Redirect Insecure Requests with the X-Forwarded-Proto header

oauthproxy.go

@@ -19,7 +19,10 @@ import (
 	"github.com/mbland/hmacauth"
 )
 
-const SignatureHeader = "GAP-Signature"
+const (
+	SignatureHeader       = "GAP-Signature"
+	XForwardedProtoHeader = "X-Forwarded-Proto"
+)
 
 var SignatureHeaders []string = []string{
 	"Content-Length",
@@ -457,6 +460,7 @@ func getRemoteAddr(req *http.Request) (s string) {
 }
 
 func (p *OAuthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	p.redirectInsecureRequest(rw, req)
 	switch path := req.URL.Path; {
 	case path == p.RobotsPath:
 		p.RobotsTxt(rw)
@@ -607,6 +611,12 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
 	}
 }
 
+func (p *OAuthProxy) redirectInsecureRequest(rw http.ResponseWriter, req *http.Request) {
+	if req.Header.Get(XForwardedProtoHeader) == "http" {
+		http.Redirect(rw, req, fmt.Sprintf("https://%v%v", req.Host, req.URL), http.StatusMovedPermanently)
+	}
+}
+
 func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int {
 	var saveSession, clearSession, revalidated bool
 	remoteAddr := getRemoteAddr(req)

oauthproxy_test.go

@@ -836,3 +836,18 @@ func TestRequestSignaturePostRequest(t *testing.T) {
 	assert.Equal(t, 200, st.rw.Code)
 	assert.Equal(t, st.rw.Body.String(), "signatures match")
 }
+
+func TestRedirectInsecureRequest(t *testing.T) {
+	opts := NewOptions()
+	opts.Validate()
+
+	proxy := NewOAuthProxy(opts, func(string) bool { return true })
+	rw := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.Host = "example.com"
+	req.Header.Set("X-Forwarded-Proto", "http")
+	proxy.ServeHTTP(rw, req)
+
+	assert.Equal(t, http.StatusMovedPermanently, rw.Code)
+	assert.Equal(t, "https://example.com/", rw.Header().Get("Location"))
+}