If I host my nodejs application on Heroku or other hosting platform can I ignore serving my app using HTTPS? - node.js

I have started creating my own nodejs app (for the first time) that I hope to deploy at some point, perhaps to Heroku or another platform.
I need for my app to encrypt traffic namely for user passwords and sessions (note there is no other obviously sensitive data).
I started looking into serving my app using HTTPS (SSL) however I am now wondering if I need this. If my app is to be hosted and deployed using Heroku/other platform won't all requests be trafficked through their servers presumably using HTTPS by default? I am guessing that the request will then be routed using HTTP to my application, although I am struggling to understand how this works. Ultimately I would like to know if I can ignore worrying about paying for SSL certification and such like when it will not matter in this hosting environment?
Help much appreciated. Matt.

If you are using Heroku then you must be using a paid dyno (hobby or professional), and Heroku provides free SSL to all paid dynos. Furthermore, if you think that at some point you may switch hosting, there is always free SSL available via Let's Encrypt.
Heroku serves all requests with and without SSL on the default herokuapp URL.

Use Cloudflare's free plan. Open a free account in Cloudflare and copy the DNS. Then set the DNS in your domain service provider (GoDaddy or similar), then change the CNAME config for the website inside Cloudflare. Now you have a free certificate.

Related

NodeJS: Possible to host an HTTPS server without a domain name (hobby project)

I'm making a hobby project and it involves a NodeJS http server that I access via a web browser (through GET and POST requests). The HTML/CSS/JS part of the webpage is local, not on the NodeJS server.
I understand I need to generate SSL certificates but those ask for things like domain names and stuff.
I simply want to enable HTTPS on my NodeJS server. Right now I'm manually encrypting all messages sent back and forth with AES, but I trust the HTTPS security more; I'm not a cryptographer.
Is there an easy way to get those certificates? My NodeJS server is accessible via the internet but only by IP address (port forwarded), and through the express module using HTTP requests.
Do I need to pay for them?
In this case you can use services from DigitalOcean: you can buy a subscription as per your choice and deploy your Node.js app with a free SSL certificate (Let's Encrypt).
However, I recommend you understand the following concepts:
Reverse proxy (nginx)
Process managements (pm2)
SSL certificates
I am sure you would love to go through the starter tutorials from DigitalOcean:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
As it's a hobby project; otherwise I would have recommended other options.

How to solve "Not Secure" warning on my heroku app?

I have a Heroku app which is on a free plan, like myappsucks.herokuapp.com, but recently that website is showing a "not secure" warning when I open it in my browser. Can anyone help me out with how I can fix this free of cost, because I heard Heroku is a free platform where you can deploy your Node.js app?
Any answer is appreciated =)
Heroku free apps do not use SSL. You will need to change to a paid plan to get it.
However, as a workaround, if you want to see "secure" in the browser, you can use a free Cloudflare account, using Cloudflare as a DNS proxy. Cloudflare will use HTTPS (secure) when your site is proxied through them, and can use HTTP when it retrieves your site.
It is not secure at all between cloudflare and heroku, but is an easy workaround for demo apps etc.
Here is what the SSL setting should look like:
and the DNS record:

Configuring SSL certificate off-load when dealing with Azure web app behind Application Gateway

I have set up an application gateway (AG) to eventually protect my web app using this link, but with the difference that the AG's public IP will forward the requests to my web app and I won't be using any jump box.
This diagram should give you a better idea.
Now on my web app, I have added a couple of domains under the Custom domains and I don't have any SSL binding, thinking that the AG will do the work. Basically I have added the SSL cert to the AG's Front End IP--->Listener. I also redirect HTTP to HTTPS on the AG using the listeners, and on the web app I am not forcing HTTPS.
My questions are:
Is this roughly the right way to protect a web app (please note that in the future I intend to enable WAF and DDoS protection on the AG)?
Is having the AG do the encryption/decryption going to slow things down?
EDIT: I actually removed the two domains from the web app's custom domains and it seems to work fine without it but I still have the above two questions. :)
Yes, this is the way of doing it; if you want, you can configure end-to-end SSL (a bit more secure).
Obviously it will, but negligibly.

Do I still need to use a service like DNSimple if I want a naked domain for my Heroku app?

Researching past posts makes it seem like you have to use a service like DNSimple in order to have a naked domain (i.e. "example.com") for Heroku apps. I am wondering if that is still true, or if I can achieve this using only my app server.
I am using Namecheap BasicDNS and my app is a node/express app hosted on Heroku.
Thanks in advance for any tips. I am just trying to make sure before I purchase. Thank you.
You can't point your apex domain to a hostname (hence to Heroku), because you can't use a CNAME for the apex.
Consequently, the only way to point your root domain to a service like Heroku is by using a DNS provider that provides a CNAME-like feature for the root domain, which is what DNSimple calls ALIAS.
You can also find more information in the Heroku documentation.

Nodejs extra-security actions necessary if frontend uses SSL?

I developed a website that will be hosted on a webhosting server with dedicated IP in order to be able to use SSL (https).
This website makes some calls to a node.js app running on a VPS I am renting. On this VPS I have some sensitive data (database) and in the app I have a sensitive user and password. I would like to know if the frontend using SSL is enough to secure my VPS and app.js, or if there are some other actions I should perform.
Also I would be grateful if you can advise which is the best solution to rent: Dedicated IP WebHosting (frontend) + VPS (backend) versus VPS (backend and frontend). It's my first website and I need some experienced advice.
Regards,
If Node.js will be running with an SSL certificate, then please use a passphrase for the SSL certificate, which will be asked for when you run the Node.js server. This will provide additional security.
Also, you can request a client certificate and reject unauthorized ones, which provides an additional layer of security and prevents man-in-the-middle attacks.
