Add setting to cause insecure redirect (#1054)

* add support for editor insecure redirect setting

set insecureRedirect: true to cause the editor app to redirect insecure connections

* document insecureRedirect

* use req.originalUrl instead of req.url

url has the path removed, whereas originalUrl preserves the path - ie /red

red/api/index.js

@@ -87,6 +87,16 @@ function init(_server,_runtime) {
         if (!settings.disableEditor) {
             ui.init(runtime);
             var editorApp = express();
+            if (settings.insecureRedirect) {
+                editorApp.enable('trust proxy');
+                editorApp.use(function (req, res, next) {
+                    if (req.secure) {
+                        next();
+                    } else {
+                        res.redirect('https://' + req.headers.host + req.originalUrl);
+                    }
+                });
+            }
             editorApp.get("/",ensureRuntimeStarted,ui.ensureSlash,ui.editor);
             editorApp.get("/icons/:icon",ui.icon);
             theme.init(runtime);

settings.js

@@ -129,6 +129,10 @@ module.exports = {
     //    cert: fs.readFileSync('certificate.pem')
     //},
 
+    // The following property can be used to cause insecure HTTP connections to be redirected
+    // to HTTPS.
+    //insecureRedirect: false
+
     // The following property can be used to disable the editor. The admin API
     // is not affected by this option. To disable both the editor and the admin
     // API, use either the httpRoot or httpAdminRoot properties