feat(serverHandler): add https redirect and HSTS

- use `--hsts` to enable HSTS(HTTP Strict Transport Security)
- use `--to-https` to indicate https port redirects to

Author: marjune163

README.md

@@ -223,6 +223,14 @@ server [options]
 -t|--template <file>
     Use a custom template file for rendering pages, instead of builtin template.
 
+--hsts
+    Enable HSTS(HTTP Strict Transport Security).
+    Only available if current virtual host listens both plain HTTP and TLS on standard ports.
+--to-https [<target-port>]
+    Redirect plain HTTP request to HTTPS TLS port.
+    Target port must be exists in --listen-tls of current virtual host.
+    If target port is omitted, the first item from --listen-tls will be used.
+
 -S|--show <wildcard> ...
 -SD|--show-dir <wildcard> ...
 -SF|--show-file <wildcard> ...

README.zh-CN.md

@@ -221,6 +221,14 @@ server [选项]
 -t|--template <模板文件>
     指定用于渲染页面的自定义模板，代替内建模板。
 
+--hsts
+    启用HSTS(HTTP Strict Transport Security)。
+    仅当当前虚拟主机的纯HTTP和TLS模式都监听在标准端口上时才有效。
+--to-https [<目标端口>]
+    将纯HTTP请求重定向到HTTPS端口。
+    目标端口必须存在于当前虚拟主机--listen-tls中。
+    如果省略目标端口，则使用--listen-tls中的第一项。
+
 -S|--show <通配符> ...
 -SD|--show-dir <通配符> ...
 -SF|--show-file <通配符> ...

src/param/cli.go

@@ -135,6 +135,12 @@ func init() {
 	err = options.AddFlagsValue("template", []string{"-t", "--template"}, "GHFS_TEMPLATE", "", "custom template file for page")
 	serverErrHandler.CheckFatal(err)
 
+	err = options.AddFlag("globalhsts", "--hsts", "GHFS_HSTS", "enable HSTS(HTTP Strict Transport Security)")
+	serverErrHandler.CheckFatal(err)
+
+	err = options.AddFlagValue("globalhttps", "--to-https", "GHFS_TO_HTTPS", "", "redirect http:// to https://, with optional target port")
+	serverErrHandler.CheckFatal(err)
+
 	err = options.AddFlagsValues("shows", []string{"-S", "--show"}, "GHFS_SHOW", nil, "show directories or files match wildcard")
 	serverErrHandler.CheckFatal(err)
 	err = options.AddFlagsValues("showdirs", []string{"-SD", "--show-dir"}, "GHFS_SHOW_DIR", nil, "show directories match wildcard")
@@ -274,17 +280,6 @@ func doParseCli() []*Param {
 			serverErrHandler.CheckFatal(errors.New("missing certificate key file"))
 		}
 
-		// normalize listen
-		listens, _ := result.GetStrings("listens")
-		param.Listens = append(param.Listens, listens...)
-
-		listenRests := result.GetRests()
-		param.Listens = append(param.Listens, listenRests...)
-
-		param.ListensPlain, _ = result.GetStrings("listensplain")
-
-		param.ListensTLS, _ = result.GetStrings("listenstls")
-
 		// normalize aliases
 		arrAlias, _ := result.GetStrings("aliases")
 		param.Aliases = normalizePathMaps(arrAlias)
@@ -356,6 +351,31 @@ func doParseCli() []*Param {
 			serverErrHandler.CheckFatal(fmt.Errorf("duplicated usernames: %q", dupUserNames))
 		}
 
+		// normalize listen
+		listens, _ := result.GetStrings("listens")
+		param.Listens = append(param.Listens, listens...)
+
+		listenRests := result.GetRests()
+		param.Listens = append(param.Listens, listenRests...)
+
+		param.ListensPlain, _ = result.GetStrings("listensplain")
+
+		param.ListensTLS, _ = result.GetStrings("listenstls")
+
+		// hsts & https
+		if len(param.ListensTLS) > 0 {
+			param.GlobalHsts = result.HasKey("globalhsts")
+			if param.GlobalHsts {
+				param.GlobalHsts = validateHstsPort(param.ListensPlain, param.ListensTLS)
+			}
+
+			param.GlobalHttps = result.HasKey("globalhttps")
+			if param.GlobalHttps {
+				httpsPort, _ := result.GetString("globalhttps")
+				param.HttpsPort, param.GlobalHttps = normalizeHttpsPort(httpsPort, param.ListensTLS)
+			}
+		}
+
 		// shows
 		shows, err := WildcardToRegexp(result.GetStrings("shows"))
 		serverErrHandler.CheckFatal(err)

src/param/main.go

@@ -56,6 +56,10 @@ type Param struct {
 	HostNames    []string
 	Template     string
 
+	GlobalHsts  bool
+	GlobalHttps bool
+	HttpsPort   string
+
 	Shows     *regexp.Regexp
 	ShowDirs  *regexp.Regexp
 	ShowFiles *regexp.Regexp

src/param/strUtil.go

@@ -97,3 +97,58 @@ func normalizeFilenames(inputs []string) []string {
 
 	return outputs
 }
+
+func validateHstsPort(listensPlain, ListensTLS []string) bool {
+	var fromOK, toOK bool
+
+	for _, listen := range listensPlain {
+		port := util.ExtractListenPort(listen)
+		if len(port) == 0 || port == "80" {
+			fromOK = true
+			break
+		}
+	}
+
+	for _, listen := range ListensTLS {
+		port := util.ExtractListenPort(listen)
+		if len(port) == 0 || port == "443" {
+			toOK = true
+			break
+		}
+	}
+
+	return fromOK && toOK
+}
+
+func normalizeHttpsPort(httpsPort string, ListensTLS []string) (string, bool) {
+	if len(httpsPort) > 0 {
+		httpsPort = util.ExtractListenPort(httpsPort)
+		if len(httpsPort) == 0 {
+			return "", false
+		}
+	} else if len(ListensTLS) > 0 {
+		httpsPort = util.ExtractListenPort(ListensTLS[0])
+	}
+
+	lenHttpsPort := len(httpsPort)
+	httpsColonPort := ":" + httpsPort
+	for _, listen := range ListensTLS {
+		if lenHttpsPort == 0 && len(listen) == 0 {
+			return "", true
+		}
+
+		port := util.ExtractListenPort(listen)
+		if lenHttpsPort == 0 && len(port) == 0 {
+			return "", true
+		}
+		if httpsPort == port {
+			return httpsColonPort, true
+		}
+
+		if httpsPort == "443" && port == "" {
+			return "", true
+		}
+	}
+
+	return "", false
+}

src/param/strUtil_test.go

@@ -52,3 +52,88 @@ func TestNormalizeFilenames(t *testing.T) {
 		t.Fail()
 	}
 }
+
+func TestNormalizeHttpsPort(t *testing.T) {
+	var httpsPort string
+	var ok bool
+
+	httpsPort, ok = normalizeHttpsPort("123", []string{"123"})
+	if !ok || httpsPort != ":123" {
+		t.Error("1")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("234", []string{":234"})
+	if !ok || httpsPort != ":234" {
+		t.Error("2")
+	}
+
+	httpsPort, ok = normalizeHttpsPort(":345", []string{"345"})
+	if !ok || httpsPort != ":345" {
+		t.Error("3")
+	}
+
+	httpsPort, ok = normalizeHttpsPort(":456", []string{":456"})
+	if !ok || httpsPort != ":456" {
+		t.Error("4")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{""})
+	if !ok || httpsPort != "" {
+		t.Error("5")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("65536", []string{"65536"})
+	if ok || httpsPort != "" {
+		t.Error("6", httpsPort)
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{"567"})
+	if !ok || httpsPort != ":567" {
+		t.Error("7")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{":678"})
+	if !ok || httpsPort != ":678" {
+		t.Error("8")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("789", []string{":890"})
+	if ok || httpsPort != "" {
+		t.Error("9")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("789", []string{"127.0.0.1:890"})
+	if ok || httpsPort != "" {
+		t.Error("10")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("789", []string{"[::1]:890"})
+	if ok || httpsPort != "" {
+		t.Error("11")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{":443"})
+	if !ok || httpsPort != ":443" {
+		t.Error("12")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{"127.0.0.1"})
+	if !ok || httpsPort != "" {
+		t.Error("13")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("", []string{"[::1]"})
+	if !ok || httpsPort != "" {
+		t.Error("14")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("443", []string{"127.0.0.1"})
+	if !ok || httpsPort != "" {
+		t.Error("15")
+	}
+
+	httpsPort, ok = normalizeHttpsPort("443", []string{"[::1]"})
+	if !ok || httpsPort != "" {
+		t.Error("16")
+	}
+}

