feat(webserver): add support for force_ssl attribute

Resolves #189
ajgon · Oct 2, 2018 · 3bd46f5 · 3bd46f5
1 parent e8164a1
commit 3bd46f5
Show file tree

Hide file tree

Showing 8 changed files with 77 additions and 6 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -98,6 +98,7 @@
 default['defaults']['webserver']['remove_default_sites'] = %w[
   default default.conf 000-default 000-default.conf default-ssl default-ssl.conf
 ]
+default['defaults']['webserver']['force_ssl'] = false
 
 ## apache2
 

diff --git a/docs/source/attributes.rst b/docs/source/attributes.rst
@@ -593,6 +593,13 @@ webserver
      SSL requests are enabled. Note that SSL itself is controlled by the
      ``app['enable_ssl']`` setting in Opsworks.
 
+-  ``app['webserver']['force_ssl']``
+
+  -  **Supported values:** ``true``, ``false``
+  -  **Default** ``false``
+  -  When this parameter is set to ``true`` all requests passed to http will
+     be redirected to https, with 301 status code.
+
 -  ``app['webserver']['site_config_template']``
 
   -  **Default** ``appserver.apache2.conf.erb`` or ``appserver.nginx.conf.erb``

diff --git a/libraries/drivers_webserver_apache2.rb b/libraries/drivers_webserver_apache2.rb
@@ -8,7 +8,7 @@ class Apache2 < Drivers::Webserver::Base
       packages debian: 'apache2', rhel: %w[httpd24 mod24_ssl]
       output filter: %i[
         dhparams keepalive_timeout limit_request_body log_dir log_level proxy_timeout
-        ssl_for_legacy_browsers extra_config extra_config_ssl port ssl_port
+        ssl_for_legacy_browsers extra_config extra_config_ssl port ssl_port force_ssl
       ]
       notifies :deploy,
                action: :reload, resource: { debian: 'service[apache2]', rhel: 'service[httpd]' }, timer: :delayed

diff --git a/libraries/drivers_webserver_nginx.rb b/libraries/drivers_webserver_nginx.rb
@@ -8,7 +8,7 @@ class Nginx < Drivers::Webserver::Base
       output filter: %i[
         build_type client_body_timeout client_header_timeout client_max_body_size dhparams keepalive_timeout
         log_dir log_level proxy_read_timeout proxy_send_timeout send_timeout ssl_for_legacy_browsers
-        extra_config extra_config_ssl enable_upgrade_method port ssl_port
+        extra_config extra_config_ssl enable_upgrade_method port ssl_port force_ssl
       ]
       notifies :deploy, action: :reload, resource: 'service[nginx]', timer: :delayed
       notifies :undeploy, action: :reload, resource: 'service[nginx]', timer: :delayed

diff --git a/spec/unit/recipes/configure_spec.rb b/spec/unit/recipes/configure_spec.rb
@@ -268,6 +268,21 @@
       expect(chef_run).to create_link("/etc/nginx/sites-enabled/#{aws_opsworks_app['shortname']}.conf")
     end
 
+    it 'creates proper redirects for force ssl' do
+      chef_run = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
+        deploy = node['deploy']
+        deploy[aws_opsworks_app['shortname']]['webserver']['force_ssl'] = true
+        solo_node.set['deploy'] = deploy
+        solo_node.set['nginx'] = node['nginx']
+      end.converge(described_recipe)
+      expect(chef_run)
+        .to render_file("/etc/nginx/sites-available/#{aws_opsworks_app['shortname']}.conf")
+        .with_content('return 301 https://$host$request_uri;')
+      expect(chef_run)
+        .not_to render_file("/etc/nginx/sites-available/#{aws_opsworks_app['shortname']}.conf")
+        .with_content('# http support')
+    end
+
     it 'enables ssl rules for legacy browsers in nginx config' do
       chef_run = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
         deploy = node['deploy']
@@ -625,6 +640,21 @@
       expect(chef_run).to create_link("/etc/apache2/sites-enabled/#{aws_opsworks_app['shortname']}.conf")
     end
 
