Skip to content

jonahgeorge/force-ssl-heroku

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

.github

.github

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

forcessl.go

forcessl.go

 
 

forcessl_test.go

forcessl_test.go

 
 

go.mod

go.mod

 
 

Repository files navigation

force-ssl-heroku

Golang middleware that redirects unencrypted HTTP requests to HTTPS on Heroku instances.

Heroku does SSL termination at its load balancer. However, the app can tell if the original request was made with HTTP by inspecting headers inserted by Heroku. We can use this to redirect to the HTTPS Heroku url.

Installation

go get github.com/jonahgeorge/force-ssl-heroku

Usage

package main

import (
	"net/http"

        heroku "github.com/jonahgeorge/force-ssl-heroku"
)

func helloWorldHandler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("Hello World"))
}

func main() {
	r := http.NewServeMux()
	r.HandleFunc("/", helloWorldHandler)

	http.ListenAndServe(":8080", heroku.ForceSsl(r))
}

Caveat

It works because Heroku exposes your app through a reverse proxy which is used for load-balancing and other things. This reverse proxy does SSL termination and forwards to your app which should only accept connections from localhost. The middleware detects this situation by inspecting headers inserted by Heroku's reverse proxy; since headers can be spoofed, you should not use this middleware anywhere that's not behind such a proxy!

About

Golang middleware that redirects HTTP requests to HTTPS on Heroku instances.

Topics

heroku middleware balance golang-middleware ssl-termination inspecting-headers-inserted

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v1.0.1 Latest
May 9, 2020

Packages

No packages published

Contributors 2

  •  
  •  

Languages