Pull request 1985: 2998-hsts

Updates #2998. Updates #4941. Squashed commit of the following: commit ef6ed6acb89b10c4bf1b0c7ba34002f9d7f2e68c Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:43:25 2023 +0300 all: imp chlog commit 0957a85d53edcd5eba591e42301191db42a258ad Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Wed Aug 30 18:31:46 2023 +0300 home: add hsts when force_https is true
2025-05-05 07:22:54 +03:00 · 2023-08-30 18:57:36 +03:00 · 2023-08-30 18:57:36 +03:00 · 18d15be4e8
commit 18d15be4e8
parent a2ca8b5b4a
3 changed files with 45 additions and 24 deletions
--- a/internal/home/control.go
+++ b/internal/home/control.go
@ -321,9 +321,10 @@ func preInstallHandler(handler http.Handler) http.Handler {
 	return &preInstallHandlerStruct{handler}
 }

-// handleHTTPSRedirect redirects the request to HTTPS, if needed.  If ok is
-// true, the middleware must continue handling the request.
-func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
+// handleHTTPSRedirect redirects the request to HTTPS, if needed, and adds some
+// HTTPS-related headers.  If proceed is true, the middleware must continue
+// handling the request.
+func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (proceed bool) {
 	web := Context.web
 	if web.httpsServer.server == nil {
 		return true
@ -362,21 +363,17 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 		respHdr.Set(httphdr.AltSvc, altSvc)
 	}

-	if r.TLS == nil && forceHTTPS {
-		hostPort := host
-		if portHTTPS != defaultPortHTTPS {
-			hostPort = netutil.JoinHostPort(host, portHTTPS)
+	if forceHTTPS {
+		if r.TLS == nil {
+			u := httpsURL(r.URL, host, portHTTPS)
+			http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
+
+			return false
 		}

-		httpsURL := &url.URL{
-			Scheme:   aghhttp.SchemeHTTPS,
-			Host:     hostPort,
-			Path:     r.URL.Path,
-			RawQuery: r.URL.RawQuery,
-		}
-		http.Redirect(w, r, httpsURL.String(), http.StatusTemporaryRedirect)
-
-		return false
+		// TODO(a.garipov): Consider adding a configurable max-age.  Currently,
+		// the default is 365 days.
+		respHdr.Set(httphdr.StrictTransportSecurity, aghhttp.HdrValStrictTransportSecurity)
 	}

 	// Allow the frontend from the HTTP origin to send requests to the HTTPS
@ -395,6 +392,22 @@ func handleHTTPSRedirect(w http.ResponseWriter, r *http.Request) (ok bool) {
 	return true
 }

+// httpsURL returns a copy of u for redirection to the HTTPS version, taking the
+// hostname and the HTTPS port into account.
+func httpsURL(u *url.URL, host string, portHTTPS int) (redirectURL *url.URL) {
+	hostPort := host
+	if portHTTPS != defaultPortHTTPS {
+		hostPort = netutil.JoinHostPort(host, portHTTPS)
+	}
+
+	return &url.URL{
+		Scheme:   aghhttp.SchemeHTTPS,
+		Host:     hostPort,
+		Path:     u.Path,
+		RawQuery: u.RawQuery,
+	}
+}
+
 // postInstall lets the handler to run only if firstRun is false.  Otherwise, it
 // redirects to /install.html.  It also enforces HTTPS if it is enabled and
 // configured and sets appropriate access control headers.
@ -408,11 +421,10 @@ func postInstall(handler func(http.ResponseWriter, *http.Request)) func(http.Res
 			return
 		}

-		if !handleHTTPSRedirect(w, r) {
-			return
+		proceed := handleHTTPSRedirect(w, r)
+		if proceed {
+			handler(w, r)
 		}
-
-		handler(w, r)
 	}
 }