Redirect TLS-only endpoints to TLS if you try to use them raw

pimterry · pimterry · commit 9cb7aa9a7917 · 2026-03-16T16:04:04.000+01:00
diff --git a/src/endpoints/tls-index.ts b/src/endpoints/tls-index.ts
@@ -6,6 +6,7 @@ export type { EndpointMeta, EndpointGroup };
 
 export interface TlsEndpoint {
     sniPart: string;
+    plainTextAllowed?: boolean;
     configureCertOptions?(): CertOptions;
     configureTlsOptions?(tlsOptions: tls.SecureContextOptions): tls.SecureContextOptions;
     configureAlpnPreferences?(preferences: string[]): string[];
diff --git a/src/endpoints/tls/example.ts b/src/endpoints/tls/example.ts
@@ -2,6 +2,7 @@ import { TlsEndpoint } from '../tls-index.js';
 
 export const example: TlsEndpoint = {
     sniPart: 'example',
+    plainTextAllowed: true,
     meta: {
         path: 'example',
         description: 'An example subdomain that serves an exact copy of the classic example.com page as the root page (instead of these docs).',
diff --git a/src/endpoints/tls/no-tls.ts b/src/endpoints/tls/no-tls.ts
@@ -2,6 +2,7 @@ import { TlsEndpoint } from '../tls-index.js';
 
 export const noTls: TlsEndpoint = {
     sniPart: 'no-tls',
+    plainTextAllowed: true,
     configureTlsOptions() {
         throw new Error('Intentionally rejecting TLS connection');
     },
diff --git a/src/http-handler.ts b/src/http-handler.ts
@@ -3,7 +3,7 @@ import * as http from 'http';
 import * as http2 from 'http2';
 import { MaybePromise, StatusError } from '@httptoolkit/util';
 
-import { httpEndpoints } from './endpoints/endpoint-index.js';
+import { httpEndpoints, tlsEndpoints } from './endpoints/endpoint-index.js';
 import { HttpRequest, HttpResponse } from './endpoints/http-index.js';
 import { handleWebSocketUpgrade } from './ws-handler.js';
 import { resolveEndpointChain } from './endpoint-chain.js';
@@ -93,6 +93,31 @@ function createHttpRequestHandler(options: {
             ? url.hostname.slice(0, -options.rootDomain.length - 1)
             : undefined;
 
+        // If this is a plain HTTP request to a TLS-configuring subdomain, redirect it with
+        // a clear message — the TLS settings would be silently ignored over plain HTTP.
+        if (protocol === 'http' && hostnamePrefix) {
+            const prefixParts = hostnamePrefix.includes('--')
+                ? hostnamePrefix.split('--')
+                : hostnamePrefix.split('.');
+
+            const tlsOnlyParts = prefixParts.filter(part => {
+                const endpoint = tlsEndpoints.find(e => e.sniPart === part);
+                return endpoint && !endpoint.plainTextAllowed;
+            });
+
+            if (tlsOnlyParts.length > 0) {
+                const httpsUrl = url.href.replace(/^http:/, 'https:');
+                res.writeHead(301, {
+                    'location': httpsUrl,
+                    'content-type': 'text/plain'
+                });
+                res.end(
+                    `This endpoint requires HTTPS. Redirecting to ${httpsUrl}`
+                );
+                return;
+            }
+        }
+
         // Serve docs at root path for all prefixes except 'example' which has its own root handler
         const endpointPrefixes = ['example'];
         const isEndpointPrefix = hostnamePrefix && endpointPrefixes.includes(hostnamePrefix);
diff --git a/test/root-page.spec.ts b/test/root-page.spec.ts
@@ -32,8 +32,8 @@ describe("Root page endpoint", () => {
         expect(body).to.include('TLS Endpoints');
     });
 
-    it("returns documentation page for prefixed hostnames too", async () => {
-        const address = `http://http1.localhost:${serverPort}/`;
+    it("returns documentation page for prefixed hostnames", async () => {
+        const address = `http://no-tls.localhost:${serverPort}/`;
         const response = await fetch(address);
 
         expect(response.status).to.equal(200);
diff --git a/test/tls-required.spec.ts b/test/tls-required.spec.ts
@@ -0,0 +1,107 @@
+import * as net from 'net';
+import { expect } from 'chai';
+import { DestroyableServer, makeDestroyable } from 'destroyable-server';
+
+import { createServer } from '../src/server.js';
+
+describe("TLS-required endpoints over plain HTTP", () => {
+
+    let server: DestroyableServer;
+    let serverPort: number;
+
+    beforeEach(async () => {
+        server = makeDestroyable(await createServer());
+        await new Promise<void>((resolve) => server.listen(resolve));
+        serverPort = (server.address() as net.AddressInfo).port;
+    });
+
+    afterEach(async () => {
+        await server.destroy();
+    });
+
+    describe("redirects plain HTTP to HTTPS for TLS-configuring subdomains", () => {
+
+        for (const subdomain of [
+            'tls-v1-0',
+            'tls-v1-1',
+            'tls-v1-2',
+            'tls-v1-3',
+            'expired',
+            'revoked',
+            'self-signed',
+            'untrusted-root',
+            'wrong-host',
+            'http2',
+            'http1'
+        ]) {
+            it(`redirects http://${subdomain}.* to HTTPS`, async () => {
+                const response = await fetch(
+                    `http://${subdomain}.localhost:${serverPort}/status/200`,
+                    { redirect: 'manual' }
+                );
+
+                expect(response.status).to.equal(301);
+                expect(response.headers.get('location')).to.equal(
+                    `https://${subdomain}.localhost:${serverPort}/status/200`
+                );
+
+                const body = await response.text();
+                expect(body).to.include('requires HTTPS');
+            });
+        }
+
+    });
+
+    it("redirects combined TLS subdomains to HTTPS", async () => {
+        const response = await fetch(
+            `http://tls-v1-2--expired.localhost:${serverPort}/status/200`,
+            { redirect: 'manual' }
+        );
+
+        expect(response.status).to.equal(301);
+        expect(response.headers.get('location')).to.equal(
+            `https://tls-v1-2--expired.localhost:${serverPort}/status/200`
+        );
+    });
+
+    it("preserves the full path and query in the redirect", async () => {
+        const response = await fetch(
+            `http://tls-v1-2.localhost:${serverPort}/anything?foo=bar`,
+            { redirect: 'manual' }
+        );
+
+        expect(response.status).to.equal(301);
+        expect(response.headers.get('location')).to.equal(
+            `https://tls-v1-2.localhost:${serverPort}/anything?foo=bar`
+        );
+    });
+
+    describe("allows plain HTTP for plainTextAllowed subdomains", () => {
+
+        it("allows http://example.* requests", async () => {
+            const response = await fetch(
+                `http://example.localhost:${serverPort}/`
+            );
+
+            expect(response.status).to.equal(200);
+        });
+
+        it("allows http://no-tls.* requests", async () => {
+            const response = await fetch(
+                `http://no-tls.localhost:${serverPort}/status/200`
+            );
+
+            expect(response.status).to.equal(200);
+        });
+
+    });
+
+    it("allows plain HTTP for requests with no subdomain", async () => {
+        const response = await fetch(
+            `http://localhost:${serverPort}/status/200`
+        );
+
+        expect(response.status).to.equal(200);
+    });
+
+});
