[http/samlproxy] listener address in yaml; add unsecure listener for http->https...
authorDan Fuhry <dan@fuhry.com>
Sun, 23 Mar 2025 02:20:03 +0000 (22:20 -0400)
committerDan Fuhry <dan@fuhry.com>
Sun, 23 Mar 2025 02:20:03 +0000 (22:20 -0400)
http/samlproxy.go
http/samlproxy/main.go

index 610ab62b510a183df065c3701846b27d18a7a7c3..da87141f2fc69aa5a5d2cb260fc5ba589f21345f 100644 (file)
@@ -74,6 +74,8 @@ type SAMLServiceProvider struct {
 type SAMLListener struct {
        *SAMLServiceProvider `yaml:"saml"`
 
+       Addr         string                      `yaml:"listen"`
+       InsecureAddr string                      `yaml:"listen_insecure"`
        Certificate  string                      `yaml:"cert"`
        VirtualHosts map[string]*SAMLVirtualHost `yaml:"virtual_hosts"`
 }
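Review bot: The new `Addr` and `InsecureAddr` fields carry no doc comments, and nothing tells a config author that an empty `listen_insecure` does not disable the plaintext listener — the fallback added later in this commit substitutes `[::]:8080` for it. I would document both fields, e.g. `// Addr is the TLS listener address; empty means "[::]:8443".` and `// InsecureAddr is the plain-HTTP redirector address; empty means "[::]:8080" (there is currently no value that disables it).` If opting out of the plaintext listener is meant to be possible, the fallback needs a sentinel other than the empty string.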
@@ -236,8 +238,14 @@ func (sp *SAMLProxy) NewHTTPServerWithContext(ctx context.Context) (*http.Server
                return nil, err
        }
 
+       addr := sp.Listener.Addr
+       if addr == "" {
+               addr = "[::]:8443"
+       }
+
        lm := log.NewLoggingMiddlewareWithLogger(handler, sp.logger)
        server := &http.Server{
+               Addr:    addr,
                Handler: lm.HandlerFunc(),
        }
 
@@ -253,6 +261,37 @@ func (sp *SAMLProxy) NewHTTPServerWithContext(ctx context.Context) (*http.Server
        return server, nil
 }
 
+func (sp *SAMLProxy) NewHTTPSRedirectorWithContext(ctx context.Context) *http.Server {
+       addr := sp.Listener.InsecureAddr
+       if addr == "" {
+               addr = "[::]:8080"
+       }
+
+       server := &http.Server{
+               Addr: addr,
+               Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+                       host := r.Host
+                       if host == "" {
+                               w.WriteHeader(http.StatusBadRequest)
+                               return
+                       }
+
+                       if _, ok := sp.Listener.VirtualHosts[host]; !ok {
+                               w.WriteHeader(http.StatusMisdirectedRequest)
+                               return
+                       }
+
+                       newUrl := *r.URL
+                       newUrl.Scheme = "https"
+                       newUrl.Host = host
+                       w.Header().Set("location", newUrl.String())
+                       w.WriteHeader(http.StatusFound)
+               }),
+       }
+
+       return server
+}
+
 func (sp *SAMLServiceProvider) Metadata() (*saml.EntityDescriptor, error) {
        var err error
        sp.metadataOnce.Do(func() {
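Review bot: The redirector's `http.Server` literal in the middle of the hunk sets no `ReadHeaderTimeout`, so a client can hold a plaintext connection open indefinitely by trickling request headers (gosec G112); add `ReadHeaderTimeout: 10 * time.Second,` to the literal (this file would need `time` imported if it is not already). The `302 Found` at the end of the handler lets browsers replay a POST as a GET and drop the body; `w.WriteHeader(http.StatusPermanentRedirect)` (308) is the method-preserving form, or `http.Redirect(w, r, newUrl.String(), http.StatusPermanentRedirect)` if a small HTML body is acceptable. The vhost lookup uses `r.Host` verbatim, which carries a `:port` suffix whenever the client connected on a non-default port, so unless the `VirtualHosts` keys include the port every such request is answered 421 — that depends on how the keys are written, which is not visible here. Likewise the redirect targets `https://<host>/` on 443 while the TLS listener defaults to 8443, which only works with a front-end or port mapping in between. The `ctx` parameter is never used, so nothing ties this server's lifetime to the context; if `main` only calls `Shutdown` on the TLS server, this one should be shut down as well.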
index b8daa0362e22f394ce4c0906e1e99ab6b7d580f3..50ff0ab262fdd07b42fdc5011753843fec356f43 100644 (file)
@@ -59,7 +59,8 @@ func main() {
        flag.StringVar(&vhost.Backend.Host, "backend.host", "127.0.0.1", "backend host")
        flag.IntVar(&vhost.Backend.Port, "backend.port", 0, "backend port")
        flag.StringVar(&vhost.Backend.Identity, "backend.mtls-id", "", "backend mTLS identity; omit to disable TLS to backend")
-       listen := flag.String("listen", "[::]:8443", "address for auth proxy to listen on")
+       flag.StringVar(&sp.Listener.Addr, "listen", "[::]:8443", "address for auth proxy to listen on")
+       flag.StringVar(&sp.Listener.InsecureAddr, "listen.http", "[::]:8080", "address for http-to-https redirector")
 
        flag.Parse()
 
@@ -71,9 +72,11 @@ func main() {
        if err != nil {
                log.Panic(err)
        }
-       server.Addr = *listen
        go server.ListenAndServeTLS("", "")
 
+       unsecureServer := sp.NewHTTPSRedirectorWithContext(ctx)
+       go unsecureServer.ListenAndServe()
+
        daemon.SdNotify(false, daemon.SdNotifyReady)
 
        <-ctx.Done()
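Review bot: `go unsecureServer.ListenAndServe()` discards the returned error, so if the redirector port is already bound the process still signals `SdNotifyReady` two lines later and runs without the HTTP-to-HTTPS redirect, silently; the existing `ListenAndServeTLS` line has the same gap. Wrap the call so a bind failure is fatal while a clean `Shutdown` (which returns `http.ErrServerClosed`) is not reported as an error, and give the TLS server the same treatment. This needs `errors` and `net/http` imported in main.go if they are not already; `log.Panic` is what this function already uses for fatal errors. `main` starts before the hunk, and whether the shutdown path after `<-ctx.Done()` also stops `unsecureServer` is not visible here.
```go
unsecureServer := sp.NewHTTPSRedirectorWithContext(ctx)
go func() {
	if err := unsecureServer.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
		log.Panic(err)
	}
}()
// … unchanged: daemon.SdNotify and the ctx wait …
```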