Example Usage

-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Enforce HTTPS in Wai server app safely.
--   
--   Wai middleware enforcing HTTPS protocol on any incoming request. In
--   case of non-encrypted HTTP, traffic is redirected using 301 Permanent
--   Redirect or optionally 307 Temporary Redirect. Middleware has
--   compatibility modes for various reverse proxies (load balancers) and
--   therefore can be used with Heroku, Google Cloud (Ingress), Azure or
--   any other type of PAS or Cloud provider.
@package wai-enforce-https
@version 1.0.0.0


-- | Parsing and Serialization of <a>Forwarded</a> HTTP header values.
module Network.HTTP.Forwarded

-- | Representation of Forwarded header data All field are optional
data Forwarded
Forwarded :: Maybe ByteString -> Maybe ByteString -> Maybe ByteString -> Maybe (CI ByteString) -> Forwarded
[forwardedBy] :: Forwarded -> Maybe ByteString
[forwardedFor] :: Forwarded -> Maybe ByteString
[forwardedHost] :: Forwarded -> Maybe ByteString
[forwardedProto] :: Forwarded -> Maybe (CI ByteString)

-- | Parse <tt>ByteString</tt> to Forwarded header Note that this function
--   works with the values of the header only. Extraction of value from
--   header depends what representation of headers you're using.
--   
--   In case of Wai you can extract headers as following:
--   
--   <pre>
--   :set -XOverloadedStrings
--   import Network.Wai
--   import Network.HTTP.Forwarded
--   getForwarded req = parseForwarded &lt;$&gt; "forwarded" `lookup` requestHeaders req
--   :t getForwarded
--   getForwarded :: Request -&gt; Maybe Forwarded
--   </pre>
parseForwarded :: ByteString -> Forwarded

-- | Serialize <a>Forwarded</a> data type back to ByteString
--   representation.
serializeForwarded :: Forwarded -> ByteString
instance GHC.Show.Show Network.HTTP.Forwarded.Forwarded
instance GHC.Classes.Eq Network.HTTP.Forwarded.Forwarded


-- | Wai Middleware for enforcing encrypted HTTPS connection safely.
--   
--   This module is intended to be imported <tt>qualified</tt>
--   
--   <pre>
--   import qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS
--   </pre>
--   
--   <h1>Example Usage</h1>
--   
--   Following is the most typical config. That is GCP, AWS and Heroku
--   compatible setting using <tt>x-forwarded-proto</tt> header check and
--   default configuration.
--   
--   <pre>
--   {-# LANGUAGE OverloadedStrings #-}
--   
--   module Main where
--   
--   import           Network.HTTP.Types                  (status200)
--   import           Network.Wai                         (Application, responseLBS)
--   import           Network.Wai.Handler.Warp            (runEnv)
--   
--   import qualified Network.Wai.Middleware.EnforceHTTPS as EnforceHTTPS
--   
--   handler :: Application
--   handler _ respond = respond $
--       responseLBS status200 [] "Hello from behind proxy"
--   
--   app :: Application
--   app = EnforceHTTPS.withResolver EnforceHTTPS.xForwardedProto handler
--   
--   main :: IO ()
--   main = runEnv 8080 app
--   </pre>
module Network.Wai.Middleware.EnforceHTTPS

-- | <h3>Configuration</h3>
--   
--   <a>EnforceHTTPSConfig</a> does export constructor which should not
--   collide with any other functions and therefore can be exposed in
--   import
--   
--   <pre>
--   import Network.Wai.Middleware.EnforceHTTPS (EnforceHTTPSConfig(..))
--   </pre>
--   
--   <b>Default configuration is recommended</b> but you're free to
--   override any default value if you need to.
--   
--   Configuration of <a>httpsIsSecure</a> can be set using
--   <a>withResolver</a> function which is preferred way for overwriting
--   default <tt>Resolver</tt>.
data EnforceHTTPSConfig
EnforceHTTPSConfig :: !HTTPSResolver -> !ByteString -> ByteString -> !Int -> !Bool -> !Bool -> !Bool -> ![Method] -> !Status -> EnforceHTTPSConfig

