I'm developping an intranet, to do so I'm using Node.JS without Express and until now I was using the http module with createServer but I noticed when I connect using localhost everything is fine, but when I connect to my server using the IP instead (from my machine or another device on the network) I get a warning in Chrome in the top-left corner saying that my site is not secured. I think this is because I'm using http instead of https but in order to use https.createServer I need to provide a SSL certificate, and I don't have one because I'm making an Intranet so it's not a website that need to be hella-secured since it will be deployed on a personal network only accessible from like 6 people.
I saw on tutorials that the options needs to look like :
options = {
pfx: fs.readFileSync("ssl/crt.pfx"),
passphrase: "password"
}
But I don't have any and I don't quite get how those work, I just want the message to disappear.
You can't create HTTPS server without a SSL certificate, but you can use tools to do so, like OpenSSL, but the certificate will appear invalid.
Related
My objective is to create a http(s) proxy in Node.js so when the browser is pointed to it and makes a request, to respond with HTML from proxy server instead of response from website, for both http and https protocols on any domain.
For websites accessed through http:// protocol, this was done quite easily. I setup a express.js web server and pointed the browser to it. Now any website I was accessing with http://, response came from the express.js server. The fun started when trying to access websites with the https:// protocol (which makes sense, that's it's purpose).
Initially I was getting an empty response when accessing websites with https://, because of the CONNECT request made by the browser. I managed to sort this out by handling the CONNECT event on the http server and forwarding it to the (separated) https server.
At this point, I had to generate SSL CA and certificate in order to start the https server and I added the CA in the browser. This worked, I was able to get the response in browser from the https server, but with a warning. I was seeing NET::ERR_CERT_COMMON_NAME_INVALID in Chrome, because the domain accessed was not defined in the certificate. Was able to get over that by clicking Advanced -> Proceed to example.net. Even with this, the browser shows in address bar the warning Not secure, but I don't really want that. I would like the website load without any warnings, as it would normally.
I tried lots of things here for a while, and found this gist that put me on the right track.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = #alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = fake1.local
DNS.3 = example.net
The gist helped me generate the certificate needed to make the warning disappear. The key was setting the domain name in the alt_names section. By adding example.net inside alt_names, I was able to access https://example.net without any warning, nice !
But that meant in order to access other domains like https://second-example.net, I would need to regenerate the SSL certificate with second-example.net added in alt_names section, restart the https proxy server and then it would work.
I can't really add (actually I don't know them) all the domains inside alt_names section.
I was looking at regex for setting the alt_names, but looks like it works only for subdomains.
All this is running on my own machine and I can install any (certificate, etc) inside the browser if needed.
I know this is possible because I've seen this somewhere else but can't say for sure how it works in the backend. I was thinking it might be possible to generate the certificate on the fly, but haven't found anything online about this and I don't think it's possible without any proxy down-time.
Any suggestions would be appreciated !
I am working on a 2-player card game. The two client facing pages are hosted on Github pages and the node server is running on AWS.
Everything works fine when I view my client side pages locally, but when I try to open them on Github pages I get this error:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
So then I change the connection url to include https like this:
var socket = io.connect("https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000");
And I get this error:
index.js:83 GET https://ec2-18-191-142-129.us-east-2.compute.amazonaws.com:3000/socket.io/?EIO=3&transport=polling&t=N71Cs6c net::ERR_SSL_PROTOCOL_ERROR
Here are my security groups:
Do I need to do something with an SSL certificate? Is it even possible with my current setup as I don't have access to the domain I am hosting on (Github Pages). If it's not possible are there any online services I can host my client code on and get an SSL certificate, or do I have to buy a domain and hosting? Any help welcome, but please try to explain it because I am very new to all this. Thank you.
Ec2 doesn't support https like this ("out of the box").
There is several way of doing it, but I suggest you should create a application load balancer (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) and then configure https on it (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html).
Other solution can be using Cloudfront, or configure https directly on the instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html).
Hope that makes sense.
