Block/redirect non-HTTPS connection to Heroku instance

RESOLVED FIXED

(Reporter: emorley, Assigned: emorley)


Description

Since at the moment this succeeds, and also isn't redirected:
http://treeherder-heroku.herokuapp.com/

Comment 1

Ordinarily we'd just use the variety of new Django v1.8 options to make the redirect and set the HSTS header:
https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SECURE_SSL_REDIRECT
https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SECURE_PROXY_SSL_HEADER
https://docs.djangoproject.com/en/1.8/ref/settings/#secure-hsts-seconds
https://docs.djangoproject.com/en/1.8/ref/middleware/#django.middleware.security.SecurityMiddleware

However since the UI is served via WhiteNoise, the requests would never make it that far. As such, I've opened an issue against WhiteNoise asking if they would be open to adding support in WhiteNoise:
https://github.com/evansd/whitenoise/issues/53

Failing that we can always handle this specifically in our custom WhiteNoise class. (We're slightly abusing WhiteNoise by using it to serve the homepage, since it's mainly intended for static assets not in the site root, and definitely not on '<domain>/'.)

It's worth noting we'll need to observe the X-Forwarded-Proto header to determine whether a request was made via HTTP to the Heroku router, since both HTTP and HTTPS requests end up being proxied to the same port on the web dyno. Example implementation:
https://github.com/kennethreitz/flask-sslify/blob/master/flask_sslify.py
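As an added illustration of the approach described in this comment (not treeherder's, flask-sslify's or wsgi-sslify's own code): a minimal WSGI middleware that consults X-Forwarded-Proto, redirects plain-HTTP requests to HTTPS, adds an HSTS header only to HTTPS responses, and is wired in only when the IS_HEROKU setting is true. The `hello_app`, `call` and `wrap_for_heroku` helpers and the sample environ are assumptions made for the demonstration.

```python
from urllib.parse import quote

class ForceHTTPS:
    """WSGI middleware: 301 plain-HTTP requests to HTTPS; add HSTS on HTTPS responses."""

    def __init__(self, app, hsts_seconds=31536000):
        self.app = app
        self.hsts_value = "max-age=%d; includeSubDomains" % hsts_seconds

    def __call__(self, environ, start_response):
        # Behind the Heroku router both HTTP and HTTPS arrive at the dyno as
        # plain HTTP on one port; only X-Forwarded-Proto says which was used.
        # Trust the header only when a proxy you control sets or overwrites it.
        proto = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
        if proto.split(",")[0].strip().lower() != "https":
            # Host comes from the proxy; Django's ALLOWED_HOSTS should still validate it.
            location = "https://%s%s" % (environ.get("HTTP_HOST", ""),
                                         quote(environ.get("PATH_INFO") or "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Browsers ignore HSTS on HTTP responses, so only set it on HTTPS.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)

def wrap_for_heroku(app, is_heroku):
    """Only wrap when IS_HEROKU is set (assumed passed in by the caller):
    stage/prod are handled by Apache and local development uses plain HTTP."""
    return ForceHTTPS(app) if is_heroku else app

def hello_app(environ, start_response):
    # Stand-in for the real application (assumed for the demonstration).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call(app, environ):
    """Invoke a WSGI app on a constructed environ; return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```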

Comment 2

Ah he's suggested wsgi-sslify (which wasn't returned in my searches), which looks to be just what we need:
https://github.com/jacobian/wsgi-sslify
Assignee: nobody → emorley
Created attachment 8701586 [details] [review]
[treeherder] mozilla:heroku-force-https > mozilla:master
Attachment #8701586 - Flags: review?(cdawson)

Attachment #8701586 - Flags: review?(cdawson) → review+

Comment 4

Commit pushed to master at https://github.com/mozilla/treeherder

https://github.com/mozilla/treeherder/commit/a221cf1b45a42bbed9757fb62dfed03d0fb24459
Bug 1203597 - Heroku: Redirect HTTP to HTTPS and set an HSTS header

Since Heroku doesn't use nginx/Apache we must perform this via wsgi
middleware. We cannot use Django's HTTPS/HSTS features since they won't
help with requests that were served by WhiteNoise directly (eg the site
homepage).

Instead we use wsgi-sslify, as recommended by:
https://github.com/evansd/whitenoise/issues/53#issuecomment-166972824

We only enable it when IS_HEROKU is set, since stage/prod is handled by
Apache, and for local development we have to use HTTP.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED