Data Management: DM-5938

Redirect non HTTPS requests on LSST the Docs to TLS

        Activity

        Jonathan Sick (jsick) added a comment - edited

        Note that last stable Fastly config is #14.

        In Version #15 I followed https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site and made a Force SSL request setting. The problem with this is that it did the 301 redirect to the ‘modified’ S3 origin server, rather than to the original domain, but with https turned on.

        Thus I get errors like this:

        <Error>
          <Code>NoSuchBucket</Code>
          <Message>The specified bucket does not exist</Message>
          <BucketName>ltd-keeper.lsst.io</BucketName>
          <RequestId>84EB8067055D80D4</RequestId>
          <HostId>dWoySYFFcxz5iJgyKCivhnp2WZ+P572tIl5J1Y60IXj62a5IHoBYZRYLS66qiFTO29B4oNKo5iQ=</HostId>
        </Error>

        Jonathan Sick (jsick) added a comment -


        sub vcl_error {
        #--FASTLY ERROR BEGIN
          if (obj.status == 801) {
            set obj.status = 301;
            set obj.response = "Moved Permanently";
            set obj.http.Location = "https://" req.http.host req.url;
            synthetic {""};
            return (deliver);
          }
        }

        I need to find a way to change "https://" req.http.host req.url; to "https://" req.http.Fastly-Orig-Host req.url;

        Jonathan Sick (jsick) added a comment -

        Emailed Fastly:

        Hi Fastly,

        My service is *********** (*************). This is a question about version #14 -> #15 of my configuration.

        In Version #14 I've got it set up correctly to serve from my S3 bucket via S3's HTTPS REST API (following https://docs.fastly.com/guides/integrations/amazon-s3).

        The important part of this setup is that inside the #--FASTLY RECV BEGIN section I've got the lines:

        set req.http.Fastly-Orig-Host = req.http.host;
        set req.http.host = "*************.s3.amazonaws.com";

        I use req.http.Fastly-Orig-Host to do some regex-based path redirects within the bucket that you can see further down in the vcl_recv section. (e.g., redirect https://ltd-keeper.lsst.io/v/main/index.html to /ltd-keeper/v/main/index.html inside my S3 bucket.)

        Today I tried to force TLS connections to my sites following https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site#
        I tried this in version #15 of my service config.

        The problem with the VCL in #15 is that I lose the req.http.Fastly-Orig-Host header setting.

        The net result is that, with my config version #15, when a person visits "http://ltd-keeper.lsst.io" they are redirected to "https://ltd-keeper.lsst.io", but then all of my URL re-write rules break because req.http.Fastly-Orig-Host does not exist.

        What do you think is the correct way to implement forced TLS? Is turning on custom VCL the right thing to do at this point?

        Thanks!
        Jonathan

        Jonathan Sick (jsick) added a comment -

        Thanks to input from Fastly support, I got this solved:

        1. Needed to wrap the Force SSL in a condition so that I could set its location. This brought back the Fastly-Orig-Header.
        2. Before Force SSL I added a condition to test if SSL was not enabled and then revert the host header back in preparation for the 301 redirect (otherwise it would issue a redirect with HTTPS into S3).

        # Request Condition: Not TLS Prio: 4
        if( !req.http.Fastly-SSL ) {
          # Header rewrite Reset original host for HTTPS redirect : 4
          set req.http.host = req.http.Fastly-Orig-Host;
        }
        #end condition
        # Request Condition: Always true Prio: 5
        if( req.url ) {
          if (!req.http.Fastly-SSL) {
            error 801 "Force SSL";
          }
          if (!req.http.Fastly-FF) {
            if (req.http.X-Forwarded-For) {
              set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For ", " client.ip;
            } else {
              set req.http.Fastly-Temp-XFF = client.ip;
            }
          } else {
            set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For;
          }
          set req.grace = 60s;
        }

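The request flow described in this ticket, as an added Python model (not the ticket's VCL or Fastly's code): the broken v15 ordering swaps the Host header to the S3 origin before the Force SSL error fires, so the 301 Location points into S3; the v17 ordering restores Fastly-Orig-Host for non-TLS requests first. The bucket name and the path-rewrite rule are constructed assumptions, since the real ones are redacted or only described.

```python
"""Model of the two vcl_recv orderings from DM-5938 (added example)."""
from dataclasses import dataclass, field

S3_HOST = "example-bucket.s3.amazonaws.com"  # constructed; real bucket is redacted


@dataclass
class Request:
    host: str
    url: str
    tls: bool
    headers: dict = field(default_factory=dict)


def vcl_error(req: Request, status: int) -> dict:
    # Fastly's Force SSL macro: 801 -> 301 with Location "https://" req.http.host req.url
    if status == 801:
        return {"status": 301, "location": f"https://{req.host}{req.url}"}
    return {"status": status}


def vcl_recv(req: Request, fixed: bool) -> dict:
    # Fastly sets Fastly-SSL on TLS connections; the ticket's VCL tests that header.
    if req.tls:
        req.headers["Fastly-SSL"] = "1"
    # From the amazon-s3 guide: remember the public host, then point Host at S3.
    req.headers["Fastly-Orig-Host"] = req.host
    req.host = S3_HOST
    if fixed and "Fastly-SSL" not in req.headers:
        # v17 "Not TLS" condition: restore the public host before Force SSL runs.
        req.host = req.headers["Fastly-Orig-Host"]
    if "Fastly-SSL" not in req.headers:
        return vcl_error(req, 801)  # v15 reaches this with Host already set to S3
    # Assumed path rewrite: first label of the original host becomes the bucket prefix
    # (ltd-keeper.lsst.io/v/main/index.html -> /ltd-keeper/v/main/index.html).
    prefix = req.headers["Fastly-Orig-Host"].split(".")[0]
    return {"status": 200, "backend_host": req.host, "backend_url": f"/{prefix}{req.url}"}


def redirect_for(host: str, url: str, fixed: bool) -> str:
    """Location header a plain-HTTP request receives under each ordering."""
    return vcl_recv(Request(host, url, tls=False), fixed)["location"]
```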
        Jonathan Sick (jsick) added a comment -

        Shipped as v #17 of the Fastly config.


          People

          Assignee: Jonathan Sick (jsick)
          Reporter: Jonathan Sick (jsick)
          Watchers: Jonathan Sick
