Use a wildcard for redirect domains (#2029)

There's a limit of 50 path_matchers on a url map. Fortunately it supports wildcards :). This properly allows any subdomain to redirect to the https version. It doesn't 100% prevent host-header injection, but it does prevent an attacker from redirecting to an arbitrary host; it's only possible to redirect to another host on the same domain (which we control and does not serve user content). This also changes redirects from 301 -> 302. In testing, my browser cached the redirect, which was somewhat annoying. Given that we may change these, 302 feels more appropriate.
google · Apr 13, 2021 · 25c03b1 · 25c03b1
1 parent c97aecb
commit 25c03b1
Showing 1 changed file with 14 additions and 17 deletions.
diff --git a/terraform/redirect-lb.tf b/terraform/redirect-lb.tf
@@ -38,27 +38,20 @@ resource "google_compute_url_map" "enx-redirect-urlmap-http" {
   provider = google-beta
   project  = var.project
 
-  // path rule for each known redirect domain
-  dynamic "host_rule" {
-    for_each = local.enx_domains
-
-    content {
-      path_matcher = split(".", host_rule.value)[0]
-      hosts        = toset([host_rule.value])
-    }
+  host_rule {
+    hosts        = toset(formatlist("*.%s", local.redirect_root_domains))
+    path_matcher = "enx-http-https-redirect"
   }
 
-  dynamic "path_matcher" {
-    for_each = local.enx_domains
+  path_matcher {
+    name = "enx-http-https-redirect"
 
-    content {
-      name = split(".", path_matcher.value)[0]
+    default_url_redirect {
+      https_redirect = true
+      strip_query    = false
 
-      default_url_redirect {
-        host_redirect  = path_matcher.value
-        https_redirect = true
-        strip_query    = false
-      }
+      // Use a 302 response code in case we ever need to change the redirect.
+      redirect_response_code = "FOUND"
     }
   }
 
@@ -67,6 +60,10 @@ resource "google_compute_url_map" "enx-redirect-urlmap-http" {
     path_redirect  = "/ens"
     strip_query    = false
     https_redirect = true
+
+    // Use a 302 response code. We want to avoid a client caching a domain that
+    // may actually exist in the future.
+    redirect_response_code = "FOUND"
   }
 
   depends_on = [