As mentioned by alcyon, changing from HTTP to HTTPS does not enable your application to run over HTTPS. There are many ways to achieve this. Checkout the detailed guide by AWS for your use-case at https://aws.amazon.com/premiumsupport/knowledge-center/configure-acm-certificates-ec2/ .
I am injecting some script tags in a website, with source such as http:localhost:3000/css/my-page-css.css . While its working on almost all sites, there's this particular website that is somehow sending all my http requests as https. How do I handle such a case?
I have configured an https server also on my nodejs app which listens to port 8443 and http listens to 3000. But, when I inject my script tags, they have src URLS which point to port 3000. So even if I have an https configured on my nodejs app, it won't work since it would be listening to a different port.
You are using HTTP Strict Transport Security (HSTS)
Using the securityheader.com website on your URL, or Chrome Developer tools we see the following HTTP Header is sent back by your site:
Strict-Transport-Security max-age=7889238
This HTTP Header will be configured in your webserver and is a way of your webserver telling the browser "For the next 7889238 seconds only use HTTPS on this domain. If someone tries to use HTTP (either by typing or by clicking on a link) then automatically switch HTTP to HTTPS before you send it on to the server."
This is a security feature as currently the default (if a scheme is not explicitly given) is HTTP. This allows website owners to switch the default and, even strong that that, prevents it being able to be switched back.
HSTS is set at a domain level and it is not possible to have it on for one port (e.g. 443) but not for another (e.g. 3000) - it's either on for that domain or off.
If you really want to use HTTP then you need to remove this header and remove the remembered value of this header from your browser. While chrome allows you to do this by typing chrome://net-internals/#hsts in the URL and using the delete option, the easiest way to do this is to change the max age from 7889238 to 0, and then load the website again. And then remove the header completely.
This can be especially annoying for sites like localhost where you proxy requests and inadvertently set it for that dummy host name. You should see if your node proxy server allows you to strip off that HTTP header. Some might say it would be better if browser makers ignored HSTS for localhost, however I think it would be better if developers just stopped fighting HTTPS and used that even for development environments using a self-signed certificate that is added to your local trust store. This was you can avoid problems like mixed content, and also use features that are HTTPS only (including Brotli, HTTP/2, Geo Location...etc.) while developing (though some browsers like Chrome still allow these on http://localhost).
Alternatively set up a local DNS alias for each of your dev sites and use that with or without HTTPS as appropriate for the site in question.
I recently enabled SSL for my Heroku-hosted website, wildcodemonkey.com, but when I visit it in Chrome I see the error "ERR_SSL_PROTOCOL_ERROR".
My research indicated that the SSL connection terminates at Heroku's router, which then passes the request along via HTTP to my express/node site. Consequently, I did not set up 'https' in my server and have been expecting standard HTTP connections.
My SSL configuration is such that my CSR, key and cert were passed along to Heroku. I'm using the SSL option baked into Heroku, not a third-party resource/addon. After enabling SSL in my app's settings I changed my DNS to reflect the new endpoint (wildcodemonkey.com.herokudns.com instead of wildcodemonkey.com.herokuapp.com), this is the endpoint I was told to use when I configured SSL on Heroku, directly copied and pasted from the settings page after setting up ssl.
I do see morgan logging GET requests when I hit the domain, so it does look like everything is making it end to end, so I'm not sure where the issue is occurring.
Any assistance would be greatly appreciated. Thanks ahead of time.
According to the SSLLabs report the certificate chain of this site is incomplete. While desktop browsers often but not always will work around this problem mobile browsers and other applications will usually not. Check the documentation provided by your CA which chain certificates need to be configured.
I want to make my app public, but I don't have validate SSL cert and hosting with unique IP for it. I read that the changes ommiting https:// will come in October. How can I change my app to working by http until October's changes?
Generally problem for now is: when i enter to facebook via https and go to app, there is a error about untrust cert and apps isn't loaded.
If there is no way to avoid "migration" changes, can any1 tell me is there any chance to run MySQL database on Heroku?