diff options
| author | metamuffin <metamuffin@disroot.org> | 2025-09-14 00:37:11 +0200 |
|---|---|---|
| committer | metamuffin <metamuffin@disroot.org> | 2025-09-14 00:37:11 +0200 |
| commit | 06e736c7947e3ae43779d8035542896a78227fa0 (patch) | |
| tree | 8778e2704cbd97773cdd4bbff63a1aa3b7f13912 | |
| parent | 792239a8af9ff0101d259375ec402cc3ee687594 (diff) | |
| download | gnix-06e736c7947e3ae43779d8035542896a78227fa0.tar gnix-06e736c7947e3ae43779d8035542896a78227fa0.tar.bz2 gnix-06e736c7947e3ae43779d8035542896a78227fa0.tar.zst | |
| -rw-r--r-- | readme.md | 7 | ||||
| -rw-r--r-- | src/modules/upgrade_insecure.rs | 25 |
2 files changed, 25 insertions, 7 deletions
@@ -301,6 +301,13 @@ themselves; in that case the request is passed on. - Replies with information about the request to debug. Includes source address, HTTP version, method, URI and headers. +- **module `upgrade_insecure`** + - Redirects requests from HTTP to HTTPS when `Upgrade-Insecure-Requests` is + present in the request. The redirect URI's authority will be the `Host` + header of the request. **Do not use behind another proxy** because requests + will always be HTTP and result in an endless redirect loop. + - Takes a single module (as a single-element array because of a parser limitation) + #### Credentials config format Login credentials for `cookie_auth` and `http_basic_auth` are supplied as either diff --git a/src/modules/upgrade_insecure.rs b/src/modules/upgrade_insecure.rs index e284df0..37fc04e 100644 --- a/src/modules/upgrade_insecure.rs +++ b/src/modules/upgrade_insecure.rs @@ -7,10 +7,13 @@ use super::{Node, NodeContext, NodeKind, NodeRequest, NodeResponse}; use crate::{config::DynNode, error::ServiceError}; use anyhow::Result; use futures::Future; -use http::{uri::Scheme, HeaderValue, Response, StatusCode, Uri}; +use http::{ + uri::{Authority, Scheme}, + HeaderValue, Response, StatusCode, Uri, +}; use http_body_util::BodyExt; use serde::Deserialize; -use std::{pin::Pin, sync::Arc}; +use std::{pin::Pin, str::FromStr, sync::Arc}; pub struct UpgradeInsecureKind; @@ -33,12 +36,20 @@ impl Node for UpgradeInsecure { request: NodeRequest, ) -> Pin<Box<dyn Future<Output = Result<NodeResponse, ServiceError>> + Send + Sync + 'a>> { Box::pin(async move { - if request.headers().contains_key("upgrade-insecure-requests") - && request.uri().scheme() == Some(&Scheme::HTTP) - { + if request.headers().contains_key("upgrade-insecure-requests") && !context.secure { let mut parts = http::uri::Parts::default(); - parts.scheme = request.uri().scheme().cloned(); - parts.authority = request.uri().authority().cloned(); + parts.scheme = Some(Scheme::HTTPS); + parts.authority = Some( + Authority::from_str( + request + .headers() + .get("host") + .ok_or(ServiceError::NoHost)? + .to_str() + .map_err(|_| ServiceError::InvalidUri)?, + ) + .map_err(|_| ServiceError::InvalidUri)?, + ); parts.path_and_query = request.uri().path_and_query().cloned(); let uri = Uri::from_parts(parts).map_err(|_| ServiceError::InvalidUri)?; |