While HTTP is dying off, many browsers still don't use HTTPS out-of-the-box. Unless your browser has HSTS set for the domain, most browsers will initially go for HTTP when the user just enters the domain's name without a https:// prefix.
Gorouter now supports both http and https traffic, but there is no means to tell a user arriving at port 80 to go get upgraded to TLS at port 443.
The current option, if you don't want port 80 to be used for traffic, is to close it completely, which is inconvenient as users will first see "connection refused" errors and then have to manually type the "https://" prefix in their address bar.
It would be much nicer to have an option enable_redirect_to_ssl which works in two ways:
If a request arrived at port 80, it gets redirected to port 443.
If a request arrived at port 443 but x-forwarded-proto is set to http, this means gorouter is behind a proxy that forwarded http traffic to gorouter's https port, so the connection is not fully secure. The user will also see a redirect to https.
Affected Versions
All
Context
In our deployments we use HAProxy BOSH-release as a front-end proxy before Gorouter. HAProxy also supports redirects but it's hard to know there which domains should be redirected. The reason why redirects should not be "blind" is potential security threats of cache poisoning and others if such systems are used.
Gorouter on the other hand, knows all routes because it receives them from NATS, so it would be the better candidate to serve "verified" redirects as it knows if a given host header exists on the platform or not.
Steps to Reproduce
curl -H 'host: cat-videos.cf-app.com' http://cf-app.com
Expected result
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://cat-videos.cf-app.com/
Current result
Either
Connection refused
or
<cat videos served from port 80>
Possible Fix
Introduce a new spec property enable_redirect_to_ssl: <bool> (default false)
The first property will be read by a new middleware in gorouter that comes after lookup.go and will return a 301 to the client with the domain presented in the host header. The middleware will send the redirect if either
the request came in via http, or
the request contains a x-forwarded-proto: http header
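One way the proposed middleware could implement the two rules above, as an added example that is not gorouter's own code: the NATS-fed route table is stood in for by a hypothetical RouteRegistry set, and the wrapper is plain net/http rather than gorouter's handler type. The Host is echoed into Location only when it is a registered route, which is the "verified redirect" the context section asks for.

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
)

// RouteRegistry stands in for gorouter's NATS-fed route table (assumption: a
// plain set of registered host names, lower-cased, without port).
type RouteRegistry map[string]bool

// Decide applies the two rules from the proposal: redirect if the request came
// in over plain HTTP, or if a front-end proxy marked it x-forwarded-proto: http.
// It returns (0, "") to pass the request on, (301, location) to redirect, or
// (404, "") when the Host is not a registered route: only known hosts are
// echoed into Location, so no blind redirect is ever issued.
func Decide(enabled bool, routes RouteRegistry, overTLS bool, host, xfProto, path, query string) (int, string) {
	insecure := !overTLS || strings.EqualFold(strings.TrimSpace(xfProto), "http")
	if !enabled || !insecure {
		return 0, ""
	}
	h := strings.ToLower(host)
	if bare, _, err := net.SplitHostPort(h); err == nil {
		h = bare // drop an explicit :port before the lookup
	}
	if !routes[h] {
		return http.StatusNotFound, ""
	}
	u := url.URL{Scheme: "https", Host: h, Path: path, RawQuery: query}
	return http.StatusMovedPermanently, u.String()
}

// SSLRedirect wraps Decide as plain net/http middleware (not gorouter's own
// handler type); r.TLS is nil for requests that arrived on the http port.
func SSLRedirect(enabled bool, routes RouteRegistry, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code, loc := Decide(enabled, routes, r.TLS != nil, r.Host, r.Header.Get("X-Forwarded-Proto"), r.URL.Path, r.URL.RawQuery)
		switch code {
		case 0:
			next.ServeHTTP(w, r)
		case http.StatusMovedPermanently:
			w.Header().Set("Location", loc)
			w.WriteHeader(code)
		default:
			http.Error(w, "unknown route", code)
		}
	})
}
```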
domdom82 changed the title from "Gorouter should be able to redirect HTTP to HTTP traffic" to "Gorouter should be able to redirect HTTP to HTTPS traffic" on Feb 5, 2024
Is this a security vulnerability?
no.