[SPIKE] Add Nginx configuration - increase security and performance

[raftmsohani]

Description:
Nginx is an HTTP server and reverse proxy. Currently, the backend (Django) is NOT behind a proxy server. This can cause security and/or performance issues for the application. The intention behind this ticket is to add proxy server (Nginx) in front of Gunicorn.
The proxy server should forward headers, handle static files, rate limit requests, etc.

Note: This is in conjunction with ticket #1543.

Acceptance Criteria:

• Request header are successfully being forwarded to Gunicorn and Django
• Requests from clients are rate limited
• Static files are cached
• Testing Checklist has run and all tests pass
• README is updated, if necessary

Tasks:

• Create config file for Nginx
• Create docker file/add Nginx to docker-compose file
• If ticket Add Gunicorn settings to correctly receive header #1543 is not implemented yet, then add the command to Gunicorn to trust Nginx
• Run Testing Checklist and confirm all tests pass

Notes:

• The configuration has to be revisited at deployment

Supporting Documentation:
Please include any relevant log snippets/files/screen shots

• UK nginx as firewall sample

Open Questions:
Please include any questions or decisions that must be made before beginning work or to confidently call this issue complete

TODOs:

• Remove unused CSP vars in settings
• Investigate and remove unused middleware logic
• Must have: Add URLs to backend proxy. Currently only /v1 is added but we need to add any URL schema such as /admin. Also need to add a note to url.py file for future url schemas
• Remove cloud.gov route to the backend.
• Remove "corsheaders" package.
• Must have: add new deployment logic for Nginx, the new network, etc
• Nice to have: Add authentication to Nginx for backend API, so that the URL is not directly reachable without authentication. This need further investigation. One idea is only /auth is reachable and after user is authenticated, then Nginx allows other URLs. This need token authentication between frontend/backend and Nginx

[riatzukiza]

https://stackoverflow.com/questions/60576263/cloudfoundry-how-to-use-multiple-buildpacks-nginx-django-gunicorn

[riatzukiza]

We don't use the docker compose for deployments, we are using cloud foundry buildpacks

[riatzukiza]

Theres a history behind the decision to use the buildpacks over a docker file that happened well before the current team was in place. The python build pack is fed ramped, if we used a docker container, or if we changed the start commands as the stack overflow link I posted above is suggesting, it would complicate the approval process. This should considered very carefully.

[valcollignon]

Tasks need to be revised, per backlog refinement 1.18.22. CC: @riatzukiza @abottoms-coder @raftmsohani

[andrew-jameson]

A little bit of scope creep, would like to implement a IP block list because of the recent harassment we received from China/Nepal in prod. That could be it's own ticket, but wanted to discuss it for this as well.

As a small aside, if you can get a inclusive list of US-only based IP addresses for prep work for implementing this in production, that'd be great.

[raftmsohani]

• Added GeoIP white list for United States using https://lite.ip2location.com/united-states-of-america-ip-address-ranges?lang=en_US. Any blocked IP has to be added to the list

[raftmsohani]

This issue is now resolved by : #2449