Add HSTS to caddy configuration

snowplow · Jan 29, 2024 · 5d531a9 · 5d531a9
1 parent 06c001b
commit 5d531a9
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/provisioning/resources/control-plane/add_hsts_header.go b/provisioning/resources/control-plane/add_hsts_header.go
@@ -0,0 +1,39 @@
+/**
+ * Copyright (c) 2024-present Snowplow Analytics Ltd. All rights reserved.
+ *
+ * This software is made available by Snowplow Analytics, Ltd.,
+ * under the terms of the Snowplow Limited Use License Agreement, Version 1.0
+ * located at https://docs.snowplow.io/limited-use-license-1.0
+ * BY INSTALLING, DOWNLOADING, ACCESSING, USING OR DISTRIBUTING ANY PORTION
+ * OF THE SOFTWARE, YOU AGREE TO THE TERMS OF SUCH LICENSE AGREEMENT.
+ */
+
+package main
+
+import (
+	"io/ioutil"
+  "strings"
+)
+
+func addHstsHeader(configPath string) error {
+  currentConfig, err := ioutil.ReadFile(configPath)
+
+  if err != nil {
+		return err
+	}
+  toReplacePattern :=
+`
+      handle @isHttps {
+        import handleProtectedPaths
+      }
+`
+  replaceWithHsts :=
+`
+      handle @isHttps {
+        import handleProtectedPaths
+        header Strict-Transport-Security max-age=31536000; includeSubDomains
+      }
+`
+  newCaddyConfig := strings.Replace(string(currentConfig), toReplacePattern, replaceWithHsts, 1)
+	return ioutil.WriteFile(configPath, []byte(newCaddyConfig), 0644)
+}
diff --git a/provisioning/resources/control-plane/main.go b/provisioning/resources/control-plane/main.go
@@ -47,6 +47,7 @@ func main() {
 	http.HandleFunc("/version", getSpminiVersion)
 	http.HandleFunc("/telemetry", manageTelemetry)
 	http.HandleFunc("/reset-service", resetService)
+	http.HandleFunc("/add-hsts", addHsts)
 	log.Fatal(http.ListenAndServe(":10000", nil))
 }
 
@@ -131,6 +132,21 @@ func resetService(resp http.ResponseWriter, req *http.Request) {
 	}
 }
 
+func addHsts (resp http.ResponseWriter, req *http.Request) {
+  if req.Method == "PUT" {
+		err := addHstsHeader(config.Dirs.Config+"/"+config.ConfigNames.Caddy)
+		if err != nil {
+			http.Error(resp, err.Error(), 500)
+		} else {
+			resp.WriteHeader(http.StatusOK)
+			io.WriteString(resp, "OK")
+		}
+	} else {
+		// Return 404 for other methods
+		http.Error(resp, "", 404)
+	}
+}
+
 func uploadEnrichments(resp http.ResponseWriter, req *http.Request) {
 	if req.Method == "POST" {
 		// maxMemory bytes of body's file parts are stored in memory,