From 6e9e694f66c756ae475d1cc57f2838a34ae4e521 Mon Sep 17 00:00:00 2001
From: Paul Slater
Date: Wed, 16 Nov 2016 14:17:47 +0000
Subject: [PATCH] Add setting to cause insecure redirect (#1054) * add support for editor insecure redirect setting set insecureRedirect: true to cause the editor app to redirect insecure connections * document insecureRedirect * use req.originalUrl instead of req.url url has the path removed, whereas originalUrl preserves the path - ie /red
---
 red/api/index.js | 10 ++++++++++
 settings.js | 4 ++++
 2 files changed, 14 insertions(+)
diff --git a/red/api/index.js b/red/api/index.js
index 4200af192..01eee65a3 100644
--- a/red/api/index.js
+++ b/red/api/index.js
@@ -87,6 +87,16 @@ function init(_server,_runtime) {
 if (!settings.disableEditor) {
 ui.init(runtime);
 var editorApp = express();
+ if (settings.insecureRedirect) {
+ editorApp.enable('trust proxy');
+ editorApp.use(function (req, res, next) {
+ if (req.secure) {
+ next();
+ } else {
+ res.redirect('https://' + req.headers.host + req.originalUrl);
+ }
+ });
+ }
 editorApp.get("/",ensureRuntimeStarted,ui.ensureSlash,ui.editor);
 editorApp.get("/icons/:icon",ui.icon);
 theme.init(runtime);
diff --git a/settings.js b/settings.js
index a4dc8a87c..186352733 100644
--- a/settings.js
+++ b/settings.js
@@ -129,6 +129,10 @@ module.exports = {
 // cert: fs.readFileSync('certificate.pem')
 //},
 
+ // The following property can be used to cause insecure HTTP connections to be redirected
+ // to HTTPS.
+ //insecureRedirect: false
+
 // The following property can be used to disable the editor. The admin API
 // is not affected by this option. To disable both the editor and the admin
 // API, use either the httpRoot or httpAdminRoot properties
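Review bot: `editorApp.enable('trust proxy')` is switched on unconditionally whenever `insecureRedirect` is set, so `req.secure` follows the `X-Forwarded-Proto` header even when no reverse proxy sits in front of the editor, and a plain-HTTP request carrying that header reaches `next()` without being redirected. Trust should be limited to the proxies the deployment really has, for example `editorApp.set('trust proxy', 'loopback');`, or left off when Node-RED terminates TLS itself. The redirect target is also built from `req.headers.host`, which is client-supplied and may be absent or carry the plain-HTTP port, so the Location value should come from a configured host name or at least be validated before use. The enclosing `init` function starts and ends outside this hunk.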
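Review bot: The commented example `//insecureRedirect: false` lacks the trailing comma that the neighbouring `//},` entry carries, so uncommenting it as written breaks the object literal whenever another property follows; I would write `//insecureRedirect: false,`. The comment should also state that setting the option enables Express `trust proxy` on the editor app, because that changes how forwarded headers are interpreted in deployments without a proxy, and that (judging from the red/api/index.js hunk) only the editor routes are redirected. The `module.exports` object starts and ends outside this hunk.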