In Ruby/Rack, I'm able to get the scheme of the current request URL from scheme#request
. However, in Go, http.Request.URL.Scheme
returns an empty string:
package main
import (
"fmt"
"log"
"net/http"
)
func main() {
http.HandleFunc("/", handler)
log.Fatal(http.ListenAndServe(":8080", nil))
}
func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "%#v\n", r.URL.Scheme) // Always shows empty string
}
How do I get scheme of the current request URL?
A scheme. The scheme identifies the protocol to be used to access the resource on the Internet. It can be HTTP (without SSL) or HTTPS (with SSL). A host. The host name identifies the host that holds the resource.
Url. AbsoluteUri is returning "http://www.somesite.com/default.aspx" , when the Url in the client's browser looks like "http://www.somesite.com/". This small diffrence is causing a redirect loop.
An HTTP request is made by a client, to a named host, which is located on a server. The aim of the request is to access a resource on the server. To make the request, the client uses components of a URL (Uniform Resource Locator), which includes the information needed to access the resource.
To serve HTTP and HTTPS you will need to call both serve functions http.ListenAndServe()
and http.ListenAndServeTLS()
with the same handler
because if you are using only 1 of them like the example of the question then you are only listing on 1 protocol http.ListenAndServe()
for http, and http.ListenAndServeTLS()
for HTTPS, if you will try to contact the server with a different protocol it will not go through,
and because HTTPS is HTTP over TLS the *http.Request
has a TLS
property that will give you back a *tls.ConnectionState
with info about the TLS that was used on this request, then if you want to know how the client contact the server you can check on the request TLS
property,
if the request were made with HTTPS it would not be nil,
if the request was made with HTTP then the TLS
property will be nil
,
because the only way that a request was made with TLS is with the HTTPS protocol
func handler(w http.ResponseWriter, r *http.Request) {
if r.TLS == nil {
// the scheme was HTTP
} else {
// the scheme was HTTPS
}
}
func main() {
http.HandleFunc("/", handler)
go func(){
log.Fatal(http.ListenAndServeTLS(":8443","localhost.crt", "localhost.key", nil))
}()
log.Fatal(http.ListenAndServe(":8080", nil))
}
A quick grep
shows that r.URL.Scheme
is never set to anything other than the empty string anywhere in net/http
. Personally I think it should be, as far as possible, but apparently I have a minority opinion.
If you opened a TLS listener yourself with http.ListenAndServeTLS()
then presumably you know the scheme is https already. You can use a trivial middleware handler that fills in r.URL.Scheme
in this case.
func AlwaysHTTPS(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
r.URL.Scheme = "https"
next.ServeHTTP(w, r)
})
}
If you're running behind a web server, then it may pass the request protocol in a header such as X-Forwarded-Proto
. In this case, you can use a handler like gorilla's handlers.ProxyHeaders() to fill in the missing fields.
An example using gorilla mux:
package main
import (
"log"
"net/http"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
)
func main() {
r := mux.NewRouter()
r.Use(handlers.ProxyHeaders)
http.Handle("/", r)
log.Fatal(http.ListenAndServe("[::]:8009", nil))
}
From its comments:
ProxyHeaders inspects common reverse proxy headers and sets the corresponding fields in the HTTP request struct. These are X-Forwarded-For and X-Real-IP for the remote (client) IP address, X-Forwarded-Proto or X-Forwarded-Scheme for the scheme (http|https) and the RFC7239 Forwarded header, which may include both client IPs and schemes.
NOTE: This middleware should only be used when behind a reverse proxy like nginx, HAProxy or Apache. Reverse proxies that don't (or are configured not to) strip these headers from client requests, or where these headers are accepted "as is" from a remote client (e.g. when Go is not behind a proxy), can manifest as a vulnerability if your application uses these headers for validating the 'trustworthiness' of a request.
Since you use ListenAndServe
and not ListenAndServeTLS
, your scheme can be safely assumed as http. If you use both tls and non tls versions, you can use r.TLS
and check it for null to know whether TLS was established. If your go app is running behind a reverse proxy, then you have to check the documentation on the web server which is forwarding the requests to your app, to learn how to configure it to pass this information as headers. Here's a link describing nginx configuration which accomplishes that. You can easily find configuration guides for other webservers as well.
Better yet, configure HSTS on your main web server, so that you don't have to worry about insecure connections altogether. There are very few, if any, legitimate uses to non-TLS http. For nginx you can find this article useful. And again for other web servers you will easily find configuration guides.
If you're unsure if your site/application needs https I recommend reading this.
localhost is a special case for URL
formation. It is going to be empty anyway if your client is localhost.
net.http package doc:
As a special case, if req.URL.Host is "localhost" (with or without a port number), then a nil URL and nil error will be returned.
The way to get required url/uri information is to get it from http.Request
directly. For example:
func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "%s\n", r.Host)
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With