Add support for redirecting to 'primary' domain

csmith · csmith · commit d66c24da4b3c · 2025-09-21T10:13:41.000+01:00
If a route has multiple domains, adding the 'redirect-to-primary' directive will redirect any requests to the later domains to the first listed one. This allows you to force users onto a canonical domain, without the upstream being aware of aliases. Closes #205
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 ## Unreleased
 
+## 2.2.0 - 2025-09-21
+
+### New features
+
+- Routes with multiple domains can now have a `redirect-to-primary` directive,
+  which will redirect all requests to the primary (first listed) domain.
+  ([issue #205](https://github.com/csmith/centauri/issues/205))
+
 ## 2.1.1 - 2025-09-17
 
 ### New features
diff --git a/cmd/centauri/frontend.go b/cmd/centauri/frontend.go
@@ -38,23 +38,25 @@ type frontendContext struct {
 
 // createProxy creates a reverse proxy backed by the context's rewriter.
 func (fc *frontendContext) createProxy() http.Handler {
-	return &httputil.ReverseProxy{
-		Rewrite:        fc.rewriter.RewriteRequest,
-		ModifyResponse: fc.recorder.TrackResponse(fc.rewriter.RewriteResponse),
-		ErrorHandler:   fc.recorder.TrackBadGateway(fc.rewriter.RewriteError(handleError)),
-		BufferPool:     newBufferPool(),
-		Transport: &http.Transport{
-			ForceAttemptHTTP2:   false,
-			DisableCompression:  true,
-			MaxIdleConnsPerHost: 100,
-			IdleConnTimeout:     90 * time.Second,
-		},
-	}
+	return proxy.NewDomainRedirector(
+		fc.manager,
+		&httputil.ReverseProxy{
+			Rewrite:        fc.rewriter.RewriteRequest,
+			ModifyResponse: fc.recorder.TrackResponse(fc.rewriter.RewriteResponse),
+			ErrorHandler:   fc.recorder.TrackBadGateway(fc.rewriter.RewriteError(handleError)),
+			BufferPool:     newBufferPool(),
+			Transport: &http.Transport{
+				ForceAttemptHTTP2:   false,
+				DisableCompression:  true,
+				MaxIdleConnsPerHost: 100,
+				IdleConnTimeout:     90 * time.Second,
+			},
+		})
 }
 
 // createRedirector creates a http.Handler that redirects all requests to HTTPS.
 func (fc *frontendContext) createRedirector() http.Handler {
-	return &proxy.Redirector{}
+	return &proxy.HttpRedirector{}
 }
 
 // createTLSConfig creates a new tls.Config following the Mozilla intermediate configuration, and using
diff --git a/cmd/centauri/main_test.go b/cmd/centauri/main_test.go
@@ -408,6 +408,9 @@ func Test_Run_ObtainsCertificatesUsingAcme(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, http.StatusOK, res.StatusCode)
 		assert.True(t, strings.Contains(res.TLS.PeerCertificates[0].Issuer.CommonName, "Pebble Intermediate CA"))
+
+		signalChan <- os.Interrupt
+		<-doneChan
 		return
 	}
 
