From e24e4ef8808e0d886d82f265ccf8ec2910eba764 Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Thu, 17 Oct 2019 16:30:18 +0100 Subject: [PATCH 1/8] Add force-https option and flag Signed-off-by: Josh Michielsen --- main.go | 1 + options.go | 2 ++ 2 files changed, 3 insertions(+) diff --git a/main.go b/main.go index a4bf378e..5baa8cd2 100644 --- a/main.go +++ b/main.go @@ -32,6 +32,7 @@ func main() { flagSet.String("http-address", "127.0.0.1:4180", "[http://]: or unix:// to listen on for HTTP clients") flagSet.String("https-address", ":443", ": to listen on for HTTPS clients") + flagSet.Bool("force-https", false, "force HTTPS redirect") flagSet.String("tls-cert-file", "", "path to certificate file") flagSet.String("tls-key-file", "", "path to private key file") flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") diff --git a/options.go b/options.go index 37bbb0b9..ddc10cfd 100644 --- a/options.go +++ b/options.go @@ -34,6 +34,7 @@ type Options struct { ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets" env:"OAUTH2_PROXY_PROXY_WEBSOCKETS"` HTTPAddress string `flag:"http-address" cfg:"http_address" env:"OAUTH2_PROXY_HTTP_ADDRESS"` HTTPSAddress string `flag:"https-address" cfg:"https_address" env:"OAUTH2_PROXY_HTTPS_ADDRESS"` + ForceHTTPS bool `flag:"force-https" cfg:"force_https" env:"OAUTH2_PROXY_FORCE_HTTPS"` RedirectURL string `flag:"redirect-url" cfg:"redirect_url" env:"OAUTH2_PROXY_REDIRECT_URL"` ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"` ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"` @@ -145,6 +146,7 @@ func NewOptions() *Options { ProxyWebSockets: true, HTTPAddress: "127.0.0.1:4180", HTTPSAddress: ":443", + ForceHTTPS: false, DisplayHtpasswdForm: true, CookieOptions: options.CookieOptions{ CookieName: "_oauth2_proxy", From aae91b0ad6cddae6d7ea17085f4713567aba248a Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Thu, 17 Oct 2019 16:30:48 +0100 Subject: [PATCH 2/8] Add new handler to redirect to HTTPS if flag is set Signed-off-by: Josh Michielsen --- http.go | 10 ++++++++++ main.go | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/http.go b/http.go index 2cee227b..0c84fb4b 100644 --- a/http.go +++ b/http.go @@ -152,3 +152,13 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) { tc.SetKeepAlivePeriod(3 * time.Minute) return tc, nil } + +func redirectToHTTPS(opts *Options, h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if opts.ForceHTTPS { + http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect) + } + + h.ServeHTTP(w, r) + }) +} diff --git a/main.go b/main.go index 5baa8cd2..fb859064 100644 --- a/main.go +++ b/main.go @@ -186,9 +186,9 @@ func main() { var handler http.Handler if opts.GCPHealthChecks { - handler = gcpHealthcheck(LoggingHandler(oauthproxy)) + handler = redirectToHTTPS(opts, gcpHealthcheck(LoggingHandler(oauthproxy))) } else { - handler = LoggingHandler(oauthproxy) + handler = redirectToHTTPS(opts, LoggingHandler(oauthproxy)) } s := &Server{ Handler: handler, From 271efe776e3b01b5526f1b284e48732e1131b5c0 Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Thu, 17 Oct 2019 16:37:36 +0100 Subject: [PATCH 3/8] Added tests Signed-off-by: Josh Michielsen --- http_test.go | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/http_test.go b/http_test.go index f5ee1421..bfb9bb24 100644 --- a/http_test.go +++ b/http_test.go @@ -106,3 +106,32 @@ func TestGCPHealthcheckNotIngressPut(t *testing.T) { assert.Equal(t, "test", rw.Body.String()) } + +func TestRedirectToHTTPSTrue(t *testing.T) { + opts := NewOptions() + opts.ForceHTTPS = true + handler := func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("test")) + } + + h := redirectToHTTPS(opts, http.HandlerFunc(handler)) + rw := httptest.NewRecorder() + r, _ := http.NewRequest("GET", "/", nil) + h.ServeHTTP(rw, r) + + assert.Equal(t, http.StatusPermanentRedirect, rw.Code, "status code should be %d, got: %d", http.StatusPermanentRedirect, rw.Code) +} + +func TestRedirectToHTTPSFalse(t *testing.T) { + opts := NewOptions() + handler := func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("test")) + } + + h := redirectToHTTPS(opts, http.HandlerFunc(handler)) + rw := httptest.NewRecorder() + r, _ := http.NewRequest("GET", "/", nil) + h.ServeHTTP(rw, r) + + assert.Equal(t, http.StatusOK, rw.Code, "status code should be %d, got: %d", http.StatusOK, rw.Code) +} From bed0336608ca139cd5617be1949ae05aa6f6dc0e Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Thu, 17 Oct 2019 22:04:24 +0100 Subject: [PATCH 4/8] Add SSL check and test no redirect when HTTPS Signed-off-by: Josh Michielsen --- http.go | 2 +- http_test.go | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/http.go b/http.go index 0c84fb4b..9ef0499c 100644 --- a/http.go +++ b/http.go @@ -155,7 +155,7 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) { func redirectToHTTPS(opts *Options, h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if opts.ForceHTTPS { + if opts.ForceHTTPS && r.TLS == nil { http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect) } diff --git a/http_test.go b/http_test.go index