Merge pull request #2594 from edx/arbab/ops-1208

OPS-1208 Refactor Nginx SSL redirect bahavior

playbooks/roles/nginx/defaults/main.yml

@@ -11,6 +11,7 @@ NGINX_EDXAPP_EXTRA_CONFIGS: []
 NGINX_EDXAPP_CUSTOM_REDIRECTS: {}
 
 NGINX_ENABLE_SSL: False
+NGINX_REDIRECT_TO_HTTPS: False
 # Set these to real paths on your
 # filesystem, otherwise nginx will
 # use a self-signed snake-oil cert

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -30,18 +30,36 @@ server {
 error_page {{ k }} {{ v }};
   {% endfor %}
 
+  listen {{ EDXAPP_CMS_NGINX_PORT }} {{ default_site }};
+
   {% if NGINX_ENABLE_SSL %}
 
-  listen {{ EDXAPP_CMS_NGINX_PORT }} {{ default_site }};
   listen {{ EDXAPP_CMS_SSL_NGINX_PORT }} ssl;
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
   ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
   # request the browser to use SSL for all connections
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  {% endif %}
   
-  {% else %}
-  listen {{ EDXAPP_CMS_NGINX_PORT }} {{ default_site }};
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
   {% endif %}
   
   server_name {{ CMS_HOSTNAME }};
@@ -91,19 +109,4 @@ error_page {{ k }} {{ v }};
   {% include "robots.j2" %}
   {% include "static-files.j2" %}
 
-  {% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
-   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
-  }
-
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
-    rewrite ^ https://$host$request_uri? permanent;
-  }
- {% endif %}
 }

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2

@@ -18,18 +18,36 @@ upstream ecommerce_app_server {
 server {
   server_name {{ ECOMMERCE_HOSTNAME }};
 
+  listen {{ ECOMMERCE_NGINX_PORT }} {{ default_site }};
+
   {% if NGINX_ENABLE_SSL %}
 
-  listen {{ ECOMMERCE_NGINX_PORT }} {{ default_site }};
   listen {{ ECOMMERCE_SSL_NGINX_PORT }} ssl;
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
   ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
   # request the browser to use SSL for all connections
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  {% endif %}
 
-  {% else %}
-  listen {{ ECOMMERCE_NGINX_PORT }} {{ default_site }};
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
   {% endif %}
 
   location ~ ^/static/(?P<file>.*) {
@@ -53,20 +71,5 @@ location @proxy_to_app {
     proxy_pass http://ecommerce_app_server;
   }
 
-{% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
-   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
-  }
-
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
-    rewrite ^ https://$host$request_uri? permanent;
-  }
- {% endif %}
 }
 

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/insights.j2

@@ -33,18 +33,22 @@ location @proxy_to_app {
     proxy_pass http://insights_app_server;
   }
   
-{% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
   }
 
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
+  if ($do_redirect_to_https = "true")
+  {
   rewrite ^ https://$host$request_uri? permanent;
   }
   {% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms-preview.j2

@@ -76,18 +76,22 @@ server {
     expires epoch;
   }
 
-  {% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
   }
 
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
+  if ($do_redirect_to_https = "true")
+  {
   rewrite ^ https://$host$request_uri? permanent;
   }
   {% endif %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -51,19 +51,35 @@ server {
 error_page {{ k }} {{ v }};
   {% endfor %}
 
+  listen {{ EDXAPP_LMS_NGINX_PORT }} {{ default_site }};
 
   {% if NGINX_ENABLE_SSL %}
-
-  listen {{ EDXAPP_LMS_NGINX_PORT }} {{ default_site }};
   listen {{ EDXAPP_LMS_SSL_NGINX_PORT }} {{ default_site }} ssl;
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
   ssl_certificate_key /etc/ssl/private/{{ NGINX_SSL_KEY|basename }};
   # request the browser to use SSL for all connections
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+  {% endif %}
 
-  {% else %}
-  listen {{ EDXAPP_LMS_NGINX_PORT }} {{ default_site }};
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
   {% endif %}
   
   access_log {{ nginx_log_dir }}/access.log {{ NGINX_LOG_FORMAT_NAME }};
@@ -185,19 +201,4 @@ location ~ ^{{ EDXAPP_MEDIA_URL }}/(?P<file>.*) {
   {% include "robots.j2" %}
   {% include "static-files.j2" %}
 
- {% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
-   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
-  }
-
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
-    rewrite ^ https://$host$request_uri? permanent;
-  }
- {% endif %}
 }

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/programs.j2

@@ -18,9 +18,10 @@ upstream programs_app_server {
 server {
   server_name {{ PROGRAMS_HOSTNAME }};
   
+  listen {{ PROGRAMS_NGINX_PORT }} {{ default_site }};
+  
   {% if NGINX_ENABLE_SSL %}
 
-  listen {{ PROGRAMS_NGINX_PORT }} {{ default_site }};
   listen {{ PROGRAMS_SSL_NGINX_PORT }} ssl;
 
   ssl_certificate /etc/ssl/certs/{{ NGINX_SSL_CERTIFICATE|basename }};
@@ -28,8 +29,26 @@ server {
   # Request that the browser use SSL for all connections.
   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
-  {% else %}
-  listen {{ PROGRAMS_NGINX_PORT }} {{ default_site }};
+  {% endif %}
+
+  {% if NGINX_REDIRECT_TO_HTTPS %}
+  # Redirect http to https over single instance
+  if ($scheme != "https") 
+  { 
+   set $do_redirect_to_https "true";
+  }
+
+  # Nginx does not support nested conditions 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
+  if ($http_x_forwarded_proto = "http") 
+  {
+   set $do_redirect_to_https "true";
+  }
+
+  if ($do_redirect_to_https = "true")
+  {
+  rewrite ^ https://$host$request_uri? permanent;
+  }
   {% endif %}
 
   location ~ ^/static/(?P<file>.*) {
@@ -61,19 +80,5 @@ location @proxy_to_app {
     proxy_redirect off;
     proxy_pass http://programs_app_server;
   }
-{% if NGINX_SET_X_FORWARDED_HEADERS %}
-   if ($scheme != "https") {
-    rewrite ^ https://$host$uri permanent;
-   }
- {% else %}
-  # Forward to HTTPS if we're an HTTP request...
-  if ($http_x_forwarded_proto = "http") {
-    set $do_redirect "true";
-  }
 
-  # Run our actual redirect...
-  if ($do_redirect = "true") {
-    rewrite ^ https://$host$request_uri? permanent;
-  }
- {% endif %}
 }

util/jenkins/ansible-provision.sh

@@ -174,6 +174,7 @@ COURSE_DISCOVERY_SSL_NGINX_PORT: 443
 COURSE_DISCOVERY_VERSION: $course_discovery_version
 
 NGINX_SET_X_FORWARDED_HEADERS: True
+NGINX_REDIRECT_TO_HTTPS: True
 EDX_ANSIBLE_DUMP_VARS: true
 migrate_db: "yes"
 openid_workaround: True