Redirecting HTTP requests to HTTPS using route services

Article ID: 297696

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

To make the customer experience as easy as possible, it is desirable to automatically redirect HTTP calls to the corresponding HTTPS endpoint.

This means the customer does not have to specify HTTPS when addressing the URL, yet they get a secure connection without any additional effort or delay.

Environment


Cause

Apps deployed on Pivotal Cloud Foundry (PCF) most often make use of the platform's security features and answer exclusively to secure HTTPS calls.

However, if a customer addresses the application and does not explicitly use the "https://" prefix on the URL, then they may unintentionally send an insecure request, since their browser has the default setting of using HTTP.

This could result in sensitive information being sent unencrypted across the network.

Resolution

The steps involved in using route services to redirect requests to HTTPS are as follows:

You can write a small route service app to test for insecure connections and redirect to the secure endpoint when needed. An example of this app written in Go is available here. Please note this is just an example and should not be used for production.

To deploy this application, first cf push it. Then create a user-provided service instance, which must then be bound to the application needing the redirect service. This can be done with the following three commands.

cf push http-to-https-rs-app
cf create-user-provided-service http-to-https-rs -r http-to-https-rs-app.my-apps.example.com 
cf bind-route-service my-apps.example.com http-to-https-rs --hostname my-secure-app

For more details on the above commands, see the documentation here

The business logic of the redirect example app requires that it test whether the original URL, obtained through the x-cf-forwarded-url header, is secure.

It uses the x-forwarded-proto HTTP header to make this determination. If the protocol is "https", then it passes the request to the gorouter. If not, then it returns the client a 302 redirect with the same URL, but using the secure HTTPS scheme.
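The check described above, written out as an added Go example (this is not the example app the article links to). The function names are hypothetical; X-CF-Forwarded-Url and X-Forwarded-Proto are the headers named in the text. A missing or non-HTTP forwarded URL is rejected rather than turned into a redirect.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// httpsRedirectTarget (hypothetical helper, added example) returns the HTTPS form
// of the X-CF-Forwarded-Url value when the original request was not secure, or ""
// when the request may be passed on unchanged.
func httpsRedirectTarget(forwardedProto, forwardedURL string) (string, error) {
	u, err := url.Parse(forwardedURL)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", errors.New("missing or invalid X-CF-Forwarded-Url")
	}
	if strings.EqualFold(strings.TrimSpace(forwardedProto), "https") {
		return "", nil
	}
	u.Scheme = "https"
	return u.String(), nil
}

func routeService(w http.ResponseWriter, r *http.Request) {
	fwd := r.Header.Get("X-CF-Forwarded-Url")
	target, err := httpsRedirectTarget(r.Header.Get("X-Forwarded-Proto"), fwd)
	switch {
	case err != nil:
		http.Error(w, err.Error(), http.StatusBadRequest)
	case target != "":
		http.Redirect(w, r, target, http.StatusFound) // 302, as the article describes
	default:
		u, _ := url.Parse(fwd) // already validated above
		proxy := &httputil.ReverseProxy{Director: func(out *http.Request) {
			out.URL, out.Host = u, u.Host // end-to-end request headers are passed along
		}}
		proxy.ServeHTTP(w, r)
	}
}

func main() {
	// Cloud Foundry sets PORT for the app container.
	log.Fatal(http.ListenAndServe(":"+os.Getenv("PORT"), http.HandlerFunc(routeService)))
}
```

The decision rests entirely on X-Forwarded-Proto, so it is only as reliable as the component in front of the gorouter that sets that header.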


Additional Information

Using a service broker

Route services are typically provisioned using a service broker. This makes it easier for a developer to utilize the service, since the developer does not need to manually create a user provided service.

The example explained in the Resolution section of this article takes the user-provided service approach. It is less work since it does not require the creation of a service broker and allows you to focus on the route service component.

If you are planning to roll this service out to many developers, then creation of a service broker is recommended. Using a service broker should not change the business logic of the route service app. Refer to this documentation on creating custom service brokers for more information.

Once you have your custom service broker, deploy it to Cloud Foundry. Then a platform operator will need to register the URL of your service broker with the platform. At this point, the broker will be available in the Marketplace and your users will be able to create and bind instances of it to their applications.

For more details on registering the broker, refer to this documentation.
 

Additional Resources

For additional information on route services in PCF, refer to this video tutorial.