Reject requests over TLS if it has been disabled

If we were running TLS on a site and then disable it, any active
connections that were made over TLS will still be valid until closed.
This could be confusing if you disable TLS then refresh your browser and
find that it's still working.

Instead, we can reject the request with an error so that the change
applies to active connections as well.

internal/server/service.go

@@ -318,6 +318,11 @@ func (s *Service) serviceRequestWithTarget(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
+	if !s.options.RequireTLS() && r.TLS != nil {
+		SetErrorResponse(w, r, http.StatusServiceUnavailable, nil)
+		return
+	}
+
 	if s.handlePausedAndStoppedRequests(w, r) {
 		return
 	}

internal/server/service_test.go

@@ -42,6 +42,24 @@ func TestService_RedirectToHTTPWhenTLSRequired(t *testing.T) {
 	require.Equal(t, http.StatusOK, w.Result().StatusCode)
 }
 
+func TestService_RejectTLSRequestsWhenNotConfigured(t *testing.T) {
+	service := testCreateService(t, defaultServiceOptions, defaultTargetOptions)
+
+	require.False(t, service.options.RequireTLS())
+
+	req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
+	w := httptest.NewRecorder()
+	service.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusOK, w.Result().StatusCode)
+
+	req = httptest.NewRequest(http.MethodGet, "https://example.com", nil)
+	w = httptest.NewRecorder()
+	service.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusServiceUnavailable, w.Result().StatusCode)
+}
+
 func TestService_ReturnSuccessfulHealthCheckWhilePausedOrStopped(t *testing.T) {
 	service := testCreateService(t, defaultServiceOptions, defaultTargetOptions)