14

I've followed the answer to this: "Redirect from http to https in google cloud", but it does not seem to be currently accurate any more. The anchor referenced (https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml#security) seems to have been removed, but without a note of a replacement.

For reference, I am serving NodeJS over a Google App (flex) Engine. As per the answer I've got in my app.yaml:

handlers:
- url: /.*
  script: IGNORED
  secure: always

Since HTTPS is obviously terminated before it hits my Express engine (and redirection on there would be useless), how is it currently correctly implemented?

Potentially helpful: I have an external domain attached via the "Custom domains" tab in the console, and there is indeed an SSL certificate configured (so if a user manually goes to https://.com everything is fine).

Dan Cornilescu
Art
  • What's your current problem? It should redirect to https as expected. – Tatsuyuki Ishi Mar 14 '17 at 04:40
  • Correct. I want HTTP request to redirect to HTTPS, though this is not currently working (i.e. I just access HTTP normally without redirection when accessing the domain I have connected to this environment) – Art Mar 14 '17 at 04:42
  • `handlers: - url: /.* script: auto secure: always redirect_http_response_code: 301` – Robert Mihai Ionas May 23 '19 at 12:08
  • @RobertMihaiIonas You saved my life. That works. It redirects my naked domain ("example.com") to "https://example.com" and all other to https. Amazing. No more HTTP! Thank you. – Mr_Spock Oct 12 '21 at 20:51

3 Answers

20

The flexible environment does not currently support handlers in the app.yaml. If you want https:// redirection, you have a few options:

  • Use helmet to do the HSTS stuff for you, and implement your own initial redirect.
  • I wrote a happy little library that always forces SSL on all routes for express: yes-https

We are considering auto-redirecting all traffic to SSL by default. Do you think that would be a good thing for your apps?

Justin Beckwith
  • Thanks Justin, that did the trick! I am indeed considering to prefer -all- traffic is transported over https. Given the site's setup (just a 1-pager with a single form containing PII) that would make the most sense. – Art Mar 15 '17 at 02:23
  • Can you please look at my https://stackoverflow.com/questions/47453220/http-requests-not-getting-routed-to-https-nodejs actually yes-https is not working for me. – Sudhanshu Gaur Nov 23 '17 at 19:37
  • Are you there ?? – Sudhanshu Gaur Nov 25 '17 at 16:04
  • I used Justin's happy little library and it's dead simple and easy, and it works. – Cheeso Jun 20 '18 at 15:01
  • @Justin Thank you so much! This has been driving me nuts :) – kashiB Jun 27 '18 at 04:21
9

Pulling Justin's yes-https library, I was able to get this to work:

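var express = require('express');
var app = express();

// App Engine terminates TLS in front of the app and reports the original
// scheme in the X-Forwarded-Proto header.
app.use(function(req, res, next){
  if (req.hostname != 'localhost' && req.get('X-Forwarded-Proto') == 'http') {
    // Redirect to the same host and URL over HTTPS.
    res.redirect(`https://${req.hostname}${req.url}`);
    return;
  }

  // Not a plain-HTTP request: continue with the remaining middleware and
  // routes (app.router is not available in Express 4).
  next();
});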

At first I thought I had to do that since I was on an appengine subdomain and couldn't use HSTS. Then I learned HSTS works fine for subdomains. :) Regardless, I thought people might want to see what the magic bit to use was if they didn't want to use yes-https for some reason.

Justin, auto-redirecting all traffic to SSL by default sounds great to me. I just spent hours trying to figure out how to do so before I found this post because I was trying to get my app to get Chrome's add to homescreen install banner as per https://developers.google.com/web/fundamentals/engage-and-retain/app-install-banners/.

Ojan
  • Can you please look at my https://stackoverflow.com/questions/47453220/http-requests-not-getting-routed-to-https-nodejs actually yes-https is not working for me. – Sudhanshu Gaur Nov 23 '17 at 19:37
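
A hardened form of the X-Forwarded-Proto redirect discussed in the answers above, as an added example that is not part of the original posts and not the yes-https code: it redirects only to allow-listed hosts instead of echoing the Host header, keeps the path and query, and sends HSTS only on HTTPS responses. The names `ALLOWED_HOSTS`, `httpsDecision` and `enforceHttps` are hypothetical, the hosts are constructed sample values, and it assumes the front end always sets `X-Forwarded-Proto` on proxied requests.

```javascript
// Hypothetical names throughout; the hosts below are constructed sample values.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);
const HSTS = 'max-age=31536000; includeSubDomains';

// Decide what to do with a request that arrived through a TLS-terminating proxy.
// Node lower-cases header names, so the proxy's value is under 'x-forwarded-proto'.
function httpsDecision(req) {
  const host = String(req.headers.host || '').toLowerCase().replace(/:\d+$/, '');
  const xfp = req.headers['x-forwarded-proto'];

  // Assumption: no header means the request did not pass the proxy (local development).
  if (xfp === undefined) return { action: 'next' };

  if (String(xfp).trim().toLowerCase() === 'https') {
    // Browsers only honour HSTS on HTTPS responses, so send it here and nowhere else.
    return { action: 'next', hsts: HSTS };
  }

  // Never reflect an unrecognised Host header into a Location header.
  if (!ALLOWED_HOSTS.has(host)) return { action: 'reject', status: 400 };

  // Keep path and query; fall back to "/" for absolute-form request targets.
  const path = typeof req.url === 'string' && req.url.startsWith('/') ? req.url : '/';
  // 301 for safe methods, 308 so other methods are not rewritten to GET.
  const status = req.method === 'GET' || req.method === 'HEAD' ? 301 : 308;
  return { action: 'redirect', status, location: `https://${host}${path}` };
}

// Connect/Express-style middleware built on the decision function.
function enforceHttps(req, res, next) {
  const d = httpsDecision(req);
  if (d.action === 'redirect') {
    res.writeHead(d.status, { Location: d.location });
    return res.end();
  }
  if (d.action === 'reject') {
    res.writeHead(d.status);
    return res.end();
  }
  if (d.hsts) res.setHeader('Strict-Transport-Security', d.hsts);
  next();
}
```

Register it before any routes, for example `app.use(enforceHttps)` in an Express app.
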
1

On GCP this should be as easy as just using the gcloud app CLI to configure a header (Strict-Transport-Security) or redirect rule. Perhaps the push is to force us to Firebase Hosting instead, which is forcing HTTPS already. For a quick solution for single-page apps (static content) with React, Angular etc., we can use this JS snippet.

It ignores localhost environments. You can change localhost with a host name that you would like to exclude. It then redirects using https as protocol.

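// Skip localhost; everywhere else, leave plain HTTP for the HTTPS origin.
if (location.host.indexOf("localhost") < 0 && location.protocol.toLowerCase() !== "https:") {
  // Redirects to the site root; the current path and query are not carried over.
  const url = `https://${location.host}`;
  location.replace(url);
}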
Dharman
ozkary