Configure https-redirect per service

James Bardin · James Bardin · commit b823cab71ef7 · 2015-03-13T16:27:19.000-04:00
- allow http and https services to coexist
- add test to make sure our redirect behaviour works in the first place
diff --git a/admin_test.go b/admin_test.go
@@ -8,6 +8,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"sync"
 
 	"github.com/litl/shuttle/client"
@@ -58,7 +59,6 @@ func (s *HTTPSuite) SetUpSuite(c *C) {
 
 	httpsRouter := NewHostRouter(httpsServer)
 	httpsRouter.Scheme = "https"
-	httpsRouter.SSLOnly = sslOnly
 
 	httpsReady := make(chan bool)
 	go httpsRouter.Start(httpsReady)
@@ -658,3 +658,59 @@ func (s *HTTPSuite) TestHTTPSRouter(c *C) {
 	checkHTTP("https://alt.vhost2.test:"+s.httpsPort+"/addr", "alt.vhost2.test", srv2.addr, 200, c)
 	checkHTTP("https://star.vhost2.test:"+s.httpsPort+"/addr", "star.vhost2.test", srv2.addr, 200, c)
 }
+
+// Verify that Settting HTTPSRedirect on a service works as expected for https
+// and for X-Forwarded-Proto:https.
+func (s *HTTPSuite) TestHTTPSRedirect(c *C) {
+	srv1 := s.backendServers[0]
+
+	svcCfgOne := client.ServiceConfig{
+		Name:          "VHostTest1",
+		Addr:          "127.0.0.1:9000",
+		HTTPSRedirect: true,
+		VirtualHosts:  []string{"vhost1.test", "alt.vhost1.test", "star.vhost1.test"},
+		Backends: []client.BackendConfig{
+			{Addr: srv1.addr},
+		},
+	}
+
+	err := Registry.AddService(svcCfgOne)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			Dial: localDial,
+		},
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return fmt.Errorf("redirected")
+		},
+	}
+
+	// this should redirect to https
+	reqHTTP, _ := http.NewRequest("HEAD", "http://localhost:"+s.httpPort+"/addr", nil)
+	reqHTTP.Host = "vhost1.test"
+
+	resp, err := client.Do(reqHTTP)
+	if err != nil {
+		if err, ok := err.(*url.Error); ok {
+			if err.Err.Error() != "redirected" {
+				c.Fatal(err)
+			}
+		} else {
+			c.Fatal(err)
+		}
+	}
+	c.Assert(resp.StatusCode, Equals, http.StatusMovedPermanently)
+
+	// this should be OK
+	reqHTTP.Header = map[string][]string{
+		"X-Forwarded-Proto": {"https"},
+	}
+	resp, err = client.Do(reqHTTP)
+	if err != nil {
+		c.Fatal(err)
+	}
+	c.Assert(resp.StatusCode, Equals, http.StatusOK)
+}
diff --git a/client/config.go b/client/config.go
@@ -69,6 +69,11 @@ type Config struct {
 	// backend service, including name resolution.
 	DialTimeout int `json:"connect_timeout"`
 
+	// HTTPSRedirect when set to true, redirects non-https request to https on
+	// all services. The request may either have Scheme set to 'https',  or
+	// have an "X-Forwarded-Proto: https" header.
+	HTTPSRedirect bool `json:"https-redirect"`
+
 	// Services is a slice of ServiceConfig for each service. A service
 	// corresponds to one listening connection, and a number of backends to
 	// proxy.
@@ -189,6 +194,11 @@ type ServiceConfig struct {
 	// backend service, including name resolution.
 	DialTimeout int `json:"connect_timeout"`
 
+	// HTTPSRedirect when set to true, redirects non-https request to https. The
+	// request may either have Scheme set to 'https',  or have an
+	// "X-Forwarded-Proto: https" header.
+	HTTPSRedirect bool `json:"https-redirect"`
+
 	// Virtualhosts is a set of virtual hostnames for which this service should
 	// handle HTTP requests.
 	VirtualHosts []string `json:"virtual_hosts,omitempty"`
diff --git a/http.go b/http.go
@@ -29,9 +29,6 @@ type HostRouter struct {
 	// the http frontend
 	server *http.Server
 
-	// automatically redirect to https
-	SSLOnly bool
-
 	// HTTP/HTTPS
 	Scheme string
 
@@ -53,15 +50,6 @@ func (r *HostRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	req.Header.Set("X-Request-Id", reqId)
 	w.Header().Add("X-Request-Id", reqId)
 
-	if r.SSLOnly {
-		if req.TLS != nil || req.Header.Get("X-Forwarded-Proto") != "https" {
-			//TODO: verify RequestURI
-			redirLoc := "https://" + req.Host + req.RequestURI
-			http.Redirect(w, req, redirLoc, http.StatusMovedPermanently)
-			return
-		}
-	}
-
 	var err error
 	host := req.Host
 
@@ -137,7 +125,6 @@ func startHTTPServer(wg *sync.WaitGroup) {
 	}
 
 	httpRouter = NewHostRouter(httpServer)
-	httpRouter.SSLOnly = sslOnly
 
 	httpRouter.Start(nil)
 }
@@ -224,7 +211,6 @@ func startHTTPSServer(wg *sync.WaitGroup) {
 
 	httpRouter = NewHostRouter(httpsServer)
 	httpRouter.Scheme = "https"
-	httpRouter.SSLOnly = sslOnly
 
 	httpRouter.Start(nil)
 }
diff --git a/main.go b/main.go
@@ -26,8 +26,8 @@ var (
 	// Debug logging
 	debug bool
 
