Merge pull request #483 from azavea/feature/hmc/http-to-https

Add support for redirecting HTTP to HTTPS

Vagrantfile

@@ -37,15 +37,16 @@ end
 # if any dependencies are missing
 def install_dependent_roles
   ansible_directory = File.join("deployment", "ansible")
-  ansible_roles_txt = File.join(ansible_directory, "roles.txt")
+  ansible_roles_spec = File.join(ansible_directory, "roles.yml")
 
-  File.foreach(ansible_roles_txt) do |line|
-    role_name, role_version = line.split(",")
+  YAML.load_file(ansible_roles_spec).each do |role|
+    role_name = role["src"]
+    role_version = role["version"]
     role_path = File.join(ansible_directory, "roles", role_name)
     galaxy_metadata = galaxy_install_info(role_name)
 
     if galaxy_metadata["version"] != role_version.strip
-      unless system("ansible-galaxy install -f -r #{ansible_roles_txt} -p #{File.dirname(role_path)}")
+      unless system("ansible-galaxy install -f -r #{ansible_roles_spec} -p #{File.dirname(role_path)}")
         $stderr.puts "\nERROR: An attempt to install Ansible role dependencies failed."
         exit(1)
       end
@@ -125,7 +126,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     end
 
     # Web
-    app.vm.network "forwarded_port", guest: 80, host: 8024
+    app.vm.network "forwarded_port", guest: 443, host: 8024
 
     # Django Dev
     app.vm.network "forwarded_port", guest: 8026, host: 8026

deployment/ansible/app.yml

@@ -1,6 +1,6 @@
 ---
 - hosts: app
-  sudo: True
+  become: True
 
   pre_tasks:
     - name: Update APT cache

deployment/ansible/database.yml

@@ -1,6 +1,6 @@
 ---
 - hosts: database
-  sudo: True
+  become: True
 
   pre_tasks:
     - name: Update APT cache

deployment/ansible/otp.yml

@@ -1,6 +1,6 @@
 ---
 - hosts: otp
-  sudo: True
+  become: True
 
   pre_tasks:
     - name: Update APT cache

deployment/ansible/roles.yml

@@ -0,0 +1,32 @@
+- src: azavea.git
+  version: 0.1.0
+
+- src: azavea.java
+  version: 0.2.6
+
+- src: azavea.opentripplanner
+  version: 1.0.1
+
+- src: azavea.nginx
+  version: 0.2.2
+
+- src: azavea.nodejs
+  version: 0.4.0
+
+- src: azavea.packer
+  version: 0.2.0
+
+- src: azavea.papertrail
+  version: 1.1.1
+
+- src: azavea.pip
+  version: 0.1.1
+
+- src: azavea.python
+  version: 0.1.0
+
+- src: azavea.virtualenv
+  version: 0.1.0
+
+- src: azavea.postgresql-support
+  version: 0.3.0

deployment/ansible/roles/cac-tripplanner.app/tasks/jslibs.yml

@@ -1,33 +1,33 @@
 ---
 - name: Clear out the NPM artifacts when in production (want a fresh set)
   file: path="{{ root_src_dir }}/node_modules" state=absent
-  sudo: yes
+  become: yes
   when: production
 
 - name: Install NPM dependencies
   command: npm install chdir="{{ root_src_dir }}"
-  sudo: no
+  become: no
 
 - name: Create Static Directory
   file: path="{{ root_static_dir }}" state=directory mode=0755 owner="{{ app_username }}"
-  sudo: yes
+  become: yes
 
 - name: Install application javascript dependencies with bower
   command: npm run bower-install
-  sudo: no
+  become: no
   args:
     chdir: "{{ root_src_dir }}"
 
 - name: Create static files -- development
   command: npm run gulp-development
-  sudo: no
+  become: no
   args:
     chdir: "{{ root_src_dir }}"
   when: not production and not test
 
 - name: Create static files -- production
   command: npm run gulp-production
-  sudo: no
+  become: no
   args:
     chdir: "{{ root_src_dir }}"
   when: production or test

deployment/ansible/roles/cac-tripplanner.app/tasks/main.yml

@@ -67,8 +67,7 @@
   notify: Restart nginx
 
 - name: Touch cron job log file if it does not exist
-  command: touch {{ app_cron_event_feed_log }}
-           creates={{ app_cron_event_feed_log }}
+  copy: content="" dest="{{ app_cron_event_feed_log }}" force=no
 
