From 025ad39f67f644d2bd238be5ebece382870c593a Mon Sep 17 00:00:00 2001
From: Michael Olund
Date: Mon, 2 Nov 2020 13:53:37 -0800
Subject: [PATCH] DIV-1164 - Configure NGINX to block access to anonymous Redis file requests

---
 openshift/templates/nginx-proxy/conf.d/server.conf | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/openshift/templates/nginx-proxy/conf.d/server.conf b/openshift/templates/nginx-proxy/conf.d/server.conf
index 341054c8..e5b2ff69 100644
--- a/openshift/templates/nginx-proxy/conf.d/server.conf
+++ b/openshift/templates/nginx-proxy/conf.d/server.conf
@@ -25,17 +25,18 @@ server {
         proxy_cookie_domain ~(?P(justice.gov.bc.ca))$ "$domain; Secure";
         # remove directories from incoming requests;
-        rewrite ^/divorce-dev$ / last;
-        rewrite ^/divorce-test$ / last;
         rewrite ^/divorce$ / last;
-
-        rewrite ^/divorce-dev(.*)$ $1 last;
-        rewrite ^/divorce-test(.*)$ $1 last;
         rewrite ^/divorce(.*)$ $1 last;
     }
+    # block all external access to the anonymous Redis image handler used for image to PDF conversion in Weasyprint
+    # e.g. /divorce/api/documents/a8eeb280-f063-47d4-ab01-919319d61866_smtp_png/0/
+    location ~* ^/divorce\/api\/documents\/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}_\w+\/\d+\/$ {
+        return 403;
+    }
+
     # static (no rewrite and add caching)
-    location ~ /(divorce|divorce\-test|divorce\-dev)/static/ {
+    location /divorce/static/ {
         expires 365d;
         add_header Cache-Control "public";