[ws-proxy] make https default and redirect http

Author: AlexTugarev

chart/config/proxy/lib.workspace-locations.conf

@@ -15,5 +15,5 @@ location / {
     error_log off;
 
     proxy_set_header x-wsproxy-host $host;
-    proxy_pass http://wsproxy$request_uri;
+    proxy_pass https://wsproxy$request_uri;
 }

chart/config/proxy/lib.workspace-port-locations.conf

@@ -19,7 +19,7 @@ location / {
     error_log off;
 
     proxy_set_header x-wsproxy-host $host;
-    proxy_pass http://wsproxy$request_uri;
+    proxy_pass https://wsproxy$request_uri;
 }
 {{- else }}
 

chart/config/proxy/vhost.upstreams.conf

@@ -22,7 +22,7 @@ upstream dashboard {
 {{- $wsProxy := .Values.components.wsProxy -}}
 {{- if (and $wsProxy (not $wsProxy.disabled)) }}
 upstream wsproxy {
-    server ws-proxy.${KUBE_NAMESPACE}.svc.cluster.local:8080;
+    server ws-proxy.${KUBE_NAMESPACE}.svc.cluster.local:9090;
 
     # Keep up to 100 connections to upstream alive and re-use them for faster responses
     keepalive 100;

chart/templates/ws-proxy-configmap.yaml

@@ -18,8 +18,8 @@ data:
   config.json: |-
     {
         "ingress": {
-            "address": ":{{- $comp.ports.httpProxy.containerPort -}}",
-            "https": {{ $comp.useHTTPS -}},
+            "httpAddress": ":{{- $comp.ports.httpProxy.containerPort -}}",
+            "httpsAddress": ":{{- $comp.ports.httpsProxy.containerPort -}}",
             "header": "{{- $comp.hostHeader -}}"
         },
         "workspaceInfoProviderConfig": {
@@ -32,13 +32,10 @@ data:
             }
         },
         "proxy": {
-            {{- if and $comp.useHTTPS $.Values.certificatesSecret.secretName }}
             "https": {
-                "enabled": true,
                 "crt": "/mnt/certificates/tls.crt",
                 "key": "/mnt/certificates/tls.key"
             },
-            {{- end }}
             "transportConfig": {
                 "connectTimeout": "10s",
                 "idleConnTimeout": "60s",

chart/templates/ws-proxy-networkpolicy.yaml

@@ -20,10 +20,12 @@ spec:
   policyTypes:
   - Ingress
   ingress:
-  # Allow access to HTTP proxy port from everywhere
+  # Allow access to HTTP/HTTPS proxy ports from everywhere
   - ports:
     - protocol: TCP
       port: {{ $comp.ports.httpProxy.containerPort }}
+    - protocol: TCP
+      port: {{ $comp.ports.httpsProxy.containerPort }}
     {{ if $comp.ports.wsManagerProxy }}
     - protocol: TCP
       port: {{ $comp.ports.wsManagerProxy.containerPort }}

chart/values.yaml

@@ -466,7 +466,6 @@ components:
       cpu: 100m
       memory: 64Mi
     replicas: 1
-    useHTTPS: false
     hostHeader: "x-wsproxy-host"
     wsManagerProxy:
       enabled: false
@@ -478,6 +477,9 @@ components:
       httpProxy:
         expose: true
         containerPort: 8080
+      httpsProxy:
+        expose: true
+        containerPort: 9090
       metrics:
         expose: false
         containerPort: 9500

components/ws-proxy/cmd/root.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"os"
 
-	validation "github.com/go-ozzo/ozzo-validation"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
 
@@ -55,7 +54,7 @@ func init() {
 
 // Config configures this servuce
 type Config struct {
-	Ingress                     HostBasedIngressConfig            `json:"ingress"`
+	Ingress                     proxy.HostBasedIngressConfig      `json:"ingress"`
 	Proxy                       proxy.Config                      `json:"proxy"`
 	WorkspaceInfoProviderConfig proxy.WorkspaceInfoProviderConfig `json:"workspaceInfoProviderConfig"`
 	PProfAddr                   string                            `json:"pprofAddr"`
@@ -82,23 +81,6 @@ func (c *Config) Validate() error {
 	return nil
 }
 
