WIP for review

f9af54a8 · Edward Zarecor · beb11c51 · f9af54a8 · f9af54a8
Commit f9af54a8 authored Jan 07, 2016 by Edward Zarecor
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletions

playbooks/roles/nginx/defaults/main.yml
+4 -0

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+7 -1

No files found.
--- a/playbooks/roles/nginx/defaults/main.yml
+++ b/playbooks/roles/nginx/defaults/main.yml
@@ -21,6 +21,10 @@ NGINX_REDIRECT_TO_HTTPS: False
 #
 # cat www.example.com.crt bundle.crt > www.example.com.chained.crt

+# This variable is only checked if NGINX_REDIRECT_TO_HTTPS is true
+# It should be set to one of !!null, "scheme" or "forward_for_proto"
+NGINX_HTTPS_REDIRECT_STRAGEGY: !!null
+
 NGINX_SSL_CERTIFICATE: 'ssl-cert-snakeoil.pem'
 NGINX_SSL_KEY: 'ssl-cert-snakeoil.key'


--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -62,20 +62,26 @@ error_page {{ k }} {{ v }};
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  {% endif %}

+  # Nginx does not support nested condition or or conditions so
+  # there is an unfortunate mix of conditonals here.
  {% if NGINX_REDIRECT_TO_HTTPS %}
+     {% if NGINX_HTTPS_REDIRECT_STRATEGEY == "scheme" %}
  # Redirect http to https over single instance
  if ($scheme != "https") 
  { 
   set $do_redirect_to_https "true";
  }
+     {% endif %}
+  {% if NGINX_HTTPS_REDIRECT_STRATEGEY == "forward_for_proto" %}

-  # Nginx does not support nested conditions 
  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
  if ($http_x_forwarded_proto = "http") 
  {
   set $do_redirect_to_https "true";
  }
+  {% endif %}

+  # Execute the actual redirect
  if ($do_redirect_to_https = "true")
  {
  rewrite ^ https://$host$request_uri? permanent;