diff --git a/core/server/middleware/index.js b/core/server/middleware/index.js
index 3c9ca2557e..fd703b1114 100644
--- a/core/server/middleware/index.js
+++ b/core/server/middleware/index.js
@@ -5,6 +5,7 @@ var middleware = require('./middleware'),
 express = require('express'),
 _ = require('underscore'),
+ url = require('url'),
 when = require('when'),
 slashes = require('connect-slashes'),
 errors = require('../errorHandling'),
@@ -161,6 +162,33 @@ function redirectToSignup(req, res, next) {
 });
 }
+// checkSSL helper
+function redirectSSL(req, res, next) {
+    // Check if X-Forarded-Proto headers are sent, if they are check for https. If they are not assume true to avoid infinite redirect loop.
+    // If the X-Forwarded-Proto header is missing and Express cannot automatically sense HTTPS the redirect will not be made.
+    var httpsHeader = req.header('X-Forwarded-Proto') !== 'undefined' ? req.header('X-Forwarded-Proto').toLowerCase() === 'https' ? true : false : true;
+    if (!req.secure && !httpsHeader) {
+        return res.redirect(301, url.format({
+            protocol: 'https:',
+            hostname: url.parse(config().url).hostname,
+            pathname: req.path,
+            query: req.query
+        }));
+    }
+    next();
+}
+
+// Check to see if we should
+function checkSSL(req, res, next) {
+    var forceSSL = url.parse(config().url).protocol === 'https:' ? true : false,
+        forceAdminSSL = (res.isAdmin && config().forceAdminSSL);
+
+    if (forceSSL || forceAdminSSL) {
+        return redirectSSL(req, res, next);
+    }
+    next();
+}
+
 module.exports = function (server, dbHash) {
 var oneYear = 31536000000,
 root = config.paths().webroot,
@@ -194,6 +222,9 @@ module.exports = function (server, dbHash) {
 // First determine whether we're serving admin or theme content
 expressServer.use(manageAdminAndTheme);
+    // Force SSL
+    server.use(checkSSL);
+
 // Admin only config
 expressServer.use(root + '/ghost', middleware.whenEnabled('admin', express['static'](path.join(corePath, '/client/assets'))));
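Review bot: In redirectSSL the absent-header test `req.header('X-Forwarded-Proto') !== 'undefined'` compares against the string 'undefined', not the value `undefined` that an absent header yields, so a request without the header takes the first branch and `.toLowerCase()` throws on `undefined` instead of falling back to `true` as the comment above it intends. The header is also honoured from any client, so a request that reaches Ghost directly can send `X-Forwarded-Proto: https` and skip the redirect; it should only be trusted behind a known proxy, and with Express's `trust proxy` setting enabled `req.secure` already reflects it (hedged: the Express version and whether that setting is on are not visible here). `url.parse(config().url).hostname` drops any non-default port from the configured URL, so the redirect target should be built from `host` instead. The comment above checkSSL is cut off; `// Redirect to https when the configured url uses https, or when forceAdminSSL is set and the request is for the admin.` describes what it checks.
```javascript
function redirectSSL(req, res, next) {
    var forwardedProto = req.header('X-Forwarded-Proto'),
        // Absent header: assume https so a deployment without a proxy does not redirect forever.
        // NOTE(review): only trust this header behind a known proxy (or use Express 'trust proxy' + req.secure).
        httpsHeader = typeof forwardedProto === 'undefined' ? true : forwardedProto.toLowerCase() === 'https';
    if (!req.secure && !httpsHeader) {
        return res.redirect(301, url.format({
            protocol: 'https:',
            host: url.parse(config().url).host, // host keeps a non-default port; hostname would drop it
            // … unchanged: pathname, query …
        }));
    }
    next();
}
```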
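Review bot: `server.use(checkSSL);` registers the middleware on `server`, while every neighbouring line registers on `expressServer`; if those are different objects (cannot tell from this hunk) checkSSL is never attached to the express app, so this should presumably read `expressServer.use(checkSSL);`. The placement after manageAdminAndTheme looks deliberate because checkSSL reads `res.isAdmin`, which manageAdminAndTheme presumably sets, and that ordering dependency is worth recording: `// Force SSL (must run after manageAdminAndTheme, which sets res.isAdmin)`. The enclosing module.exports function starts and ends outside the hunk.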