New congig option to redirect HTTP to HTTPS

lorawan_server.config

@@ -9,8 +9,11 @@
     % {http_admin_listen_ssl, [
     %     {port, 8443},
     %     {certfile, "cert.pem"},
+    %     {cacertfile, "cacert.pem"},
     %     {keyfile, "key.pem"}
     % ]},
+    % redirect all http traffic to https (when both http and https are enabled)
+    {http_admin_redirect_ssl, true},
     % default username and password for the admin interface
     {http_admin_credentials, {<<"admin">>, <<"admin">>}},
     % amount of rxframes retained for each device/node

src/lorawan_admin_logger.erl

@@ -50,7 +50,7 @@ add_security_headers(Headers) ->
         <<"content-security-policy">> => ContentSecurity
     }.
 
-log_error(Status, _Peer, _Path) when Status == 304; Status == 401 ->
+log_error(Status, _Peer, _Path) when Status == 301; Status == 304; Status == 401 ->
     ok;
 log_error(Status, {IP, _Port}, Path) ->
     lorawan_utils:throw_warning(server, {http_error, {Status, binary_to_list(Path), IP}}).

src/lorawan_admin_redirect.erl

@@ -0,0 +1,15 @@
+%
+% Copyright (c) 2016-2018 Petr Gotthard <petr.gotthard@centrum.cz>
+% All rights reserved.
+% Distributed under the terms of the MIT License. See the LICENSE file.
+%
+-module(lorawan_admin_redirect).
+
+-export([init/2]).
+
+init(Req0, Target) ->
+    URI = cowboy_req:uri(Req0, Target),
+    Req = cowboy_req:reply(301, #{<<"location">> => URI}, Req0),
+    {ok, Req, Target}.
+
+% end of file

src/lorawan_app.erl

@@ -15,24 +15,24 @@ start() ->
 start(_Type, _Args) ->
     ok = ensure_erlang_version(19),
     lorawan_db:ensure_tables(),
-    Dispatch = cowboy_router:compile([
-        {'_', lorawan_http_registry:static_routes()}
-    ]),
-    case application:get_env(lorawan_server, http_admin_listen, undefined) of
-        undefined ->
-            ok;
-        HttpOpts ->
-            {ok, _} = cowboy:start_clear(http, HttpOpts, #{
-                env => #{dispatch => Dispatch},
-                stream_handlers => [lorawan_admin_logger, cowboy_compress_h, cowboy_stream_h]})
-    end,
-    case application:get_env(lorawan_server, http_admin_listen_ssl, undefined) of
-        undefined ->
+    case {application:get_env(lorawan_server, http_admin_listen, []),
+            application:get_env(lorawan_server, http_admin_listen_ssl, [])} of
+        {[], []} ->
+            lager:warning("Web-admin does not listen on any port"),
             ok;
-        SslOpts ->
-            {ok, _} = cowboy:start_tls(https, SslOpts, #{
-                env => #{dispatch => Dispatch},
-                stream_handlers => [lorawan_admin_logger, cowboy_compress_h, cowboy_stream_h]})
+        {HttpOpts, []} ->
+            start_http(HttpOpts, normal_dispatch());
+        {[], SslOpts} ->
+            start_https(SslOpts, normal_dispatch());
+        {HttpOpts, SslOpts} ->
+            start_https(SslOpts, normal_dispatch()),
+            start_http(HttpOpts,
+                case application:get_env(lorawan_server, http_admin_redirect_ssl, true) of
+                    false ->
+                        normal_dispatch();
+                    true ->
+                        redirect_dispatch()
+                end)
     end,
     lorawan_sup:start_link().
 
@@ -47,4 +47,25 @@ ensure_erlang_version(Min) ->
         _Else -> {error, prerequisite_failed}
     end.
 
+normal_dispatch() ->
+    cowboy_router:compile([
+        {'_', lorawan_http_registry:static_routes()}
+    ]).
+
+redirect_dispatch() ->
+    Port = ranch:get_port(https),
+    lager:info("Redirecting to HTTPS port ~B", [Port]),
+    cowboy_router:compile([{'_',
+        [{'_', lorawan_admin_redirect, #{scheme => <<"https">>, port => Port}}]}]).
+
+start_http(Opts, Dispatch) ->
+    {ok, _} = cowboy:start_clear(http, Opts, #{
+        env => #{dispatch => Dispatch},
+        stream_handlers => [lorawan_admin_logger, cowboy_compress_h, cowboy_stream_h]}).
+
+start_https(Opts, Dispatch) ->
+    {ok, _} = cowboy:start_tls(https, Opts, #{
+        env => #{dispatch => Dispatch},
+        stream_handlers => [lorawan_admin_logger, cowboy_compress_h, cowboy_stream_h]}).
+
 % end of file

src/lorawan_http_registry.erl

@@ -53,17 +53,22 @@ code_change(_OldVsn, State, _Extra) ->
 
 update_routes(State) ->
     Dispatch = compile_routes(State),
-    case application:get_env(lorawan_server, http_admin_listen, undefined) of
-        undefined ->
+    case {application:get_env(lorawan_server, http_admin_listen, []),
+            application:get_env(lorawan_server, http_admin_listen_ssl, [])} of
+        {[], []} ->
             ok;
-        _HttpOpts ->
-            cowboy:set_env(http, dispatch, Dispatch)
-    end,
-    case application:get_env(lorawan_server, http_admin_listen_ssl, undefined) of
-        undefined ->
-            ok;
-        _SslOpts ->
-            cowboy:set_env(https, dispatch, Dispatch)
+        {_HttpOpts, []} ->
+            cowboy:set_env(http, dispatch, Dispatch);
+        {[], _SslOpts} ->
+            cowboy:set_env(https, dispatch, Dispatch);
+        {_HttpOpts, _SslOpts} ->
+            cowboy:set_env(https, dispatch, Dispatch),
+            case application:get_env(lorawan_server, http_admin_redirect_ssl, true) of
+                false ->
+                    cowboy:set_env(http, dispatch, Dispatch);
+                true ->
+                    ok
+            end
     end.
 
 compile_routes(Dict) ->

src/lorawan_server.app.src

@@ -22,6 +22,7 @@
         ]},
         {packet_forwarder_listen, [{port, 1680}]},
         {http_admin_listen, [{port, 8080}]},
+        {http_admin_redirect_ssl, true},
         {http_admin_credentials, {<<"admin">>, <<"admin">>}},
         {http_content_security, <<"default-src * data: 'unsafe-inline' 'unsafe-eval';">>},
         {frames_before_adr, 50},