[#1889]

Introduce SSL plugin for managing HTTPS settings and fix https redirect bypass when a client was whitelisted
2026-05-24 09:28:37 +00:00 · 2025-01-13 12:14:32 +01:00 · 2025-01-13 12:14:32 +01:00 · d61c10e8e0
commit d61c10e8e0
parent 5749947b62
6 changed files with 72 additions and 43 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,8 +2,10 @@

 ## v1.6.0-rc2 - ????/??/??

+- [BUGFIX] Whitelisting a client no longer bypasses https redirect settings as the `ssl` plugin is now executed before the `whitelist` plugin
 - [UI] Fixed condition when validating the setup wizard form when a custom certificate is used
 - [FEATURE] Add extra validation of certificates in `customcert` plugin
+- [FEATURE] Introduce new `SSL` plugin to manage SSL/TLS settings without tweaking the `misc` plugin
 - [DEPS] Updated libmaxminddb version to v1.12.2

 ## v1.6.0-rc1 - 2025/01/10
--- a/src/common/core/misc/misc.lua
+++ b/src/common/core/misc/misc.lua
@ -7,7 +7,6 @@ local misc = class("misc", plugin)
 local ngx = ngx
 local HTTP_NOT_ALLOWED = ngx.HTTP_NOT_ALLOWED
 local HTTP_BAD_REQUEST = ngx.HTTP_BAD_REQUEST
-local HTTP_MOVED_PERMANENTLY = ngx.HTTP_MOVED_PERMANENTLY
 local get_security_mode = utils.get_security_mode
 local regex_match = utils.regex_match

@ -17,21 +16,6 @@ function misc:initialize(ctx)
 end

 function misc:access()
-	-- Check if we need to redirect to HTTPS
-	if
-		self.ctx.bw.scheme == "http"
-		and (
-			(self.ctx.bw.https_configured == "yes" and self.variables["AUTO_REDIRECT_HTTP_TO_HTTPS"] == "yes")
-			or self.variables["REDIRECT_HTTP_TO_HTTPS"] == "yes"
-		)
-	then
-		return self:ret(
-			true,
-			"redirect to HTTPS",
-			HTTP_MOVED_PERMANENTLY,
-			"https://" .. self.ctx.bw.http_host .. self.ctx.bw.request_uri
-		)
-	end
 	-- Check if method is valid
 	local method = self.ctx.bw.request_method
 	if not method or not regex_match(method, "^[A-Z]+$") then
--- a/src/common/core/misc/plugin.json
+++ b/src/common/core/misc/plugin.json
@ -23,24 +23,6 @@
      "regex": "^(yes|no)$",
      "type": "check"
    },
-    "REDIRECT_HTTP_TO_HTTPS": {
-      "context": "multisite",
-      "default": "no",
-      "help": "Redirect all HTTP request to HTTPS.",
-      "id": "redirect-http-to-https",
-      "label": "Redirect HTTP to HTTPS",
-      "regex": "^(yes|no)$",
-      "type": "check"
-    },
-    "AUTO_REDIRECT_HTTP_TO_HTTPS": {
-      "context": "multisite",
-      "default": "yes",
-      "help": "Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case.",
-      "id": "auto-redirect-http-to-https",
-      "label": "Auto redirect HTTP to HTTPS",
-      "regex": "^(yes|no)$",
-      "type": "check"
-    },
    "ALLOWED_METHODS": {
      "context": "multisite",
      "default": "GET|POST|HEAD",
@ -77,15 +59,6 @@
      "regex": "^(/[\\w. \\-]+)*/?$",
      "type": "text"
    },
-    "SSL_PROTOCOLS": {
-      "context": "multisite",
-      "default": "TLSv1.2 TLSv1.3",
-      "help": "The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons.",
-      "id": "https-protocols",
-      "label": "HTTPS protocols",
-      "regex": "^(?! )( ?TLSv1\\.[0-3])*$",
-      "type": "text"
-    },
    "HTTP2": {
      "context": "multisite",
      "default": "yes",
--- a/src/common/core/order.json
+++ b/src/common/core/order.json
@ -33,6 +33,7 @@
    "selfsigned"
  ],
  "access": [
+    "ssl",
    "whitelist",
    "letsencrypt",
    "blacklist",
--- a/src/common/core/ssl/plugin.json
+++ b/src/common/core/ssl/plugin.json
@ -0,0 +1,36 @@
+{
+  "id": "ssl",
+  "name": "SSL",
+  "description": "Handle SSL/TLS related settings.",
+  "version": "1.0",
+  "stream": "yes",
+  "settings": {
+    "REDIRECT_HTTP_TO_HTTPS": {
+      "context": "multisite",
+      "default": "no",
+      "help": "Redirect all HTTP request to HTTPS.",
+      "id": "redirect-http-to-https",
+      "label": "Redirect HTTP to HTTPS",
+      "regex": "^(yes|no)$",
+      "type": "check"
+    },
+    "AUTO_REDIRECT_HTTP_TO_HTTPS": {
+      "context": "multisite",
+      "default": "yes",
+      "help": "Try to detect if HTTPS is used and activate HTTP to HTTPS redirection if that's the case.",
+      "id": "auto-redirect-http-to-https",
+      "label": "Auto redirect HTTP to HTTPS",
+      "regex": "^(yes|no)$",
+      "type": "check"
+    },
+    "SSL_PROTOCOLS": {
+      "context": "multisite",
+      "default": "TLSv1.2 TLSv1.3",
+      "help": "The supported version of TLS. We recommend the default value TLSv1.2 TLSv1.3 for compatibility reasons.",
+      "id": "https-protocols",
+      "label": "HTTPS protocols",
+      "regex": "^(?! )( ?TLSv1\\.[0-3])*$",
+      "type": "text"
+    }
+  }
+}
--- a/src/common/core/ssl/ssl.lua
+++ b/src/common/core/ssl/ssl.lua
@ -0,0 +1,33 @@
+local class = require "middleclass"
+local plugin = require "bunkerweb.plugin"
+
+local ssl = class("ssl", plugin)
+
+local ngx = ngx
+local HTTP_MOVED_PERMANENTLY = ngx.HTTP_MOVED_PERMANENTLY
+
+function ssl:initialize(ctx)
+	-- Call parent initialize
+	plugin.initialize(self, "ssl", ctx)
+end
+
+function ssl:access()
+	-- Check if we need to redirect to HTTPS
+	if
+		self.ctx.bw.scheme == "http"
+		and (
+			(self.ctx.bw.https_configured == "yes" and self.variables["AUTO_REDIRECT_HTTP_TO_HTTPS"] == "yes")
+			or self.variables["REDIRECT_HTTP_TO_HTTPS"] == "yes"
+		)
+	then
+		return self:ret(
+			true,
+			"redirect to HTTPS",
+			HTTP_MOVED_PERMANENTLY,
+			"https://" .. self.ctx.bw.http_host .. self.ctx.bw.request_uri
+		)
+	end
+	return self:ret(true, "no redirect to HTTPS needed")
+end
+
+return ssl