feat: Add prospectus s3 proxy nginx ISRE-2008

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/prospectus.j2

@@ -11,6 +11,10 @@ server {
 
   add_header X-Frame-Options DENY;
 
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+  resolver 127.0.0.53;
+  {% endif %}
+
   {% if NGINX_PROSPECTUS_DISABLE_INDEXING %}
 
   add_header X-Robots-Tag "noindex, nofollow" always;
@@ -50,42 +54,82 @@ server {
   location = /404.html {
     root   {{ PROSPECTUS_DATA_DIR }};
     add_header Cache-Control "no-store, max-age=0" always;
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+  {% endif %}
   }
 
   location /event {
     # this page is designed to be injected into other pages via an iframe
     add_header X-Frame-Options '';
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+  {% endif %}
   }
 
   # Cache js/css for a long time at the edge, they are versioned in their names
   location ~ \.(js|css)$ {
     add_header 'Cache-Control' 'public, max-age=31536000, immutable';
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+  {% endif %}
   }
 
   # images sometimes change, we want to cache them for an hour at the edge to reduce bandwidth.
 
   location /images/ {
     add_header 'Cache-Control' 'public, max-age=3600';
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+  {% endif %}
   }
 
   # favicon is requested a lot.  cache it at the edge.
 
   location /favicon.ico {
       add_header 'Cache-Control' 'public, max-age=86400';
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+  {% endif %}
   }
 
 
   # Ignore the rollout group headers for the health check endpoint.
   location /HealthCheck {
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}/HealthCheck/index.html;
+    # proxy_redirect ensures redirects from s3 are rewritten
+    # For example it will fix a redirect from s3 to prevent /school/mitx from trying to redirect to /924c142-1/school/mitx/
+    # The second parameter being " " is to prevent nginx sticking http://hostname in front of the location directive
+    proxy_redirect "/{{ PROSPECTUS_S3_HOSTING_PREFIX }}" " ";
+  {% else %}
     try_files $uri $uri/index.html;
+  {% endif %}
   }
-
   location /es/bio/ {
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    rewrite ^ /{{ PROSPECTUS_S3_HOSTING_PREFIX }}/es/bio/index.html break;
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}/es/bio/index.html;
+    # proxy_redirect ensures redirects from s3 are rewritten
+    # For example it will fix a redirect from s3 to prevent /school/mitx from trying to redirect to /924c142-1/school/mitx/
+    # The second parameter being " " is to prevent nginx sticking http://hostname in front of the location directive
+    proxy_redirect "/{{ PROSPECTUS_S3_HOSTING_PREFIX }}" " ";
+  {% else %}
     try_files $uri $uri/ /es/bio/index.html;
+  {% endif %}
   }
 
   location /bio/ {
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    rewrite ^ /{{ PROSPECTUS_S3_HOSTING_PREFIX }}/bio/index.html break;
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}/bio/index.html;
+    # proxy_redirect ensures redirects from s3 are rewritten
+    # For example it will fix a redirect from s3 to prevent /school/mitx from trying to redirect to /924c142-1/school/mitx/
+    # The second parameter being " " is to prevent nginx sticking http://hostname in front of the location directive
+    proxy_redirect "/{{ PROSPECTUS_S3_HOSTING_PREFIX }}" " ";
+  {% else %}
     try_files $uri $uri/ /bio/index.html;
+  {% endif %}
   }
 
   # preview pages are not cached, and have basic auth
@@ -142,6 +186,16 @@ server {
     add_header 'Cache-Control' 'public, max-age=1800';
     try_files $uri $uri/index.html =404;
 
+  location / {
+  {% if PROSPECTUS_S3_HOSTING_PROXY_ENABLED %}
+    proxy_pass {{ PROSPECTUS_S3_HOSTING_BUCKET_URL }}/{{ PROSPECTUS_S3_HOSTING_PREFIX }}$request_uri;
+    # proxy_redirect ensures redirects from s3 are rewritten
+    # For example it will fix a redirect from s3 to prevent /school/mitx from trying to redirect to /924c142-1/school/mitx/
+    # The second parameter being " " is to prevent nginx sticking http://hostname in front of the location directive
+    proxy_redirect "/{{ PROSPECTUS_S3_HOSTING_PREFIX }}" " ";
+  {% endif %}
+  }
+
   # PROSPECTUS_STATIC_SITES will be a list of dictionaries which have a:
   #   - router_path: The path you will go to on the router to access the content
   #   - proxied_path: The path to proxy the requests to
@@ -162,6 +216,6 @@ server {
         proxy_pass {{ static_site.proxied_path }}/$1/index.html;
     }
 
-  {% endfor %}
+  {% endfor -%}
 }
 

playbooks/roles/prospectus/defaults/main.yml

@@ -63,6 +63,7 @@ prospectus_use_python3: true
 PROSPECTUS_RETAIN_CACHE_PUBLIC_DIRS: False
 PROSPECTUS_ENABLE_NGINX: True
 PROSPECTUS_ENABLE_BUILD: True
+PROSPECTUS_S3_HOSTING_PROXY_ENABLED: False
 PROSPECTUS_S3_UPLOAD_ENABLED: False
 PROSPECTUS_S3_UPLOAD_MAX_CONCURENCT_REQUESTS: 50
 PROSPECTUS_S3_HOSTING_BUCKET: !!null