Add function domains force https

2024-06-13 16:24:47 +12:00 · 2023-09-18 12:27:47 +02:00 · 2023-09-18 12:27:47 +02:00 · 6a7950aa34
parent 9ba609c46e
commit 6a7950aa34
7 changed files with 33 additions and 2 deletions
--- a/.env
+++ b/.env
@ -10,6 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
 _APP_SYSTEM_RESPONSE_FORMAT=
 _APP_OPTIONS_ABUSE=disabled
 _APP_OPTIONS_FORCE_HTTPS=disabled
+_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS=disabled
 _APP_OPENSSL_KEY_V1=your-secret-key
 _APP_DOMAIN=localhost
 _APP_DOMAIN_FUNCTIONS=functions.localhost
--- a/app/config/variables.php
+++ b/app/config/variables.php
@ -36,7 +36,16 @@ return [
            ],
            [
                'name' => '_APP_OPTIONS_FORCE_HTTPS',
-                'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.',
+                'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443, and you have set up wildcard certificates with DNS challenge.',
+                'introduction' => '',
+                'default' => 'disabled',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
+            ],
+            [
+                'name' => '_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS',
+                'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.',
                'introduction' => '',
                'default' => 'disabled',
                'required' => false,
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@ -83,6 +83,16 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques
    $type = $route->getAttribute('resourceType');

    if ($type === 'function') {
+        if (App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
+            if ($request->getProtocol() !== 'https') {
+                if ($request->getMethod() !== Request::METHOD_GET) {
+                    throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.');
+                }
+
+                return $response->redirect('https://' . $request->getHostname() . $request->getURI());
+            }
+        }
+
        $functionId = $route->getAttribute('resourceId');
        $projectId = $route->getAttribute('projectId');

@ -380,7 +390,7 @@ App::init()
        if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS
            if ($request->getProtocol() !== 'https' && ($swooleRequest->header['host'] ?? '') !== 'localhost' && ($swooleRequest->header['host'] ?? '') !== APP_HOSTNAME_INTERNAL) { // localhost allowed for proxy, APP_HOSTNAME_INTERNAL allowed for migrations
                if ($request->getMethod() !== Request::METHOD_GET) {
-                    throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP.');
+                    throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.');
                }

                return $response->redirect('https://' . $request->getHostname() . $request->getURI());
--- a/app/views/install/compose.phtml
+++ b/app/views/install/compose.phtml
@ -85,6 +85,7 @@ services:
      - _APP_SYSTEM_RESPONSE_FORMAT
      - _APP_OPTIONS_ABUSE
      - _APP_OPTIONS_FORCE_HTTPS
+      - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS
      - _APP_OPENSSL_KEY_V1
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
@ -382,6 +383,7 @@ services:
      - _APP_FUNCTIONS_CPUS
      - _APP_FUNCTIONS_MEMORY
      - _APP_OPTIONS_FORCE_HTTPS
+      - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS
      - _APP_DOMAIN
      - _APP_STORAGE_DEVICE
      - _APP_STORAGE_S3_ACCESS_KEY
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -106,6 +106,7 @@ services:
      - _APP_SYSTEM_RESPONSE_FORMAT
      - _APP_OPTIONS_ABUSE
      - _APP_OPTIONS_FORCE_HTTPS
+      - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS
      - _APP_OPENSSL_KEY_V1
      - _APP_DOMAIN
      - _APP_DOMAIN_TARGET
@ -417,6 +418,7 @@ services:
      - _APP_FUNCTIONS_CPUS
      - _APP_FUNCTIONS_MEMORY
      - _APP_OPTIONS_FORCE_HTTPS
+      - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS
      - _APP_DOMAIN
      - _APP_STORAGE_DEVICE
      - _APP_STORAGE_S3_ACCESS_KEY
--- a/src/Appwrite/Platform/Tasks/Doctor.php
+++ b/src/Appwrite/Platform/Tasks/Doctor.php
@ -93,6 +93,12 @@ class Doctor extends Action
            Console::log('🟢 HTTPS force option is enabled');
        }

+        if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled')) {
+            Console::log('🔴 HTTPS force option is disabled for function domains');
+        } else {
+            Console::log('🟢 HTTPS force option is enabled for function domains');
+        }
+
        $providerName = App::getEnv('_APP_LOGGING_PROVIDER', '');
        $providerConfig = App::getEnv('_APP_LOGGING_CONFIG', '');

--- a/tests/resources/docker/docker-compose.yml
+++ b/tests/resources/docker/docker-compose.yml
@ -67,6 +67,7 @@ services:
      - _APP_ENV
      - _APP_OPTIONS_ABUSE
      - _APP_OPTIONS_FORCE_HTTPS
+      - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS
      - _APP_OPENSSL_KEY_V1
      - _APP_DOMAIN
      - _APP_DOMAIN_FUNCTIONS