Integrate ELB with the CloudFormation stack

[hackdna]

The current beta site is deployed behind an ELB which terminates HTTPS. We should be able to create a new ELB when setting up a brand new stack or re-use an existing one if available.
There should be settings added to the config.yml.template for load balancer name, all necessary HTTPS certificate files and other items necessary for provisioning an ELB.
Apache config template should be changed to configure redirect from HTTP to HTTPS.
Set ServerName in Apache config from SITE_URL

[hackdna]

Add ELB to the stack

[hackdna]

Configure HTTPS using Puppet

[hackdna]

An example of Apache config file updated for HTTPS:

# Generated from apache.erb.conf
# by refinery-modules/refinery/manifests/init.pp

WSGIPythonHome /home/ubuntu/.virtualenvs/refinery-platform

SetEnv DJANGO_SETTINGS_MODULE config.settings.aws

<VirtualHost *:80>
    ServerName dev.stemcellcommons.org

    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    <Directory /srv/refinery-platform/refinery/config>
        <Files wsgi.py>
            Order deny,allow
            Require all granted
        </Files>
    </Directory>
    WSGIScriptAlias / /srv/refinery-platform/refinery/config/wsgi.py

    WSGIDaemonProcess refinery user=ubuntu group=ubuntu \
        python-path=/srv/refinery-platform/refinery:/home/ubuntu/.virtualenvs/refinery-platform/lib/python2.7/site-packages
    WSGIProcessGroup refinery

    #Alias /robots.txt /vagrant/refinery/static/robots.txt
    #Alias /favicon.ico /vagrant/refinery/static/favicon.ico

    AliasMatch ^/([^/]*\.css) /srv/refinery-platform/refinery/static/styles/$1

    Alias /static/ /srv/refinery-platform/static/
    Alias /media/ /data/media/

    <Directory /srv/refinery-platform/static>
        Order deny,allow
        Require all granted
    </Directory>

    <Directory /data/media>
        Order deny,allow
        Require all granted
    </Directory>

</VirtualHost>

[drj11]

Noting here so I don't lose it. Can get Amazon to create our certificates: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html

[hackdna]

Btw, it is possible to have conditionals in the template: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/conditions-section-structure.html

[hackdna]

As we discussed, there should be a single file for all stack settings, including tags. Also, we should probably have two AWS deployment modes. Prod: with SSL and dev: with no SSL. Dev mode settings/templates would be useful for Vagrant deployments too.

[hackdna]

Regarding HTTPS handing in Django: https://docs.djangoproject.com/en/1.9/topics/security/#ssl-https
See also #1293

[hackdna]

Also, we should log actual client IPs in Apache logs, not the ELB IPs (X-Forwarded-For header)