HTTP to HTTPS redirection on App Engine Flexible

14
votes

I've followed the answer of this: Redirect from http to https in google cloud but it does not seem to be currently accurate any more. The anchor referenced ( https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml#security ) seems to have been removed but without a note of a replacement.

For reference, I am serving NodeJS over a Google App (flex) Engine. As per the answer I've got in my app.yaml: 

handlers:
- url: /.*
  script: IGNORED
  secure: always

Since HTTPS is obviously terminated before it hits my Express engine (and redirection on there would be useless); how is it currently correctly implemented?

Potentially helpful, I have an external domain attached via the "Custom domains" tab in the console, and there is indeed a SSL certificate configured (so if a user manually goes to https://.com everything is fine)

3
node.jsgoogle-app-enginegoogle-cloud-platform
What's your current problem? It should redirect to https as expected.Tatsuyuki Ishi
Correct. I want HTTP request to redirect to HTTPS, though this is not currently working (i.e. I just access HTTP normally without redirection when accessing the domain I have connected to this environment)Art
handlers: - url: /.* script: auto secure: always redirect_http_response_code: 301Robert Mihai Ionas

3 Answers

20
votes

The flexible environment does not current support handlers in the app.yaml. If you want https:// redirection, you have a few options:

  • Use helmet to do to HSTS stuff for you, and implement your own initial redirect.
  • I wrote a happy little library to always forces SSL on all routes for express yes-https

We are considering auto-redirecting all traffic to SSL by default. Do you think that would be a good thing for your apps?

9
votes

Pulling Justin's yes-https library, I was able to get this to work:

var app = express();
app.use(function(req, res, next){
  if (req.host != 'localhost' && req.get('X-Forwarded-Proto') == 'http') {
    res.redirect(`https://${req.host}${req.url}`);
    return;
  }

  app.router(req, res, next);
});

At first I thought I had to do that since I was on an appengine subdomain and couldn't use HSTS. Then I learned HSTS works fine for subdomains. :) Regardless, I thought people might want to see what the magic bit to use was if they didn't want to use yes-https for some reason.

Justin, auto-redirecting all traffic to SSL by default sounds great to me. I just spent hours trying to figure out how to do so before I found this post because I was trying to get my app to get Chrome's add to homescreen install banner as per https://developers.google.com/web/fundamentals/engage-and-retain/app-install-banners/.

1
votes

GCP This should be as easy to just use the gcloud app cli and configure a header (Strict-Transport-Security) or redirect rule. Perhaps the push is to force us to Firebase Hosting instead which is forcing HTTPS already. For a quick solution for Single Page apps (static content) with React, Angular etc, we can use this JS snippet.

It ignores localhost environments. You can change localhost with a host name that you would like to exclude. It then redirects using https as protocol.

 if ( location.host.indexOf("localhost") < 0 && location.protocol.toLowerCase() !== "https:"){
     const url= `https://${location.host}`;
    location.replace(url);    
  }