Merge pull request #92 from basecamp/tls-allow-disable-redirect

Add `--tls-disable-redirect`
basecamp · Jan 7, 2025 · d7444e5 · d7444e5
2 parents 545d52c + fa1991f
commit d7444e5
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/internal/cmd/deploy.go b/internal/cmd/deploy.go
@@ -33,6 +33,7 @@ func newDeployCommand() *deployCommand {
 	deployCommand.cmd.Flags().BoolVar(&deployCommand.tlsStaging, "tls-staging", false, "Use Let's Encrypt staging environment for certificate provisioning")
 	deployCommand.cmd.Flags().StringVar(&deployCommand.args.ServiceOptions.TLSCertificatePath, "tls-certificate-path", "", "Configure custom TLS certificate path (PEM format)")
 	deployCommand.cmd.Flags().StringVar(&deployCommand.args.ServiceOptions.TLSPrivateKeyPath, "tls-private-key-path", "", "Configure custom TLS private key path (PEM format)")
+	deployCommand.cmd.Flags().BoolVar(&deployCommand.args.ServiceOptions.TLSDisableRedirect, "tls-disable-redirect", false, "Don't redirect HTTP traffic to HTTPS")
 
 	deployCommand.cmd.Flags().DurationVar(&deployCommand.args.DeployTimeout, "deploy-timeout", server.DefaultDeployTimeout, "Maximum time to wait for the new target to become healthy")
 	deployCommand.cmd.Flags().DurationVar(&deployCommand.args.DrainTimeout, "drain-timeout", server.DefaultDrainTimeout, "Maximum time to allow existing connections to drain before removing old target")

diff --git a/internal/server/service.go b/internal/server/service.go
@@ -68,6 +68,7 @@ type ServiceOptions struct {
 	TLSEnabled         bool   `json:"tls_enabled"`
 	TLSCertificatePath string `json:"tls_certificate_path"`
 	TLSPrivateKeyPath  string `json:"tls_private_key_path"`
+	TLSDisableRedirect bool   `json:"tls_disable_redirect"`
 	ACMEDirectory      string `json:"acme_directory"`
 	ACMECachePath      string `json:"acme_cache_path"`
 	ErrorPagePath      string `json:"error_page_path"`
@@ -351,7 +352,7 @@ func (s *Service) createMiddleware(options ServiceOptions, certManager CertManag
 func (s *Service) serviceRequestWithTarget(w http.ResponseWriter, r *http.Request) {
 	LoggingRequestContext(r).Service = s.name
 
-	if s.options.TLSEnabled && r.TLS == nil {
+	if s.shouldRedirectToHTTPS(r) {
 		s.redirectToHTTPS(w, r)
 		return
 	}
@@ -374,6 +375,10 @@ func (s *Service) serviceRequestWithTarget(w http.ResponseWriter, r *http.Reques
 	target.SendRequest(w, req)
 }
 
+func (s *Service) shouldRedirectToHTTPS(r *http.Request) bool {
+	return s.options.TLSEnabled && !s.options.TLSDisableRedirect && r.TLS == nil
+}
+
 func (s *Service) handlePausedAndStoppedRequests(w http.ResponseWriter, r *http.Request) bool {
 	if s.pauseController.GetState() != PauseStateRunning && s.ActiveTarget().IsHealthCheckRequest(r) {
 		// When paused or stopped, return success for any health check

diff --git a/internal/server/service_test.go b/internal/server/service_test.go
@@ -43,6 +43,24 @@ func TestService_RedirectToHTTPSWhenTLSRequired(t *testing.T) {
 	require.Equal(t, http.StatusOK, w.Result().StatusCode)
 }
 
+func TestService_DontRedirectToHTTPSWhenTLSAndPlainHTTPAllowed(t *testing.T) {
+	service := testCreateService(t, []string{"example.com"}, ServiceOptions{TLSEnabled: true, TLSDisableRedirect: true}, defaultTargetOptions)
+
+	require.True(t, service.options.TLSEnabled)
+
+	req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
+	w := httptest.NewRecorder()
+	service.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusOK, w.Result().StatusCode)
+
+	req = httptest.NewRequest(http.MethodGet, "https://example.com", nil)
+	w = httptest.NewRecorder()
+	service.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusOK, w.Result().StatusCode)
+}
+
 func TestService_UseStaticTLSCertificateWhenConfigured(t *testing.T) {
 	certPath, keyPath := prepareTestCertificateFiles(t)