Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: It is recommended to add an optional https downgrade access prompt #49310

Open
mzky opened this issue Nov 3, 2021 · 8 comments
Open

net/http: It is recommended to add an optional https downgrade access prompt #49310

mzky opened this issue Nov 3, 2021 · 8 comments

Comments

@mzky
Copy link

@mzky mzky commented Nov 3, 2021

What version of Go are you using (go version)?

$ go version
go version go1.17.2 linux/amd64

Does this issue reproduce with the latest release?

yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/root/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/root/go"
GOPRIVATE=""
GOPROXY="https://goproxy.cn"
GOROOT="/var/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/var/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.2"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/root/go/src/net/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1909543103=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Start the HTTPS service written in golang, and the user accesses the HTTP address.

What did you expect to see?

Display localized language information or customize html page or automatically jump to https address.

What did you see instead?

  1. Chrome and Firefox:
    display the following information
    image

  2. Other browsers:
    The IE browser prompts a 400 error, and the instructional content is not displayed.
    Browsers using the Chromium kernel do not display any visible content.
    image
    Users will not be able to understand the current situation.

P.S.
Adding custom options to net/http can solve this problem:
https://github.com/mzky/go/blob/dev.boringcrypto.go1.17/src/net/http/server.go
./make.bash verification is normal

P.P.S.
Use reference:

var tlsBadRequest := `HTTP/1.1 301 Moved Permanently

<!DOCTYPE html>
<html><head><meta charset="UTF-8">
<title>Automatically jump to HTTPS</title
<script type="text/javascript">url = window.location.href.replace("http:", "https:");window.location.replace(url);</script>
</head>
<body></body>
</html>`

http.ListenAndServeTLS2(addr, serverPem, serverKey, tlsBadRequest, Handler)

@mzky mzky changed the title net/http It is recommended to add an optional https downgrade access prompt net/http: It is recommended to add an optional https downgrade access prompt Nov 3, 2021
@thanm thanm added this to the Backlog milestone Nov 3, 2021
@thanm
Copy link
Contributor

@thanm thanm commented Nov 3, 2021

Thanks for raising the issue.

From my read this sounds more like a feature request as opposed to a bug, correct?

@neild

Loading

@neild
Copy link
Contributor

@neild neild commented Nov 3, 2021

The feature request is to respond to an HTTP request on an HTTPS port with a configurable error message.

Testing several major websites (www.google.com, www.amazon.com, www.microsoft.com), none of them respond with an error message to an HTTP request on port 443. Two close the connection without response, one leaves the connection open but does not respond.

I have not checked any other HTTPS server implementations (Apache, nginx, etc.) to see how they handle this condition. It would be interesting to know if any attempt to report an error to the peer in this case.

In the absence of evidence that this is a common feature, I don't think we should add this.

Loading

@mzky
Copy link
Author

@mzky mzky commented Nov 4, 2021

Hi ! This is a feature request, not a bug.

I found some examples of Nginx configuring HTTP redirection to HTTPS:https://linuxize.com/post/redirect-http-to-https-in-nginx/

  1. Old version Parameters:
    ···
    rewrite ^(.*)$ https://$host$1 permanent;
    ···
  2. New version Parameters:
    ···
    return 301 https://$server_name$request_uri;
    ···

I want to replace nginx's auto-jump feature with Golang.
Of course, this is just a suggestion, the changes will not affect the original functions.

Loading

@seankhliao
Copy link
Contributor

@seankhliao seankhliao commented Nov 4, 2021

HTTP redirection is different from the filed issue. It's already possible by listening on both HTTP and HTTPS ports and handling the redirection within the handlers

go http.ListenAndServe(":80", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        // handle redirect here
}))
http.ListenAndServeTLS(":443", "...", "...", nil)

Loading

@mzky
Copy link
Author

@mzky mzky commented Nov 5, 2021

HTTP redirection is different from the filed issue. It's already possible by listening on both HTTP and HTTPS ports and handling the redirection within the handlers

go http.ListenAndServe(":80", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
        // handle redirect here
}))
http.ListenAndServeTLS(":443", "...", "...", nil)

Yes, different port forwarding is also possible, but I need a forwarding on the same port

Loading

@mzky
Copy link
Author

@mzky mzky commented Nov 15, 2021

They all jump to https with the same port:
image
image
image
image

Loading

@mzky
Copy link
Author

@mzky mzky commented Nov 15, 2021

Go language simulates google:

image

image

Loading

@neild
Copy link
Contributor

@neild neild commented Nov 15, 2021

They all jump to https with the same port:

An https:// URL with no port uses a default port of 443, not 80. All these are redirecting from HTTP on port 80 to HTTPS on port 443.

Loading

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants