Uploaded image for project: 'Data Management'
  1. Data Management
  2. DM-5938

Redirect non HTTPS requests on LSST the Docs to TLS

    XMLWordPrintable

Details

    Attachments

      Activity

        No builds found.
        jsick Jonathan Sick created issue -
        jsick Jonathan Sick made changes -
        Field Original Value New Value
        Epic Link DM-5858 [ 23985 ]
        jsick Jonathan Sick added a comment - - edited

        Note that last stable Fastly config is #14.

        In Version #15 I followed https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site and made a Force SSL request setting. The problem with this is that it did the 301 redirect to the ‘modified’ S3 origin server, rather than to the original domain, but with https turned on.

        Thus I get errors like this

        <Error>
        <Code>NoSuchBucket</Code>
        <Message>The specified bucket does not exist</Message>
        <BucketName>ltd-keeper.lsst.io</BucketName>
        <RequestId>84EB8067055D80D4</RequestId>
        <HostId>
        dWoySYFFcxz5iJgyKCivhnp2WZ+P572tIl5J1Y60IXj62a5IHoBYZRYLS66qiFTO29B4oNKo5iQ=
        </HostId>
        </Error>
        

        jsick Jonathan Sick added a comment - - edited Note that last stable Fastly config is #14. In Version #15 I followed https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site and made a Force SSL request setting. The problem with this is that it did the 301 redirect to the ‘modified’ S3 origin server, rather than to the original domain, but with https turned on. Thus I get errors like this < Error > < Code >NoSuchBucket</ Code > < Message >The specified bucket does not exist</ Message > < BucketName >ltd-keeper.lsst.io</ BucketName > < RequestId >84EB8067055D80D4</ RequestId > < HostId > dWoySYFFcxz5iJgyKCivhnp2WZ+P572tIl5J1Y60IXj62a5IHoBYZRYLS66qiFTO29B4oNKo5iQ= </ HostId > </ Error >

         

        sub vcl_error {
        #--FASTLY ERROR BEGIN

        if (obj.status == 801) {
        set obj.status = 301;
        set obj.response = "Moved Permanently";
        set obj.http.Location = "https://" req.http.host req.url;
        synthetic

        {""}

        ;
        return (deliver);
        }

        }

        {no format}

        I need to find a way to change "https://" req.http.host req.url; to "https://“ req.http.Fastly-Orig-Host req.url;

        jsick Jonathan Sick added a comment -   sub vcl_error { #--FASTLY ERROR BEGIN if (obj.status == 801) { set obj.status = 301; set obj.response = "Moved Permanently"; set obj.http.Location = "https://" req.http.host req.url; synthetic {""} ; return (deliver); } } {no format} I need to find a way to change "https://" req.http.host req.url; to "https://“ req.http.Fastly-Orig-Host req.url;

        Emailed Fastly:

        Hi Fastly,

        My service is *********** (*************). This is a question about version #14 -> #15 of my configuration.

        In Version #14 I've got it setup correctly to serve from my S3 bucket via S3's HTTPS REST API (following https://docs.fastly.com/guides/integrations/amazon-s3).

        The important part of this setup is that inside the #--FASTLY RECV BEGIN section I've got the lines:

        set req.http.Fastly-Orig-Host = req.http.host;
        set req.http.host = “*************.s3.amazonaws.com";

        I use req.http.Fastly-Orig-Host to do some regex-based path redirects within the bucket that you can see further down in the vcl_recv section. (e.g., redirect https://ltd-keeper.lsst.io/v/main/index.html to /ltd-keeper/v/main/index.html inside my S3 bucket.)

        Today I tried to force TLS connections to my sites following https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site#
        I tried this in version #15 of my service config.

        The problem with the VCL in #15 is that I lose the req.http.Fastly-Orig-Host header setting.

        The net result is that, with my config version #15, when a person visits "http://ltd-keeper.lsst.io" they are redirected to "https://ltd-keeper.lsst.io", but then all of my URL re-write rules break because req.http.Fastly-Orig-Host does not exist.

        What do you think is the correct way to implement forced TLS? Is turning on custom VCL the right thing to do at this point?

