add support to redirect HTTP to HTTPS

Fixes #777

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

config/config.go

@@ -98,6 +98,8 @@ var (
 			AllowedHosts:            nil,
 			AllowedHostsAreRegex:    false,
 			HostsProxyHeaders:       nil,
+			HTTPSRedirect:           false,
+			HTTPSHost:               "",
 			HTTPSProxyHeaders:       nil,
 			STSSeconds:              0,
 			STSIncludeSubdomains:    false,
@@ -1142,7 +1144,7 @@ func getHTTPDSecurityProxyHeadersFromEnv(idx int) []httpd.HTTPSProxyHeader {
 	return httpsProxyHeaders
 }
 
-func getHTTPDSecurityConfFromEnv(idx int) (httpd.SecurityConf, bool) {
+func getHTTPDSecurityConfFromEnv(idx int) (httpd.SecurityConf, bool) { //nolint:gocyclo
 	var result httpd.SecurityConf
 	isSet := false
 
@@ -1170,6 +1172,18 @@ func getHTTPDSecurityConfFromEnv(idx int) (httpd.SecurityConf, bool) {
 		isSet = true
 	}
 
+	httpsRedirect, ok := lookupBoolFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_REDIRECT", idx))
+	if ok {
+		result.HTTPSRedirect = httpsRedirect
+		isSet = true
+	}
+
+	httpsHost, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__SECURITY__HTTPS_HOST", idx))
+	if ok {
+		result.HTTPSHost = httpsHost
+		isSet = true
+	}
+
 	httpsProxyHeaders := getHTTPDSecurityProxyHeadersFromEnv(idx)
 	if len(httpsProxyHeaders) > 0 {
 		result.HTTPSProxyHeaders = httpsProxyHeaders

config/config_test.go

@@ -854,6 +854,8 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS", "*.example.com,*.example.net")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HOSTS_PROXY_HEADERS", "X-Forwarded-Host")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_REDIRECT", "1")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_HOST", "www.example.com")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__KEY", "X-Forwarded-Proto")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__VALUE", "https")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_SECONDS", "31536000")
@@ -900,6 +902,8 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HOSTS_PROXY_HEADERS")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_REDIRECT")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_HOST")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__KEY")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__HTTPS_PROXY_HEADERS__1__VALUE")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__STS_SECONDS")
@@ -975,6 +979,8 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.True(t, bindings[2].Security.AllowedHostsAreRegex)
 	require.Len(t, bindings[2].Security.HostsProxyHeaders, 1)
 	require.Equal(t, "X-Forwarded-Host", bindings[2].Security.HostsProxyHeaders[0])
+	require.True(t, bindings[2].Security.HTTPSRedirect)
+	require.Equal(t, "www.example.com", bindings[2].Security.HTTPSHost)
 	require.Len(t, bindings[2].Security.HTTPSProxyHeaders, 1)
 	require.Equal(t, "X-Forwarded-Proto", bindings[2].Security.HTTPSProxyHeaders[0].Key)
 	require.Equal(t, "https", bindings[2].Security.HTTPSProxyHeaders[0].Value)

docs/full-configuration.md

@@ -256,6 +256,8 @@ The configuration file contains the following sections:
       - `allowed_hosts`, list of strings. Fully qualified domain names that are allowed. An empty list allows any and all host names. Default: empty.
       - `allowed_hosts_are_regex`, boolean. Determines if the provided allowed hosts contains valid regular expressions. Default: `false`.
       - `hosts_proxy_headers`, list of string. Defines a set of header keys that may hold a proxied hostname value for the request, for example `X-Forwarded-Host`. Default: empty.
+      - `https_redirect`, boolean. Set to `true` to redirect HTTP requests to HTTPS. Default: `false`.
+      - `https_host`, string. Defines the host name that is used to redirect HTTP requests to HTTPS. Default is blank, which indicates to use the same host. For example, if `https_redirect` is enabled and `https_host` is blank, a request for `http://127.0.0.1/web/client/login` will be redirected to `https://127.0.0.1/web/client/login`, if `https_host` is set to `www.example.com` the same request will be redirected to `https://www.example.com/web/client/login`.
       - `https_proxy_headers`, list of struct, each struct contains the fields `key` and `value`. Defines a a list of header keys with associated values that would indicate a valid https request. For example `key` could be `X-Forwarded-Proto` and `value` `https`. Default: empty.
       - `sts_seconds`, integer. Defines the max-age of the `Strict-Transport-Security` header. This header will be included for `https` responses or for HTTP request if the request includes a defined HTTPS proxy header. Default: `0`, which would NOT include the header.
       - `sts_include_subdomains`, boolean. Set to `true`, the `includeSubdomains` will be appended to the `Strict-Transport-Security` header. Default: `false`.

httpd/httpd.go

@@ -255,6 +255,11 @@ type SecurityConf struct {
 	AllowedHostsAreRegex bool `json:"allowed_hosts_are_regex" mapstructure:"allowed_hosts_are_regex"`
 	// HostsProxyHeaders is a set of header keys that may hold a proxied hostname value for the request.
 	HostsProxyHeaders []string `json:"hosts_proxy_headers" mapstructure:"hosts_proxy_headers"`
+	// Set to true to redirect HTTP requests to HTTPS
+	HTTPSRedirect bool `json:"https_redirect" mapstructure:"https_redirect"`
+	// HTTPSHost defines the host name that is used to redirect HTTP requests to HTTPS.
+	// Default is "", which indicates to use the same host.
+	HTTPSHost string `json:"https_host" mapstructure:"https_host"`
 	// HTTPSProxyHeaders is a list of header keys with associated values that would indicate a valid https request.
 	HTTPSProxyHeaders []HTTPSProxyHeader `json:"https_proxy_headers" mapstructure:"https_proxy_headers"`
 	// STSSeconds is the max-age of the Strict-Transport-Security header.

httpd/server.go

@@ -1092,6 +1092,9 @@ func (s *httpdServer) initializeRouter() {
 			AllowedHosts:            s.binding.Security.AllowedHosts,
 			AllowedHostsAreRegex:    s.binding.Security.AllowedHostsAreRegex,
 			HostsProxyHeaders:       s.binding.Security.HostsProxyHeaders,
+			SSLRedirect:             s.binding.Security.HTTPSRedirect,
+			SSLHost:                 s.binding.Security.HTTPSHost,
+			SSLTemporaryRedirect:    true,
 			SSLProxyHeaders:         s.binding.Security.getHTTPSProxyHeaders(),
 			STSSeconds:              s.binding.Security.STSSeconds,
 			STSIncludeSubdomains:    s.binding.Security.STSIncludeSubdomains,

sftpgo.json

@@ -241,6 +241,8 @@
           "allowed_hosts": [],
           "allowed_hosts_are_regex": false,
           "hosts_proxy_headers": [],
+          "https_redirect": false,
+          "https_host": "",
           "https_proxy_headers": [],
           "sts_seconds": 0,
           "sts_include_subdomains": false,