Insights Cloudfront CDN configuration (#3961)

* Initialize INSIGHTS_CLOUDFRONT to null * Put cloudfront domain under INSIGHTS_CONFIG * Use INSIGHTS_CLOUDFRONT_DOMAIN in insights config * Define INSIGHTS_CLOUDFRONT_DOMAIN null by default * Set CORS_ORIGIN_WHITELIST to INSIGHTS_DOMAIN * Add CORS header to Insights static files * Split CORS whitelist into default and extra * Allow HEAD, GET, OPTIONS in Insights static * Try setting CORS Origin to $http_origin * Use if cond to enable/disable CORS instead of map * Missing space * Don't initialize $cors * Back to the old $cors_origin map * Don't send CORS whitelist to django settings * Replace tab with spaces * Remove allow_all var, and update changelog * Rename CLOUDFRONT to CDN in var name

Insights Cloudfront CDN configuration (#3961)
* Initialize INSIGHTS_CLOUDFRONT to null * Put cloudfront domain under INSIGHTS_CONFIG * Use INSIGHTS_CLOUDFRONT_DOMAIN in insights config * Define INSIGHTS_CLOUDFRONT_DOMAIN null by default * Set CORS_ORIGIN_WHITELIST to INSIGHTS_DOMAIN * Add CORS header to Insights static files * Split CORS whitelist into default and extra * Allow HEAD, GET, OPTIONS in Insights static * Try setting CORS Origin to $http_origin * Use if cond to enable/disable CORS instead of map * Missing space * Don't initialize $cors * Back to the old $cors_origin map * Don't send CORS whitelist to django settings * Replace tab with spaces * Remove allow_all var, and update changelog * Rename CLOUDFRONT to CDN in var name
5623a1da · Tyler Hallada · GitHub · f05666f9 · 5623a1da · 5623a1da
Commit 5623a1da authored Jun 30, 2017 by Tyler Hallada Committed by GitHub Jun 30, 2017
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 0 deletions

CHANGELOG.md
+5 -0

playbooks/roles/insights/defaults/main.yml
+11 -0

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
+20 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -303,3 +303,8 @@
 - Role: insights
  - Removed `SUPPORT_EMAIL` setting from `INSIGHTS_CONFIG`, as it is was replaced by `SUPPORT_URL`.
+- Role: insights
+  - Added `INSIGHTS_DOMAIN` to configure the domain Insights is deployed on
+  - Added `INSIGHTS_CLOUDFRONT_DOMAIN` to configure the domain static files can be served from
+  - Added `INSIGHTS_CORS_ORIGIN_WHITELIST_EXTRA` to configure allowing CORS on domains other than the `INSIGHTS_DOMAIN`
--- a/playbooks/roles/insights/defaults/main.yml
+++ b/playbooks/roles/insights/defaults/main.yml
@@ -51,6 +51,8 @@ INSIGHTS_THEME_SCSS: 'sass/themes/open-edx.scss'
 INSIGHTS_RESEARCH_URL: 'https://www.edx.org/research-pedagogy'
 INSIGHTS_OPEN_SOURCE_URL: 'http://set-me-please'
+INSIGHTS_DOMAIN: 'insights'
 # Comma-delimited list of field names to include in the Learner List CSV download
 # e.g., "username,segments,cohort,engagements.videos_viewed,last_updated"
 # Default (null) includes all available fields, in alphabetical order
@@ -79,6 +81,13 @@ INSIGHTS_LMS_COURSE_SHORTCUT_BASE_URL: "URL_FOR_LMS_COURSE_LIST_PAGE"
 INSIGHTS_SESSION_EXPIRE_AT_BROWSER_CLOSE: false
+INSIGHTS_CDN_DOMAIN: !!null
+INSIGHTS_CORS_ORIGIN_WHITELIST_EXTRA: []
+INSIGHTS_CORS_ORIGIN_WHITELIST_DEFAULT:
+  - "{{ INSIGHTS_DOMAIN }}"
+INSIGHTS_CORS_ORIGIN_WHITELIST: "{{ INSIGHTS_CORS_ORIGIN_WHITELIST_DEFAULT + INSIGHTS_CORS_ORIGIN_WHITELIST_EXTRA }}"
 #
 # This block of config is dropped into /edx/etc/insights.yml
 # and is read in by analytics_dashboard/settings/production.py
@@ -136,6 +145,8 @@ INSIGHTS_CONFIG:
  SESSION_EXPIRE_AT_BROWSER_CLOSE: "{{ INSIGHTS_SESSION_EXPIRE_AT_BROWSER_CLOSE }}"
  CMS_COURSE_SHORTCUT_BASE_URL: "{{ INSIGHTS_CMS_COURSE_SHORTCUT_BASE_URL }}"
  LEARNER_API_LIST_DOWNLOAD_FIELDS: "{{ INSIGHTS_LEARNER_API_LIST_DOWNLOAD_FIELDS }}"
+  # CDN url to serve assets from
+  CDN_DOMAIN: "{{ INSIGHTS_CDN_DOMAIN }}"
 INSIGHTS_NEWRELIC_APPNAME: "{{ COMMON_ENVIRONMENT }}-{{ COMMON_DEPLOYMENT }}-analytics-api"
 INSIGHTS_PIP_EXTRA_ARGS: "-i {{ COMMON_PYPI_MIRROR_URL }}"

--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2
@@ -4,6 +4,19 @@ upstream insights_app_server {
    {% endfor %}
 }
+# The Origin request header indicates where a fetch originates from. It doesn't include any path information,
+# but only the server name (e.g. https://www.example.com).
+# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin for details.
+#
+# Here we set the value that is included in the Access-Control-Allow-Origin response header. If the origin is one
+# of our known hosts--served via HTTP or HTTPS--we allow for CORS. Otherwise, we set the "null" value, disallowing CORS.
+map $http_origin $cors_origin {
+  default "null";
+{% for host in INSIGHTS_CORS_ORIGIN_WHITELIST %}
+  "~*^https?:\/\/{{ host|replace('.', '\.') }}$" $http_origin;
+{% endfor %}
+}
 server {
  listen {{ INSIGHTS_NGINX_PORT }} default_server;
@@ -20,6 +33,13 @@ server {
  location ~ ^/static/(?P<file>.*) {
    root {{ COMMON_DATA_DIR }}/{{ insights_service_name }};
+    add_header Cache-Control "max-age=31536000";
+    add_header 'Access-Control-Allow-Origin' $cors_origin;
+    add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS';
+    # Inform downstream caches to take certain headers into account when reading/writing to cache.
+    add_header 'Vary' 'Accept-Encoding,Origin';
    try_files /staticfiles/$file =404;
  }