Provide HTTP support and insert HSTS header #90
Comments
I think it's also a good idea to insert HSTS for HTTPS responses, in addition to HTTP responses. |
@yegle I agree, this is something pomerium should do. However, you should be seeing it already. For example, I see:
$ http https://httpbin.corp.beyondperimeter.com/ok
HTTP/1.1 302 Found
Content-Length: 535
Content-Type: text/html; charset=utf-8
Date: Tue, 23 Apr 2019 22:19:04 GMT
...
Request-Id: a2aab0d1-504c-4014-bbe2-36c32a424a4d
Set-Cookie: _pomerium_proxy=; Path=/; Domain=httpbin.corp.beyondperimeter.com; Expires=Tue, 23 Apr 2019 21:19:04 GMT; HttpOnly; Secure
....
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
<a href="https://authenticate.corp.beyondperimeter.com/sign_in?redirect_uri=https%3A%2F%2Fhttpbin.corp.beyondperimeter.com%2F.pomerium%2Fcallback&response_type=code&shared_secret=.....">Found</a>. |
Do we have a way to disable this feature through configuration? For those who don't need the HTTP redirect, it conflicts with other services listening on port 80. |
@haozhou Yes. And on reflection it occurs to me not having a redirect (and additional service port) should be the default option but I'd like to open that up to more discussion. Do you mind creating a new issue to track this? Thanks! |
@desimone Sure, thanks. |
Never mind. I ended up commenting out the #92 change in main.go as a temporary workaround. |
I think the problem here is that the HTTP port is hardcoded to port 80 and there is no way to customize it. |
It looks like the HSTS header is missing from the server running the authenticate service. |
@yegle I'm seeing it on latest.
HTTP/1.1 200 OK
Content-Length: 25
Content-Security-Policy: default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';
Content-Type: text/plain; charset=utf-8
Date: Tue, 14 May 2019 01:24:37 GMT
Referrer-Policy: Same-origin
Request-Id: ea06c9df-20f6-7c7e-6b51-e8659958d96f
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
User-agent: *
Disallow: / |
I see, I hit a 404 page on my end:
|
Try robots or ping — 404 skips middleware in go.
… On May 13, 2019, at 7:46 PM, Yuchen Ying ***@***.***> wrote:
I see, I hit a 404 page on my end:
$ curl -I https://nuc.apkay.com
HTTP/2 404
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 19
date: Tue, 14 May 2019 02:45:22
|
Without running an additional HTTP server on port 80, I have to remember to use https:// for each of the domains proxied by Pomerium, at least for the first use. It would be great if Pomerium could serve on port 80 and do a simple redirection to HTTPS, and insert the HSTS header in the redirect response.
Alternatively, maybe there is an NGINX container that will automatically redirect HTTP to HTTPS and then add HSTS, but I would rather have Pomerium support this.
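As an added illustration (not pomerium's own code), this is how the port-80 redirect listener requested in this issue and an HSTS middleware that also covers the 404 case mentioned above ("404 skips middleware") can be built with Go's standard library; the function names, the /ok route and the cert.pem/key.pem paths are assumptions. Note that browsers ignore Strict-Transport-Security on responses that did not arrive over TLS (RFC 6797), so the header only takes effect on the https listener, not on the plain-HTTP redirect.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// redirectToHTTPS answers every plain-HTTP request with a permanent redirect to
// the same host and path over https. It deliberately sets no HSTS header: user
// agents ignore Strict-Transport-Security on responses that did not arrive over
// TLS (RFC 6797), so the header only does its job on the https side.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop an explicit ":80" so the redirect lands on the default 443
	}
	http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
}

// withHSTS wraps the whole handler tree so that every response, including the
// 404s the mux produces for unknown paths, carries the HSTS header. The header
// is set before calling next, so it is present even when next writes the
// status itself; wrapping individual routes instead would leave 404s without it.
func withHSTS(next http.Handler, maxAge int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security",
			fmt.Sprintf("max-age=%d; includeSubDomains", maxAge))
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/ok", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	// Port 80 only redirects; the real service listens on 443.
	go func() { log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))) }()
	// cert.pem and key.pem are placeholders for the deployment's own certificate.
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", withHSTS(mux, 31536000)))
}
```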