Merge pull request #4456 from edx/nadeem/OPS-2235

Limit django access from MIT vpn cidrs

Merge pull request #4456 from edx/nadeem/OPS-2235
Limit django access from MIT vpn cidrs
ce042b9c · Nadeem Shahzad · GitHub · ee6de585 · 0c51975d · ce042b9c
Unverified Commit ce042b9c authored Apr 19, 2018 by Nadeem Shahzad Committed by GitHub Apr 19, 2018
8 changed files
--- a/playbooks/roles/ecommerce/defaults/main.yml
+++ b/playbooks/roles/ecommerce/defaults/main.yml
@@ -214,6 +214,8 @@ ecommerce_create_demo_data: false
 ECOMMERCE_ENABLE_ANTIVIRUS: false
 ECOMMERCE_ANTIVIRUS_SCAN_DIRECTORY: "{{ ecommerce_code_dir }}"

+ECOMMERCE_ENABLE_DJANGO_ADMIN_RESTRICTION: false
+
 #
 # OS packages
 #

--- a/playbooks/roles/ecommerce/meta/main.yml
+++ b/playbooks/roles/ecommerce/meta/main.yml
@@ -45,6 +45,7 @@ dependencies:
      - payment
      - \.well-known/apple-developer-merchantid-domain-association
    edx_django_service_gunicorn_worker_class: "{{ ECOMMERCE_GUNICORN_WORKER_CLASS }}"
+    EDX_DJANGO_SERVICE_ENABLE_DJANGO_ADMIN_RESTRICTION: '{{ ECOMMERCE_ENABLE_DJANGO_ADMIN_RESTRICTION }}'
  - role: antivirus
    ANTIVIRUS_SCAN_DIRECTORY: "{{ ECOMMERCE_ANTIVIRUS_SCAN_DIRECTORY }}"
    when: ECOMMERCE_ENABLE_ANTIVIRUS
--- a/playbooks/roles/edx_django_service/defaults/main.yml
+++ b/playbooks/roles/edx_django_service/defaults/main.yml
@@ -218,3 +218,5 @@ edx_django_service_automated_users:
 # key *MUST* be supplied for all commands.
 #
 edx_django_service_post_migrate_commands: []
+
+EDX_DJANGO_SERVICE_ENABLE_DJANGO_ADMIN_RESTRICTION: false
--- a/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/app.j2
+++ b/playbooks/roles/edx_django_service/templates/edx/app/nginx/sites-available/app.j2
@@ -82,6 +82,16 @@ server {
    try_files $uri @proxy_to_app;
  }

+{% if NGINX_DJANGO_ADMIN_ACCESS_CIDRS and EDX_DJANGO_SERVICE_ENABLE_DJANGO_ADMIN_RESTRICTION %}
+  location /admin {
+    {% for cidr in NGINX_DJANGO_ADMIN_ACCESS_CIDRS %}
+      allow {{ cidr }};
+    {% endfor %}
+      deny all;
+      try_files $uri @proxy_to_app;
+  }
+{% endif %}
+
  {% include 'robots.j2' %}

  location @proxy_to_app {

--- a/playbooks/roles/edxapp/defaults/main.yml
+++ b/playbooks/roles/edxapp/defaults/main.yml
@@ -1513,3 +1513,5 @@ SERVICE_WORKER_USERS:
    username: "{{ EDXAPP_VEDA_SERVICE_USER_NAME }}"
    is_staff: true
    is_superuser: false
+
+EDXAPP_ENABLE_DJANGO_ADMIN_RESTRICTION: false
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -182,3 +182,5 @@ NGINX_CREATE_HTPASSWD_FILE: >
 NGINX_EDXAPP_CMS_APP_EXTRA: ""
 # Extra settings to add to site configuration for LMS
 NGINX_EDXAPP_LMS_APP_EXTRA: ""
+
+NGINX_DJANGO_ADMIN_ACCESS_CIDRS: []
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2
@@ -144,6 +144,16 @@ error_page {{ k }} {{ v }};
    try_files $uri @proxy_to_cms_app;
  }

+{% if NGINX_DJANGO_ADMIN_ACCESS_CIDRS and EDXAPP_ENABLE_DJANGO_ADMIN_RESTRICTION %}
+  location /admin {
+    {% for cidr in NGINX_DJANGO_ADMIN_ACCESS_CIDRS %}
+      allow {{ cidr }};
+    {% endfor %}
+      deny all;
+      try_files $uri @proxy_to_lms_app;
+  }
+{% endif %}
+
  {% include "robots.j2" %}
  {% include "static-files.j2" %}


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -300,6 +300,16 @@ location ~ ^{{ EDXAPP_MEDIA_URL }}/(?P<file>.*) {
    expires {{ EDXAPP_PROFILE_IMAGE_MAX_AGE }}s;
 }

+{% if NGINX_DJANGO_ADMIN_ACCESS_CIDRS and EDXAPP_ENABLE_DJANGO_ADMIN_RESTRICTION %}
+  location /admin {
+    {% for cidr in NGINX_DJANGO_ADMIN_ACCESS_CIDRS %}
+      allow {{ cidr }};
+    {% endfor %}
+      deny all;
+      try_files $uri @proxy_to_lms_app;
+  }
+{% endif %}
+
  {% include "robots.j2" %}
  {% include "static-files.j2" %}
  {% include "extra_locations_lms.j2" ignore missing %}