Http/server: don't respond if not TLS

Hi all,

I’m looking for a way to make a TLS server not respond if the caller didn’t use TLS.

For example, when you try to enter http://google.com:443 it will not respond.

You can test it with:

package main
  
import (
        "net/http"
        "log"
)

func main() {
        http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request){
                w.Write([]byte("test"))
        })
        err := http.ListenAndServeTLS(":443", "cert.pem", "key.key", nil)
        if err != nil {
                log.Println(err)
        }
}

and go to the browser and enter http://localhost:443

BR

The code in the Go library doesn’t support this.
Why do you want to not at least return a 400 HTTP response?

Thank you for the reply.
It’s a fingerprint for a Go web server.

Other websites like google.com, cisco.com, apple.com will not respond to an HTTP request on the HTTPS port, like http://google.com:443.

Some other services will redirect to https like golang.org.

I would like to control this behavior in Go if I can.

Your observation is not quite correct. Compare these two:

❯ curl -v http://golang.org
* Rebuilt URL to: http://golang.org/
*   Trying 172.217.23.17...
* Connected to golang.org (172.217.23.17) port 80 (#0)
> GET / HTTP/1.1
> Host: golang.org
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 06 May 2021 12:45:08 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 42
< Location: https://golang.org/
< Via: 1.1 google
<
<a href="https://golang.org/">Found</a>.

That’s what is expected: An HTTP request is redirected to an HTTPS request. But:

❯ curl -v http://golang.org:443
* Rebuilt URL to: http://golang.org:443/
*   Trying 172.217.23.17...
* Connected to golang.org (172.217.23.17) port 443 (#0)
> GET / HTTP/1.1
> Host: golang.org:443
> User-Agent: curl/7.43.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0

An HTTP request for the HTTPS port 443 is rejected.

I think it is a matter of taste if you prefer this “Connection reset by peer” behaviour or the 400 Bad Request response that the Go standard library implements.

In any case, put an HTTP reverse proxy like NGINX in front of your Go code if you want to have more control over how HTTP requests are handled.
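An added example, not part of the thread and not code from the Go project: one way to get the "no response" behaviour inside Go is to wrap the listener so that a connection whose first byte is not a TLS handshake record (0x16) is closed before crypto/tls or net/http can answer it. `tlsOnlyConn` and `tlsOnlyListener` are hypothetical names; the port and certificate file names are the ones from the question.

```go
package main

import (
	"errors"
	"log"
	"net"
	"net/http"
)

var errNotTLS = errors.New("first byte is not a TLS handshake record")

// tlsOnlyConn (hypothetical helper) checks the first byte the client sends.
// The check runs in the per-connection goroutine, so a silent client cannot stall Accept.
type tlsOnlyConn struct {
	net.Conn
	checked bool
}

func (c *tlsOnlyConn) Read(p []byte) (int, error) {
	n, err := c.Conn.Read(p)
	if !c.checked && n > 0 {
		c.checked = true
		if p[0] != 0x16 { // TLS record content type 22 (handshake) starts every ClientHello
			c.Conn.Close() // drop without writing anything back
			return 0, errNotTLS
		}
	}
	return n, err
}

// tlsOnlyListener (hypothetical helper) wraps each accepted connection in tlsOnlyConn.
type tlsOnlyListener struct{ net.Listener }

func (l tlsOnlyListener) Accept() (net.Conn, error) {
	c, err := l.Listener.Accept()
	if err != nil {
		return nil, err
	}
	return &tlsOnlyConn{Conn: c}, nil
}

func main() {
	ln, err := net.Listen("tcp", ":443")
	if err != nil {
		log.Fatal(err)
	}
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("test")) })
	log.Fatal(http.ServeTLS(tlsOnlyListener{ln}, nil, "cert.pem", "key.key"))
}
```

net/http still logs a TLS handshake error for each dropped connection through the server's ErrorLog. This removes only the plaintext 400 reply as a fingerprint, not other differences in the TLS stack.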

“I think it is a matter of taste” :+1:

:slight_smile:
