Enforce HTTPS in Bluemix

Cloud services like Bluemix and Heroku provide a really convenient way of deploying webapps without burdening users with the worry of managing their own servers and infrastructure.

Though it isn't the best use for these services, one may find themselves deploying a static website on Bluemix, or using the static buildpack as a proxy to some service.

Bluemix provides HTTP and HTTPS endpoints to all created applications. Sometimes you only want users to use https because you need them to authenticate, or simply because the man is watching. :-) Either way, here's a sample nginx config that you can throw into the root folder of your static application:

        worker_processes 1;
        daemon off;

        error_log <%= ENV["APP_ROOT"] %>/nginx/logs/error.log;
        events { worker_connections 1024; }

        http {
          log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
          access_log <%= ENV["APP_ROOT"] %>/nginx/logs/access.log cloudfoundry;
          default_type application/octet-stream;
          include mime.types;
          sendfile on;

          gzip on;
          gzip_disable "msie6";
          gzip_comp_level 6;
          gzip_min_length 1100;
          gzip_buffers 16 8k;
          gzip_proxied any;
          gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/xml+rss;

          tcp_nopush on;
          keepalive_timeout 30;
          port_in_redirect off; # Ensure that redirects don't include the internal container PORT - <%= ENV["PORT"] %>
          server_tokens off;

          server {
            listen <%= ENV["PORT"] %>;
            server_name localhost;

            # TLS ends at the platform router, which reports the original scheme
            # in X-Forwarded-Proto. Redirect anything that arrived over plain HTTP.
            if ($http_x_forwarded_proto = "http") {
              return 301 https://$host$request_uri;
            }

            # HSTS: ask browsers to use HTTPS for this host for one year.
            add_header Strict-Transport-Security "max-age=31536000;includeSubdomains";

            location / {
              root <%= ENV["APP_ROOT"] %>/public;
              index index.html index.htm Default.htm;

              <% if File.exist?(File.join(ENV["APP_ROOT"], "nginx/conf/.enable_directory_index")) %>
              autoindex on;
              <% end %>

              <% if File.exist?(auth_file = File.join(ENV["APP_ROOT"], "nginx/conf/.htpasswd")) %>
              auth_basic "Restricted";                # For Basic Auth
              auth_basic_user_file <%= auth_file %>;  # For Basic Auth
              <% end %>

              <% if ENV["FORCE_HTTPS"] %>
              if ($http_x_forwarded_proto = http) {
                return 301 https://$host$request_uri;
              }
              <% end %>
            }
          }
        }
    

The major change is a redirect of all HTTP requests to their HTTPS counterparts. The config also sends an HSTS header, which tells your users' browsers to always make HTTPS requests. The rest of the conf file is copied from Cloud Foundry's static buildpack.
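To confirm a deployed app actually behaves this way, here is a small checker, added as an example and not part of the original post or the buildpack. It verifies that a plain-HTTP request gets a 301 to the same host and URI over HTTPS, and that the HTTPS response carries a usable `Strict-Transport-Security` header; the function names are made up for this example and the hostname is whatever route you pass on the command line.

```python
import http.client
import sys
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":  # directive names are case-insensitive
            include_sub = True
    return max_age, include_sub

def check_redirect(status, location, host, request_uri):
    """True if a plain-HTTP request got a 301 to https://<same host><same URI>."""
    target = urlsplit(location or "")
    uri = target.path + ("?" + target.query if target.query else "")
    return (status == 301 and target.scheme == "https"
            and target.hostname == host.lower() and uri == request_uri)

def fetch(scheme, host, request_uri):
    """Send one GET without following redirects; return (status, lower-cased headers)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", request_uri)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit(host, request_uri="/"):
    """Check a live app; return a list of problems (empty list means both checks pass)."""
    problems = []
    status, headers = fetch("http", host, request_uri)
    if not check_redirect(status, headers.get("location"), host, request_uri):
        problems.append(f"HTTP request returned {status}, Location={headers.get('location')!r}")
    _, headers = fetch("https", host, request_uri)
    max_age, _ = parse_hsts(headers.get("strict-transport-security", ""))
    if not max_age:
        problems.append("HTTPS response lacks a Strict-Transport-Security max-age")
    return problems

if __name__ == "__main__":
    # Usage: python check_https.py <your-app-hostname>  (hostname is supplied by you)
    issues = audit(sys.argv[1])
    print("\n".join(issues) or "OK: HTTP redirects to HTTPS and HSTS is set")
    sys.exit(1 if issues else 0)
```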

I hope you find this useful. Happy hacking!