From 6a7950aa34a7091105f93058033673cbacddc480 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Mon, 18 Sep 2023 12:27:47 +0200 Subject: [PATCH 1/3] Add function domains force https --- .env | 1 + app/config/variables.php | 11 ++++++++++- app/controllers/general.php | 12 +++++++++++- app/views/install/compose.phtml | 2 ++ docker-compose.yml | 2 ++ src/Appwrite/Platform/Tasks/Doctor.php | 6 ++++++ tests/resources/docker/docker-compose.yml | 1 + 7 files changed, 33 insertions(+), 2 deletions(-) diff --git a/.env b/.env index 189095e9e5..9d09b00dff 100644 --- a/.env +++ b/.env @@ -10,6 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled +_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 5d8c0eaa2e..9e99695ef3 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -36,7 +36,16 @@ return [ ], [ 'name' => '_APP_OPTIONS_FORCE_HTTPS', - 'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', + 'description' => 'Allows you to force HTTPS connection to your API. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443, and you have set up wildcard certificates with DNS challenge.', + 'introduction' => '', + 'default' => 'disabled', + 'required' => false, + 'question' => '', + 'filter' => '' + ], + [ + 'name' => '_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', + 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', 'required' => false, diff --git a/app/controllers/general.php b/app/controllers/general.php index d47b863574..6d1b78c0be 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,6 +83,16 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { + if (App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled') === 'enabled') { // Force HTTPS + if ($request->getProtocol() !== 'https') { + if ($request->getMethod() !== Request::METHOD_GET) { + throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); + } + + return $response->redirect('https://' . $request->getHostname() . $request->getURI()); + } + } + $functionId = $route->getAttribute('resourceId'); $projectId = $route->getAttribute('projectId'); @@ -380,7 +390,7 @@ App::init() if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https' && ($swooleRequest->header['host'] ?? '') !== 'localhost' && ($swooleRequest->header['host'] ?? '') !== APP_HOSTNAME_INTERNAL) { // localhost allowed for proxy, APP_HOSTNAME_INTERNAL allowed for migrations if ($request->getMethod() !== Request::METHOD_GET) { - throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP.'); + throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); } return $response->redirect('https://' . $request->getHostname() . $request->getURI()); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index d59f97b9da..a6d9f7ad9e 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,6 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -382,6 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index a6c1018d3c..914ce480e3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,6 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -417,6 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index 423dd78fe7..e5e2e38736 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,6 +93,12 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } + if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled')) { + Console::log('🔴 HTTPS force option is disabled for function domains'); + } else { + Console::log('🟢 HTTPS force option is enabled for function domains'); + } + $providerName = App::getEnv('_APP_LOGGING_PROVIDER', ''); $providerConfig = App::getEnv('_APP_LOGGING_CONFIG', ''); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index 3baae7316d..5377bf0cdc 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,6 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS + - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS From d87dbad7682ca208bc20d7bf5f8d6c8ab7f0a960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Tue, 19 Sep 2023 09:31:57 +0200 Subject: [PATCH 2/3] PR review changes --- .env | 2 +- app/config/variables.php | 2 +- app/controllers/general.php | 2 +- app/views/install/compose.phtml | 4 ++-- docker-compose.yml | 4 ++-- src/Appwrite/Platform/Tasks/Doctor.php | 2 +- tests/resources/docker/docker-compose.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.env b/.env index 9d09b00dff..8de3ada7f3 100644 --- a/.env +++ b/.env @@ -10,7 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled -_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS=disabled +_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 9e99695ef3..74339c43ac 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -44,7 +44,7 @@ return [ 'filter' => '' ], [ - 'name' => '_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', + 'name' => '_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', diff --git a/app/controllers/general.php b/app/controllers/general.php index 6d1b78c0be..345ef2d547 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,7 +83,7 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { - if (App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled') === 'enabled') { // Force HTTPS + if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https') { if ($request->getMethod() !