Merge pull request #3494 from edx/e0d/sec-90

E0d/sec 90

Merge pull request #3494 from edx/e0d/sec-90
E0d/sec 90
190bf9b4 · Edward Zarecor · GitHub · b0432484 · 603c165b · 190bf9b4
Commit 190bf9b4 authored Nov 28, 2016 by Edward Zarecor Committed by GitHub Nov 28, 2016
14 changed files
--- a/docker/build/discovery/Dockerfile
+++ b/docker/build/discovery/Dockerfile
--- a/docker/build/insights/Dockerfile
+++ b/docker/build/insights/Dockerfile
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -83,6 +83,8 @@ error_page {{ k }} {{ v }};
  
  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;

+  {% include "python_lib.zip.j2" %}
+  {% include "common-settings.j2" %}

  location @proxy_to_cms_app {
    {% if NGINX_SET_X_FORWARDED_HEADERS %}

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/common-settings.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/common-settings.j2
+
+# Common settings used across nginx configurations
+
+# Disables server version feedback on pages and in headers
+server_tokens off;
+
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/credentials.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/credentials.j2
@@ -23,6 +23,8 @@ server {
  listen {{ CREDENTIALS_NGINX_PORT }} {{ default_site }};
  listen {{ CREDENTIALS_SSL_NGINX_PORT }} ssl;

+  {% include "common-settings.j2" %}
+
  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
  # request the browser to use SSL for all connections

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2
@@ -24,6 +24,8 @@ server {

  listen {{ ECOMMERCE_SSL_NGINX_PORT }} ssl;

+  {% include "common-settings.j2" %}
+
  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
  # request the browser to use SSL for all connections

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2
@@ -7,6 +7,8 @@ upstream {{ edx_notes_api_service_name }}_app_server {
 server {
  listen {{ edx_notes_api_nginx_port }} default_server;

+  {% include "common-settings.j2" %}
+
  # Prevent invalid display courseware in IE 10+ with high privacy settings
  add_header P3P '{{ NGINX_P3P_MESSAGE }}';


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
@@ -10,6 +10,8 @@ server {
  {% if NGINX_ENABLE_SSL %}
  listen {{ INSIGHTS_NGINX_SSL_PORT }} ssl;

+  {% include "common-settings.j2" %}
+
  ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
  ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
  # request the browser to use SSL for all connections

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2
@@ -20,6 +20,9 @@ server {

  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;

+  {% include "python_lib.zip.j2" %}
+  {% include "common-settings.j2" %}
+
  location @proxy_to_lms-preview_app {
    {% if NGINX_SET_X_FORWARDED_HEADERS %}
    proxy_set_header X-Forwarded-Proto $scheme;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -113,6 +113,9 @@ error_page {{ k }} {{ v }};

  rewrite ^(.*)/favicon.ico$ /static/images/favicon.ico last;

+  {% include "python_lib.zip.j2" %}
+  {% include "common-settings.j2" %}
+
  location @proxy_to_lms_app {
    {% if NGINX_SET_X_FORWARDED_HEADERS %}
    proxy_set_header X-Forwarded-Proto $scheme;

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2
@@ -19,6 +19,8 @@ server {
  server_name {{ PROGRAMS_HOSTNAME }};
  
  listen {{ PROGRAMS_NGINX_PORT }} {{ default_site }};
+
+  {% include "common-settings.j2" %}
  
  {% if NGINX_ENABLE_SSL %}


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/python_lib.zip.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/python_lib.zip.j2
+
+  # Blackholes an archive of python library files that instructors
+  # may provide for sandboxed python problem types, the internal
+  # directive will result in nginx emitting an nginx 404. Users
+  # will not be redirected to the application 404 page.
+  location ~* python_lib.zip {
+    internal;
+  }
+
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/xqueue.j2
@@ -7,6 +7,8 @@ upstream xqueue_app_server {
 server {
  listen {{ XQUEUE_NGINX_PORT }} default_server;

+  {% include "common-settings.j2" %}
+
  location / {
    {% if XQUEUE_ENABLE_BASIC_AUTH|bool %}
      {% include "basic-auth.j2" %}

--- a/util/parsefiles_config.yml
+++ b/util/parsefiles_config.yml
@@ -6,12 +6,12 @@ aws_plays_paths:
 docker_plays_paths:
  - docker/plays
 weights:
-  - discovery: 6
+#  - discovery: 6
  - go-agent: 3
  - xqwatcher: 3
  - analytics_api: 1
  - edxapp: 28
-  - insights: 4
+#  - insights: 4
  - credentials: 8
  - forum: 7
  - nginx: 1