From 00b6c5f315ac00e9da8a6de99c50b064e9f87872 Mon Sep 17 00:00:00 2001
From: Rob Watson
Date: Wed, 3 Jan 2018 20:02:46 +0000
Subject: Implement HTTPS-only pages

- Check `config.json` for `httpsonly` attribute
- Store value against custom domain or group/project pair
- Respond with 301 redirect to HTTP requests to these domains/projects
Re: https://gitlab.com/gitlab-org/gitlab-ce/issues/28857
---
app.go | 72 +++++++++++++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 47 insertions(+), 25 deletions(-)
(limited to 'app.go')
diff --git a/app.go b/app.go
index afc43466..f7b07976 100644
--- a/app.go
+++ b/app.go
@@ -66,49 +66,71 @@ func (a *theApp) healthCheck(w http.ResponseWriter, r *http.Request, https bool)
 }
 }
-func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https bool) {
- w := newLoggingResponseWriter(ww)
- defer w.Log(r)
+func (a *theApp) redirectToHTTPS(w http.ResponseWriter, r *http.Request, statusCode int) {
+ u := *r.URL
+ u.Scheme = "https"
+ u.Host = r.Host
+ u.User = nil
- metrics.SessionsActive.Inc()
- defer metrics.SessionsActive.Dec()
+ http.Redirect(w, r, u.String(), statusCode)
+}
+func (a *theApp) getHostAndDomain(r *http.Request) (host string, domain *domain) {
+ host, _, err := net.SplitHostPort(r.Host)
+ if err != nil {
+ host = r.Host
+ }
+
+ return host, a.domain(host)
+}
+
+func (a *theApp) tryAuxiliaryHandlers(w http.ResponseWriter, r *http.Request, https bool, host string, domain *domain) bool {
 // short circuit content serving to check for a status page
 if r.RequestURI == a.appConfig.StatusPath {
- a.healthCheck(&w, r, https)
- return
+ a.healthCheck(w, r, https)
+ return true
 }
 // Add auto redirect
 if !https && a.RedirectHTTP {
- u := *r.URL
- u.Scheme = "https"
- u.Host = r.Host
- u.User = nil
-
- http.Redirect(&w, r, u.String(), 307)
- return
- }
-
- host, _, err := net.SplitHostPort(r.Host)
- if err != nil {
- host = r.Host
+ a.redirectToHTTPS(w, r, http.StatusTemporaryRedirect)
+ return true
 }
 // In the event a host is prefixed with the artifact prefix an artifact
 // value is created, and an attempt to proxy the request is made
- if a.Artifact.TryMakeRequest(host, &w, r) {
- return
+ if a.Artifact.TryMakeRequest(host, w, r) {
+ return true
 }
 if !a.isReady() {
- httperrors.Serve503(&w)
- return
+ httperrors.Serve503(w)
+ return true
 }
- domain := a.domain(host)
 if domain == nil {
- httperrors.Serve404(&w)
+ httperrors.Serve404(w)
+ return true
+ }
+
+ if !https && domain.isHTTPSOnly(r) {
+ a.redirectToHTTPS(w, r, http.StatusMovedPermanently)
+ return true
+ }
+
+ return false
+}
+
+func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https bool) {
+ w := newLoggingResponseWriter(ww)
+ defer w.Log(r)
+
+ metrics.SessionsActive.Inc()
+ defer metrics.SessionsActive.Dec()
+
+ host, domain := a.getHostAndDomain(r)
+
+ if a.tryAuxiliaryHandlers(&w, r, https, host, domain) {
 return
 }
-- cgit v1.2.3
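Review bot: `redirectToHTTPS` copies the client-supplied `r.Host` into the `Location` header, and the new HTTPS-only branch sends it with `http.StatusMovedPermanently`, a response that browsers and intermediaries may cache. `tryAuxiliaryHandlers` already holds `host`, the port-stripped value that `a.domain(host)` matched, so the helper could accept it and use `u.Host = host` in place of `u.Host = r.Host`, provided HTTPS is served on the default port; that keeps a request-chosen port out of a cached redirect. The `a.RedirectHTTP` branch still runs before the `domain == nil` check, so the Host value is reflected even for hosts that are not served; moving it below the lookup would avoid that, if no deployment depends on redirecting unknown hosts. A 301 by itself leaves the first plain-HTTP request unprotected, so a `Strict-Transport-Security` header on HTTPS responses for HTTPS-only domains would be a sensible follow-up. The body of `serveContent` continues outside the hunk.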