Enabling HTTPS on express.js

问题:

I'm trying to get HTTPS working on express.js for node, and I can't figure it out.

This is my app.js code.

var express = require('express'); var fs = require('fs');  var privateKey = fs.readFileSync('sslcert/server.key'); var certificate = fs.readFileSync('sslcert/server.crt');  var credentials = {key: privateKey, cert: certificate};   var app = express.createServer(credentials);  app.get('/', function(req,res) {     res.send('hello'); });  app.listen(8000); 

When I run it, it seems to only respond to HTTP requests.

I wrote simple vanilla node.js based HTTPS app:

var   fs = require("fs"),       http = require("https");  var privateKey = fs.readFileSync('sslcert/server.key').toString(); var certificate = fs.readFileSync('sslcert/server.crt').toString();  var credentials = {key: privateKey, cert: certificate};  var server = http.createServer(credentials,function (req, res) {   res.writeHead(200, {'Content-Type': 'text/plain'});   res.end('Hello World\n'); });  server.listen(8000); 

And when I run this app, it does respond to HTTPS requests. Note that I don't think the toString() on the fs result matters, as I've used combinations of both and still no es bueno.

---

EDIT TO ADD:

For production systems, you're probably better off using Nginx or HAProxy to proxy requests to your nodejs app. You can setup nginx to handle the ssl requests and just speak http to your node app.js.

EDIT TO ADD (4/6/2015)

For systems on using AWS, you are better off using EC2 Elastic Load Balancers to handle SSL Termination, and allow regular HTTP traffic to your EC2 web servers. For further security, setup your security group such that only the ELB is allowed to send HTTP traffic to the EC2 instances, which will prevent external unencrypted HTTP traffic from hitting your machines.

---

回答1:

In express.js (since version 3) you should use that syntax:

var fs = require('fs'); var http = require('http'); var https = require('https'); var privateKey  = fs.readFileSync('sslcert/server.key', 'utf8'); var certificate = fs.readFileSync('sslcert/server.crt', 'utf8');  var credentials = {key: privateKey, cert: certificate}; var express = require('express'); var app = express();  // your express configuration here  var httpServer = http.createServer(app); var httpsServer = https.createServer(credentials, app);  httpServer.listen(8080); httpsServer.listen(8443); 

In that way you provide express middleware to the native http/https server

If you want your app running on ports below 1024, you will need to use sudo command (not recommended) or use a reverse proxy (e.g. nginx, haproxy).

回答2:

I ran into a similar issue with getting SSL to work on a port other than port 443. In my case I had a bundle certificate as well as a certificate and a key. The bundle certificate is a file that holds multiple certificates, node requires that you break those certificates into separate elements of an array.

    var express = require('express');     var https = require('https');     var fs = require('fs');      var options = {       ca: [fs.readFileSync(PATH_TO_BUNDLE_CERT_1), fs.readFileSync(PATH_TO_BUNDLE_CERT_2)],       cert: fs.readFileSync(PATH_TO_CERT),       key: fs.readFileSync(PATH_TO_KEY)     };      app = express()      app.get('/', function(req,res) {         res.send('hello');     });      var server = https.createServer(options, app);      server.listen(8001, function(){         console.log("server running at https://IP_ADDRESS:8001/")     }); 

In app.js you need to specify https and create the server accordingly. Also, make sure that the port you're trying to use is actually allowing inbound traffic.

回答3:

Including Points:

1. SSL setup
   1. In config/local.js
   2. In config/env/production.js

HTTP and WS handling

1. The app must run on HTTP in development so we can easily debug our app.
2. The app must run on HTTPS in production for security concern.
3. App production HTTP request should always redirect to https.

SSL configuration

In Sailsjs there are two ways to configure all the stuff, first is to configure in config folder with each one has their separate files (like database connection regarding settings lies within connections.js ). And second is configure on environment base file structure, each environment files presents in config/env folder and each file contains settings for particular env.

Sails first looks in config/env folder and then look forward to config/ *.js

Now lets setup ssl in config/local.js.

var local = {    port: process.env.PORT || 1337,    environment: process.env.NODE_ENV || 'development' };  if (process.env.NODE_ENV == 'production') {     local.ssl = {         secureProtocol: 'SSLv23_method',         secureOptions: require('constants').SSL_OP_NO_SSLv3,         ca: require('fs').readFileSync(__dirname + '/path/to/ca.crt','ascii'),         key: require('fs').readFileSync(__dirname + '/path/to/jsbot.key','ascii'),         cert: require('fs').readFileSync(__dirname + '/path/to/jsbot.crt','ascii')     };     local.port = 443; // This port should be different than your default port }  module.exports = local; 

Alternative you can add this in config/env/production.js too. (This snippet also show how to handle multiple CARoot certi)

Or in production.js

module.exports = {     port: 443,     ssl: {         secureProtocol: 'SSLv23_method',         secureOptions: require('constants').SSL_OP_NO_SSLv3,         ca: [             require('fs').readFileSync(__dirname + '/path/to/AddTrustExternalCARoot.crt', 'ascii'),             require('fs').readFileSync(__dirname + '/path/to/COMODORSAAddTrustCA.crt', 'ascii'),             require('fs').readFileSync(__dirname + '/path/to/COMODORSADomainValidationSecureServerCA.crt', 'ascii')         ],         key: require('fs').readFileSync(__dirname + '/path/to/jsbot.key', 'ascii'),         cert: require('fs').readFileSync(__dirname + '/path/to/jsbot.crt', 'ascii')     } }; 

http/https & ws/wss redirection

Here ws is Web Socket and wss represent Secure Web Socket, as we set up ssl then now http and ws both requests become secure and transform to https and wss respectively.

There are many source from our app will receive request like any blog post, social media post but our server runs only on https so when any request come from http it gives “This site can’t be reached” error in client browser. And we loss our website traffic. So we must redirect http request to https, same rules allow for websocket otherwise socket will fails.

So we need to run same server on port 80 (http), and divert all request to port 443(https). Sails first compile config/bootstrap.js file before lifting server. Here we can start our express server on port 80.

In config/bootstrap.js (Create http server and redirect all request to https)

module.exports.bootstrap = function(cb) {     var express = require("express"),         app = express();      app.get('*', function(req, res) {           if (req.isSocket)              return res.redirect('wss://' + req.headers.host + req.url)            return res.redirect('https://' + req.headers.host + req.url)       }).listen(80);     cb(); }; 

Now you can visit http://www.yourdomain.com, it will redirect to https://www.yourdomain.com

文章来源: Enabling HTTPS on express.js