abilic

Reputation: 81

Force HTTPS on Swisscom CloudFoundry

I'm serving my web app using Gunicorn running in a Docker container. Is there a way I can force it to use HTTPS rather than HTTP?

Dockerfile

FROM ubuntu:latest

RUN apt-get update

RUN apt-get install -y python python-pip git
RUN apt-get install -y nodejs npm
RUN apt-get install -y nginx

RUN ln -s /usr/bin/nodejs /usr/bin/node

RUN pip install gunicorn greenlet gevent

RUN npm install --global bower gulp

COPY /flask/requirements.txt /flask/requirements.txt
COPY /flask/package.json /flask/package.json
COPY /flask/bower.json /flask/bower.json

WORKDIR /flask
RUN pip install -r requirements.txt
RUN npm install
RUN bower install --allow-root

WORKDIR /
COPY /flask /flask
COPY /configurations/production/* /flask/

WORKDIR /flask

RUN gulp build --production

EXPOSE 9000
ENTRYPOINT ["gunicorn", "-c", "gunicorn_config.py", "wsgi:app"]

Upvotes: 2

Views: 290

Answers (1)

Lafunamor

Reputation: 753

In Swisscom's PaaS, HTTPS is terminated on the load balancer. Therefore, you cannot use the trivial way of just redirecting HTTP to HTTPS, as all traffic you see on your app will be HTTP.

What you can do, though, is check for the X-Forwarded-Proto HTTP header and return a redirect to HTTPS when the header states that traffic is served over HTTP.

X-Forwarded-Proto

X-Forwarded-Proto header gives the scheme of the HTTP request from the client. The scheme is HTTP if the client made an insecure request (on port 80) or HTTPS if the client made a secure request (on port 443). Developers can configure their apps to reject insecure requests by inspecting the HTTP headers of incoming traffic and rejecting traffic that includes X-Forwarded-Proto with the scheme of HTTP.

Source: https://docs.developer.swisscom.com/concepts/http-routing.html

Upvotes: 2
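
One way to implement the header check this answer describes, as an added example that is not part of the original answer or of Swisscom's documentation: a standard-library WSGI middleware that can wrap the object Gunicorn loads as `wsgi:app`. The names `ForceHTTPS`, `canonical_host`, `demo_app` and `simulate` are hypothetical, the sample requests are constructed, and the header is only meaningful when the app is reachable solely through the load balancer.

```python
from urllib.parse import quote


class ForceHTTPS:
    """WSGI middleware: redirect when X-Forwarded-Proto says the client used HTTP."""

    def __init__(self, app, canonical_host=None):
        self.app = app
        # Hypothetical option: pin the redirect host so a forged Host header
        # cannot steer the Location value to another site.
        self.canonical_host = canonical_host

    def __call__(self, environ, start_response):
        # WSGI exposes the X-Forwarded-Proto header as HTTP_X_FORWARDED_PROTO.
        # Assumption: if several proxies appended values, the first entry
        # describes the client-facing hop.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if proto.split(",")[0].strip().lower() != "http":
            # "https", or no header at all (a request that bypassed the load
            # balancer, e.g. a local health check): pass through unchanged.
            return self.app(environ, start_response)
        host = self.canonical_host or environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        # PATH_INFO arrives percent-decoded as latin-1 text; re-encode it.
        raw = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
        location = "https://" + host + quote(raw.encode("latin-1"))
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        # 301 for GET/HEAD; 308 keeps the method and body for other verbs.
        safe = environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD")
        status = "301 Moved Permanently" if safe else "308 Permanent Redirect"
        start_response(status, [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Constructed stand-in for the real application object (wsgi:app)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def simulate(app, **environ):
    """Call a WSGI app with a constructed environ; return (status, headers)."""
    seen = {}
    base = {"REQUEST_METHOD": "GET", "SERVER_NAME": "localhost", "PATH_INFO": "/"}
    app({**base, **environ}, lambda s, h: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"]


app = ForceHTTPS(demo_app)  # in the question's layout this would wrap wsgi.app
```

Requests without the header are passed through here so that checks made directly against the container are not redirected; rejecting them instead is a stricter choice if nothing legitimate bypasses the load balancer.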
