Add a setting to disallow HTTP to HTTPS redirects

Mirrorbits doens't respect the incoming protocol *strictly*, instead the
behavior is as such:
- HTTPS request: HTTPS redirect
- HTTP  request: HTTP or HTTPS redirect

So it doesn't try to respect the HTTP protocol, and is happy to redirect
HTTP requests to HTTPS. Which makes sense if mirrorbits is meant to
serve files downloaded from a web browser, where HTTPS is the norm.

However for Linux distro, for a package repository, it's important to
respect the incoming protocol. There are minimal systems that don't have
HTTPS support out of the box. For Debian (and Debian-like), the standard
Docker image doesn't have CA certificates pre-installed, and apt is
configured to use HTTP repositories. The first command to run is `apt
update`, and if ever that gets redirected to HTTPS, apt fails.

With this commit, we can now change this behavior, and ask mirrorbits to
respect the protocol strictly. As a bonus point, having it in
mirrobits.conf allows to document a rather obscure (but important)
aspect of mirrorbits behavior.

Note that, by default, the setting is true, so the default behavior of
mirrorbits is still the same: redirect HTTP to HTTPS is allowed.

Author: elboulangero

config/config.go

@@ -37,6 +37,7 @@ func defaultConfig() Configuration {
 		OutputMode:             "auto",
 		ListenAddress:          ":8080",
 		Gzip:                   false,
+		AllowHTTPToHTTPSRedirects: true,
 		SameDownloadInterval:   600,
 		RedisAddress:           "127.0.0.1:6379",
 		RedisPassword:          "",
@@ -71,6 +72,7 @@ type Configuration struct {
 	OutputMode              string     `yaml:"OutputMode"`
 	ListenAddress           string     `yaml:"ListenAddress"`
 	Gzip                    bool       `yaml:"Gzip"`
+	AllowHTTPToHTTPSRedirects bool     `yaml:"AllowHTTPToHTTPSRedirects"`
 	SameDownloadInterval    int        `yaml:"SameDownloadInterval"`
 	RedisAddress            string     `yaml:"RedisAddress"`
 	RedisPassword           string     `yaml:"RedisPassword"`

http/context.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+
+	. "github.com/etix/mirrorbits/config"
 )
 
 // RequestType defines the type of the request
@@ -67,11 +69,14 @@ func NewContext(w http.ResponseWriter, r *http.Request, t Templates) *Context {
 	}
 
 	// Check for HTTPS requirements
-	proto := r.Header.Get("X-Forwarded-Proto")
-	if strings.ToLower(proto) == "https" {
+	proto := strings.ToLower(r.Header.Get("X-Forwarded-Proto"))
+	if proto == "https" {
 		c.secureOption = WITHTLS
+	} else if proto == "http" && GetConfig().AllowHTTPToHTTPSRedirects == false {
+		c.secureOption = WITHOUTTLS
 	}
 
+	// Check if the query sets (thus overrides) HTTPS requirements
 	v, ok := c.v["https"]
 	if ok {
 		if v[0] == "1" {

mirrorbits.conf

@@ -30,6 +30,11 @@
 ## Enable Gzip compression
 # Gzip: false
 
+## Allow redirecting HTTP requests to HTTPS mirrors. If ever a mirror supports
+## both, HTTPS is favored. In other words, this setting forces HTTPS when
+## possible, thus making the implicit assumption that the client supports it.
+# AllowHTTPToHTTPSRedirects: true
+
 ## Interval in seconds between which 2 range downloads of a given file
 ## from a same origin (hashed (IP, user-agent) couple) are considered
 ## to be the same download. In particular, download statistics are not