# Redirect non HTTPS requests on LSST the Docs to TLS


#### Details

• Type: Story
• Status: Done
• Resolution: Done
• Fix Version/s: None
• Component/s:
• Labels:
• Story Points: 0.7
• Team: SQuaRE

#### Activity

Jonathan Sick added a comment - edited

Note that last stable Fastly config is #14.

In Version #15 I followed https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site and made a Force SSL request setting. The problem with this is that it did the 301 redirect to the ‘modified’ S3 origin server, rather than to the original domain, but with https turned on.

Thus I get errors like this:

```xml
<Error>
  <Code>NoSuchBucket</Code>
  <Message>The specified bucket does not exist</Message>
  <BucketName>ltd-keeper.lsst.io</BucketName>
  <RequestId>84EB8067055D80D4</RequestId>
  <HostId>dWoySYFFcxz5iJgyKCivhnp2WZ+P572tIl5J1Y60IXj62a5IHoBYZRYLS66qiFTO29B4oNKo5iQ=</HostId>
</Error>
```

Jonathan Sick added a comment -

 

```vcl
sub vcl_error {
#--FASTLY ERROR BEGIN

  if (obj.status == 801) {
    set obj.status = 301;
    set obj.response = "Moved Permanently";
    set obj.http.Location = "https://" req.http.host req.url;
    synthetic {""};
    return (deliver);
  }

}
```

I need to find a way to change `"https://" req.http.host req.url;` to `"https://" req.http.Fastly-Orig-Host req.url;`

Jonathan Sick added a comment -

Emailed Fastly:

Hi Fastly,

My service is *********** (*************). This is a question about version #14 -> #15 of my configuration.

In Version #14 I've got it setup correctly to serve from my S3 bucket via S3's HTTPS REST API (following https://docs.fastly.com/guides/integrations/amazon-s3).

The important part of this setup is that inside the #--FASTLY RECV BEGIN section I've got the lines:

```vcl
set req.http.Fastly-Orig-Host = req.http.host;
set req.http.host = "*************.s3.amazonaws.com";
```

I use req.http.Fastly-Orig-Host to do some regex-based path redirects within the bucket that you can see further down in the vcl_recv section. (e.g., redirect https://ltd-keeper.lsst.io/v/main/index.html to /ltd-keeper/v/main/index.html inside my S3 bucket.)

Today I tried to force TLS connections to my sites following https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site#
I tried this in version #15 of my service config.

The problem with the VCL in #15 is that I lose the req.http.Fastly-Orig-Host header setting.

The net result is that, with my config version #15, when a person visits "http://ltd-keeper.lsst.io" they are redirected to "https://ltd-keeper.lsst.io", but then all of my URL re-write rules break because req.http.Fastly-Orig-Host does not exist.

What do you think is the correct way to implement forced TLS? Is turning on custom VCL the right thing to do at this point?

Thanks!
Jonathan

Jonathan Sick added a comment -

Thanks to input from Fastly support, I got this solved:

1. Needed to wrap the Force SSL in a condition so that I could set its location. This brought back the Fastly-Orig-Header.
2. Before Force SSL I added a condition to test if SSL was not enabled and then revert the host header back in preparation for the 301 redirect (otherwise it would issue a redirect with HTTPS into S3).

```vcl
# Request Condition: Not TLS Prio: 4
if( !req.http.Fastly-SSL ) {
  # Header rewrite Reset original host for HTTPS redirect : 4
  set req.http.host = req.http.Fastly-Orig-Host;
}
#end condition

# Request Condition: Always true Prio: 5
if( req.url ) {
  if (!req.http.Fastly-SSL) {
    error 801 "Force SSL";
  }

  if (!req.http.Fastly-FF) {
    if (req.http.X-Forwarded-For) {
      set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For ", " client.ip;
    } else {
      set req.http.Fastly-Temp-XFF = client.ip;
    }
  } else {
    set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For;
  }

  set req.grace = 60s;
}
```

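Added example, not code from the ticket or from Fastly: a small Python model of the vcl_recv / vcl_error flow discussed above, showing why config #15 redirected into the S3 origin and how the host reset in config #17 keeps the 301 on the public host. The bucket host (`EXAMPLE-BUCKET`) and the project path-rewrite rule are assumptions, since the ticket redacts the bucket name.

```python
from dataclasses import dataclass, field

# Placeholder for the redacted S3 bucket host in the ticket (assumption).
S3_ORIGIN = "EXAMPLE-BUCKET.s3.amazonaws.com"


@dataclass
class Request:
    host: str           # req.http.host
    url: str            # req.url
    tls: bool           # models req.http.Fastly-SSL
    headers: dict = field(default_factory=dict)


def vcl_recv(req: Request, reset_host_first: bool) -> dict:
    """Model one request through the edge.

    reset_host_first=False behaves like config #15 (Force SSL after the S3
    host rewrite); True behaves like config #17 (public host restored by the
    "Not TLS" condition before the redirect)."""
    # From the S3 integration guide: remember the public host, then point at S3.
    req.headers["Fastly-Orig-Host"] = req.host
    req.host = S3_ORIGIN
    # Config #17 addition: restore the public host when the request is not TLS.
    if reset_host_first and not req.tls:
        req.host = req.headers["Fastly-Orig-Host"]
    if not req.tls:
        # error 801 "Force SSL" -> vcl_error: Location = "https://" req.http.host req.url
        return {"status": 301, "location": "https://" + req.host + req.url}
    # Assumed path rewrite that needs Fastly-Orig-Host, e.g.
    # ltd-keeper.lsst.io/v/main/index.html -> /ltd-keeper/v/main/index.html in the bucket.
    project = req.headers["Fastly-Orig-Host"].split(".")[0]
    return {"status": 200, "backend": req.host, "path": "/" + project + req.url}


def redirect_stays_on_site(result: dict, public_host: str) -> bool:
    """Post-deploy check: a forced-TLS redirect must land on https and the public host."""
    loc = result.get("location", "")
    return result["status"] == 301 and loc.startswith("https://" + public_host + "/")


if __name__ == "__main__":
    for fixed in (False, True):
        r = vcl_recv(Request("ltd-keeper.lsst.io", "/v/main/index.html", tls=False), fixed)
        print("config #17" if fixed else "config #15", r,
              redirect_stays_on_site(r, "ltd-keeper.lsst.io"))
```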
Jonathan Sick added a comment -

Shipped as v #17 of the Fastly config.


#### People

Assignee: Jonathan Sick
Reporter: Jonathan Sick
Watchers: Jonathan Sick