From: Dan Fuhry Date: Sun, 23 Mar 2025 02:20:03 +0000 (-0400) Subject: [http/samlproxy] listener address in yaml; add unsecure listener for http->https... X-Git-Url: https://go.fuhry.dev/?a=commitdiff_plain;h=42354d672e88cb091212b747f10c3cb2961cdff9;p=runtime.git [http/samlproxy] listener address in yaml; add unsecure listener for http->https redirections
---
diff --git a/http/samlproxy.go b/http/samlproxy.go
index 610ab62..da87141 100644
--- a/http/samlproxy.go
+++ b/http/samlproxy.go
@@ -74,6 +74,8 @@ type SAMLServiceProvider struct {
 type SAMLListener struct {
 *SAMLServiceProvider `yaml:"saml"`
+ Addr string `yaml:"listen"`
+ InsecureAddr string `yaml:"listen_insecure"`
 Certificate string `yaml:"cert"`
 VirtualHosts map[string]*SAMLVirtualHost `yaml:"virtual_hosts"`
 }
@@ -236,8 +238,14 @@ func (sp *SAMLProxy) NewHTTPServerWithContext(ctx context.Context) (*http.Server
 return nil, err
 }
+ addr := sp.Listener.Addr
+ if addr == "" {
+ addr = "[::]:8443"
+ }
+
 lm := log.NewLoggingMiddlewareWithLogger(handler, sp.logger)
 server := &http.Server{
+ Addr: addr,
 Handler: lm.HandlerFunc(),
 }
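Review bot: The two new exported fields `Addr` and `InsecureAddr` carry no doc comment, so a reader of the type cannot tell that an empty value does not mean "disabled" but a default the constructors fill in later in this commit (`[::]:8443` and `[::]:8080`). I would add `// Addr is the TLS listener address (yaml "listen"); empty selects [::]:8443.` above `Addr` and `// InsecureAddr is the plain-HTTP listener that only redirects to https (yaml "listen_insecure"); empty selects [::]:8080.` above `InsecureAddr`. Naming the second field `InsecureAddr` while the flag in main.go is `listen.http` and the commit title says "unsecure" is three spellings for one thing; one term in the comments would help.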
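Review bot: The `http.Server` literal that gains `Addr: addr` still sets no `ReadHeaderTimeout`, `ReadTimeout` or `IdleTimeout`, so the TLS listener will hold connections whose headers never arrive for as long as the client likes; unless the lines between this hunk and `return server, nil` (not shown) set them, I would add at least `ReadHeaderTimeout: 10 * time.Second,` next to `Addr` (needs `time` imported). The `"[::]:8443"` fallback here duplicates the flag default in main.go, so a single shared constant, say `DefaultListenAddr`, would keep the yaml and CLI defaults from drifting. NewHTTPServerWithContext starts and ends outside the hunk.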
@@ -253,6 +261,37 @@ func (sp *SAMLProxy) NewHTTPServerWithContext(ctx context.Context) (*http.Server
 return server, nil
 }
+func (sp *SAMLProxy) NewHTTPSRedirectorWithContext(ctx context.Context) *http.Server {
+ addr := sp.Listener.InsecureAddr
+ if addr == "" {
+ addr = "[::]:8080"
+ }
+
+ server := &http.Server{
+ Addr: addr,
+ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ host := r.Host
+ if host == "" {
+ w.WriteHeader(http.StatusBadRequest)
+ return
+ }
+
+ if _, ok := sp.Listener.VirtualHosts[host]; !ok {
+ w.WriteHeader(http.StatusMisdirectedRequest)
+ return
+ }
+
+ newUrl := *r.URL
+ newUrl.Scheme = "https"
+ newUrl.Host = host
+ w.Header().Set("location", newUrl.String())
+ w.WriteHeader(http.StatusFound)
+ }),
+ }
+
+ return server
+}
+
 func (sp *SAMLServiceProvider) Metadata() (*saml.EntityDescriptor, error) {
 var err error
 sp.metadataOnce.Do(func() {
diff --git a/http/samlproxy/main.go b/http/samlproxy/main.go
index b8daa03..50ff0ab 100644
--- a/http/samlproxy/main.go
+++ b/http/samlproxy/main.go
@@ -59,7 +59,8 @@ func main() {
 flag.StringVar(&vhost.Backend.Host, "backend.host", "127.0.0.1", "backend host")
 flag.IntVar(&vhost.Backend.Port, "backend.port", 0, "backend port")
 flag.StringVar(&vhost.Backend.Identity, "backend.mtls-id", "", "backend mTLS identity; omit to disable TLS to backend")
- listen := flag.String("listen", "[::]:8443", "address for auth proxy to listen on")
+ flag.StringVar(&sp.Listener.Addr, "listen", "[::]:8443", "address for auth proxy to listen on")
+ flag.StringVar(&sp.Listener.InsecureAddr, "listen.http", "[::]:8080", "address for http-to-https redirector")
 flag.Parse()
@@ -71,9 +72,11 @@ func main() {
 if err != nil {
 log.Panic(err)
 }
- server.Addr = *listen
 go server.ListenAndServeTLS("", "")
+ unsecureServer := sp.NewHTTPSRedirectorWithContext(ctx)
+ go unsecureServer.ListenAndServe()
+
 daemon.SdNotify(false, daemon.SdNotifyReady)
 <-ctx.Done()
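Review bot: `r.Host` is looked up verbatim in `sp.Listener.VirtualHosts` and then reused unchanged as the https authority, which goes wrong on both sides when the redirector runs on its non-443 default `[::]:8080`: a browser sends `Host: example.com:8080`, which will not match a map keyed by bare hostnames (as the `virtual_hosts` yaml suggests — please confirm the key format), so every request gets 421; and when a key does match, the Location drops the port and points at 443 even though the TLS listener defaults to `[::]:8443`. I would split the port off with `net.SplitHostPort` before the lookup and re-attach the TLS listener's port (from `sp.Listener.Addr`, with the same `[::]:8443` fallback NewHTTPServerWithContext applies) unless it is 443, as below (needs `net` imported); the validated-against-the-map check is what keeps this from becoming an open redirect, so it must stay in front of the Location write. The plaintext server also sets no `ReadHeaderTimeout`, `ctx` is accepted but never used in the body, and `newUrl` should be `newURL` per Go initialism style.
```go
	Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Clients on a non-443 port send "host:port"; match on the bare hostname.
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if host == "" {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		// Only hosts we actually serve may appear in the Location header.
		if _, ok := sp.Listener.VirtualHosts[host]; !ok {
			w.WriteHeader(http.StatusMisdirectedRequest)
			return
		}
		// Send the client to the TLS listener's real port unless it is the https default.
		tlsAddr := sp.Listener.Addr
		if tlsAddr == "" {
			tlsAddr = "[::]:8443"
		}
		target := host
		if _, port, err := net.SplitHostPort(tlsAddr); err == nil && port != "443" {
			target = net.JoinHostPort(host, port)
		}
		newURL := *r.URL
		newURL.Scheme = "https"
		newURL.Host = target
		http.Redirect(w, r, newURL.String(), http.StatusFound)
	}),
```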
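Review bot: With `-listen.http` defaulting to `[::]:8080` and `NewHTTPSRedirectorWithContext` treating an empty `InsecureAddr` as "use `[::]:8080`", an operator has no way to run without the plaintext listener: every invocation now binds an additional unauthenticated port, including deployments that already terminate http elsewhere. A recognised off-value would close that gap, e.g. `flag.StringVar(&sp.Listener.InsecureAddr, "listen.http", "[::]:8080", "address for http-to-https redirector (\"none\" to disable)")` with main skipping the redirector when the value is `none`; alternatively default the flag to empty and let the constructor's fallback decide, so the yaml and CLI paths behave the same. main continues outside the hunk.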
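Review bot: `go unsecureServer.ListenAndServe()` discards its error, so when `[::]:8080` is already bound or cannot be opened the goroutine exits silently while `daemon.SdNotify(false, daemon.SdNotifyReady)` still reports the service healthy; this mirrors the existing `ListenAndServeTLS` line, but the new listener should at least log the failure, e.g. `go func() { if err := unsecureServer.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) { log.Print(err) } }()` (stdlib `errors`, or the project's logger in place of `log.Print`). Nothing in the hunk shuts the redirector down on `<-ctx.Done()`; if `server` receives a `Shutdown` call past the hunk end, `unsecureServer` needs the same treatment. main continues outside the hunk.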