fix(security): exempt health endpoint from HTTPS enforcement

Docker health checks and load balancers call /health directly without going through the reverse proxy, so they need HTTP access. This fix exempts /health and /metrics endpoints from HTTPS enforcement in production mode. Fixes the issue where Docker health checks were being redirected to HTTPS and failing because there's no TLS on localhost. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-22 11:45:06 -07:00
parent a4f8a2687f
commit 65d5dfdbd6
2 changed files with 74 additions and 0 deletions
--- a/src/gondulf/middleware/https_enforcement.py
+++ b/src/gondulf/middleware/https_enforcement.py
@@ -12,6 +12,11 @@ from gondulf.config import Config

 logger = logging.getLogger("gondulf.middleware.https_enforcement")

+# Internal endpoints exempt from HTTPS enforcement
+# These are called by Docker health checks, load balancers, and monitoring systems
+# that connect directly to the container without going through the reverse proxy.
+HTTPS_EXEMPT_PATHS = {"/health", "/metrics"}
+

 def is_https_request(request: Request) -> bool:
    """
@@ -93,6 +98,12 @@ class HTTPSEnforcementMiddleware(BaseHTTPMiddleware):
            # Continue processing
            return await call_next(request)

+        # Exempt internal endpoints from HTTPS enforcement
+        # These are used by Docker health checks, load balancers, etc.
+        # that connect directly without going through the reverse proxy.
+        if request.url.path in HTTPS_EXEMPT_PATHS:
+            return await call_next(request)
+
        # Production mode: Enforce HTTPS
        if not is_https_request(request):
            logger.warning(