 - name: Touch cron job log file if it does not exist, and set permissions
   file: path={{ app_cron_event_feed_log}} state=touch

deployment/ansible/roles/cac-tripplanner.app/templates/nginx-default.j2

@@ -1,18 +1,53 @@
+# Public VPC subnet CIDRs
+set_real_ip_from 10.0.0.0/24;
+set_real_ip_from 10.0.2.0/24;
+set_real_ip_from 10.0.4.0/24;
+set_real_ip_from 10.0.6.0/24;
+
+real_ip_header X-Forwarded-For;
+
+server {
+    listen 80;
+    server_name gophillygo.org www.gophillygo.org;
+    return 301 https://$host$request_uri;
+}
+
+map $http_x_forwarded_proto $policy {
+    default "";
+    https   "default-src https: data: blob: 'unsafe-inline' 'unsafe-eval'";
+}
+
 server {
-    listen 80 default_server;
+    listen 443 default_server;
+    server_name gophillygo.org www.gophillygo.org localhost;
 
-    server_name _;
+    # A set of recommended security headers:
+    #
+    #   https://scotthelme.co.uk/hardening-your-http-response-headers/
+    #
+    add_header Strict-Transport-Security "max-age=15552000; preload" always;
+    add_header Content-Security-Policy $policy always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
 
     location / {
         proxy_set_header Host $http_host;
-        proxy_pass http://127.0.0.1:8000;
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_read_timeout {{ otp_session_timeout_s }}s;
+        proxy_redirect off;
+
+        proxy_pass http://127.0.0.1:8000;
     }
 
     location /admin/destinations/destination/add/ {
         proxy_set_header Host $http_host;
-        proxy_pass http://127.0.0.1:8000;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_redirect off;
+
         client_max_body_size 10M;
+
+        proxy_pass http://127.0.0.1:8000;
     }
 
     location /static/ {

deployment/ansible/roles/cac-tripplanner.database/tasks/main.yml

@@ -7,17 +7,17 @@
 
 - name: Create postgres database
   postgresql_db: name={{ postgres_db }}
-  sudo_user: postgres
+  become_user: postgres
 
 - name: Create postgres user
   postgresql_user: db={{ postgres_db }}
                    name={{ postgres_user }}
                    password={{ postgres_password }}
                    role_attr_flags=SUPERUSER
-  sudo_user: postgres
+  become_user: postgres
 
 - name: Add PostGIS extension
-  sudo_user: postgres
+  become_user: postgres
   command: psql {{ postgres_db }} -c "CREATE EXTENSION postgis"
   register: psql_result
   failed_when: >
@@ -36,4 +36,3 @@
               regexp='host\s+all\s+all\s+(127\.0\.0\.1\/32|0\.0\.0\.0\/0)\s+md5'
               line="host all all 0.0.0.0/0 md5"
   notify: Restart Postgres
-

deployment/ansible/roles/cac-tripplanner.otp-data/tasks/main.yml

@@ -19,7 +19,7 @@
 
 - name: Download OTP Data (test)
   local_action: command aws s3 sync s3://cleanair-otp-data/ ../../otp_data/
-  sudo: no
+  become: no
   when: test
 
 - name: Copy OTP Data (test/develop)

deployment/cloudformation/app.py

@@ -193,13 +193,19 @@ def set_up_stack(self):
                 ec2.SecurityGroupRule(
                     IpProtocol='tcp', CidrIp=VPC_CIDR, FromPort=p, ToPort=p
                 )
-                for p in [22, 80]
+                for p in [22, 80, 443]
             ] + [
                 ec2.SecurityGroupRule(
                     IpProtocol='tcp', SourceSecurityGroupId=Ref(sg),
                     FromPort=80, ToPort=80
                 )
                 for sg in [app_server_load_balancer_security_group]
+            ] + [
+                ec2.SecurityGroupRule(
+                    IpProtocol='tcp', SourceSecurityGroupId=Ref(sg),
+                    FromPort=443, ToPort=443
+                )
+                for sg in [app_server_load_balancer_security_group]
             ],
             SecurityGroupEgress=[
                 ec2.SecurityGroupRule(
@@ -215,19 +221,28 @@ def set_up_stack(self):
 
