From 238e916fa08913da44c1fcfee22a4425195d09c4 Mon Sep 17 00:00:00 2001
From: Mark Spicer
Date: Tue, 14 Nov 2017 17:01:07 -0500
Subject: [PATCH] Redirect HTTP to HTTPS when SSL is enabled.

In our current drone setup, we are not using a proxy, thus letting drone handle SSL termination. In addition, we are not exposing port 80 (effectively disabling insecure drone access). When new engineers join and attempt to access drone, they are not sent a 301 and often complain that they either do not have access or that drone is broken (when in reality they are just accessing drone via the incorrect protocol/port). This commit changes the default behavior when running drone with a server-cert by only sending redirects on port 80 rather than allowing both secure and insecure access.
---
 cmd/drone-server/server.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cmd/drone-server/server.go b/cmd/drone-server/server.go
index d2eb60489..c53488b8e 100644
--- a/cmd/drone-server/server.go
+++ b/cmd/drone-server/server.go
@@ -536,7 +536,7 @@ func server(c *cli.Context) error {
 // start the server with tls enabled
 if c.String("server-cert") != "" {
 g.Go(func() error {
- return http.ListenAndServe(":http", handler)
+ return http.ListenAndServe(":http", http.HandlerFunc(redirect))
 })
 g.Go(func() error {
 serve := &http.Server{
@@ -675,6 +675,15 @@ func (a *authorizer) authorize(ctx context.Context) error {
 return errors.New("missing agent token")
 }
 
+func redirect(w http.ResponseWriter, req *http.Request) {
+ var serverHost string = droneserver.Config.Server.Host
+ serverHost = strings.TrimPrefix(serverHost, "http://")
+ serverHost = strings.TrimPrefix(serverHost, "https://")
+ req.URL.Scheme = "https"
+ req.URL.Host = serverHost
+ http.Redirect(w, req, req.URL.String(), http.StatusMovedPermanently)
+}
+
 func cacheDir() string {
 const base = "golang-autocert"
 if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" {
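Review bot: The port-80 listener on the changed line still goes through `http.ListenAndServe`, which builds a server with no read or write timeouts, so the plaintext port stays open to slow-client connection exhaustion even though it now only issues redirects. An explicit server would bound that, for example `srv := &http.Server{Addr: ":http", Handler: http.HandlerFunc(redirect), ReadHeaderTimeout: 10 * time.Second}` followed by `return srv.ListenAndServe()` (the duration is a sample value). A redirect also does not protect the first request: a client that sends a token or cookie to the http:// URL has already sent it in clear, so Secure cookies and an HSTS header on the TLS handler, which is not visible in this hunk, are the complementary controls. The body of server() continues outside the hunk.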
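Review bot: `redirect` trusts `droneserver.Config.Server.Host` to be a bare host once the two prefixes are stripped, so an empty value or one with a trailing slash would produce a Location header with a missing or malformed host. I would trim a trailing slash, answer with a 500 when the host is empty, and build the target on a copy of `req.URL` instead of mutating the incoming request, as sketched below. Taking the host from configuration rather than from the request's Host header is worth keeping, because it leaves the redirect target outside the client's control; the function should carry a doc comment that says so. On style, `var serverHost string = ...` is the long form of `serverHost := ...`.

```go
func redirect(w http.ResponseWriter, req *http.Request) {
	serverHost := droneserver.Config.Server.Host
	// … unchanged: the two strings.TrimPrefix calls …
	serverHost = strings.TrimSuffix(serverHost, "/")
	if serverHost == "" {
		// Without a configured host the Location header would have no authority.
		http.Error(w, "https host is not configured", http.StatusInternalServerError)
		return
	}

	// Work on a copy so the incoming request is left untouched.
	target := *req.URL
	target.Scheme = "https"
	target.Host = serverHost
	http.Redirect(w, req, target.String(), http.StatusMovedPermanently)
}
```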