-- | Function to detect if reqest was done over secure protocol
[httpsIsSecure] :: EnforceHTTPSConfig -> !HTTPSResolver

-- | Rewrite rule for host (useful for redirecting between domains)
[httpsHostRewrite] :: EnforceHTTPSConfig -> !ByteString -> ByteString

-- | Port of secure server
[httpsPort] :: EnforceHTTPSConfig -> !Int

-- | Ignore url (path, query) - redirect to just host
[httpsIgnoreURL] :: EnforceHTTPSConfig -> !Bool

-- | Use termporary redirect
[httpsTemporary] :: EnforceHTTPSConfig -> !Bool

-- | Avoid sending explicit port if default (443) is specified
[httpsSkipDefaultPort] :: EnforceHTTPSConfig -> !Bool

-- | Whitelist for methods that should be redirected
[httpsRedirectMethods] :: EnforceHTTPSConfig -> ![Method]

-- | Status to retuned for disallowed methods
[httpsDisallowStatus] :: EnforceHTTPSConfig -> !Status

-- | Default Configuration Default resolver is proxy to <a>isSecure</a>
--   function
--   
--   <ul>
--   <li>uses request <tt>Host</tt> header information to resolve
--   hostname</li>
--   <li>standard HTTPS port <tt>443</tt></li>
--   <li>redirect includes path and url params</li>
--   <li>uses permanent redirect (<tt>301</tt>)</li>
--   <li>doesn't include <tt>port</tt> in <tt>Location</tt> header id port
--   is <tt>443</tt></li>
--   <li>redirects <tt>GET</tt> and <tt>HEAD</tt> methods</li>
--   <li>all <i>other</i> methods are resolved with <tt>405</tt> (Method
--   not Allowed) and with appropriate <tt>Allowed</tt> header</li>
--   </ul>
defaultConfig :: EnforceHTTPSConfig

-- | <a>Middleware</a> with <i>default</i> configuration. See
--   <a>defaultConfig</a> for more details.
def :: Middleware

-- | Construct middleware with provided <tt>Resolver</tt> See `Provided
--   Resolvers` section for more information.
withResolver :: HTTPSResolver -> Middleware

-- | Construct <a>Middleware</a> for specific <a>EnforceHTTPSConfig</a>
withConfig :: EnforceHTTPSConfig -> Middleware

-- | Resolvers are function used for testing if Request is made over secure
--   HTTPS protocol.
--   
--   if <a>True</a> is returned from a <tt>Resolver</tt> function, request
--   is considered to be secure. In case of <a>False</a> value, redirect
--   logic is called.
type HTTPSResolver = Request -> Bool

-- | Resolver checking value of <tt>x-forwarded-proto</tt> HTTP header.
--   This header is for instance used by Heroku or GCP Ingress among many
--   others.
--   
--   Request is secure if value of header is <tt>https</tt> otherwise
--   request is considered not being secure.
xForwardedProto :: HTTPSResolver

-- | Azure is proxying with additional `x-arr-ssl` header if original
--   protocol is HTTPS. This resolver checks for the presence of this
--   header.
azure :: HTTPSResolver

-- | Forwarded HTTP header is relatively new standard which should replaced
--   all <tt>x-*</tt> adhoc headers by standardized one. This resolver is
--   using <tt>proto=foo</tt> part of the header and check for equality
--   with <tt>https</tt> value.
--   
--   More information can be found on <a>MDN</a> Complete implementation of
--   <tt>Forwarded</tt> is located in <tt>Network.HTTP.Forwarded</tt>
--   module
forwarded :: HTTPSResolver

-- | Some reverse proxies (Kong) are using values similar to
--   <tt>x-forwarded-proto</tt> but are using different headers. This
--   resolver allows you to specify name of header which should be used for
--   the check. Like <a>xForwardedProto</a>, request is considered as being
--   secure if value of header is <tt>https</tt>.
customProtoHeader :: ByteString -> HTTPSResolver