Coryleeio/ip disclosure (#4623)

* Revert "Removing the 403 for internal IP disclosure because it is breaking ecom (#4566)"

This reverts commit 6b817024.

* WIP

* cleanup

* WIP

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/app.j2

@@ -10,9 +10,13 @@ server {
   listen {{ edx_django_service_nginx_port }};
 
 {% if NGINX_ENABLE_SSL %}
+  {% include "concerns/handle-ip-disclosure.j2" %}
   rewrite ^ https://$host$request_uri? permanent;
 {% else %}  
-  {% include "concerns/handle-tls-terminated-elsewhere-redirect.j2" %}
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+    {% include "concerns/handle-tls-terminated-elsewhere-ip-disclosure.j2" %}
+    {% include "concerns/handle-tls-terminated-elsewhere-redirect.j2" %}
+  {% endif %}
   {% include "concerns/app-common.j2" %}
 {% endif %}
 }

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/handle-ip-disclosure.j2

-if ( $host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
-    return 403;
-}
+# If you are changing this be warned that it lives in multiple places
+# there is a TLS redirect to same box, and a TLS redirect to externally terminated TLS
+# version of this in nginx and in edx_django_service role.
+
+if ($host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") { 
+  	return 403;
+} 

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/handle-tls-terminated-elsewhere-ip-disclosure.j2

+
+# If you are changing this be warned that it lives in multiple places
+# there is a TLS redirect to same box, and a TLS redirect to externally terminated TLS
+# version of this in nginx and in edx_django_service role.
+
+if ($host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") { 
+  set $test_ip_disclosure  A; 
+} 
+
+if ($http_x_forwarded_for != "") { 
+  set $test_ip_disclosure  "${test_ip_disclosure}B"; 
+} 
+
+if ($test_ip_disclosure = AB) { 
+	return 403;
+} 

playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/concerns/handle-tls-terminated-elsewhere-redirect.j2

-{% if NGINX_REDIRECT_TO_HTTPS %}
-    
-   {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-        if ($scheme != "https") 
-        { 
-          set $do_redirect_to_https "true";
-        }
+{% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+    if ($scheme != "https") 
+    { 
+      set $do_redirect_to_https "true";
+    }
 
-   {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-        if ($http_x_forwarded_proto = "http") 
-        {
-          set $do_redirect_to_https "true";
-        }
-   {% endif %}
+{% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+    if ($http_x_forwarded_proto = "http") 
+    {
+      set $do_redirect_to_https "true";
+    }
+{% endif %}
+
+    if ($do_redirect_to_https = "true")
+    {
+        return 301 https://$host$request_uri;
+    }
 
-  if ($do_redirect_to_https = "true")
-  {
-      return 301 https://$host$request_uri;
-  }
- {% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -48,31 +48,7 @@ error_page {{ k }} {{ v }};
   # Prevent invalid display courseware in IE 10+ with high privacy settings
   add_header P3P '{{ NGINX_P3P_MESSAGE }}';
 
-  # Nginx does not support nested condition or or conditions so
-  # there is an unfortunate mix of conditonals here.
-  {% if NGINX_REDIRECT_TO_HTTPS %}
-     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-  # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
-   set $do_redirect_to_https "true";
-  }
-
-     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
-  {
-   set $do_redirect_to_https "true";
-  }
-     {% endif %}
-
-  # Execute the actual redirect
-  if ($do_redirect_to_https = "true")
-  {
-  return 301 https://$host$request_uri;
-  }
-  {% endif %}
+  {% include "handle-tls-redirect-and-ip-disclosure.j2" %}
 
   server_name {{ CMS_HOSTNAME }};
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/edx_notes_api.j2

@@ -25,31 +25,7 @@ server {
   # Prevent invalid display courseware in IE 10+ with high privacy settings
   add_header P3P '{{ NGINX_P3P_MESSAGE }}';
 
-  # Nginx does not support nested condition or or conditions so
-  # there is an unfortunate mix of conditonals here.
-  {% if NGINX_REDIRECT_TO_HTTPS %}
-     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-  # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
-   set $do_redirect_to_https "true";
-  }
-  
-     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
-  {
-   set $do_redirect_to_https "true";
-  }
-     {% endif %}
-
-  # Execute the actual redirect
-  if ($do_redirect_to_https = "true")
-  {
-  return 301 https://$host$request_uri;
-  }
-  {% endif %}
+  {% include "handle-tls-redirect-and-ip-disclosure.j2" %}
   
   location / {
     try_files $uri @proxy_to_app;

