How do I enforce SSL for my bluemix application?

Question

How do I enforce SSL for my bluemix application?

I notice that when I start my application, I can access it either using http:// or https:// for SSL. However, I want to ensure my users only use https... is there a way always redirect to https please?

node.js
ssl
bluemix

Answer 1

You can do this but it depends on your programming language. I will post an example in Node.JS below. Basically what you need to do is check "x-forwarded-proto" header and if it is http, redirect to your application over https.

var middleware = module.exports,
    url = require("url");

var HTTP = "http:",
    HTTPS = "https:";

middleware.transportSecurity = function () {

    var applicationURL = "https://myapp.bluemix.net/"
        scheme = url.parse(applicationURL).protocol;

    function securityEnabled () {
        if (scheme !== HTTP && scheme !== HTTPS) {
            throw new Error(
                "The application URL scheme must be 'http' or 'https'."
            );
        }
        return scheme === HTTPS;
    }

    function redirectURL (request) {
        return url.resolve(applicationURL, request.originalUrl);
    }

    return function (request, response, next) {
        if (securityEnabled() && !request.secure) {
            response.redirect(301, redirectURL(request));
        }
        else {
            next();
        }
    };

};

app.js

...
middleware = require("./middleware"),

app.use(middleware.transportSecurity());
...

Let me know what programming language you are using and I can post an example for that as well.

Answer 2

Inspired by jssloyer's blog post on the topic (which he summarized in his answer above), I wrote my own post called Redirecting HTTP to HTTPS with Node.js & Express on IBM Bluemix where I provide a slightly different approach. Using Express, I turn on trust proxy and then let the Express framework do the analysis of the x-forwarded-proto header.

I also have a working and deployable sample on GitHub.

Answer 3

I was too having similar doubt for my app,I used below code which was working fine for SSL implementation:

function sslneed(req, res, next) {
if (req.headers && req.headers.$wssc === "80") {
return res.redirect('https://' + req.get('host') + req.url);
}
next();
}
app.use(sslneed);

you need to look at $WSSC specifically.

Answer 4

The Bluemix proxy server terminates the SSL and so all traffic will look like HTTP to your app. However, the proxy also adds a special HTTP header named $WSSC with a value of either http or https. Simply check this header and, if the value is set to http, then redirect to the https version of your page.

I believe the Liberty Profile implementation request.getScheme() is written to check this same header and so Ram's answer is probably the preferred way to do in on Liberty.

UPDATE: The X-Forwarded-Proto header is now set as well.

See https://developer.ibm.com/answers/questions/8617/how-to-tell-if-my-application-was-requested-using-ssl/?community=bluemix for more detail.