Handle nonencrypted connections to ELB (#4565)

* Handle nonencrypted connections to ELB

* fix

* names

* rm

* ip_disclosure_on_redirect

* forgot

* spacing

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/app.j2

@@ -8,13 +8,13 @@
 server {
   server_name {{ edx_django_service_hostname }};
   listen {{ edx_django_service_nginx_port }};
-{% if NGINX_ENABLE_SSL or NGINX_REDIRECT_TO_HTTPS %}
-  if ( $host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
-      return 403;
-  }
+
+{% if NGINX_ENABLE_SSL %}
+  {% include "concerns/handle-ip-disclosure.j2" %}
   rewrite ^ https://$host$request_uri? permanent;
 {% else %}  
-    {% include "concerns/app-common.j2" %}
+  {% include "concerns/handle-tls-terminated-elsewhere-redirect.j2" %}
+  {% include "concerns/app-common.j2" %}
 {% endif %}
 }
 

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/handle-ip-disclosure.j2

+if ( $host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
+    return 403;
+}

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/handle-tls-terminated-elsewhere-redirect.j2

+{% if NGINX_REDIRECT_TO_HTTPS %}
+    
+   {% include "concerns/handle-ip-disclosure.j2" %}
+
+   {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+        if ($scheme != "https") 
+        { 
+          set $do_redirect_to_https "true";
+        }
+
+   {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+        if ($http_x_forwarded_proto = "http") 
+        {
+          set $do_redirect_to_https "true";
+        }
+   {% endif %}
+
+  if ($do_redirect_to_https = "true")
+  {
+      return 301 https://$host$request_uri;
+  }
+ {% endif %}