== Request::METHOD_GET) { throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index a6d9f7ad9e..86208bf48c 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,7 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -383,7 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index 914ce480e3..345e814cdd 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,7 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -418,7 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index e5e2e38736..89b195c1d7 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,7 +93,7 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } - if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_FUNCTIONS_HTTPS', 'disabled')) { + if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled')) { Console::log('🔴 HTTPS force option is disabled for function domains'); } else { Console::log('🟢 HTTPS force option is enabled for function domains'); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index 5377bf0cdc..d9c2a21414 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,7 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_FUNCTIONS_HTTPS + - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS From 8926d24a0d79082458f33c0897eb41942d3a0a3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Ba=C4=8Do?= Date: Tue, 19 Sep 2023 09:35:32 +0200 Subject: [PATCH 3/3] One more env var rename --- .env | 2 +- app/config/variables.php | 2 +- app/controllers/general.php | 2 +- app/views/install/compose.phtml | 4 ++-- docker-compose.yml | 4 ++-- src/Appwrite/Platform/Tasks/Doctor.php | 2 +- tests/resources/docker/docker-compose.yml | 2 +- 7 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.env b/.env index 8de3ada7f3..c1ccc71182 100644 --- a/.env +++ b/.env @@ -10,7 +10,7 @@ _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io _APP_SYSTEM_RESPONSE_FORMAT= _APP_OPTIONS_ABUSE=disabled _APP_OPTIONS_FORCE_HTTPS=disabled -_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS=disabled +_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS=disabled _APP_OPENSSL_KEY_V1=your-secret-key _APP_DOMAIN=localhost _APP_DOMAIN_FUNCTIONS=functions.localhost diff --git a/app/config/variables.php b/app/config/variables.php index 74339c43ac..7685f3f735 100644 --- a/app/config/variables.php +++ b/app/config/variables.php @@ -44,7 +44,7 @@ return [ 'filter' => '' ], [ - 'name' => '_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', + 'name' => '_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'description' => 'Allows you to force HTTPS connection to function domains. This feature redirects any HTTP call to HTTPS and adds the \'Strict-Transport-Security\' header to all HTTP responses. By default, set to \'enabled\'. To disable, set to \'disabled\'. This feature will work only when your ports are set to default 80 and 443.', 'introduction' => '', 'default' => 'disabled', diff --git a/app/controllers/general.php b/app/controllers/general.php index 345ef2d547..6da34cf1c2 100644 --- a/app/controllers/general.php +++ b/app/controllers/general.php @@ -83,7 +83,7 @@ function router(App $utopia, Database $dbForConsole, SwooleRequest $swooleReques $type = $route->getAttribute('resourceType'); if ($type === 'function') { - if (App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled') === 'enabled') { // Force HTTPS + if (App::getEnv('_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'disabled') === 'enabled') { // Force HTTPS if ($request->getProtocol() !== 'https') { if ($request->getMethod() !== Request::METHOD_GET) { throw new AppwriteException(AppwriteException::GENERAL_PROTOCOL_UNSUPPORTED, 'Method unsupported over HTTP. Please use HTTPS instead.'); diff --git a/app/views/install/compose.phtml b/app/views/install/compose.phtml index 86208bf48c..be43debd3f 100644 --- a/app/views/install/compose.phtml +++ b/app/views/install/compose.phtml @@ -85,7 +85,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -383,7 +383,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/docker-compose.yml b/docker-compose.yml index 345e814cdd..752a23fd38 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -106,7 +106,7 @@ services: - _APP_SYSTEM_RESPONSE_FORMAT - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_TARGET @@ -418,7 +418,7 @@ services: - _APP_FUNCTIONS_CPUS - _APP_FUNCTIONS_MEMORY - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_DOMAIN - _APP_STORAGE_DEVICE - _APP_STORAGE_S3_ACCESS_KEY diff --git a/src/Appwrite/Platform/Tasks/Doctor.php b/src/Appwrite/Platform/Tasks/Doctor.php index 89b195c1d7..739a23aaf4 100644 --- a/src/Appwrite/Platform/Tasks/Doctor.php +++ b/src/Appwrite/Platform/Tasks/Doctor.php @@ -93,7 +93,7 @@ class Doctor extends Action Console::log('🟢 HTTPS force option is enabled'); } - if ('enabled' !== App::getEnv('_APP_OPTIONS_FORCE_HTTPS_FUNCTIONS', 'disabled')) { + if ('enabled' !== App::getEnv('_APP_OPTIONS_FUNCTIONS_FORCE_HTTPS', 'disabled')) { Console::log('🔴 HTTPS force option is disabled for function domains'); } else { Console::log('🟢 HTTPS force option is enabled for function domains'); diff --git a/tests/resources/docker/docker-compose.yml b/tests/resources/docker/docker-compose.yml index d9c2a21414..19e63c5313 100644 --- a/tests/resources/docker/docker-compose.yml +++ b/tests/resources/docker/docker-compose.yml @@ -67,7 +67,7 @@ services: - _APP_ENV - _APP_OPTIONS_ABUSE - _APP_OPTIONS_FORCE_HTTPS - - _APP_OPTIONS_FORCE_HTTPS_FUNCTIONS + - _APP_OPTIONS_FUNCTIONS_FORCE_HTTPS - _APP_OPENSSL_KEY_V1 - _APP_DOMAIN - _APP_DOMAIN_FUNCTIONS