-// HostBasedIngressConfig configures the host-based ingress
-type HostBasedIngressConfig struct {
-	Address string `json:"address"`
-	Header  string `json:"header"`
-}
-
-// Validate validates this config
-func (c *HostBasedIngressConfig) Validate() error {
-	if c == nil {
-		return xerrors.Errorf("host based ingress config is mandatory")
-	}
-	return validation.ValidateStruct(c,
-		validation.Field(&c.Address, validation.Required),
-		validation.Field(&c.Header, validation.Required),
-	)
-}
-
 // WSManagerProxyConfig configures the ws-manager TCP proxy
 type WSManagerProxyConfig struct {
 	ListenAddress string            `json:"listenAddress"`

components/ws-proxy/cmd/run.go

@@ -56,9 +56,8 @@ var runCmd = &cobra.Command{
 		}
 		log.Infof("workspace info provider started")
 
-		addr := cfg.Ingress.Address
-		go proxy.NewWorkspaceProxy(addr, cfg.Proxy, proxy.HostBasedRouter(cfg.Ingress.Header, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffix), workspaceInfoProvider).MustServe()
-		log.Infof("started proxying on %s", addr)
+		go proxy.NewWorkspaceProxy(cfg.Ingress, cfg.Proxy, proxy.HostBasedRouter(cfg.Ingress.Header, cfg.Proxy.GitpodInstallation.WorkspaceHostSuffix), workspaceInfoProvider).MustServe()
+		log.Infof("started proxying on %s", cfg.Ingress.HttpAddress)
 
 		if cfg.PProfAddr != "" {
 			go pprof.Serve(cfg.PProfAddr)

components/ws-proxy/pkg/proxy/config.go

@@ -18,7 +18,6 @@ import (
 // Config is the configuration for a WorkspaceProxy
 type Config struct {
 	HTTPS struct {
-		Enabled     bool   `json:"enabled"`
 		Key         string `json:"key"`
 		Certificate string `json:"crt"`
 	} `json:"https,omitempty"`
@@ -51,6 +50,25 @@ func (c *Config) Validate() error {
 	return nil
 }
 
+// HostBasedIngressConfig configures the host-based ingress
+type HostBasedIngressConfig struct {
+	HttpAddress  string `json:"httpAddress"`
+	HttpsAddress string `json:"httpsAddress"`
+	Header       string `json:"header"`
+}
+
+// Validate validates this config
+func (c *HostBasedIngressConfig) Validate() error {
+	if c == nil {
+		return xerrors.Errorf("host based ingress config is mandatory")
+	}
+	return validation.ValidateStruct(c,
+		validation.Field(&c.HttpAddress, validation.Required),
+		validation.Field(&c.HttpsAddress, validation.Required),
+		validation.Field(&c.Header, validation.Required),
+	)
+}
+
 // WorkspacePodConfig contains config around the workspace pod
 type WorkspacePodConfig struct {
 	ServiceTemplate     string `json:"serviceTemplate"`

components/ws-proxy/pkg/proxy/proxy.go

@@ -16,45 +16,56 @@ import (
 
 // WorkspaceProxy is the entity which forwards all inbound requests to the relevant workspace pods
 type WorkspaceProxy struct {
-	Address               string
+	Ingress               HostBasedIngressConfig
 	Config                Config
 	WorkspaceRouter       WorkspaceRouter
 	WorkspaceInfoProvider WorkspaceInfoProvider
 }
 
 // NewWorkspaceProxy creates a new workspace proxy
-func NewWorkspaceProxy(address string, config Config, workspaceRouter WorkspaceRouter, workspaceInfoProvider WorkspaceInfoProvider) *WorkspaceProxy {
+func NewWorkspaceProxy(ingress HostBasedIngressConfig, config Config, workspaceRouter WorkspaceRouter, workspaceInfoProvider WorkspaceInfoProvider) *WorkspaceProxy {
 	return &WorkspaceProxy{
-		Address:               address,
+		Ingress:               ingress,
 		Config:                config,
 		WorkspaceRouter:       workspaceRouter,
 		WorkspaceInfoProvider: workspaceInfoProvider,
 	}
 }
 