+    it 'creates proper redirects for force ssl' do
+      chef_run = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
+        deploy = node['deploy']
+        deploy[aws_opsworks_app['shortname']]['webserver']['adapter'] = 'apache2'
+        deploy[aws_opsworks_app['shortname']]['webserver']['force_ssl'] = true
+        solo_node.set['deploy'] = deploy
+      end.converge(described_recipe)
+      expect(chef_run)
+        .to render_file("/etc/apache2/sites-available/#{aws_opsworks_app['shortname']}.conf")
+        .with_content('RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]')
+      expect(chef_run)
+        .not_to render_file("/etc/apache2/sites-available/#{aws_opsworks_app['shortname']}.conf")
+        .with_content('# http support')
+    end
+
     it 'enables ssl rules for legacy browsers in apache2 config' do
       chefrun = ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
         deploy = node['deploy']

diff --git a/templates/default/appserver.apache2.passenger.conf.erb b/templates/default/appserver.apache2.passenger.conf.erb
@@ -10,6 +10,17 @@ Header always unset "X-Powered-By"
   ServerName <%= node['hostname'] %>
   ServerAlias <%= @application[:domains].join(" ") %>
 
+<% if @application[:enable_ssl] && @out[:force_ssl] %>
+<% if @out[:ssl_port].to_i == 443 %>
+  RewriteEngine On
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
+<% else %>
+  RewriteEngine On
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}:<%= @out[:ssl_port] %>/$1 [R=301,L]
+<% end %>
+
+<% else %>
+  # http support
   DocumentRoot <%= File.join(@deploy_dir, 'current', 'public') %>
 
   <Directory <%= File.join(@deploy_dir, 'current') %>>
@@ -52,13 +63,14 @@ Header always unset "X-Powered-By"
   </Location>
 
   RewriteEngine on
+<% end %>
 
   <%= @out[:extra_config] %>
 
 </VirtualHost>
 
 <% if @application[:enable_ssl] %>
-<% unless @out[:ssl_port] == 443 %>
+<% unless @out[:ssl_port].to_i == 443 %>
 Listen <%= @out[:ssl_port] %>
 <% end -%>
 

diff --git a/templates/default/appserver.apache2.upstream.conf.erb b/templates/default/appserver.apache2.upstream.conf.erb
@@ -8,6 +8,17 @@ Listen <%= @out[:port] %>
   ServerName <%= node['hostname'] %>
   ServerAlias <%= @application[:domains].join(" ") %>
 
+<% if @application[:enable_ssl] && @out[:force_ssl] %>
+<% if @out[:ssl_port].to_i == 443 %>
+  RewriteEngine On
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
+<% else %>
+  RewriteEngine On
+  RewriteRule ^/?(.*) https://%{SERVER_NAME}:<%= @out[:ssl_port] %>/$1 [R=301,L]
+<% end %>
+
+<% else %>
+  # http support
   DocumentRoot <%= File.join(@deploy_dir, 'current', 'public') %>
 
   <Directory <%= File.join(@deploy_dir, 'current') %>>
@@ -54,13 +65,13 @@ Listen <%= @out[:port] %>
     Order deny,allow
     Allow from all
   </Proxy>
+<% end %>
 
   <%= @out[:extra_config] %>
-
 </VirtualHost>
 
 <% if @application[:enable_ssl] %>
-<% unless @out[:ssl_port] == 443 %>
+<% unless @out[:ssl_port].to_i == 443 %>
 Listen <%= @out[:ssl_port] %>
 <% end -%>
 

diff --git a/templates/default/appserver.nginx.conf.erb b/templates/default/appserver.nginx.conf.erb
@@ -19,6 +19,15 @@ server {
   keepalive_timeout <%= @out[:keepalive_timeout] || '15' %>;
   send_timeout <%= @out[:send_timeout] || '10' %>;
 
+<% if @application[:enable_ssl] && @out[:force_ssl] %>
+# Force all http requests to https
+<% if @out[:ssl_port].to_i == 443 %>
+  return 301 https://$host$request_uri;
+<% else %>
+  return 301 https://$host:<%= @out[:ssl_port] %>$request_uri;
+<% end %>
+<% else %>
+  # http support
   location / {
     try_files $uri/index.html $uri/index.htm @<%= @name %>;
   }
@@ -51,7 +60,8 @@ server {
       proxy_pass http://<%= @name %>_<%= @application[:domains].first %>;
       break;
     }
-  }
+}
+<% end %>
 
   location /nginx_status {
     stub_status on;