Merge pull request #3524 from evazion/feat-hsts

Fix #3522: Enable HSTS

app/controllers/application_controller.rb

@@ -11,7 +11,6 @@ class ApplicationController < ActionController::Base
   before_action :set_safe_mode
   # before_action :secure_cookies_check
   layout "default"
-  force_ssl :if => :ssl_login?
   helper_method :show_moderation_notice?
   before_action :enable_cors
 
@@ -32,10 +31,6 @@ class ApplicationController < ActionController::Base
     CurrentUser.can_approve_posts? && (cookies[:moderated].blank? || Time.at(cookies[:moderated].to_i) < 20.hours.ago)
   end
 
-  def ssl_login?
-    cookies[:ssl_login].present?
-  end
-
   def enable_cors
     response.headers["Access-Control-Allow-Origin"] = "*"
   end

app/controllers/user_upgrades_controller.rb

@@ -1,7 +1,6 @@
 class UserUpgradesController < ApplicationController
   before_action :member_only, :only => [:new, :show]
   helper_method :user
-  force_ssl :if => :ssl_enabled?
   skip_before_action :verify_authenticity_token, only: [:create]
 
   def create
@@ -57,8 +56,4 @@ class UserUpgradesController < ApplicationController
 
     redirect_to user_upgrade_path
   end
-
-  def ssl_enabled?
-    !Rails.env.development? && !Rails.env.test?
-  end
 end

app/controllers/users_controller.rb

@@ -71,12 +71,6 @@ class UsersController < ApplicationController
     respond_with(@user, location: edit_user_path(@user))
   end
 
-  def cache
-    @user = User.find(params[:id])
-    @user.update_cache
-    render plain: ""
-  end
-
   private
 
   def check_privilege(user)

app/logical/session_creator.rb

@@ -28,14 +28,6 @@ class SessionCreator
         }
       end
 
-      if secure
-        cookies.permanent[:ssl_login] = {
-          :value => "1",
-          :secure => true,
-          :httponly => true
-        }
-      end
-
       session[:user_id] = user.id
       user.update_column(:last_ip_addr, ip_addr)
       return true

app/models/user.rb

@@ -191,7 +191,7 @@ class User < ApplicationRecord
     def update_remote_cache
       if saved_change_to_name?
         Danbooru.config.other_server_hosts.each do |server|
-          HTTParty.delete("http://#{server}/users/#{id}/cache", Danbooru.config.httparty_options)
+          delay(queue: server).update_cache
         end
       end
     rescue Exception

app/presenters/post_presenter.rb

@@ -168,7 +168,7 @@ class PostPresenter < Presenter
 
   def safe_mode_message(template)
     html = ["This image is unavailable on safe mode (#{Danbooru.config.app_name}). Go to "]
-    html << template.link_to("Danbooru", "http://danbooru.donmai.us")
+    html << template.link_to("Danbooru", "http://danbooru.donmai.us") # XXX don't hardcode.
     html << " or disable safe mode to view ("
     html << template.link_to("learn more", template.wiki_pages_path(title: "help:user_settings"))
     html << ")."

app/views/layouts/default.html.erb

@@ -48,9 +48,9 @@
         "@context" : "http://schema.org",
         "@type" : "Organization",
         "name" : "<%= Danbooru.config.app_name %>",
-        "url" : "http://<%= Danbooru.config.hostname%>",
+        "url" : "<%= root_url %>",
         "sameAs" : [
-          "http://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>"
+          "https://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>"
         ]
       }
     </script>
@@ -59,10 +59,10 @@
   {
     "@context": "http://schema.org",
     "@type": "WebSite",
-    "url" : "http://<%= Danbooru.config.hostname %>",
+    "url" : "<%= root_url %>",
     "potentialAction": [{
       "@type": "SearchAction",
-      "target": "http://<%= Danbooru.config.hostname %>/posts?tags={search_term_string}",
+      "target": "<%= posts_url %>?tags={search_term_string}",
       "query-input": "required name=search_term_string"
     }]
   }
@@ -73,7 +73,7 @@
     "@type": "WebSite",
     "name": "<%= Danbooru.config.app_name %>",
     "alternateName": "<%= Danbooru.config.description %>",
-    "url" : "http://<%= Danbooru.config.hostname %>"
+    "url" : "<%= root_url %>"
   }
   </script>
 </head>

app/views/legacy/create_post.xml.erb

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" ?>
 <response>
   <post-id>0</post-id>
-  <location>http://<%= Danbooru.config.hostname %>/uploads/<%= @upload.id %></location>
+  <location><%= upload_url(@upload) %></location>
 </response>

app/views/static/mrtg.html.erb

@@ -2,37 +2,37 @@
 
 <h3>5 min</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_27-day.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_27-day.png">
 