src/serverHandler/hsts.go

@@ -0,0 +1,44 @@
+package serverHandler
+
+import (
+	"../util"
+	"net/http"
+)
+
+func (h *handler) hsts(w http.ResponseWriter, r *http.Request) (needRedirect bool) {
+	_, port := util.ExtractHostnamePort(r.Host)
+
+	if len(port) > 0 {
+		return
+	}
+
+	header := w.Header()
+	header.Set("Strict-Transport-Security", "max-age=31536000")
+
+	if r.TLS != nil {
+		return
+	}
+
+	location := "https://" + r.Host + r.RequestURI
+	http.Redirect(w, r, location, http.StatusMovedPermanently)
+	return true
+}
+
+func (h *handler) https(w http.ResponseWriter, r *http.Request) (needRedirect bool) {
+	if r.TLS != nil {
+		return
+	}
+
+	hostname, _ := util.ExtractHostnamePort(r.Host)
+
+	var targetPort string
+	if len(h.httpsPort) > 0 && h.httpsPort != ":443" {
+		targetPort = h.httpsPort
+	}
+
+	targetHost := hostname + targetPort
+
+	location := "https://" + targetHost + r.RequestURI
+	http.Redirect(w, r, location, http.StatusMovedPermanently)
+	return true
+}

src/serverHandler/main.go

@@ -14,6 +14,9 @@ import (
 type handler struct {
 	root        string
 	emptyRoot   bool
+	globalHsts  bool
+	globalHttps bool
+	httpsPort   string // with prefix ":"
 	defaultSort string
 	urlPrefix   string
 
@@ -62,6 +65,16 @@ type handler struct {
 func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	go h.logRequest(r)
 
+	// hsts redirect
+	if h.globalHsts && h.hsts(w, r) {
+		return
+	}
+
+	// https redirect
+	if h.globalHttps && h.https(w, r) {
+		return
+	}
+
 	// asset
 	const assetPrefix = "asset="
 	if strings.HasPrefix(r.URL.RawQuery, assetPrefix) {
@@ -149,6 +162,9 @@ func NewHandler(
 	h := &handler{
 		root:        root,
 		emptyRoot:   emptyRoot,
+		globalHsts:  p.GlobalHsts,
+		globalHttps: p.GlobalHttps,
+		httpsPort:   p.HttpsPort,
 		defaultSort: p.DefaultSort,
 		urlPrefix:   urlPrefix,
 

src/util/digits.go

@@ -0,0 +1,12 @@
+package util
+
+func IsDigits(input string) bool {
+	for i, length := 0, len(input); i < length; i++ {
+		b := input[i]
+		if b < '0' || b > '9' {
+			return false
+		}
+	}
+
+	return true
+}

src/util/digits_test.go

@@ -0,0 +1,16 @@
+package util
+
+import "testing"
+
+func TestIsDigits(t *testing.T) {
+	var str string
+	str = "12345"
+	if !IsDigits(str) {
+		t.Fail()
+	}
+
+	str = "x12345"
+	if IsDigits(str) {
+		t.Fail()
+	}
+}