@@ -493,6 +496,94 @@ func Test_Run_ValidateFlag_WorksWithDifferentConfigPaths(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func Test_Run_RedirectsToPrimaryDomain(t *testing.T) {
+	upstream := startStaticServer(8701)
+	defer upstream.stop(context.Background())
+
+	signalChan := make(chan os.Signal, 1)
+	doneChan := make(chan struct{}, 1)
+
+	go func() {
+		err := runTest(
+			signalChan,
+			"CONFIG", testdata.Path("domain-redirect.conf"),
+			"PROVIDER", "selfsigned",
+			"FRONTEND", "tcp",
+			"HTTP_PORT", "8702",
+			"HTTPS_PORT", "8703",
+		)
+		assert.NoError(t, err)
+		doneChan <- struct{}{}
+	}()
+
+	time.Sleep(2 * time.Second)
+
+	// Test HTTPS redirect from www.example.com to example.com
+	res, err := proxyGet(8703, "https://www.example.com/test?param=value")
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusPermanentRedirect, res.StatusCode)
+	assert.Equal(t, "https://example.com/test?param=value", res.Header.Get("Location"))
+
+	// Test that requests to primary domain (example.com) are not redirected
+	res, err = proxyGet(8703, "https://example.com/test")
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, res.StatusCode)
+
+	b, _ := io.ReadAll(res.Body)
+	defer res.Body.Close()
+	assert.Contains(t, string(b), "This is the upstream on port 8701")
+
+	signalChan <- os.Interrupt
+	<-doneChan
+}
+
+func Test_Run_RedirectsHttpToHttps(t *testing.T) {
+	upstream := startStaticServer(8701)
+	defer upstream.stop(context.Background())
+
+	signalChan := make(chan os.Signal, 1)
+	doneChan := make(chan struct{}, 1)
+
+	go func() {
+		err := runTest(
+			signalChan,
+			"CONFIG", testdata.Path("simple-proxy.conf"),
+			"PROVIDER", "selfsigned",
+			"FRONTEND", "tcp",
+			"HTTP_PORT", "8702",
+			"HTTPS_PORT", "8703",
+		)
+		assert.NoError(t, err)
+		doneChan <- struct{}{}
+	}()
+
+	time.Sleep(2 * time.Second)
+
+	// Test HTTP to HTTPS redirect
+	res, err := getClientProxy(8702).Get("http://example.com/test?param=value")
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusPermanentRedirect, res.StatusCode)
+	assert.Equal(t, "https://example.com/test?param=value", res.Header.Get("Location"))
+
+	// Test HTTP to HTTPS redirect strips port
+	res, err = getClientProxy(8702).Get("http://example.com:80/test")
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusPermanentRedirect, res.StatusCode)
+	assert.Equal(t, "https://example.com/test", res.Header.Get("Location"))
+
+	// Test that invalid host header returns 400
+	req, err := http.NewRequest(http.MethodGet, "http://example.com/test", nil)
+	assert.NoError(t, err)
+	req.Host = "invalid..domain"
+
+	res, err = getClientProxy(8702).Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusBadRequest, res.StatusCode)
+
+	signalChan <- os.Interrupt
+	<-doneChan
+}
+
 func runTest(signalChan <-chan os.Signal, cfg ...string) error {
 	flag.CommandLine.VisitAll(func(f *flag.Flag) {
 		if !strings.HasPrefix(f.Name, "test") {
@@ -560,6 +651,9 @@ func getClientProxy(realPort int) *http.Client {
 				InsecureSkipVerify: true,
 			},
 		},
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
 	}
 }
 
diff --git a/cmd/centauri/testdata/domain-redirect.conf b/cmd/centauri/testdata/domain-redirect.conf
@@ -0,0 +1,3 @@
+route example.com www.example.com
+    upstream 127.0.0.1:8701
+    redirect-to-primary
diff --git a/config/parser.go b/config/parser.go
@@ -61,6 +61,17 @@ func Parse(reader io.Reader) (routes []*proxy.Route, fallback *proxy.Route, err
 				return nil, nil, fmt.Errorf("multiple fallback routes specified: %s and %s", route.Domains, fallback.Domains)
 			}
 			fallback = route
+		case "redirect-to-primary":
+			if route == nil {
+				return nil, nil, fmt.Errorf("redirect-to-primary without route: %s", line)
+			}
+			if route.RedirectToPrimary {
+				return nil, nil, fmt.Errorf("multiple redirect-to-primary options specified in route %s", route.Domains)
+			}
+			if len(route.Domains) < 2 {
+				return nil, nil, fmt.Errorf("redirect-to-primary specified with only a single domain in route %s", route.Domains)
+			}
+			route.RedirectToPrimary = true
 		case "#":
 			// Ignore comments
 		default:
diff --git a/config/parser_test.go b/config/parser_test.go
@@ -287,3 +287,43 @@ route example.net
 
 	assert.ErrorContains(t, err, "multiple fallback routes specified")
 }
+
+func Test_Parse_RedirectToPrimary_OutsideRoute(t *testing.T) {
+	_, _, err := Parse(bytes.NewBuffer([]byte(`redirect-to-primary`)))
+
+	assert.ErrorContains(t, err, "redirect-to-primary without route")
+}
+
+func Test_Parse_RedirectToPrimary_MultipleDomains(t *testing.T) {
+	routes, _, err := Parse(bytes.NewBuffer([]byte(`
+route example.com www.example.com
+	upstream localhost:8080
+	redirect-to-primary
+`)))
+
+	assert.NoError(t, err)
+	assert.NotNil(t, routes)
+
+	assert.True(t, routes[0].RedirectToPrimary)
+}
+
+func Test_Parse_RedirectToPrimary_SingleDomain(t *testing.T) {
+	_, _, err := Parse(bytes.NewBuffer([]byte(`
+route example.com
+	upstream localhost:8080
+	redirect-to-primary
+`)))
+
+	assert.ErrorContains(t, err, "redirect-to-primary specified with only a single domain")
+}
+
+func Test_Parse_RedirectToPrimary_Repeated(t *testing.T) {
+	_, _, err := Parse(bytes.NewBuffer([]byte(`
+route example.com example.net
+	redirect-to-primary
+	upstream localhost:8080
+	redirect-to-primary
+`)))
+
+	assert.ErrorContains(t, err, "multiple redirect-to-primary options specified")
+}
diff --git a/docs/routes.md b/docs/routes.md
@@ -96,6 +96,15 @@ This may only be specified on one route. Centauri's normal behaviour is
 to close connections for non-matching requests, as it won't be able to
 provide a valid certificate for that connection.
 