        Thanks!
        Jonathan

        jsick Jonathan Sick added a comment - Emailed Fastly: Hi Fastly, My service is *********** (*************). This is a question about version #14 -> #15 of my configuration. In Version #14 I've got it setup correctly to serve from my S3 bucket via S3's HTTPS REST API (following https://docs.fastly.com/guides/integrations/amazon-s3 ). The important part of this setup is that inside the #--FASTLY RECV BEGIN section I've got the lines: set req.http.Fastly-Orig-Host = req.http.host; set req.http.host = “*************.s3.amazonaws.com"; I use req.http.Fastly-Orig-Host to do some regex-based path redirects within the bucket that you can see further down in the vcl_recv section. (e.g., redirect https://ltd-keeper.lsst.io/v/main/index.html to /ltd-keeper/v/main/index.html inside my S3 bucket.) Today I tried to force TLS connections to my sites following https://docs.fastly.com/guides/securing-communications/allowing-only-tls-connections-to-your-site# I tried this in version #15 of my service config. The problem with the VCL in #15 is that I lose the req.http.Fastly-Orig-Host header setting. The net result is that, with my config version #15, when a person visits "http://ltd-keeper.lsst.io" they are redirected to "https://ltd-keeper.lsst.io", but then all of my URL re-write rules break because req.http.Fastly-Orig-Host does not exist. What do you think is the correct way to implement forced TLS? Is turning on custom VCL the right thing to do at this point? Thanks! Jonathan
        jsick Jonathan Sick made changes -
        Story Points 0.4
        jsick Jonathan Sick made changes -
        Status To Do [ 10001 ] In Progress [ 3 ]
        jsick Jonathan Sick made changes -
        Story Points 0.4 0.7

        Thanks for input from Fastly support I got this solved

        1. Needed to wrap the Force SSL in a condition so that I could set its location. This brought back the Fastly-Orig-Header.
        2. Before Force SSL I added a condition to test if SSL was not enabled and then revert the host header back in preparation for the 301 redirect. (otherwise it would issue a redirect with HTTPS into S3.

        # Request Condition: Not TLS Prio: 4
          if( !req.http.Fastly-SSL ) {
                
               
          # Header rewrite Reset original host for HTTPS redirect : 4
          
              
                set req.http.host = req.http.Fastly-Orig-Host;
                      
          
            
          
            
          }
          #end condition
          # Request Condition: Always true Prio: 5
          if( req.url ) {
                
                
            if (!req.http.Fastly-SSL) {
               error 801 "Force SSL";
            }
            
               if (!req.http.Fastly-FF) {
                 if (req.http.X-Forwarded-For) {
                   set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For ", " client.ip;
                 } else {
                   set req.http.Fastly-Temp-XFF = client.ip;
                 }
               } else {
                 set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For;
               }
                
          
          
            set req.grace = 60s; 
                  
          
            
          }
        

        jsick Jonathan Sick added a comment - Thanks for input from Fastly support I got this solved Needed to wrap the Force SSL in a condition so that I could set its location. This brought back the Fastly-Orig-Header. Before Force SSL I added a condition to test if SSL was not enabled and then revert the host header back in preparation for the 301 redirect. (otherwise it would issue a redirect with HTTPS into S3. # Request Condition: Not TLS Prio: 4 if( !req.http.Fastly-SSL ) { # Header rewrite Reset original host for HTTPS redirect : 4 set req.http.host = req.http.Fastly-Orig-Host; } #end condition # Request Condition: Always true Prio: 5 if( req.url ) { if (!req.http.Fastly-SSL) { error 801 "Force SSL"; } if (!req.http.Fastly-FF) { if (req.http.X-Forwarded-For) { set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For ", " client.ip; } else { set req.http.Fastly-Temp-XFF = client.ip; } } else { set req.http.Fastly-Temp-XFF = req.http.X-Forwarded-For; } set req.grace = 60s; }
        jsick Jonathan Sick made changes -
        Resolution Done [ 10000 ]
        Status In Progress [ 3 ] Done [ 10002 ]

        Shipped as v #17 of the Fastly config.

        jsick Jonathan Sick added a comment - Shipped as v #17 of the Fastly config.

        People

          jsick Jonathan Sick
          jsick Jonathan Sick
          Jonathan Sick
          Votes:
          0 Vote for this issue
          Watchers:
          1 Start watching this issue

          Dates

            Created:
            Updated:
            Resolved:

            Jenkins

              No builds found.