletions

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+29 -4

No files found.
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -116,6 +116,20 @@ error_page {{ k }} {{ v }};
  {% include "python_lib.zip.j2" %}
  {% include "common-settings.j2" %}
+  {% if NGINX_EDXAPP_EMBARGO_CIDRS -%}
+  #only redirect to embargo when $embargo == true and $uri != /embargo
+  #this is a hack to do multiple conditionals
+  if ( $embargo ) {
+    set $do_embargo "A";
+  }
+  if ( $uri != "/embargo" ) {
+    set $do_embargo "${do_embargo}B";
+  }
+  if ( $do_embargo = "AB" ) {
+    return 302 /embargo;
+  }
+  {% endif -%}
  location @proxy_to_lms_app {
    {% if NGINX_SET_X_FORWARDED_HEADERS %}
    proxy_set_header X-Forwarded-Proto $scheme;
@@ -140,11 +154,22 @@ error_page {{ k }} {{ v }};
    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH|bool %}
      {% include "basic-auth.j2" %}
    {% endif %}
-    {% if NGINX_EDXAPP_EMBARGO_CIDRS -%}
-    if ( $embargo ) {
+    try_files $uri @proxy_to_lms_app;
-      return 302 /embargo;
  }
-    {% endif -%}
+  # /login?next=<any image> can be used by 3rd party sites in <img> tags to
+  # determine whether a user on their site is logged into edX.
+  # The most common image to use is favicon.ico.
+  location /login {
+    {% if EDXAPP_LMS_ENABLE_BASIC_AUTH|bool %}
+      {% include "basic-auth.j2" %}
+    {% endif %}
+    if ( $arg_next = "favicon.ico" ) {
+      return 403;
+    }
    try_files $uri @proxy_to_lms_app;
  }