Merge pull request #5959 from spalger/implement/redirectHttpToHttps

[https] automatically redirect http traffic to https
Spencer 2016-01-21 15:50:43 -07:00
commit 931892fe18
3 changed files with 71 additions and 41 deletions


@ -104,6 +104,7 @@
"good-squeeze": "2.1.0",
"gridster": "0.5.6",
"hapi": "8.8.1",
"httpolyglot": "0.1.1",
"imports-loader": "0.6.4",
"jade": "1.11.0",
"jade-loader": "0.7.1",


@ -1,13 +1,19 @@
import fs from 'fs';
import { readFileSync } from 'fs';
import { format as formatUrl } from 'url';
import httpolyglot from 'httpolyglot';
import tlsCiphers from './tls_ciphers';
export default function (kbnServer, server, config) {
// this mixin is used outside of the kbn server, so it MUST work without a full kbnServer object.
kbnServer = null;
// Create a new connection
var connectionOptions = {
host: config.get('server.host'),
port: config.get('server.port'),
const host = config.get('server.host');
const port = config.get('server.port');
const connectionOptions = {
host,
port,
state: {
strictHeader: false
},
@ -19,42 +25,39 @@ export default function (kbnServer, server, config) {
}
};
// enable tls if ssl key and cert are defined
if (config.get('server.ssl.key') && config.get('server.ssl.cert')) {
connectionOptions.tls = {
key: fs.readFileSync(config.get('server.ssl.key')),
cert: fs.readFileSync(config.get('server.ssl.cert')),
// The default ciphers in node 0.12.x include insecure ciphers, so until
// we enforce a more recent version of node, we craft our own list
// @see https://github.com/nodejs/node/blob/master/src/node_constants.h#L8-L28
ciphers: [
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'DHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES128-SHA256',
'DHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384',
'DHE-RSA-AES256-SHA384',
'ECDHE-RSA-AES256-SHA256',
'DHE-RSA-AES256-SHA256',
'HIGH',
'!aNULL',
'!eNULL',
'!EXPORT',
'!DES',
'!RC4',
'!MD5',
'!PSK',
'!SRP',
'!CAMELLIA'
].join(':'),
// We use the server's cipher order rather than the client's to prevent
// the BEAST attack
honorCipherOrder: true
};
// enable tlsOpts if ssl key and cert are defined
const useSsl = config.get('server.ssl.key') && config.get('server.ssl.cert');
// not using https? well that's easy!
if (!useSsl) {
server.connection(connectionOptions);
return;
}
server.connection(connectionOptions);
server.connection({
...connectionOptions,
tls: true,
listener: httpolyglot.createServer({
key: readFileSync(config.get('server.ssl.key')),
cert: readFileSync(config.get('server.ssl.cert')),
ciphers: tlsCiphers,
// We use the server's cipher order rather than the client's to prevent the BEAST attack
honorCipherOrder: true
})
});
server.ext('onRequest', function (req, reply) {
if (req.raw.req.socket.encrypted) {
reply.continue();
} else {
reply.redirect(formatUrl({
port,
protocol: 'https',
hostname: host,
pathname: req.url.pathname,
search: req.url.search,
}));
}
});
}
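Review bot: The `onRequest` extension at the end of the hunk redirects every cleartext request regardless of method, using hapi's default temporary redirect, so a POST that arrives over http is re-issued by the browser as a GET to the https URL with its body dropped; rejecting anything other than GET/HEAD is the safer shape, e.g. `if (req.method !== 'get' && req.method !== 'head') return reply('HTTPS required').code(403);` placed before the `reply.redirect(...)` call. The Location header is built from the configured `server.host` rather than the request's Host header, which avoids trusting client input, but when that setting is a wildcard bind address such as `0.0.0.0` the redirect target is unroutable — a comment on the `hostname: host` line, or a documented constraint on `server.host` when `server.ssl.*` is set, would make that trade-off explicit. Nothing on the encrypted path sets a `Strict-Transport-Security` header, so clients will keep sending a cleartext request first on every visit; if that is meant to be addressed later, a `// TODO` next to the `reply.continue()` branch would record it.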


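--- /dev/null
+++ b/tls_ciphers.js
@@ -0,0 +1,26 @@
+// The default ciphers in node 0.12.x include insecure ciphers, so until
+// we enforce a more recent version of node, we craft our own list
+// @see https://github.com/nodejs/node/blob/master/src/node_constants.h#L8-L28
+export default [
+'ECDHE-RSA-AES128-GCM-SHA256',
+'ECDHE-ECDSA-AES128-GCM-SHA256',
+'ECDHE-RSA-AES256-GCM-SHA384',
+'ECDHE-ECDSA-AES256-GCM-SHA384',
+'DHE-RSA-AES128-GCM-SHA256',
+'ECDHE-RSA-AES128-SHA256',
+'DHE-RSA-AES128-SHA256',
+'ECDHE-RSA-AES256-SHA384',
+'DHE-RSA-AES256-SHA384',
+'ECDHE-RSA-AES256-SHA256',
+'DHE-RSA-AES256-SHA256',
+'HIGH',
+'!aNULL',
+'!eNULL',
+'!EXPORT',
+'!DES',
+'!RC4',
+'!MD5',
+'!PSK',
+'!SRP',
+'!CAMELLIA'
+].join(':');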
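Review bot: The exclusion `'!DES'` near the end of the list does not cover triple DES: in OpenSSL cipher-string syntax `DES` matches single-DES suites only, triple DES is the separate `3DES` alias, and on the OpenSSL releases bundled with node 0.12 it is still classified under `HIGH`, so `DES-CBC3-SHA` remains negotiable despite the comment's intent — add `'!3DES',` alongside `'!DES',`. `HIGH` also admits static-RSA key-exchange suites (no forward secrecy) as a fallback behind the explicit ECDHE/DHE entries; if that is intentional for older clients, a comment such as `// HIGH is a fallback for clients without ECDHE/DHE; it allows non-PFS RSA key exchange` would keep the next maintainer from tightening or loosening it blindly. The header comment could additionally state that the array is joined with `':'` into an OpenSSL cipher string, so aliases like `HIGH` are expanded by OpenSSL at runtime rather than by this module.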