pjebs / restgate

Secure Authentication for REST API endpoints.
MIT License

HTTPSProtection works wrong on Google App Engine #3

Closed urakozz closed 9 years ago

urakozz commented 9 years ago

On Google App Engine the application always returns the error

{code:3, error:"Please use HTTPS connection"}

on http and on https

pjebs commented 9 years ago

Can you send me the code you used.

pjebs commented 9 years ago

In the meantime, you can use the prior commit (https://github.com/pjebs/restgate/commit/f74619a6f98c2313f588b58c191afcae321d0d3b) and use https://github.com/unrolled/secure

urakozz commented 9 years ago

@pjebs

```go
package main

import (
    "net/http"

    "github.com/codegangsta/negroni"
    "github.com/gorilla/context"
    "github.com/pjebs/restgate"
)

// C (the restgate Context callback) and router are defined elsewhere in the
// application and were not part of the posted snippet.

func init() { // on GAE Standard, handlers are registered in init() and served by the platform
    app := negroni.New()
    app.Use(negroni.NewRecovery())
    app.Use(negroni.NewLogger())
    app.Use(restgate.New(
        "X-Auth-Key",    // header carrying the API key
        "X-Auth-Secret", // header carrying the API secret
        restgate.Static, // keys and secrets are listed statically in Config
        restgate.Config{
            Context: C,
            Key:     []string{"12345"},
            Secret:  []string{"secret"},
        },
    ))
    app.UseHandler(router)
    http.Handle("/", context.ClearHandler(app))
}
```

Using HTTPS validation in an authentication middleware is an architectural overhead. Protocol verification is the responsibility of a load balancer (or a separate package); internal communications happen via TCP or HTTP.

pjebs commented 9 years ago

If you want to disable it, pass HTTPSProtectionOff=true in Config.

pjebs commented 9 years ago

Let me try and reproduce the bug in GAE.

urakozz commented 9 years ago

To be honest, I have already written my own implementation with an injectable authenticator, like this:

```go
// middleware and driver are the poster's own packages (not restgate); shown as posted.
middleware.NewAuthMiddleware(
    "X-Auth-Key",
    "X-Auth-Secret",
    middleware.AuthConfig{
        // Store the authenticated key on the request for downstream handlers.
        Context: func(r *http.Request, authenticatedKey string) {
            context.Set(r, 0, authenticatedKey)
        },
        // Look the secret up in Redis (hash "keys", field = key) and compare it.
        Authenticator: func(key, secret string) bool {
            sec := driver.Client.HGet("keys", key).Val()
            if sec == "" { // unknown key: HGet returns "", which must never match an empty secret
                return false
            }
            // crypto/subtle: constant-time comparison so response timing does not leak the secret.
            return subtle.ConstantTimeCompare([]byte(sec), []byte(secret)) == 1
        },
    },
)
```

pjebs commented 9 years ago

I tested it on GAE. I simply can't reproduce the error. Are you using GAE or a Managed Environment with Google Cloud Platform?

pjebs commented 9 years ago

Are you using a load-balancer such as nginx outside of GAE which communicates to its GAE instances in HTTP and changes the header to "X-Forwarded-Proto": "https" to indicate that it was originally HTTPS?

That message you are receiving can only possibly occur if you DON'T set HTTPSProtectionOff (which you aren't). The above reason could explain the issue.

pjebs commented 8 years ago

I used Restgate on the GAE-Flexible Environment for the first time (previously the Managed Environment). I can confirm this bug. The bug is not present in the GAE-Standard Environment.

On the Flexible Environment, the only way to detect if the original request is HTTPS is via the custom header: X-AppEngine-Https set to on (https://cloud.google.com/appengine/docs/flexible/nodejs/runtime#https_and_forwarding_proxies)

For this reason, I recommend turning off HTTPS Protection on restgate, e.g. restgate.Config{HTTPSProtectionOff: true, ...}, and securing the URL endpoint via the app.yaml file (https://cloud.google.com/appengine/docs/flexible/go/configuring-your-app-with-app-yaml#security), e.g.

```yaml
handlers:
- url: /api
  script: _go_app
  secure: always
```

Alternatively, test for HTTPS on each and every handler under restgate by checking X-AppEngine-Https.
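The header-based HTTPS check described above, as an added Go example that is not restgate's code: the ProxyTrust type, IsHTTPS and RequireHTTPS are names assumed here, and the 403 status is this example's choice. It honours X-AppEngine-Https or X-Forwarded-Proto only when the deployment says its proxy sets that header, because a client can send either header itself on a plain HTTP request.

```go
package main

import (
	"net/http"
	"strings"
)

// ProxyTrust records which forwarded-protocol headers the deployment's front end is known to set (constructed for this example; not restgate's API).
type ProxyTrust struct {
	AppEngineFlexible bool // honour X-AppEngine-Https (set by the GAE Flexible proxy)
	ForwardedProto    bool // honour X-Forwarded-Proto (set by a load balancer you control)
}

// IsHTTPS reports whether the client-facing hop used TLS. A direct TLS connection always
// counts; proxy headers count only when trusted, since any client can forge them.
func IsHTTPS(r *http.Request, trust ProxyTrust) bool {
	if r.TLS != nil {
		return true
	}
	if trust.AppEngineFlexible && strings.EqualFold(r.Header.Get("X-AppEngine-Https"), "on") {
		return true
	}
	if trust.ForwardedProto {
		// The header may hold a comma-separated chain; the first entry is the client-facing hop.
		first := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0])
		return strings.EqualFold(first, "https")
	}
	return false
}

// RequireHTTPS rejects non-TLS requests with a JSON error in the shape quoted in this
// issue (the 403 status is this example's choice) and otherwise calls next.
func RequireHTTPS(trust ProxyTrust, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsHTTPS(r, trust) {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			w.Write([]byte(`{"code":3,"error":"Please use HTTPS connection"}`))
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	// Deployed on GAE Flexible: trust only the X-AppEngine-Https header.
	http.ListenAndServe(":8080", RequireHTTPS(ProxyTrust{AppEngineFlexible: true}, api))
}
```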

pjebs commented 8 years ago

I have updated the package to support the GAE-Flexible environment. Just set the config like this: restgate.New("X-Auth-Key", "X-Auth-Secret", restgate.Static, restgate.Config{GAE_FlexibleEnvironment: true, ...})

THE ADVICE IN ABOVE POST IS VALID BUT NO LONGER RECOMMENDED