14

I've followed the answer of this: Redirect from http to https in google cloud but it does not seem to be currently accurate any more. The anchor referenced ( https://cloud.google.com/appengine/docs/flexible/nodejs/configuring-your-app-with-app-yaml#security ) seems to have been removed but without a note of a replacement.

For reference, I am serving NodeJS over a Google App (flex) Engine. As per the answer I've got in my app.yaml: 

handlers: - url: /.* script: IGNORED secure: always

Since HTTPS is obviously terminated before it hits my Express engine (and redirection on there would be useless); how is it currently correctly implemented?

Potentially helpful, I have an external domain attached via the "Custom domains" tab in the console, and there is indeed a SSL certificate configured (so if a user manually goes to https://.com everything is fine)

Improve this question
4
  • What's your current problem? It should redirect to https as expected. Commented Mar 14, 2017 at 4:40
  • Correct. I want HTTP request to redirect to HTTPS, though this is not currently working (i.e. I just access HTTP normally without redirection when accessing the domain I have connected to this environment) Commented Mar 14, 2017 at 4:42
  • 2
    handlers: - url: /.* script: auto secure: always redirect_http_response_code: 301 Commented May 23, 2019 at 12:08
  • @RobertMihaiIonas You saved my life. That works. It redirects my naked domain ("example.com") to "example.com" and all other to https. Amazing. No more HTTP! Thank you. Commented Oct 12, 2021 at 20:51

3 Answers 3

Reset to default
20

The flexible environment does not current support handlers in the app.yaml. If you want https:// redirection, you have a few options:

  • Use helmet to do to HSTS stuff for you, and implement your own initial redirect.
  • I wrote a happy little library to always forces SSL on all routes for express yes-https

We are considering auto-redirecting all traffic to SSL by default. Do you think that would be a good thing for your apps?

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Thanks Justin, that did the trick! I am indeed considering to prefer -all- traffic is transported over https. Given the site's setup (just a 1-pager with a single form containing PII) that would make the most sense.
Can you please look at my stackoverflow.com/questions/47453220/… actually yes-https is not working for me.
Are you there ??
I used Justin's happy little library and it's dead simple and easy, and it works.
@Justin Thank you so much! This has been driving me nuts :)
9

Pulling Justin's yes-https library, I was able to get this to work:

var app = express(); app.use(function(req, res, next){ if (req.host != 'localhost' && req.get('X-Forwarded-Proto') == 'http') { res.redirect(`https://${req.host}${req.url}`); return; } app.router(req, res, next); });

At first I thought I had to do that since I was on an appengine subdomain and couldn't use HSTS. Then I learned HSTS works fine for subdomains. :) Regardless, I thought people might want to see what the magic bit to use was if they didn't want to use yes-https for some reason.

Justin, auto-redirecting all traffic to SSL by default sounds great to me. I just spent hours trying to figure out how to do so before I found this post because I was trying to get my app to get Chrome's add to homescreen install banner as per https://developers.google.com/web/fundamentals/engage-and-retain/app-install-banners/.

Improve this answer

1 Comment

Can you please look at my stackoverflow.com/questions/47453220/… actually yes-https is not working for me.
1

GCP This should be as easy to just use the gcloud app cli and configure a header (Strict-Transport-Security) or redirect rule. Perhaps the push is to force us to Firebase Hosting instead which is forcing HTTPS already. For a quick solution for Single Page apps (static content) with React, Angular etc, we can use this JS snippet.

It ignores localhost environments. You can change localhost with a host name that you would like to exclude. It then redirects using https as protocol.

 if ( location.host.indexOf("localhost") < 0 && location.protocol.toLowerCase() !== "https:"){ const url= `https://${location.host}`; location.replace(url); }
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.