 <h3>30 min</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_27-week.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_27-week.png">
 
 <h3>2 hour</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_27-month.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_27-month.png">
 
 <h3>1 day</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_27-year.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_27-year.png">
 
 <h1>hijiribe</h1>
 
 <h3>5 min</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_29-day.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_29-day.png">
 
 <h3>30 min</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_29-week.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_29-week.png">
 
 <h3>2 hour</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_29-month.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_29-month.png">
 
 <h3>1 day</h3>
 
-<img src="http://mrtg.vinax.net/switch3/switch3_29-year.png">
+<img src="https://mrtg.vinax.net/switch3/switch3_29-year.png">
 
 <% content_for(:page_title) do %>
   MRTG - <%= Danbooru.config.app_name %>

app/views/users/edit.html.erb

@@ -93,7 +93,7 @@
 
         <%= f.input :disable_responsive_mode, :as => :select, :collection => [["No", "false"], ["Yes", "true"]], :include_blank => false, :hint => "Disable alternative layout for mobile and tablet" %>
 
-        <%= f.input :custom_style, :label => "Custom <a href='http://en.wikipedia.org/wiki/Cascading_Style_Sheets'>CSS</a> style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %>
+        <%= f.input :custom_style, :label => "Custom <a href='https://en.wikipedia.org/wiki/Cascading_Style_Sheets'>CSS</a> style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %>
       </fieldset>
 
       <%= f.button :submit, "Submit" %>

config/application.rb

@@ -6,11 +6,13 @@ if defined?(Bundler)
 end
 Bundler.require(*Rails.groups)
 
+require_relative "danbooru_default_config"
+require_relative "danbooru_local_config"
+
 module Danbooru
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
     config.load_defaults 5.1
-    
     config.active_record.schema_format = :sql
     config.encoding = "utf-8"
     config.filter_parameters += [:password]
@@ -24,6 +26,17 @@ module Danbooru
     config.action_mailer.perform_deliveries = true
     config.log_tags = [lambda {|req| "PID:#{Process.pid}"}]
     config.action_controller.action_on_unpermitted_parameters = :raise
+    config.force_ssl = true
+
+    if Rails.env.production? && Danbooru.config.ssl_options.present?
+      config.ssl_options = Danbooru.config.ssl_options
+    else
+      config.ssl_options = {
+        hsts: false,
+        secure_cookies: false,
+        redirect: { exclude: ->(request) { true } }
+      }
+    end
 
     if File.exists?("#{config.root}/REVISION")
       config.x.git_hash = File.read("#{config.root}/REVISION").strip

config/danbooru_default_config.rb

@@ -198,6 +198,26 @@ module Danbooru
       1.week.ago
     end
 
+    # Permanently redirect all HTTP requests to HTTPS.
+    #
+    # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+    # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html
+    def ssl_options
+      {
+        redirect: { exclude: ->(request) { request.subdomain == "insecure" } },
+        hsts: {
+          expires: 1.year,
+          preload: true,
+          subdomains: false,
+        },
+      }
+    end
+
+    # Disable the forced use of HTTPS.
+    # def ssl_options
+    #   false
+    # end
+
     # The name of the server the app is hosted on.
     def server_host
       Socket.gethostname
@@ -772,4 +792,10 @@ module Danbooru
       end
     end
   end
+
+  def config
+    @configuration ||= EnvironmentConfiguration.new
+  end
+
+  module_function :config
 end

config/initializers/danbooru_config.rb

@@ -1,10 +0,0 @@
-require "#{Rails.root}/config/danbooru_default_config"
-require "#{Rails.root}/config/danbooru_local_config"
-
-module Danbooru
-  def config
-    @configuration ||= EnvironmentConfiguration.new
-  end
-
-  module_function :config
-end

config/routes.rb

@@ -291,10 +291,6 @@ Rails.application.routes.draw do
       get :search
       get :custom_style
     end
-
-    member do
-      delete :cache
-    end
   end
   resource :user_upgrade, :only => [:new, :create, :show]
   resources :user_feedbacks do

script/install/nginx.danbooru.conf

@@ -71,7 +71,7 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_redirect off;
     proxy_set_header Host $host:$server_port;
-    proxy_set_header X-Forwarded-Proto http;
+    proxy_set_header X-Forwarded-Proto $scheme;
   }
 
   location / {