Gorouter should be able to redirect HTTP to HTTPS traffic

## Is this a security vulnerability?
no.

## Issue
While HTTP is dying off, many browsers still don't use HTTPS out-of-the-box. Unless your browser has [HSTS set](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) for the domain, most browsers will initially go for HTTP when the user just enters the domain's name without a `https://` prefix.

Gorouter now supports both [http](https://github.com/cloudfoundry/gorouter/blob/main/router/router.go#L215) and [https](https://github.com/cloudfoundry/gorouter/blob/main/router/router.go#L220) traffic, there is no means to tell a user arriving at port 80 to go get upgraded to TLS at port 443.
The current option if you don't want port 80 to be used for traffic, is to close it completely. Which is inconvenient as users will first see "connection refused" errors and then have to manually type the "https://" prefix in their address bar.

It would be much nicer to have an option `enable_redirect_to_ssl` which works in two ways:
1. If a request arrived at port 80 it gets redirected to port 443
2. If a request arrived at port 443 but `x-forwarded-proto` is set to `http`, this means gorouter is behind a proxy who forwarded http traffic to gorouter's https port, so the connection is not fully secure. The user will also see a redirect to https.

## Affected Versions
All

## Context

In our deployments we use [HAProxy BOSH-release](https://github.com/cloudfoundry/haproxy-boshrelease) as a front-end proxy before Gorouter. HAProxy also [supports redirects](https://github.com/cloudfoundry/haproxy-boshrelease/blob/master/jobs/haproxy/spec#L213) but it's hard to know there which domains should be redirected. The reason why redirects should not be "blind" is [potential security threats](https://portswigger.net/web-security/host-header) of cache poisoning and others if such systems are used. 

Gorouter on the other hand, knows all routes because it receives them from NATS, so it would be the better candidate to serve "verified" redirects as it knows if a given host header exists on the platform or not.

## Steps to Reproduce

1. `curl -H 'host: cat-videos.cf-app.com' http://cf-app.com`

## Expected result

```
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://cat-videos.cf-app.com/
```

## Current result

Either
```
Connection refused
```
or
```
<cat videos served from port 80>
```

## Possible Fix

- Introduce a new spec property `enable_redirect_to_ssl: <bool>` (default false)

The first property will be read by a new middleware in gorouter that comes after `lookup.go` and will return a 301 to the client with the domain presented in the host header. The middleware will send the redirect if either
- the request came in via http, or
- the request contains a `x-forwarded-proto: http` header



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Gorouter should be able to redirect HTTP to HTTPS traffic #386

Is this a security vulnerability?

Issue

Affected Versions

Context

Steps to Reproduce

Expected result

Current result

Possible Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Gorouter should be able to redirect HTTP to HTTPS traffic #386

Description

Is this a security vulnerability?

Issue

Affected Versions

Context

Steps to Reproduce

Expected result

Current result

Possible Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions