
nodejs: Upgrade / 302 redirect `http` to `https`

Open amithm7 opened this issue 3 years ago • 8 comments

NodeJS server on http://max.rethinkdns.com/ currently sends an empty reply.

amithm7 avatar Dec 07 '21 16:12 amithm7

Yikes. Better yet, set HSTS (despite its shortcomings): https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

For TLD rethinkdns.com HSTS can be enabled from the Cloudflare dashboard.

ignoramous avatar Dec 07 '21 19:12 ignoramous

@ignoramous Have enabled HSTS on rethinkdns.com and subdomains.

It works! For http://max.rethinkdns.com, response is:

HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS

(In the browser only; not via curl, though)

But I am confused how Cloudflare is inserting these headers, as max even has a different NS!

Have set max-age: 1 month (needed for subdomains). If everything looks good, it may be set to 6 months as recommended or 1 year?

amithm7 avatar Dec 08 '21 06:12 amithm7

> But I am confused how Cloudflare is inserting these headers, as max even has a different NS!

NS in general has no bearing on TLS certificate issuance. It is just that the ACME protocol ties in TLS with NS. CDNs usually vend certs via ALPN challenges.

Cloudflare "controls" the rethinkdns.com TLD, and can issue certs for all its immediate subdomains, *.rethinkdns.com, which they do (or Workers and Pages wouldn't work over HTTPS).

ignoramous avatar Dec 08 '21 10:12 ignoramous

> If everything looks good, it may be set to 6 months as recommended or 1 year?

1yr sounds good to me.

ignoramous avatar Dec 08 '21 11:12 ignoramous

Have set max-age to 1 year.

amithm7 avatar Dec 08 '21 18:12 amithm7

@ignoramous

HSTS redirect to https from http only works when browser knows of HSTS on the domain.

To reproduce, try opening http://max.rethinkdns.com/ from an Incognito window in Chrome; no redirect to https happens. But once you open https://max.rethinkdns.com/, redirects start working again.

I guess these Response headers come from browser itself:

HTTP/1.1 307 Internal Redirect
Location: https://max.rethinkdns.com/
Non-Authoritative-Reason: HSTS

Maybe HSTS Preload also needs to be enabled? https://hstspreload.org/?domain=rethinkdns.com

amithm7 avatar Dec 09 '21 07:12 amithm7

Preload lists are the Achilles' heel of HSTS.

HSTS could be used in addition to the 3xx redirect? I am not sure:

  1. If DoH clients ever use non HTTPS endpoints.
  2. If DoH clients ever follow HTTP redirects.

ignoramous avatar Dec 09 '21 10:12 ignoramous

@ignoramous No, DoH clients weren't my concern.

https upgrade is needed for when someone would paste in a DoT hostname like 1-EAABAAA.max.rethinkdns.com in the browser and by default (in most browsers), it would try to connect over http. That's how I noticed this problem.

amithm7 avatar Dec 09 '21 11:12 amithm7