feat: enforce https for all operations

superfly · Feb 29, 2024 · aaf26cc · aaf26cc
1 parent a8ef2e4
commit aaf26cc
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 28 deletions.
diff --git a/dockerproxy/main.go b/dockerproxy/main.go
@@ -39,6 +39,7 @@ var (
 	noDockerd = os.Getenv("NO_DOCKERD") == "1"
 	noAuth    = os.Getenv("NO_AUTH") == "1"
 	noAppName = os.Getenv("NO_APP_NAME") == "1"
+	noHttps   = os.Getenv("NO_HTTPS") == "1"
 
 	// build variables
 	gitSha    string
@@ -103,9 +104,9 @@ func main() {
 
 	httpMux := http.NewServeMux()
 
-	httpMux.Handle("/", handlers.LoggingHandler(log.Writer(), authRequest(proxy())))
-	httpMux.Handle("/flyio/v1/prune", handlers.LoggingHandler(log.Writer(), authRequest(pruneHandler(dockerClient))))
-	httpMux.Handle("/flyio/v1/extendDeadline", handlers.LoggingHandler(log.Writer(), authRequest(extendDeadline())))
+	httpMux.Handle("/", wrapCommonMiddlewares(dockerProxy()))
+	httpMux.Handle("/flyio/v1/prune", wrapCommonMiddlewares(pruneHandler(dockerClient)))
+	httpMux.Handle("/flyio/v1/extendDeadline", wrapCommonMiddlewares((extendDeadline())))
 
 	httpServer := &http.Server{
 		Addr:    ":8080",
@@ -212,7 +213,7 @@ func extendDeadline() http.Handler {
 	})
 }
 
-func proxy() http.Handler {
+func dockerProxy() http.Handler {
 	reverseProxy := httputil.NewSingleHostReverseProxy(&url.URL{
 		Scheme: DOCKER_SCHEME,
 		Host:   DOCKER_LISTENER,
@@ -240,3 +241,24 @@ func pruneHandler(client *client.Client) http.HandlerFunc {
 		w.WriteHeader(http.StatusOK)
 	})
 }
+
+func upgradeToHTTPs(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !noHttps && r.Header.Get("X-Forwarded-Proto") == "http" {
+			http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusMovedPermanently)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
+func wrapCommonMiddlewares(h http.Handler) http.Handler {
+	return handlers.LoggingHandler(
+		log.Writer(),
+		upgradeToHTTPs(
+			authRequest(
+				h,
+			),
+		),
+	)
+}
diff --git a/etc/docker/daemon.json b/etc/docker/daemon.json
@@ -10,8 +10,8 @@
             "size": 24
         }
     ],
-    "debug": true,
-    "log-level": "debug",
+    "debug": false,
+    "log-level": "info",
     "features": {
         "buildkit": true
     },

diff --git a/fly.toml b/fly.toml
@@ -1,31 +1,40 @@
-# fly.toml file generated for rchab on 2021-01-08T16:05:33-05:00
+app = 'rchab'
+primary_region = 'ams'
+kill_signal = 'SIGINT'
+kill_timeout = '5s'
 
-app = "rchab"
+[build]
 
-kill_signal = "SIGINT"
-kill_timeout = 5
+[env]
+  ALLOW_ORG_SLUG = 'fly'
+  DATA_DIR = '/data'
+  LOG_LEVEL = 'info'
 
 [[mounts]]
-source = "data"
-destination = "/data"
+  source = 'data'
+  destination = '/data'
 
-[[services]]
-internal_port = 8080
-protocol = "tcp"
+[http_service]
+  internal_port = 8080
+  force_https = true
+  auto_stop_machines = false
+  auto_start_machines = true
+  min_machines_running = 0
+  processes = ['app']
 
-[services.concurrency]
-hard_limit = 25
-soft_limit = 20
+  [http_service.http_options]
+    h2_backend = true
+
+  [http_service.tls_options]
+    alpn = ['h2']
 
-[[services.ports]]
-handlers = ["tls"]
-port = 10000
 
-[env]
-ALLOW_ORG_SLUG = "fly"
-LOG_LEVEL = "debug"
-DATA_DIR = "/data"
 
-[metrics]
-port = 9323
-path = "/metrics"
+[[vm]]
+  memory = '4gb'
+  cpu_kind = 'shared'
+  cpus = 4
+
+[[metrics]]
+  port = 9323
+  path = '/metrics'