         # ELB to App Server
         self.add_resource(ec2.SecurityGroupEgress(
-            'sgEgressELBtoApp',
+            'sgEgressELBtoAppHTTP',
             GroupId=Ref(app_server_load_balancer_security_group),
             DestinationSecurityGroupId=Ref(app_server_security_group),
             IpProtocol='tcp',
             FromPort=80,
             ToPort=80
         ))
 
+        self.add_resource(ec2.SecurityGroupEgress(
+            'sgEgressELBtoAppHTTPS',
+            GroupId=Ref(app_server_load_balancer_security_group),
+            DestinationSecurityGroupId=Ref(app_server_security_group),
+            IpProtocol='tcp',
+            FromPort=443,
+            ToPort=443
+        ))
+
         # Bastion to App Server, app server to db, app server to inet
         rules = [
             (self.param_bastion_security_group,
              app_server_security_group,
-             [80, 22]),
+             [80, 443, 22]),
             (app_server_security_group,
              self.param_database_security_group,
              [POSTGRES]),
@@ -268,13 +283,15 @@ def set_up_stack(self):
             Listeners=[
                 elb.Listener(
                     LoadBalancerPort='80',
+                    Protocol='HTTP',
                     InstancePort='80',
-                    Protocol='HTTP'
+                    InstanceProtocol='HTTP'
                 ),
                 elb.Listener(
                     LoadBalancerPort='443',
-                    InstancePort='80',
                     Protocol='HTTPS',
+                    InstancePort='443',
+                    InstanceProtocol='HTTP',
                     SSLCertificateId=Ref(self.param_ssl_certificate_arn)
                 )
             ],
@@ -540,6 +557,6 @@ class WebServerStack(AppServerStack):
     """
     Web stack for Cac
     """
-    HEALTH_ENDPOINT = 'HTTP:80/'
+    HEALTH_ENDPOINT = 'HTTP:443/'
     STACK_NAME_PREFIX = 'Web'
     INPUTS = dict(BASE_INPUTS, **{'AppServerAMI': ['global:WebServerAMI']})

deployment/packer/cac.json

@@ -77,8 +77,9 @@
         "sudo apt-get update",
         "mkdir -p {{user `ansible_staging_directory`}}",
         "mkdir -p {{user `intermediate_directory`}}",
-        "sudo apt-get -y install build-essential python-dev python-pip git libssl-dev libffi-dev",
-        "sudo pip install --upgrade ansible setuptools"
+        "sudo apt-get -y install build-essential python-dev python-pip git",
+        "sudo pip install paramiko==1.16.0",
+        "sudo pip install ansible==2.1.0.0"
       ]
     },
     {

deployment/packer/cac_packer.py

@@ -4,6 +4,7 @@
 import os
 import subprocess
 import urllib2
+import shutil
 
 
 class CacStackException(Exception):
@@ -48,6 +49,15 @@ def run_packer(machine_type, region, creds):
       creds (Dict): Dictionary containing AWS credentials
     """
 
+    # Remove examples subdirectory from all Azavea roles
+    ansible_roles_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../ansible/roles')
+    for role_path in os.listdir(ansible_roles_path):
+        examples_path = os.path.join(ansible_roles_path, role_path, 'examples')
+
+        if role_path.startswith('azavea') and os.path.isdir(examples_path):
+            print('Removing {}'.format(examples_path))
+            shutil.rmtree(examples_path)
+
     aws_ubuntu_ami = get_ubuntu_ami(region)
 
     env = os.environ.copy()

python/cac_tripplanner/cac_tripplanner/settings.py

@@ -8,6 +8,9 @@
 https://docs.djangoproject.com/en/1.7/ref/settings/
 """
 
+from boto.utils import get_instance_metadata
+from django.core.exceptions import ImproperlyConfigured
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 import os
 import yaml
@@ -62,7 +65,21 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = not secrets['production']
 
-ALLOWED_HOSTS = ['*']
+ALLOWED_HOSTS = [
+    '.gophillygo.org',
+    '.elb.amazonaws.com',
+    'localhost'
+]
+
+if secrets['production']:
+    instance_metadata = get_instance_metadata()
+
+    if not instance_metadata:
+        raise ImproperlyConfigured('Unable to access instance metadata')
+
+    # ELBs use the instance IP in the Host header and ALLOWED_HOSTS
+    # checks against the Host header.
+    ALLOWED_HOSTS.append(instance_metadata['local-ipv4'])
 
 INTERNAL_IPS = tuple(secrets['internal_ips'])