If Mini is deployed behind a load balancer, then a common setup is to route http and https requests to Mini's port 80. In these setups, it would be nice to serve the secure services (e.g. Kibana, Elasticsearch) for https requests only. This would avoid several potential security problems with http and Mini
Username/password get sent in plain text in requests
Customer data is sent in plain text in responses.
Better security practice is for Mini to redirect from http to https for the secure services, to avoid sending username/password or customer data in plain text. Caddy should use the X-Forwarded-Proto header to decide if the original request was http or https.
This change cannot be the default, because we also need to support setups where it is desired behaviour to use http only (e.g. anything on localhost).
My suggestion is for caddy to open a new port 8443, as well as the existing port 80.
Port 80
Keep previous behaviour. Requests matching a secure service (e.g. /kibana) get routed to the service no matter if they were http or https requests.
Port 8443
Http requests matching a secure route (e.g. /kibana) issue a 302 redirect to https. Https requests matching a secure route are routed to the service, and protected by authentication. All other requests (http or https) are routed to the collector.
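The two-port layout proposed above, written out as a Caddy v2 Caddyfile. This is an added example, not configuration from the issue or from the Mini project; the upstream names (kibana:5601, elasticsearch:9200, collector:8080), the secure-route prefixes and the Caddy v2 syntax are assumptions, and the basicauth hash is a placeholder.

```caddyfile
# Port 80: previous behaviour. Secure routes are served whether the
# original request was http or https (the load balancer decides).
:80 {
	@secure path /kibana* /elasticsearch*
	handle @secure {
		basicauth {
			# Placeholder: generate with `caddy hash-password`.
			admin <bcrypt-hash-placeholder>
		}
		reverse_proxy kibana:5601
	}
	handle {
		reverse_proxy collector:8080
	}
}

# Port 8443: secure routes are only served over https.
# The decision is based on X-Forwarded-Proto, which is only trustworthy
# when the load balancer always sets/overwrites it before forwarding.
:8443 {
	# Secure route AND not explicitly https. Using `not ... https`
	# rather than `== http` treats a missing header as insecure,
	# so a request that bypassed the load balancer is redirected too.
	@insecure {
		path /kibana* /elasticsearch*
		not header X-Forwarded-Proto https
	}
	redir @insecure https://{host}{uri} 302

	# Secure route over https: authenticate, then proxy.
	@secure path /kibana* /elasticsearch*
	handle @secure {
		basicauth {
			admin <bcrypt-hash-placeholder>
		}
		reverse_proxy kibana:5601
	}

	# Everything else, http or https, goes to the collector.
	handle {
		reverse_proxy collector:8080
	}
}
```

The redirect happens before basicauth on 8443, so a browser that hits http://host/kibana is never asked for credentials over plaintext; the load balancer's https listener must then forward to 8443 with X-Forwarded-Proto set to https for the route to be served.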