Skip to content

fix: enforce HTTPS root redirect for conductor /list#332

Merged
amits-2u merged 5 commits into
masterfrom
amits-2u/GSRE-3751-fix-conductor-redirect-issue
Apr 13, 2026
Merged

fix: enforce HTTPS root redirect for conductor /list#332
amits-2u merged 5 commits into
masterfrom
amits-2u/GSRE-3751-fix-conductor-redirect-issue

Conversation

@amits-2u
Copy link
Copy Markdown
Contributor

@amits-2u amits-2u commented Apr 9, 2026
edited
Loading

Summary

This change fixes the conductor root redirect so requests to / are redirected to an explicit HTTPS URL using a configured canonical hostname instead of a relative path or request-derived host. This prevents the HTTPS to HTTP downgrade seen by security scanners.

What changed

  • Added a new conductor variable: CONDUCTOR_ROOT_REDIRECT_URL.
  • Updated the conductor nginx template to redirect / to {{CONDUCTOR_ROOT_REDIRECT_URL}}.
  • Redirect now resolves to the canonical environment hostname:
Stage: https://masters.stage.edx.org/list/
Prod: https://masters.edx.org/list/

Why

  • Security scan flagged a connection security downgrade in the redirect chain:
- https://masters.stage.edx.org/ -> http://masters.stage.edx.org/list/
- https://masters.edx.org/ -> http://masters.edx.org/list/
  • This change ensures the redirect remains HTTPS end-to-end while also pinning the redirect to a known, configured hostname.

Validation

  • After stage deploy, verify: curl -I https://masters.stage.edx.org/
  • Expected Location header: https://masters.stage.edx.org/list/
  • Confirm no HTTPS to HTTP hop in the redirect chain.

Rollout plan

  • Deploy and validate in stage first.
  • Keep prod pipeline paused until stage validation is complete.
  • Resume prod deployment after verification.
  • Merge and deploy alongside the paired edx-internal change that sets CONDUCTOR_ROOT_REDIRECT_URL for stage and prod.

Make sure that the following steps are done before merging:

  • Have a Site Reliability Engineer review the PR if you don't own all of the services impacted.
  • If you are adding any new default values that need to be overridden when this change goes live, update internal repos and add an entry to the top of the CHANGELOG.
  • Performed the appropriate testing.

Copilot AI review requested due to automatic review settings April 9, 2026 11:45
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Conductor nginx site template so requests to / redirect to the Conductor root target over HTTPS, aligning root redirects with an HTTPS canonical URL.

Changes:

  • Change the / location redirect to return an absolute https://… URL (instead of a path-only redirect).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2 Outdated
@amits-2u amits-2u requested a review from Copilot April 9, 2026 13:30
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread playbooks/roles/conductor/defaults/main.yml Outdated
robrap
robrap reviewed Apr 9, 2026
View reviewed changes
Comment thread playbooks/roles/nginx/templates/edx/app/nginx/sites-available/conductor.j2 Outdated
@amits-2u amits-2u requested a review from Copilot April 13, 2026 09:20
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread playbooks/roles/conductor/tasks/main.yml Outdated
Comment thread playbooks/roles/conductor/tasks/main.yml Outdated
@amits-2u amits-2u requested a review from Copilot April 13, 2026 09:47
Copilot AI reviewed Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread playbooks/roles/conductor/tasks/main.yml Outdated
Comment thread playbooks/roles/conductor/tasks/main.yml Outdated
Comment thread playbooks/roles/conductor/tasks/main.yml Outdated
@amits-2u amits-2u merged commit fe73f27 into master Apr 13, 2026
1 of 3 checks passed
@amits-2u amits-2u deleted the amits-2u/GSRE-3751-fix-conductor-redirect-issue branch April 13, 2026 10:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robrap robrap robrap left review comments

Copilot code review Copilot Copilot left review comments

@HeinrichL93 HeinrichL93 HeinrichL93 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@amits-2u @robrap @HeinrichL93