@@ -0,0 +1,7 @@ | |||
// +build appengine | |||
|
|||
package main |
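Review bot: The `// +build appengine` constraint at the top of this new file removes everything it declares from a default build, so any identifier defined here that main.go refers to needs a counterpart in a file tagged `// +build !appengine`, or the non-App Engine build will not compile. A short comment above `package main` saying what the file supplies on App Engine would also help, since the constraint alone does not explain why the file exists.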
oh, godoc.org doesn't run on app engine anymore, so this is unnecessary.
I could be convinced that the appengine default code shouldn't be in there, but it followed what was done in the commit linked to in the latest comment on 304.
@@ -898,7 +900,17 @@ func main() { | |||
|
|||
cacheBusters.Handler = mux | |||
|
|||
if err := http.ListenAndServe(*httpAddr, hostMux{{"api.", apiMux}, {"", mux}}); err != nil { | |||
var allMux http.Handler = hostMux{{"api.", apiMux}, {"", mux}} |
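Review bot: The new `allMux` declaration joins the `api.` and default-host entries into a single handler, so anything wrapped around it before `http.ListenAndServe` applies to API hosts as well as the web UI. If the wrapper is meant for the web host only, apply it to `mux` inside the `hostMux` literal instead, or add a comment stating that both are intended. Also check that the replacement call keeps the `err != nil` handling that the original `if err := http.ListenAndServe(...)` line had.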
s/allMux/mux/
The mux name is already taken by the {"", mux} entry.
I could rename that to webMux or something, but that was a slightly larger change. Totally up for it, though.
allMux is fine
I think this could all be simpler. We should just check whether the host is
Yes, please drop the app engine stuff.
Okay, so I was hoping to get HTTPS enforced even on an installation of gddo-server that was not on appengine or on godoc.org. Unfortunately, some clients will include Host headers that have ports in them which the Go HTTP library does not remove. See golang/go#10463. (I'm guessing those ports are removed by the appengine frontends or else that other bit of code wouldn't behave correctly.) Also, in order to match all of the domains, this code would have to go inside the hostMux to work correctly or do a I'm totally willing to accept push back on that, but it would be a bit of a bummer.
"godoc.org" is the only valid domain for the service. Let's restrict the scope of this issue to making godoc.org HTTPS-only. We can worry about other users another time.
Hold up. I just realized that since godoc.org is deployed behind nginx that this entire effort is futile. I guess I'll have to fix this on the deployment side. Sorry for wasting your time. :-(
Oh, shoot. Sorry for wasting yours with a bunch of back and forth! If nginx sets (and clears from outside requests) X-Forward-Proto, we can use that.
Let me investigate.
The relevant header is
Okay, pushed. I'd be willing to write code for the api.godoc.org cert in another PR if that's what's needed.
Redirect HTTP links to HTTPS and set HSTS correctly. This is specific to the godoc.org setup (with nginx passing an X-Scheme header back) and without fixing up api.godoc.org. Fixes golang#304.
I've blown out my timebox for this change for now. Feel free to pick up where I left off.
Redirect HTTP links to HTTPS and set HSTS correctly.
This is specific to the godoc.org setup (with nginx passing an X-Scheme header back) and without fixing up api.godoc.org.
Fixes #304.
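The approach the thread converges on, as an added example that is not the PR's code: redirect plain-HTTP requests for godoc.org to HTTPS and send HSTS only on HTTPS responses, deciding from a proxy-set X-Scheme header and tolerating a port in the Host header (golang/go#10463). The names `httpsOnly`, `hostOnly` and `probe`, the header values `http`/`https`, and the max-age are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Scope follows the thread: only godoc.org is forced to HTTPS.
const canonicalHost = "godoc.org"

// hostOnly drops a client-sent port ("godoc.org:80"); net/http keeps it (golang/go#10463).
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// httpsOnly trusts X-Scheme, so the proxy must overwrite it on every request.
// Assumed here: nginx sends "X-Scheme: https" or "X-Scheme: http".
func httpsOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hostOnly(r.Host) != canonicalHost {
			next.ServeHTTP(w, r) // other hosts (e.g. api.) pass through untouched
			return
		}
		if r.Header.Get("X-Scheme") != "https" {
			u := *r.URL // browsers ignore HSTS sent over HTTP, so redirect only
			u.Scheme, u.Host = "https", canonicalHost
			http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", "max-age=31536000") // assumed max-age
		next.ServeHTTP(w, r)
	})
}

// probe runs one constructed request through httpsOnly and returns status, Location, HSTS.
func probe(host, scheme, path string) (int, string, string) {
	r := httptest.NewRequest("GET", "http://"+host+path, nil)
	r.Header.Set("X-Scheme", scheme)
	w := httptest.NewRecorder()
	httpsOnly(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(w, r)
	return w.Code, w.Header().Get("Location"), w.Header().Get("Strict-Transport-Security")
}

func main() { fmt.Println(probe("godoc.org:80", "http", "/net/http?imports")) }
```

A missing or empty X-Scheme is treated as plain HTTP, so a proxy that forgets to set the header fails toward a redirect rather than toward serving cleartext.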