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/handle-ip-disclosure.j2

+# If you are changing this be warned that it lives in multiple places
+# there is a TLS redirect to same box, and a TLS redirect to externally terminated TLS
+# version of this in nginx and in edx_django_service role.
+
+if ($host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") { 
+  	return 403;
+} 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/handle-tls-redirect-and-ip-disclosure.j2

+
+{% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
+  
+  # Redirect http to https on this instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+
+  {% include "handle-ip-disclosure.j2" %}
+
+     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
+
+
+  {% include "handle-tls-terminated-elsewhere-ip-disclosure.j2" %}
+  # Forward to HTTPS terminated elsewhere
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+     {% endif %}
+
+  # Execute the actual redirect
+  if ($do_redirect_to_https = "true")
+  {
+  return 301 https://$host$request_uri;
+  }
+{% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/handle-tls-terminated-elsewhere-ip-disclosure.j2

+# If you are changing this be warned that it lives in multiple places
+# there is a TLS redirect to same box, and a TLS redirect to externally terminated TLS
+# version of this in nginx and in edx_django_service role.
+
+if ($host ~ "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") { 
+  set $test_ip_disclosure  A; 
+} 
+
+if ($http_x_forwarded_for != "") { 
+  set $test_ip_disclosure  "${test_ip_disclosure}B"; 
+} 
+
+if ($test_ip_disclosure = AB) { 
+	return 403;
+} 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2

@@ -74,29 +74,5 @@ location @proxy_to_app {
   # Prevent invalid display courseware in IE 10+ with high privacy settings
   add_header P3P '{{ NGINX_P3P_MESSAGE }}';
   
-  # Nginx does not support nested condition or or conditions so
-  # there is an unfortunate mix of conditonals here.
-  {% if NGINX_REDIRECT_TO_HTTPS %}
-     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-  # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
-   set $do_redirect_to_https "true";
-  }
-
-     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
-  {
-   set $do_redirect_to_https "true";
-  }
-  {% endif %}
-
-  # Execute the actual redirect
-  if ($do_redirect_to_https = "true")
-  {
-  return 301 https://$host$request_uri;
-  }
-  {% endif %}
+  {% include "handle-tls-redirect-and-ip-disclosure.j2" %}
 }

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/kibana.j2

@@ -23,31 +23,7 @@ server {
   listen {{ KIBANA_NGINX_PORT }} {{ default_site }};
   {% endif %}
   
-  # Nginx does not support nested condition or or conditions so
-  # there is an unfortunate mix of conditonals here.
-  {% if NGINX_REDIRECT_TO_HTTPS %}
-     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-  # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
-   set $do_redirect_to_https "true";
-  }
-
-     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
-  {
-   set $do_redirect_to_https "true";
-  }
-  {% endif %}
-
-  # Execute the actual redirect
-  if ($do_redirect_to_https = "true")
-  {
-  return 301 https://$host$request_uri;
-  }
-  {% endif %}
+  {% include "handle-tls-redirect-and-ip-disclosure.j2" %}
   
   server_name {{ KIBANA_SERVER_NAME }};
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -97,31 +97,7 @@ error_page {{ k }} {{ v }};
   add_header P3P '{{ NGINX_P3P_MESSAGE }}';
 
 
-  # Nginx does not support nested condition or or conditions so
-  # there is an unfortunate mix of conditonals here.
-  {% if NGINX_REDIRECT_TO_HTTPS %}
-     {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
-  # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
-   set $do_redirect_to_https "true";
-  }
-
-     {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
-  {
-   set $do_redirect_to_https "true";
-  }
-     {% endif %}
-
-  # Execute the actual redirect
-  if ($do_redirect_to_https = "true")
-  {
-  return 301 https://$host$request_uri;
-  }
-  {% endif %}
+  {% include "handle-tls-redirect-and-ip-disclosure.j2" %}
   
   access_log {{ nginx_log_dir }}/access.log {{ NGINX_LOG_FORMAT_NAME }};
   error_log {{ nginx_log_dir }}/error.log error;