Provide HTTP support and insert HSTS header

[yegle]

Without running additional HTTP server at port 80, I have to remember to use https:// for each of the domain proxied by Pomerium, at least for the first use.

It would be great if Pomerium can serve on port 80 and do a simple redirection to HTTPS, and insert HSTS header in the redirect response.

Alternatively maybe there's such an NGINX container exist that will automatically redirect HTTP to HTTPS then add HSTS, but I would rather for Pomerium to support this.

[yegle]

I think it's also a good idea to insert HSTS for HTTPS responses, in addition to HTTP responses.

[desimone]

@yegle I agree, this is something pomerium should do.

However, you should be seeing hsts set for https responses today today.

For example, I see Strict-Transport-Security when I curl / access any https requests.

$ http https://httpbin.corp.beyondperimeter.com/ok


HTTP/1.1 302 Found
Content-Length: 535
Content-Type: text/html; charset=utf-8
Date: Tue, 23 Apr 2019 22:19:04 GMT

...
Request-Id: a2aab0d1-504c-4014-bbe2-36c32a424a4d
Set-Cookie: _pomerium_proxy=; Path=/; Domain=httpbin.corp.beyondperimeter.com; Expires=Tue, 23 Apr 2019 21:19:04 GMT; HttpOnly; Secure

....
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

<a href="https://authenticate.corp.beyondperimeter.com/sign_in?redirect_uri=https%3A%2F%2Fhttpbin.corp.beyondperimeter.com%2F.pomerium%2Fcallback&amp;response_type=code&amp;shared_secret=.....">Found</a>.

[haozhou]

Do we have a way to disable this feature through configuration? For those who doesn’t need http redirect, it conflicts with other services listening on port 80.

[desimone]

@haozhou Yes. And on reflection it occurs to me not having a redirect (and additional service port) should be the default option but I'd like to open that up to more discussion.

Do you mind creating a new issue to track this? Thanks!

[haozhou]

@desimone Sure, thanks.
In the meanwhile, can you offer a workaround like commenting some codes to disable this feature or at least bypassing the listening on port 80?

[haozhou]

Never mind. I end up commenting #92 change in main.go as a temporary workaround.

[yegle]

I think the problem here is that the HTTP port is hardcoded to be port 80 and no way to customize it.

[yegle]

It looks like the HSTS header is missing from the server running the authenticate service.

[desimone]

@yegle I'm seeing it on latest.

http https://authenticate.corp.beyondperimeter.com/robots.txt

HTTP/1.1 200 OK
Content-Length: 25
Content-Security-Policy: default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';
Content-Type: text/plain; charset=utf-8
Date: Tue, 14 May 2019 01:24:37 GMT
Referrer-Policy: Same-origin
Request-Id: ea06c9df-20f6-7c7e-6b51-e8659958d96f
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

User-agent: *
Disallow: /

[yegle]

I see, I hit a 404 page on my end:

$ curl -I https://nuc.apkay.com
HTTP/2 404
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 19
date: Tue, 14 May 2019 02:45:22

[desimone]

Try robots or ping — 404 skips middleware in go.

…

On May 13, 2019, at 7:46 PM, Yuchen Ying ***@***.***> wrote: I see, I hit a 404 page on my end: $ curl -I https://nuc.apkay.com HTTP/2 404 content-type: text/plain; charset=utf-8 x-content-type-options: nosniff content-length: 19 date: Tue, 14 May 2019 02:45:22 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[desimone]

@yegle I've created an issue. #116