-	// Redirect to SSL endpoint
-	sslOnly bool
+	// Redirect to HTTPS endpoint
+	httpsRedirect bool
 
 	// version flags
 	version      bool
@@ -47,8 +47,8 @@ func init() {
 	flag.BoolVar(&debug, "debug", false, "verbose logging")
 	flag.BoolVar(&version, "v", false, "display version")
 
-	// FIXME: we may only want this for one HTTPRouter
-	flag.BoolVar(&sslOnly, "sslOnly", false, "require SSL")
+	flag.BoolVar(&httpsRedirect, "https-redirect", false, "redirect all http vhost requests to https")
+	flag.BoolVar(&httpsRedirect, "sslOnly", false, "require https (deprecated)")
 
 	flag.Parse()
 }
diff --git a/registry.go b/registry.go
@@ -172,6 +172,11 @@ func (s *ServiceRegistry) UpdateConfig(cfg client.Config) error {
 		s.cfg.DialTimeout = cfg.DialTimeout
 	}
 
+	// apply the https rediect flag
+	if httpsRedirect {
+		s.cfg.HTTPSRedirect = true
+	}
+
 	invalidPorts := []string{
 		// FIXME: lookup bound addresses some other way.  We may have multiple
 		//        http listeners, as well as all listening Services.
@@ -275,6 +280,7 @@ func (s *ServiceRegistry) AddService(svcCfg client.ServiceConfig) error {
 // Replacing a configuration will shutdown the existing service, and start a
 // new one, which will cause the listening socket to be temporarily
 // unavailable.
+// FIXME: this doesn't update service configuration options!
 func (s *ServiceRegistry) UpdateService(newCfg client.ServiceConfig) error {
 	s.Lock()
 	defer s.Unlock()
@@ -572,4 +578,7 @@ func (s *ServiceRegistry) setServiceDefaults(svc *client.ServiceConfig) {
 	if svc.DialTimeout == 0 && s.cfg.DialTimeout != 0 {
 		svc.DialTimeout = s.cfg.DialTimeout
 	}
+	if s.cfg.HTTPSRedirect {
+		svc.HTTPSRedirect = true
+	}
 }
diff --git a/service.go b/service.go
@@ -24,6 +24,7 @@ type Service struct {
 	sync.Mutex
 	Name          string
 	Addr          string
+	HTTPSRedirect bool
 	VirtualHosts  []string
 	Backends      []*Backend
 	Balance       string
@@ -97,6 +98,7 @@ func NewService(cfg client.ServiceConfig) *Service {
 		CheckInterval: cfg.CheckInterval,
 		Fall:          cfg.Fall,
 		Rise:          cfg.Rise,
+		HTTPSRedirect: cfg.HTTPSRedirect,
 		VirtualHosts:  cfg.VirtualHosts,
 		ClientTimeout: time.Duration(cfg.ClientTimeout) * time.Millisecond,
 		ServerTimeout: time.Duration(cfg.ServerTimeout) * time.Millisecond,
@@ -228,6 +230,7 @@ func (s *Service) Config() client.ServiceConfig {
 		Name:          s.Name,
 		Addr:          s.Addr,
 		VirtualHosts:  s.VirtualHosts,
+		HTTPSRedirect: s.HTTPSRedirect,
 		Balance:       s.Balance,
 		CheckInterval: s.CheckInterval,
 		Fall:          s.Fall,
@@ -552,6 +555,15 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	atomic.AddInt64(&s.HTTPActive, 1)
 	defer atomic.AddInt64(&s.HTTPActive, -1)
 
+	if s.HTTPSRedirect {
+		if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") != "https" {
+			//TODO: verify RequestURI
+			redirLoc := "https://" + r.Host + r.RequestURI
+			http.Redirect(w, r, redirLoc, http.StatusMovedPermanently)
+			return
+		}
+	}
+
 	s.httpProxy.ServeHTTP(w, r, s.NextAddrs())
 }
 
diff --git a/shuttle-cli/main.go b/shuttle-cli/main.go
@@ -41,6 +41,7 @@ func init() {
 	configFS.IntVar(&cfg.ClientTimeout, "client-timeout", 0, "innactivity timeout for client connections")
 	configFS.IntVar(&cfg.ServerTimeout, "server-timeout", 0, "innactivity timeout for server connections")
 	configFS.IntVar(&cfg.DialTimeout, "dial-timeout", 0, "timeout for dialing new connections connections")
+	configFS.BoolVar(&cfg.HTTPSRedirect, "https-redirect", false, "rediect all http requests to https")
 
 	serviceFS.StringVar(&serviceCfg.Addr, "address", "", "service listening address")
 	serviceFS.StringVar(&serviceCfg.Network, "network", "", "service network type")
@@ -51,6 +52,7 @@ func init() {
 	serviceFS.IntVar(&serviceCfg.ClientTimeout, "client-timeout", 0, "innactivity timeout for client connections")
 	serviceFS.IntVar(&serviceCfg.ServerTimeout, "server-timeout", 0, "innactivity timeout for server connections")
 	serviceFS.IntVar(&serviceCfg.DialTimeout, "dial-timeout", 0, "timeout for dialing new connections connections")
+	serviceFS.BoolVar(&serviceCfg.HTTPSRedirect, "https-redirect", false, "rediect all http requests to https")
 	serviceFS.Var(&vhosts, "vhost", "virtual host name. may be set multiple times")
 	serviceFS.Var(&errorPages, "error-page", "location for http error code formatted as 'http://example.com/|500,503'. may be set multiple times")
 
