Merge pull request #3075 from carmstrong/pr-2976

carmstrong · carmstrong · commit 5ff8193f9d96 · 2015-02-16T09:09:38.000-08:00
feat(router): add optional HTTPs redirect
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -45,6 +45,7 @@ setting                                      description
 /deis/router/controller/timeout/connect      proxy_connect_timeout for deis-controller (default: 10m)
 /deis/router/controller/timeout/read         proxy_read_timeout for deis-controller (default: 20m)
 /deis/router/controller/timeout/send         proxy_send_timeout for deis-controller (default: 20m)
+/deis/router/enforceHTTPS                    redirect all HTTP traffic to HTTPS (default: false)
 /deis/router/firewall/enabled                nginx naxsi firewall enabled (default: false)
 /deis/router/firewall/errorCode              nginx default firewall error code (default: 400)
 /deis/router/gzip                            nginx gzip setting (default: on)
diff --git a/docs/managing_deis/ssl-endpoints.rst b/docs/managing_deis/ssl-endpoints.rst
@@ -87,5 +87,18 @@ certificate chain, append the intermediate certs to the bottom of the sslCert va
     To secure all endpoints on the platform domain, you must use a wildcard certificate.
 
 
+Redirecting traffic to HTTPS
+----------------------------
+
+Once your cluster is serving traffic over HTTPS, you can optionally instruct the router component
+to forward all traffic on HTTP to HTTPS (application traffic and requests to the controller component).
+
+This is achieved with ``deisctl``:
+
+.. code-block:: console
+
+    $ deisctl config router set enforceHTTPS=true
+
+
 .. _`installing an SSL cert for load balancing`: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
 .. _`Product FAQ`: http://www.rackspace.com/knowledge_center/product-faq/cloud-load-balancers
diff --git a/router/image/templates/nginx.conf b/router/image/templates/nginx.conf
@@ -55,6 +55,8 @@ http {
         ''      close;
     }
 
+    {{ $enforceHTTPS := or .deis_router_enforceHTTPS "false" }}
+
     ## start deis-controller
     {{ if .deis_controller_host }}
     upstream deis-controller {
@@ -88,6 +90,12 @@ http {
         {{ if eq $useFirewall "true" }}location /RequestDenied {
             return {{ $firewallErrorCode }};
         }{{ end }}
+
+        {{ if eq $enforceHTTPS "true" }}
+        if ($http_x_forwarded_proto != "https") {
+          rewrite ^(.*)$ https://$host$1 permanent;
+        }
+        {{ end }}
     }
     ## end deis-controller
 
@@ -157,6 +165,12 @@ http {
 
             proxy_next_upstream         error timeout http_502 http_503 http_504;
 
+            {{ if eq $enforceHTTPS "true" }}
+            if ($http_x_forwarded_proto != "https") {
+              rewrite ^(.*)$ https://$host$1 permanent;
+            }
+            {{ end }}
+
             add_header                  X-Deis-Upstream   $upstream_addr;
 
             proxy_pass                  http://{{ Base $service.Key }};
