Recently i learned about https module in nodejs,
Like How to use it and generating certificate and key for it.
But there is also http module which most of the tutor teaches at beginning.
But the main question is,
when i create back-end server with http module.
and hosted on website like heroku after deploying we get by default https protocol for our website and its secure.
and even same for using https module
so what's the difference/advantage we get by using http/https module on one over another protocol?
does it make difference?
and which module to prefer while writing server code?
When you are running in a hosting environment like heroku that puts you behind a proxy and that proxy handles the https to the outside world for you, then that's all you need. There is no need to use https on your server directly between you and the proxy as it already has https to the outside world via the proxy and you don't need https between your server and the proxy as that's local to the secure network of the hosting facility.
If you are not running behind such a proxy, then you will want your own server to be https.
In order to ensure secure communication with users of your Express.js applications, you can make all traffic to use HTTPS, by forcing a redirect from HTTP.
Related
A React app and Nodejs server which is used to retrieve and manipulate the data are running on the same server. When accessing the app locally it workes fine, but when accessed externally the app is visible but without data. The reason behind this is that the port on which the application is running is open but the port on which the Nodejs server is running is not.
My question is this, what is the best way to solve this issue? The simplest solution would be to open up the other port, but I am assuming that is not the most secure solution.
Any suggestions would be appreciated.
Open to port for the outside world and implement a token-based request verification system.
You can implement CSRF token verification. It always checks that request comes from a trusted source only.
Do this using a reverse proxy server, like nginx, to listen to the open https port. The reverse proxy will handle the https encryption, rather than burdening your nodejs code with it. nginx is multithreaded and can do https efficiently.
The reverse proxy passes along requests to your http://localhost:3000 nodejs. In my experience, this arrangement works very well at large scale.
Explaining how to do this is too much for a stack overflow answer. But you'll find plenty of online advice.
I have a chrome extension which uses an externel socket.io server to connect clients together.
During development I was able to connect to the server via http://localhost:2087 just fine, but right now I need socket.io to work over HTTPS so I can access it from a browser tab being server by HTTPS.
I don't want to deal with certificates, and want to keep the code on the socket.io server mostly the same, so I want to proxy the IP for the server via Cloudflare and establish SSL like that.
But I haven't been able to, the socket.io server uses no other webserver, but I can change it to use the native NodeJS http or https libraries.
But I haven't been able to access the socket.io server via the Cloudflare proxy. Clouflare returns 522 errors, which means a connection timeout.
Apparantly flexible SSL only works with with ports 443->80
Other ports are not supported...
I have a website running on HTTPS which uses Prizmdoc API. The website makes call to the Prizmdoc API using "http://:3000", where 3000 is the port used by Prizmdoc API to accept the calls.
Since my website is running on HTTPS, this call is deemed insecure by browser. And there is no way for me to select HTTPS in Prizmdoc as far as I know.
I need to change the Prizmdoc API address to "https://:3000" instead.
I tried checking firewall settings, but there is no option to allow HTTPS connections for a specific port. I tried reinstalling the Prizmdoc API client to see if it allows using HTTPS, but no luck.
I also thought about using IIS url rewrite, but prizmdoc API is not even hosted on IIS. So, I am unable to figure out how is that API accepting the requests over port 3000, and how can I allow HTTPS calls to that port.
Other option that I can try is to serve HTTP requests instead of HTTPS, but I am not sure if it is possible in C#.
Since both my website and Prizmdoc API are hosted on the same server, it should be possible for the website to make calls to a different port using SSL. But simply put, I am out of ideas to try.
TL;DR
Website and a third party API running on same server. Website makes call to the API using IP address and the port. Browser thinks it is a mixed content request and blocks the same.
You might try this: set up a secure reverse proxy that listens for requests over HTTPS and then turns around and relays the requests to the port 3000. I have used this trick to secure an insecure API call. It should be good enough to pass the browsers' security checks as well.
Here are some IIS examples:
https://weblogs.asp.net/owscott/creating-a-reverse-proxy-with-url-rewrite-for-iis
https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/
i do deploy a website in nginx and translate it from http to https using let's cerbot before. it runs well.
My question is, in my website, i need to access my own Node.js Server using axios. As before, i used http, it goes well expect security.But now, below the Https connect, the browser blocks my http connect.So i tried update my Node Server to support Https connect using Self-signed SSL certificates, but the browser blocks it as well.
Who can tell me how can i fix this problem and make the site work well.Thank you!
You should setup nginx as reverse proxy for nodejs server
A web application i developed is sitting on a server that serves it under https, some of my js code requires to open a socket to another server (nodejs) who is currently not set for https. and thus browser wont allow it to run.
all i want is a simple way without getting involved with certificates just to initiate a https socket connection, i don't mind the lack of security,
just need app to run.
The certificates are not your problem. Your problem is CORS. You need to configure your server to answer with a header allows foreign-origin
res.header('Access-Control-Allow-Origin', 'example.com');
because in your case the technical difference between http (port 80) and https (443) is the port.
EDIT: ... I mean from the browsers point of view