make HTTP->S redirects use same host only for HSTS

1 files changed, 24 insertions, 4 deletions

diff --git a/internal/server/tls.go b/internal/server/tls.go
index 6b64a79..ebf76a2 100644
--- a/internal/server/tls.go
+++ b/internal/server/tls.go
@@ -97,12 +97,32 @@ func (s *Server) serveTLS() (err error) {
 		return errors.Wrap(err, "could not bind plain socket")
 	}
 
-	go func(ln net.Listener) {
-		s.redirectServer.Handler = issuer.HTTPChallengeHandler(s.redirectServer.Handler)
-		if err := s.redirectServer.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
+	go func(ln net.Listener, srv *http.Server) {
+		httpMux := http.NewServeMux()
+		httpMux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			if certmagic.LooksLikeHTTPChallenge(r) && issuer.HandleHTTPChallenge(w, r) {
+				return
+			}
+			url := r.URL
+			url.Scheme = "https"
+			host, _, err := net.SplitHostPort(r.Host)
+			if err != nil {
+				log.Warn("error splitting host and port", "error", err)
+				host = s.config.BaseURL.Hostname()
+			}
+			url.Host = net.JoinHostPort(host, s.config.BaseURL.Port())
+			http.Redirect(w, r, url.String(), http.StatusMovedPermanently)
+		})
+
+		if err := srv.Serve(ln); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			log.Error("error in http handler", "error", err)
 		}
-	}(ln)
+	}(ln, &http.Server{
+		ReadHeaderTimeout: s.ReadHeaderTimeout,
+		ReadTimeout:       s.ReadTimeout,
+		WriteTimeout:      s.WriteTimeout,
+		IdleTimeout:       s.IdleTimeout,
+	})
 
 	log.Debug(
 		"starting certmagic",