Since at the moment this succeeds, and also isn't redirected: http://treeherder-heroku.herokuapp.com/
Ordinarily we'd just use the variety of new Django v1.8 options to make the redirect and set the HSTS header:

https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SECURE_SSL_REDIRECT
https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SECURE_PROXY_SSL_HEADER
https://docs.djangoproject.com/en/1.8/ref/settings/#secure-hsts-seconds
https://docs.djangoproject.com/en/1.8/ref/middleware/#django.middleware.security.SecurityMiddleware

However since the UI is served via WhiteNoise, the requests would never make it that far. As such, I've opened an issue against WhiteNoise asking if they would be open to adding support in WhiteNoise: https://github.com/evansd/whitenoise/issues/53

Failing that we can always handle this specifically in our custom WhiteNoise class. (We're slightly abusing WhiteNoise by using it to serve the homepage, since it's mainly intended for static assets not in the site root, and definitely not on '<domain>/'.)

It's worth noting we'll need to observe the X-Forwarded-Proto header to determine whether a request was made via HTTP to the Heroku router, since both HTTP and HTTPS requests end up being proxied to the same port on the web dyno. Example implementation: https://github.com/kennethreitz/flask-sslify/blob/master/flask_sslify.py
Ah he's suggested wsgi-sslify (which wasn't returned in my searches), which looks to be just what we need: https://github.com/jacobian/wsgi-sslify
Assignee: nobody → emorley
Created attachment 8701586 [details] [review] [treeherder] mozilla:heroku-force-https > mozilla:master
Attachment #8701586 - Flags: review?(cdawson) → review+
Commit pushed to master at https://github.com/mozilla/treeherder
https://github.com/mozilla/treeherder/commit/a221cf1b45a42bbed9757fb62dfed03d0fb24459

Bug 1203597 - Heroku: Redirect HTTP to HTTPS and set an HSTS header

Since Heroku doesn't use nginx/Apache we must perform this via wsgi middleware. We cannot use Django's HTTPS/HSTS features since they won't help with requests that were served by WhiteNoise directly (e.g. the site homepage). Instead we use wsgi-sslify, as recommended by: https://github.com/evansd/whitenoise/issues/53#issuecomment-166972824

We only enable it when IS_HEROKU is set, since stage/prod is handled by Apache, and for local development we have to use HTTP.
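The mechanism described in the comments above (observe X-Forwarded-Proto at the WSGI layer, redirect plain HTTP, add HSTS on HTTPS responses), as an added illustration that is not Treeherder's code and not wsgi-sslify itself. It assumes a single trusted proxy in front of the dyno, a hypothetical `ForceHTTPS` wrapper placed outside the WhiteNoise wrapper, and an assumed HSTS policy value.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy; pick your own

def is_secure(environ):
    """True if the client reached the proxy over HTTPS.
    Heroku's router proxies HTTP and HTTPS to the same dyno port, so
    wsgi.url_scheme is 'http' either way; X-Forwarded-Proto is the signal.
    Trust it only when the app is reachable solely through that proxy."""
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if scheme:  # first hop if several proxies are chained
        return scheme == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"

def https_url(environ):
    """Rebuild the requested URL with an https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "")) + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")

class ForceHTTPS:
    """Outermost WSGI wrapper: redirect plain HTTP, add HSTS to HTTPS responses.
    Wrapping the WhiteNoise-wrapped app covers static files and the site root,
    which Django's SecurityMiddleware cannot reach."""
    def __init__(self, app, hsts=HSTS_VALUE):
        self.app, self.hsts = app, hsts

    def __call__(self, environ, start_response):
        if not is_secure(environ):
            target = https_url(environ)
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Type", "text/plain")])
            return [b"Redirecting to " + target.encode("ascii", "replace")]

        def hsts_start_response(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)
        return self.app(environ, hsts_start_response)

def call(app, environ):
    """Invoke a WSGI app directly; returns (status, header dict, body bytes)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

In a real deployment the wrapper would be applied in the WSGI entry point only when IS_HEROKU is set, mirroring the commit's condition, since the constructed environ dicts here stand in for what the Heroku router would send.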
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED