mitigate CRLF HTTP Header Injection

Fixes the following:

curl -i http://conway-hi-poc.herokuapp.com/%0d%0aset-cookie:%20test=123;

HTTP/1.1 301 Moved Permanently
Connection: keep-alive
Server: nginx
Date: Wed, 06 Jul 2016 23:44:00 GMT
Content-Type: text/html
Content-Length: 178
Location: https://conway-hi-poc.herokuapp.com/
Set-Cookie: test=123
Via: 1.1 vegur
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

scripts/config/templates/nginx.conf.erb

@@ -60,7 +60,7 @@ http {
 
   <% if https_only %>
     if ($http_x_forwarded_proto != "https") {
-      return 301 https://$host$uri;
+      return 301 https://$host$request_uri;
     }
   <% end %>
 

spec/simple_spec.rb

@@ -130,6 +130,16 @@ RSpec.describe "Simple" do
         expect(response.body.chomp).to eq("foobar")
       end
     end
+
+    context "CRLF HTTP Header injection" do
+      let(:cookie) { "malicious=1" }
+
+      it "should not expose cookie" do
+        app.run do
+          response = app.get("/foo.html#{URI.escape("\r\nSet-Cookie: #{cookie}")}")
+          expect(response['set-cookie']).not_to eq(cookie)
+        end
+      end
     end
   end