+### `redirect-to-primary`
+
+```
+redirect-to-primary
+```
+
+When applied to routes with multiple domains, redirects any requests from
+the secondary domains to the primary. The primary domain is the first listed.
+
 ## Comments and whitespace
 
 Lines that are empty or start with a `#` character are ignored, as is
@@ -134,4 +143,12 @@ route placeholder.example.com
     upstream server1:8082
     upstream server1:8083
     fallback
+
+# This route will answer requests made to `example.org`, `www.example.org` and
+# `www1.example.org`. Requests to `example.org` will be proxied to
+# `server1:8084`. Requests to the other domains will be redirected to
+# `example.org`
+route example.org www.example.org www1.example.org
+    upstream server1:8084
+    redirect-to-primary
 ```
diff --git a/proxy/redirector.go b/proxy/redirector.go
@@ -7,11 +7,11 @@ import (
 	"net/url"
 )
 
-// Redirector is a http.Handler that redirects all requests to HTTPS.
-type Redirector struct {
+// HttpRedirector is a http.Handler that redirects all requests to HTTPS.
+type HttpRedirector struct {
 }
 
-func (r *Redirector) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+func (h *HttpRedirector) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	// Remove any port that may be along for the ride
 	host, _, err := net.SplitHostPort(request.Host)
 	if err != nil {
@@ -28,3 +28,52 @@ func (r *Redirector) ServeHTTP(writer http.ResponseWriter, request *http.Request
 	targetUrl := url.URL{Scheme: "https", Host: host, Path: request.URL.Path, RawQuery: request.URL.RawQuery}
 	http.Redirect(writer, request, targetUrl.String(), http.StatusPermanentRedirect)
 }
+
+// RouteProvider is the surface used by DomainRedirector to obtain routes for
+// a given domain name.
+type RouteProvider interface {
+	RouteForDomain(domain string) *Route
+}
+
+// DomainRedirector is a http.Handler that redirects requests to a primary
+// domain name.
+type DomainRedirector struct {
+	routeProvider RouteProvider
+	next          http.Handler
+}
+
+// NewDomainRedirector creates a new DomainRedirector which will obtain routes
+// from the given provider. If the request does not need to be redirected, it is
+// passed to the `next` handler.
+func NewDomainRedirector(provider RouteProvider, next http.Handler) *DomainRedirector {
+	return &DomainRedirector{
+		routeProvider: provider,
+		next:          next,
+	}
+}
+
+func (d *DomainRedirector) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
+	host := d.hostForRequest(request)
+	route := d.routeProvider.RouteForDomain(host)
+	if route != nil && route.RedirectToPrimary && route.Domains[0] != host {
+		newAddress := request.URL
+		newAddress.Host = route.Domains[0]
+		if request.TLS != nil {
+			newAddress.Scheme = "https"
+		} else {
+			newAddress.Scheme = "http"
+		}
+		http.Redirect(writer, request, newAddress.String(), http.StatusPermanentRedirect)
+	} else {
+		d.next.ServeHTTP(writer, request)
+	}
+}
+
+// hostForRequest returns the hostname the given request was for, without any port information.
+func (d *DomainRedirector) hostForRequest(req *http.Request) string {
+	host, _, err := net.SplitHostPort(req.Host)
+	if err != nil {
+		return req.Host
+	}
+	return host
+}
diff --git a/proxy/redirector_test.go b/proxy/redirector_test.go
diff --git a/proxy/route.go b/proxy/route.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+route example.com www.example.com`
	`2`	`+ upstream 127.0.0.1:8701`
	`3`	`+ redirect-to-primary`