Copyright | (c) Marek Fajkus |
---|---|
License | BSD3 |
Maintainer | marek.faj@gmail.com |
Safe Haskell | None |
Language | Haskell2010 |
Wai Middleware for safely enforcing encrypted HTTPS connections.
This module is intended to be imported qualified:
import qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS
Synopsis
- def :: Middleware
- withResolver :: HTTPSResolver -> Middleware
- xForwardedProto :: HTTPSResolver
- azure :: HTTPSResolver
- forwarded :: HTTPSResolver
- customProtoHeader :: ByteString -> HTTPSResolver
- data EnforceHTTPSConfig = EnforceHTTPSConfig {
    - httpsIsSecure :: HTTPSResolver
    - httpsHostname :: Maybe ByteString
    - httpsPort :: Int
    - httpsIgnoreURL :: Bool
    - httpsTemporary :: Bool
    - httpsSkipDefaultPort :: Bool
    - httpsRedirectMethods :: [Method]
    - httpsDisallowStatus :: Status
  }
- defaultConfig :: EnforceHTTPSConfig
- withConfig :: EnforceHTTPSConfig -> Middleware
Documentation
def :: Middleware
Middleware with default configuration. See defaultConfig for more details.
withResolver :: HTTPSResolver -> Middleware
Construct middleware with the provided Resolver. See the Resolver section for information.
xForwardedProto :: HTTPSResolver
Resolver checking the value of the x-forwarded-proto HTTP header.
This header is used, for instance, by Heroku or GCP Ingress, among many others.
The request is secure if the value of the header is https; otherwise the request is considered not secure.
azure :: HTTPSResolver
Azure proxies requests with an additional `x-arr-ssl` header if the original protocol is HTTPS. This resolver checks for the presence of this header.
forwarded :: HTTPSResolver
The Forwarded HTTP header is a relatively new standard which should replace all ad hoc x-* headers with a standardized one.
This resolver uses the proto=foo part of the header and checks it for equality with the https value.
More information can be found on MDN.
A complete implementation of Forwarded is located in the Network.HTTP.Forwarded module.
customProtoHeader :: ByteString -> HTTPSResolver
Some reverse proxies (Kong) use values similar to x-forwarded-proto but send them in different headers.
This resolver allows you to specify the name of the header which should be used for the check.
Like xForwardedProto, the request is considered secure if the value of the header is https.
data EnforceHTTPSConfig
Configuration
EnforceHTTPSConfig does export its constructor, which should not collide with any other functions and therefore can be exposed in the import:
import Network.Wai.Middleware.EnforceHTTPS (EnforceHTTPSConfig(..))
The default configuration is recommended, but you're free to override any default value if you need to.
The httpsIsSecure field can be set using the withResolver function, which is the preferred way of overriding the default Resolver.
defaultConfig :: EnforceHTTPSConfig
Default Configuration
The default resolver is a proxy to the Network.Wai.isSecure function.
- uses request Host header information to resolve hostname
- standard HTTPS port 443
- redirect includes path and url params
- uses permanent redirect (301)
- doesn't include port in Location header if port is 443
- redirects GET and HEAD methods
- all other methods are resolved with 405 (Method not Allowed) and with appropriate Allowed header
withConfig :: EnforceHTTPSConfig -> Middleware
Construct Middleware for a specific EnforceHTTPSConfig.
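The following is an added example, not taken from the package's own documentation: a Warp application behind a TLS-terminating reverse proxy, built from defaultConfig with three overrides and wired up through withConfig. The hostname app.example.test and port 8080 are placeholders, and the meaning of httpsHostname (fixed redirect host instead of the request Host header) and httpsTemporary (temporary instead of permanent redirect) is assumed from the field names and the defaults listed above.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import           Network.HTTP.Types                  (status200)
import           Network.Wai                         (Application, responseLBS)
import           Network.Wai.Handler.Warp            (run)
import           Network.Wai.Middleware.EnforceHTTPS (EnforceHTTPSConfig (..))
import qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS

-- Plain application; it only ever sees requests the middleware let through.
app :: Application
app _req respond =
  respond $ responseLBS status200 [("Content-Type", "text/plain")] "served over HTTPS\n"

-- Start from defaultConfig and override only what this deployment needs.
proxyConfig :: EnforceHTTPSConfig
proxyConfig = EnforceHTTPS.defaultConfig
  { -- TLS ends at the proxy, so the default resolver (Network.Wai.isSecure)
    -- would see every request as plain HTTP. Use the proxy's header instead.
    httpsIsSecure  = EnforceHTTPS.xForwardedProto
    -- Assumption: a fixed hostname is used for the redirect target, so the
    -- Location header no longer depends on the client-supplied Host header.
    -- "app.example.test" is a placeholder.
  , httpsHostname  = Just "app.example.test"
    -- Assumption: True switches from the default permanent redirect (301)
    -- to a temporary one, which clients do not cache while rolling out.
  , httpsTemporary = True
  }
  -- Left at their defaults: only GET and HEAD are redirected; any other
  -- method sent over plain HTTP is answered with 405.

main :: IO ()
main = run 8080 (EnforceHTTPS.withConfig proxyConfig app)
```

A header-based resolver such as xForwardedProto trusts whatever value the request carries, so the proxy in front must overwrite x-forwarded-proto on every request and the application port must not be reachable by clients directly.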