Add setting to automatically redirect http requests to the https port

Change-Id: I33966b8292434c10ffd623838d09527aaebaca5f

releases.moxie

@@ -26,6 +26,7 @@ r20: {
 	- Removed "show readme" setting in favor of automatic detection
 	- Support plain text "readme" files
 	- Determine best commit id (e.g. "master") for the tree and docs pages and use that in links
+	- By default GO will now bind to all interfaces for both http and https connectors.  This simplifies setup for first-time users.
     additions:
 	- Added branch graph image servlet based on EGit's branch graph renderer (issue-194)
 	- Added option to render Markdown commit messages (issue-203)
@@ -35,6 +36,7 @@ r20: {
 	- Support intradocument linking in Markdown content using [[WikiLinks]] syntax (issue-324)
 	- Added setting to globally disable anonymous pushes in the receive pack
 	- Added a normalized diffstat display to the commit, commitdiff, and compare pages
+	- Added GO setting to automatically redirect all http requests to the secure https connector
     dependencyChanges:
 	- updated to Jetty 7.6.13
 	- updated to JGit 3.1.0
@@ -45,6 +47,7 @@ r20: {
 	- { name: 'git.defaultAccessRestriction', defaultValue: 'PUSH' }
 	- { name: 'web.commitMessageRenderer', defaultValue: 'plain' }
 	- { name: 'web.showBranchGraph', defaultValue: 'true' }
+	- { name: 'server.redirectToHttpsPort', defaultValue: 'true' }
     contributors:
 	- James Moger
 	- Robin Rosenberg

src/main/distrib/data/gitblit.properties

@@ -1545,6 +1545,16 @@ server.httpsPort = 8443
 # RESTART REQUIRED
 server.ajpPort = 0
 
+# Automatically redirect http requests to the secure https connector.
+#
+# This setting requires that you have configured server.httpPort and server.httpsPort.
+# Unless you are on a private LAN where you trust all client connections, it is
+# recommended to use https for all communications.
+#
+# SINCE 1.4.0
+# RESTART REQUIRED
+server.redirectToHttpsPort = true
+
 # Specify the interface for Jetty to bind the standard connector.
 # You may specify an ip or an empty value to bind to all interfaces.
 # Specifying localhost will result in Gitblit ONLY listening to requests to
@@ -1552,7 +1562,7 @@ server.ajpPort = 0
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.httpBindInterface = localhost
+server.httpBindInterface =
 
 # Specify the interface for Jetty to bind the secure connector.
 # You may specify an ip or an empty value to bind to all interfaces.
@@ -1561,7 +1571,7 @@ server.httpBindInterface = localhost
 #
 # SINCE 0.5.0
 # RESTART REQUIRED
-server.httpsBindInterface = localhost
+server.httpsBindInterface =
 
 # Specify the interface for Jetty to bind the AJP connector.
 # You may specify an ip or an empty value to bind to all interfaces.

src/main/java/com/gitblit/GitBlitServer.java

@@ -36,6 +36,8 @@ import java.util.List;
 import java.util.Scanner;
 
 import org.eclipse.jetty.ajp.Ajp13SocketConnector;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.bio.SocketConnector;
@@ -44,6 +46,7 @@ import org.eclipse.jetty.server.session.HashSessionManager;
 import org.eclipse.jetty.server.ssl.SslConnector;
 import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 import org.eclipse.jetty.server.ssl.SslSocketConnector;
+import org.eclipse.jetty.util.security.Constraint;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.webapp.WebAppContext;
 import org.eclipse.jgit.storage.file.FileBasedConfig;
@@ -213,6 +216,14 @@ public class GitBlitServer {
 			if (params.port < 1024 && !isWindows()) {
 				logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
 			}
+			if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+				// redirect HTTP requests to HTTPS
+				if (httpConnector instanceof SelectChannelConnector) {
+					((SelectChannelConnector) httpConnector).setConfidentialPort(params.securePort);
+				} else {
+					((SocketConnector) httpConnector).setConfidentialPort(params.securePort);
+				}
+			}
 			connectors.add(httpConnector);
 		}
 
@@ -380,6 +391,24 @@ public class GitBlitServer {
 		// Set the server's contexts
 		server.setHandler(rootContext);
 
+		// redirect HTTP requests to HTTPS
+		if (params.port > 0 && params.securePort > 0 && settings.getBoolean(Keys.server.redirectToHttpsPort, true)) {
+			logger.info(String.format("Configuring automatic http(%1$s) -> https(%2$s) redirects", params.port, params.securePort));
+			// Create the internal mechanisms to handle secure connections and redirects
+			Constraint constraint = new Constraint();
+			constraint.setDataConstraint(Constraint.DC_CONFIDENTIAL);
+
+			ConstraintMapping cm = new ConstraintMapping();
+			cm.setConstraint(constraint);
+			cm.setPathSpec("/*");
+
+			ConstraintSecurityHandler sh = new ConstraintSecurityHandler();
+			sh.setConstraintMappings(new ConstraintMapping[] { cm });
+
+			// Configure this context to use the Security Handler defined before
+			rootContext.setHandler(sh);
+		}
+
 		// Setup the GitBlit context
 		GitBlit gitblit = getGitBlitInstance();
 		gitblit.configureContext(settings, baseFolder, true);

src/site/setup_go.mkd

@@ -5,8 +5,7 @@
 2. The server itself is configured through a simple text file.
 Open `data/gitblit.properties` in your favorite text editor and make sure to review and set:
     - *server.httpPort* and *server.httpsPort*
-    - *server.httpBindInterface* and *server.httpsBindInterface*  
-	- *server.storePassword*
+    - *server.storePassword*
     **https** is strongly recommended because passwords are insecurely transmitted form your browser/git client using Basic authentication!
     - *git.packedGitLimit* (set larger than the size of your largest repository)
     - *git.streamFileThreshold* (set larger than the size of your largest committed file)