+func redirectToHttps(w http.ResponseWriter, r *http.Request) {
+	target := "https://" + r.Host + r.URL.Path
+	if len(r.URL.RawQuery) > 0 {
+		target += "?" + r.URL.RawQuery
+	}
+	log.WithField("target", target).Debug("redirect to https")
+	http.Redirect(w, r, target, http.StatusTemporaryRedirect)
+}
+
 // MustServe starts the proxy and ends the process if doing so fails
 func (p *WorkspaceProxy) MustServe() {
 	handler, err := p.Handler()
 	if err != nil {
 		log.WithError(err).Fatal("cannot initialize proxy - this is likely a configuration issue")
 		return
 	}
-	srv := &http.Server{Addr: p.Address, Handler: handler}
+	srv := &http.Server{Addr: p.Ingress.HttpsAddress, Handler: handler}
 
-	if p.Config.HTTPS.Enabled {
-		var (
-			crt = p.Config.HTTPS.Certificate
-			key = p.Config.HTTPS.Key
-		)
-		if tproot := os.Getenv("TELEPRESENCE_ROOT"); tproot != "" {
-			crt = filepath.Join(tproot, crt)
-			key = filepath.Join(tproot, key)
-		}
-		err = srv.ListenAndServeTLS(crt, key)
-	} else {
-		err = srv.ListenAndServe()
+	var (
+		crt = p.Config.HTTPS.Certificate
+		key = p.Config.HTTPS.Key
+	)
+	if tproot := os.Getenv("TELEPRESENCE_ROOT"); tproot != "" {
+		crt = filepath.Join(tproot, crt)
+		key = filepath.Join(tproot, key)
 	}
+	go func() {
+		err := http.ListenAndServe(p.Ingress.HttpAddress, http.HandlerFunc(redirectToHttps))
+		if err != nil {
+			log.WithError(err).Fatal("cannot start http proxy")
+		}
+	}()
 
+	err = srv.ListenAndServeTLS(crt, key)
 	if err != nil {
 		log.WithError(err).Fatal("cannot start proxy")
 		return

components/ws-proxy/pkg/proxy/routes.go

@@ -257,12 +257,16 @@ func installWorkspacePortRoutes(r *mux.Router, config *RouteHandlerConfig) error
 
 	// forward request to workspace port
 	r.NewRoute().HandlerFunc(
-		proxyPass(
-			config,
-			workspacePodPortResolver,
-			withHTTPErrorHandler(showPortNotFoundPage),
-			withXFrameOptionsFilter(),
-		),
+		func(rw http.ResponseWriter, r *http.Request) {
+			r.Header.Add("X-Forwarded-Proto", "https")
+			r.Header.Add("X-Forwarded-Host", r.Host+":443")
+			proxyPass(
+				config,
+				workspacePodPortResolver,
+				withHTTPErrorHandler(showPortNotFoundPage),
+				withXFrameOptionsFilter(),
+			)(rw, r)
+		},
 	)
 
 	return nil

components/ws-proxy/pkg/proxy/routes_test.go

@@ -605,7 +605,13 @@ func TestRoutes(t *testing.T) {
 				router = test.Router(&cfg)
 			}
 
-			proxy := NewWorkspaceProxy(":8080", cfg, router, &fakeWsInfoProvider{infos: workspaces})
+			ingress := HostBasedIngressConfig{
+				HttpAddress:  "8080",
+				HttpsAddress: "9090",
+				Header:       "",
+			}
+
+			proxy := NewWorkspaceProxy(ingress, cfg, router, &fakeWsInfoProvider{infos: workspaces})
 			handler, err := proxy.Handler()
 			if err != nil {
 				t.Fatalf("cannot create proxy handler: %q", err)