enforce HTTPS

Redirect HTTP links to HTTPS and set HSTS correctly.

This is specific to the godoc.org setup (with nginx passing an X-Scheme
header back) and does not fix up api.godoc.org.

Fixes #304.
diff --git a/gddo-server/https.go b/gddo-server/https.go
new file mode 100644
index 0000000..c2b20c0
--- /dev/null
+++ b/gddo-server/https.go
@@ -0,0 +1,19 @@
+package main
+
+import "net/http"
+
+type httpsEnforcerHandler struct {
+	h http.Handler
+}
+
+func (h httpsEnforcerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Host == "godoc.org" {
+		w.Header().Add("Strict-Transport-Security", "max-age=631138519; includeSubdomains; preload")
+		if r.Header.Get("X-Scheme") != "https" {
+			r.URL.Scheme = "https"
+			http.Redirect(w, r, r.URL.String(), http.StatusFound)
+			return
+		}
+	}
+	h.h.ServeHTTP(w, r)
+}
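Review bot: The Location passed to `http.Redirect(w, r, r.URL.String(), http.StatusFound)` is built after only `r.URL.Scheme` is set, and for ordinary origin-form requests net/http leaves `r.URL.Host` empty, so the redirect would come out as `https:///path` with no host. Fill in the host first, ideally on a copy so the request is not mutated: `u := *r.URL; u.Scheme, u.Host = "https", r.Host` and then redirect to `u.String()`. Because `r.Host` has already been compared with "godoc.org", this cannot redirect off-site. Separately, the header carries `includeSubdomains; preload` while the commit message says api.godoc.org is not yet fixed up, so browsers that have stored this policy will require HTTPS for api.godoc.org too. Confirm that host serves HTTPS, or hold those two directives back until it does.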
diff --git a/gddo-server/main.go b/gddo-server/main.go
index 486addd..31f9abb 100644
--- a/gddo-server/main.go
+++ b/gddo-server/main.go
@@ -898,7 +898,11 @@
 
 	cacheBusters.Handler = mux
 
-	if err := http.ListenAndServe(*httpAddr, hostMux{{"api.", apiMux}, {"", mux}}); err != nil {
+	allMux := httpsEnforcerHandler{
+		hostMux{{"api.", apiMux}, {"", mux}},
+	}
+
+	if err := http.ListenAndServe(*httpAddr, allMux); err != nil {
 		log.Fatal(err)
 	}
 }
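Review bot: Wrapping every route in `httpsEnforcerHandler` makes the redirect decision depend entirely on the `X-Scheme` request header, and nothing at this call site records that assumption. If `*httpAddr` is ever reachable without going through nginx, or nginx passes a client-supplied `X-Scheme` through instead of overwriting it, a client can send `X-Scheme: https` over plain HTTP and skip the redirect. I would add a comment above `allMux` such as `// httpsEnforcerHandler trusts X-Scheme; nginx must always overwrite it and *httpAddr must not be exposed directly.` The enclosing function starts outside this hunk, so how the listener is bound is not visible here.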