bfb9bb24..400213a0 100644 --- a/http_test.go +++ b/http_test.go @@ -135,3 +135,24 @@ func TestRedirectToHTTPSFalse(t *testing.T) { assert.Equal(t, http.StatusOK, rw.Code, "status code should be %d, got: %d", http.StatusOK, rw.Code) } + +func TestRedirectNotWhenHTTPS(t *testing.T) { + opts := NewOptions() + opts.ForceHTTPS = true + handler := func(w http.ResponseWriter, req *http.Request) { + w.Write([]byte("test")) + } + + h := redirectToHTTPS(opts, http.HandlerFunc(handler)) + s := httptest.NewTLSServer(h) + defer s.Close() + + opts.HTTPSAddress = s.URL + client := s.Client() + res, err := client.Get(s.URL) + if err != nil { + t.Fatalf("request to test server failed with error: %v", err) + } + + assert.Equal(t, http.StatusOK, res.StatusCode, "status code should be %d, got: %d", http.StatusOK, res.StatusCode) +} From 56d195a433d1c15d860e22fd47b619ac52765be5 Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Thu, 17 Oct 2019 22:20:15 +0100 Subject: [PATCH 5/8] Docs and changelog Signed-off-by: Josh Michielsen --- CHANGELOG.md | 1 + docs/configuration/configuration.md | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d76e8958..d3c1e4dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## Changes since v4.0.0 - [#227](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka) +- [#259](https://github.com/pusher/oauth2_proxy/pull/259) Redirect to HTTPS (@jmickey) - [#273](https://github.com/pusher/oauth2_proxy/pull/273) Support Go 1.13 (@dio) - [#275](https://github.com/pusher/oauth2_proxy/pull/275) docker: build from debian buster (@syscll) diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index c076dc88..332c2238 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md @@ -44,6 +44,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example | `-extra-jwt-issuers` | string | if `-skip-jwt-bearer-tokens` is set, a list of extra JWT `issuer=audience` pairs (where the issuer URL has a `.well-known/openid-configuration` or a `.well-known/jwks.json`) | | | `-exclude-logging-paths` | string | comma separated list of paths to exclude from logging, eg: `"/ping,/path2"` |`""` (no paths excluded) | | `-flush-interval` | duration | period between flushing response buffers when streaming responses | `"1s"` | +| `-force-https` | bool | enforce https redirect | `false` | | `-banner` | string | custom banner string. Use `"-"` to disable default banner. | | | `-footer` | string | custom footer string. Use `"-"` to disable default footer. | | | `-gcp-healthchecks` | bool | will enable `/liveness_check`, `/readiness_check`, and `/` (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses | false | From dcc430f6f141f2dc4071952ae2f6c3e7a1e15979 Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Mon, 21 Oct 2019 23:21:35 +0100 Subject: [PATCH 6/8] Check `X-Forwared-Proto` for https (via another reverse proxy) Signed-off-by: Josh Michielsen --- http.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/http.go b/http.go index 9ef0499c..b7ee9598 100644 --- a/http.go +++ b/http.go @@ -155,7 +155,8 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) { func redirectToHTTPS(opts *Options, h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if opts.ForceHTTPS && r.TLS == nil { + proto := r.Header.Get("X-Forwarded-Proto") + if opts.ForceHTTPS && r.TLS == nil && strings.ToLower(proto) != "https" { http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect) } From fe9efba0c524c4356ef8e8020f20052954e04aa3 Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Tue, 22 Oct 2019 14:19:39 +0100 Subject: [PATCH 7/8] Documentation change Co-Authored-By: Joel Speed --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index fb859064..e84a796e 100644 --- a/main.go +++ b/main.go @@ -32,7 +32,7 @@ func main() { flagSet.String("http-address", "127.0.0.1:4180", "[http://]: or unix:// to listen on for HTTP clients") flagSet.String("https-address", ":443", ": to listen on for HTTPS clients") - flagSet.Bool("force-https", false, "force HTTPS redirect") + flagSet.Bool("force-https", false, "force HTTPS redirect for HTTP requests") flagSet.String("tls-cert-file", "", "path to certificate file") flagSet.String("tls-key-file", "", "path to private key file") flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") From c0bfe0357a06339831f50a997a6708ea18ac745b Mon Sep 17 00:00:00 2001 From: Josh Michielsen Date: Tue, 22 Oct 2019 14:21:06 +0100 Subject: [PATCH 8/8] Confirm that the proto is not empty, and change condition to OR Co-Authored-By: Joel Speed --- http.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http.go b/http.go index b7ee9598..88280c44 100644 --- a/http.go +++ b/http.go @@ -156,7 +156,7 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) { func redirectToHTTPS(opts *Options, h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { proto := r.Header.Get("X-Forwarded-Proto") - if opts.ForceHTTPS && r.TLS == nil && strings.ToLower(proto) != "https" { + if opts.ForceHTTPS && (r.TLS == nil || (proto != "" && strings.ToLower(proto) != "https")) { http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect) }