Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: configurable error message for Client sent an HTTP request to an HTTPS server. #49310

Open
mzky opened this issue Nov 3, 2021 · 8 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@mzky
Copy link

mzky commented Nov 3, 2021

What version of Go are you using (go version)?

$ go version
go version go1.17.2 linux/amd64

Does this issue reproduce with the latest release?

yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://goproxy.cn"
GOROOT="/var/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/var/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.2"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/root/go/src/net/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1909543103=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Start the HTTPS service written in golang, and the user accesses the HTTP address.

What did you expect to see?

Display localized language information or customize html page or automatically jump to https address.

What did you see instead?

  1. Chrome and Firefox:
    display the following information
    image

  2. Other browsers:
    The IE browser prompts a 400 error, and the instructional content is not displayed.
    Browsers using the Chromium kernel do not display any visible content.
    image
    Users will not be able to understand the current situation.

P.S.
Adding custom options to net/http can solve this problem:
https://github.com/mzky/go/blob/dev.boringcrypto.go1.17/src/net/http/server.go
./make.bash verification is normal

P.P.S.
Use reference:

var tlsBadRequest := `HTTP/1.1 301 Moved Permanently

<!DOCTYPE html>
<html><head><meta charset="UTF-8">
<title>Automatically jump to HTTPS</title
<script type="text/javascript">url = window.location.href.replace("http:", "https:");window.location.replace(url);</script>
</head>
<body></body>
</html>`

http.ListenAndServeTLS2(addr, serverPem, serverKey, tlsBadRequest, Handler)

@mzky mzky changed the title net/http It is recommended to add an optional https downgrade access prompt net/http: It is recommended to add an optional https downgrade access prompt Nov 3, 2021
@thanm thanm added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 3, 2021
@thanm thanm added this to the Backlog milestone Nov 3, 2021
@thanm
Copy link
Contributor

thanm commented Nov 3, 2021

Thanks for raising the issue.

From my read this sounds more like a feature request as opposed to a bug, correct?

@neild

@neild
Copy link
Contributor

neild commented Nov 3, 2021

The feature request is to respond to an HTTP request on an HTTPS port with a configurable error message.

Testing several major websites (www.google.com, www.amazon.com, www.microsoft.com), none of them respond with an error message to an HTTP request on port 443. Two close the connection without response, one leaves the connection open but does not respond.

I have not checked any other HTTPS server implementations (Apache, nginx, etc.) to see how they handle this condition. It would be interesting to know if any attempt to report an error to the peer in this case.

In the absence of evidence that this is a common feature, I don't think we should add this.

@mzky
Copy link
Author

mzky commented Nov 4, 2021

Hi ! This is a feature request, not a bug.

I found some examples of Nginx configuring HTTP redirection to HTTPS:https://linuxize.com/post/redirect-http-to-https-in-nginx/

  1. Old version Parameters:
    ···
    rewrite ^(.*)$ https://$host$1 permanent;
    ···
  2. New version Parameters:
    ···
    return 301 https://$server_name$request_uri;
    ···

I want to replace nginx's auto-jump feature with Golang.
Of course, this is just a suggestion, the changes will not affect the original functions.

@seankhliao
Copy link
Member

seankhliao commented Nov 4, 2021

HTTP redirection is different from the filed issue. It's already possible by listening on both HTTP and HTTPS ports and handling the redirection within the handlers

go http.ListenAndServe(":80", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        // handle redirect here
}))
http.ListenAndServeTLS(":443", "...", "...", nil)

@mzky
Copy link
Author

mzky commented Nov 5, 2021

HTTP redirection is different from the filed issue. It's already possible by listening on both HTTP and HTTPS ports and handling the redirection within the handlers

go http.ListenAndServe(":80", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        // handle redirect here
}))
http.ListenAndServeTLS(":443", "...", "...", nil)

Yes, different port forwarding is also possible, but I need a forwarding on the same port

@mzky
Copy link
Author

mzky commented Nov 15, 2021

They all jump to https with the same port:
image
image
image
image

@mzky
Copy link
Author

mzky commented Nov 15, 2021

Go language simulates google:

image

image

@neild
Copy link
Contributor

neild commented Nov 15, 2021

They all jump to https with the same port:

An https:// URL with no port uses a default port of 443, not 80. All these are redirecting from HTTP on port 80 to HTTPS on port 443.

@seankhliao seankhliao changed the title net/http: It is recommended to add an optional https downgrade access prompt net/http: configurable error message for Client sent an HTTP request to an HTTPS server. Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

4 participants