Use force_https_urls on when deploying with Cloud Run

[simonw]

Original title: datasette.absolute_url() should return https:// not http:// on Cloud Run

https://latest-with-plugins.datasette.io/github/issue_comments.Notebook?_labels=on currently provides http:// links, which break in Observable since it won't load http:// content.

[simonw]

https://github.com/simonw/datasette-export-notebook/blob/aec398eab4f34791d240d7bc47b6eec575b357be/datasette_export_notebook/__init__.py#L18-L23

Maybe this is a bug in datasette.absolute_url? Perhaps it doesn't take the scheme into account.

[simonw]

Weird...

datasette/datasette/app.py

Lines 609 to 613 in a882d67

	def absolute_url(self, request, path):
	url = urllib.parse.urljoin(request.url, path)
	if url.startswith("http://") and self.setting("force_https_urls"):
	url = "https://" + url[len("http://") :]
	return url

    def absolute_url(self, request, path):
        url = urllib.parse.urljoin(request.url, path)
        if url.startswith("http://") and self.setting("force_https_urls"):
            url = "https://" + url[len("http://") :]
        return url

That looks like it should work. Needs more digging.

[simonw]

https://latest-with-plugins.datasette.io/-/settings says "force_https_urls": false

[simonw]

https://latest-with-plugins.datasette.io/fixtures/sortable.json has the bug too - the next_url is http:// when it should be https://.

[simonw]

Moving this to the Datasette repo.

[simonw]

https://latest-with-plugins.datasette.io/-/asgi-scope

{'asgi': {'spec_version': '2.1', 'version': '3.0'},
 'client': ('169.254.8.129', 54971),
 'headers': [(b'host', b'latest-with-plugins.datasette.io'),
             (b'user-agent',
              b'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko'
              b'/20100101 Firefox/84.0'),
             (b'accept',
              b'text/html,application/xhtml+xml,application/xml;q=0.9,image/'
              b'webp,*/*;q=0.8'),
             (b'accept-language', b'en-US,en;q=0.5'),
             (b'dnt', b'1'),
             (b'cookie',
              b'_ga_LL6M7BK6D4=GS1.1.1609886546.49.1.1609886923.0; _ga=GA1.1'
              b'.894633707.1607575712'),
             (b'upgrade-insecure-requests', b'1'),
             (b'x-client-data', b'CgSL6ZsV'),
             (b'x-cloud-trace-context',
              b'e776af843c657d2a3da28a73b726e6fe/14187666787557102189;o=1'),
             (b'x-forwarded-for', b'148.64.98.14'),
             (b'x-forwarded-proto', b'https'),
             (b'forwarded', b'for="148.64.98.14";proto=https'),
             (b'accept-encoding', b'gzip, deflate, br'),
             (b'content-length', b'0')],
 'http_version': '1.1',
 'method': 'GET',
 'path': '/-/asgi-scope',
 'query_string': b'',
 'raw_path': b'/-/asgi-scope',
 'root_path': '',
 'scheme': 'http',
 'server': ('169.254.8.130', 8080),
 'type': 'http'}

Note the 'scheme': 'http' but also the (b'x-forwarded-proto', b'https').

[simonw]

Easiest fix would be for publish cloudrun to set force_https_urls:

datasette publish now used to do this:

datasette/datasette/publish/now.py

Lines 59 to 63 in 07e208c

	if extra_options:
	extra_options += " "
	else:
	extra_options = ""
	extra_options += "--config force_https_urls:on"

[simonw]

Deploying that change now to test it.

[simonw]

Issue fixed - https://latest-with-plugins.datasette.io/github/issue_comments.Notebook?_labels=on displays the correct schemes now.

I can't think of a reason anyone on Cloud Run would ever NOT want the force_https_urls option, but just in case I've made it so if you pass --extra-options --setting force_https_urls off to publish cloudrun your setting will be respected.

datasette/datasette/publish/cloudrun.py

Lines 105 to 110 in 97fb10c

	if not extra_options:
	extra_options = ""
	if "force_https_urls" not in extra_options:
	if extra_options:
	extra_options += " "
	extra_options += "--setting force_https_urls on"