Use HTTPS for requests on a specific port for PrizmDoc client - security

I have a website running on HTTPS which uses the PrizmDoc API. The website makes calls to the PrizmDoc API using "http://:3000", where 3000 is the port used by the PrizmDoc API to accept the calls.
Since my website is running on HTTPS, this call is deemed insecure by browser. And there is no way for me to select HTTPS in Prizmdoc as far as I know.
I need to change the Prizmdoc API address to "https://:3000" instead.
I tried checking firewall settings, but there is no option to allow HTTPS connections for a specific port. I tried reinstalling the Prizmdoc API client to see if it allows using HTTPS, but no luck.
I also thought about using IIS URL Rewrite, but the PrizmDoc API is not even hosted on IIS. So I am unable to figure out how that API is accepting the requests over port 3000, and how I can allow HTTPS calls to that port.
Another option that I can try is to serve HTTP requests instead of HTTPS, but I am not sure if it is possible in C#.
Since both my website and Prizmdoc API are hosted on the same server, it should be possible for the website to make calls to a different port using SSL. But simply put, I am out of ideas to try.
TL;DR
A website and a third-party API are running on the same server. The website makes calls to the API using the IP address and the port. The browser thinks it is a mixed content request and blocks the same.

You might try this: set up a secure reverse proxy that listens for requests over HTTPS and then turns around and relays the requests to the port 3000. I have used this trick to secure an insecure API call. It should be good enough to pass the browsers' security checks as well.
Here are some IIS examples:
https://weblogs.asp.net/owscott/creating-a-reverse-proxy-with-url-rewrite-for-iis
https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/
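
The reverse-proxy idea from the answer above, as an added Node.js example (not part of the original answer, and not IIS configuration). The `/prizmdoc` path prefix, the loopback backend address, and the `TLS_KEY` / `TLS_CERT` environment variables are assumptions made for this sketch; the page then calls `https://<site>/prizmdoc/...` instead of `http://<ip>:3000/...`, so the browser no longer sees mixed content.

```javascript
// Added example: TLS-terminating reverse proxy in front of a plain-HTTP API.
const UPSTREAM = { host: '127.0.0.1', port: 3000 };   // assumed backend address
const PREFIX = '/prizmdoc';                            // assumed public path prefix
// Hop-by-hop headers describe a single connection and must not be relayed.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade']);

// Map an incoming HTTPS request to options for the plain-HTTP upstream call.
// Returns null for paths outside PREFIX so the proxy only exposes the API.
function upstreamOptions(method, url, headers, clientIp) {
  if (url !== PREFIX && !url.startsWith(PREFIX + '/')) return null;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!HOP_BY_HOP.has(name.toLowerCase())) out[name.toLowerCase()] = value;
  }
  out['x-forwarded-proto'] = 'https';       // tell the backend the outer scheme
  out['x-forwarded-for'] = clientIp;        // overwrite any client-supplied value
  out.host = `${UPSTREAM.host}:${UPSTREAM.port}`;
  return { ...UPSTREAM, method, path: url.slice(PREFIX.length) || '/', headers: out };
}

// Start the HTTPS listener. Modules are loaded here so the helper above stays pure.
function startProxy(port = 443) {
  const fs = require('node:fs');
  const http = require('node:http');
  const https = require('node:https');
  const tls = {
    key: fs.readFileSync(process.env.TLS_KEY),
    cert: fs.readFileSync(process.env.TLS_CERT),
  };
  return https.createServer(tls, (req, res) => {
    const opts = upstreamOptions(req.method, req.url, req.headers, req.socket.remoteAddress);
    if (!opts) { res.writeHead(404); res.end(); return; }
    const up = http.request(opts, (upRes) => {
      res.writeHead(upRes.statusCode, upRes.headers);
      upRes.pipe(res);                      // stream the backend response back
    });
    up.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(up);                           // stream the request body to the backend
  }).listen(port);
}

// Only listen when certificate paths are provided.
if (process.env.TLS_KEY && process.env.TLS_CERT) startProxy();
```

With the proxy in place, port 3000 can be bound or firewalled to loopback only, so the unencrypted API is no longer reachable from outside the server.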

Related

Which to prefer, http vs https, in Node.js

Recently I learned about the https module in Node.js: how to use it and how to generate a certificate and key for it.
But there is also the http module, which most tutors teach at the beginning.
The main question is this: when I create a back-end server with the http module and host it on a site like Heroku, after deploying we get the https protocol for our website by default, and it's secure.
It is the same when using the https module.
So what's the difference or advantage we get by using the http or https module, one over the other?
Does it make a difference?
And which module should I prefer while writing server code?
When you are running in a hosting environment like heroku that puts you behind a proxy and that proxy handles the https to the outside world for you, then that's all you need. There is no need to use https on your server directly between you and the proxy as it already has https to the outside world via the proxy and you don't need https between your server and the proxy as that's local to the secure network of the hosting facility.
If you are not running behind such a proxy, then you will want your own server to be https.
In order to ensure secure communication with users of your Express.js applications, you can make all traffic use HTTPS by forcing a redirect from HTTP.

Sending an http request from an https website

I have an https website (using LAMP stack) and I want to send an http request to port 3000 of a separate node.js server when you click a button (using an AJAX call and jsonp). It worked when my website was not secured (http), but after I switched to using a load balancer to make it secure (I'm using Amazon Lightsail), the http request no longer works. Is this because an https website does not allow http requests since all information on the website is supposed to be secure? And if so, should I send an https request instead? This would require me to make the node.js server https-secured by adding it to the load balancer. However, would this prevent me from requesting to port 3000 since load balancers only accept requests to ports 80 (http) and 443 (https)? I've looked into listeners but it seems like Amazon Lightsail does not support listeners with its load balancers.
Put that node server behind the same load balancer as a reverse proxy with another route or DNS name and it will probably work for you.

Submitting HTTPs from node socket with no certificate

A web application I developed is sitting on a server that serves it under https. Some of my JS code needs to open a socket to another server (nodejs) which is currently not set up for https, and thus the browser won't allow it to run.
All I want is a simple way, without getting involved with certificates, just to initiate an https socket connection. I don't mind the lack of security,
I just need the app to run.
The certificates are not your problem. Your problem is CORS. You need to configure your server to answer with a header that allows foreign origins:
res.header('Access-Control-Allow-Origin', 'https://example.com'); // the value must be a full origin, including the scheme
because in your case the technical difference between http (port 80) and https (443) is the port.
EDIT: ... I mean from the browser's point of view

WebSocket over SSL: Cloudflare

I have a website behind Cloudflare. I need to enable websockets over SSL without turning off Cloudflare support. I have a PRO plan and hence won't get the new websocket support. I am using Nginx to proxy an SSL connection to a web socket running on a node server. Now, I read somewhere that Cloudflare would support websockets on approved ports. Hence, I'm using 8443 for the Nginx port and another port for the node server. Using wscat, it returns a 200 error.
$ wscat -c wss://xyz.com:8443
error: Error: unexpected server response (200)
I know that the websocket is expecting a 101 code. However, if I visit https://xyz.com:8443, I can see the page displayed by the node server telling me the proxy is working. Also, once I turn off Cloudflare support, the websocket starts working. Any clues to get this working? I know I can create a subdomain, but I'd prefer running the websocket behind Cloudflare.
If you're trying to access this through CloudFlare's network you'd need to explicitly have web sockets enabled on your domain before they will work -- regardless of the port. As in, even if the port can pass through our network, that won't automatically mean that web sockets will be enabled or accessible on your domain.
You can try contacting our support team to request an exception to see if they can enable it for your domain, but typically this is still only available at the business and enterprise levels.
Disclaimer: I work at CloudFlare.

SSL Https, is it that simple?

I'm just setting up an SSL area of a website, and was just wondering... is it as simple as adding HTTPS on the url?
(this is presuming I have a valid certificate of the hosting company?)
Or is there something more to it?
Thanks.
You have to set up the server to allow SSL connections. That includes generating a signed server request. You send this CSR to the cert authority (Verisign etc.), and they send you a cert to install on the server. If you are behind a firewall, you need to open port 443.
If you don't control the server, i.e. shared hosting, there is probably a page in your control panel to do it all for you using a GUI.
When you replace http: in a URL with https: you are asking your web browser to do two things:
- To attempt an encrypted (SSL) connection
- To change which port to use on the remote server if none is specified in the URL
Most web browsers use port 80 for unencrypted traffic and port 443 for encrypted traffic by default. So, the first thing you need is a web server that is listening on port 443. If you are using a hosting company, this is probably already the case or becomes the case when you configure SSL.
You do not have to use port 443 but that is where browsers will be looking when users do not specify a port. You could also force everybody that connects at port 80 to use SSL as well though with the right configuration. That means that ALL traffic to your site would be encrypted.
To get the encryption up and running you generally need three things: a certificate, an encryption key, and a server request (CSR).
How you configure these is extremely dependent on how you are hosting the web server. Most hosting companies have 'control panels' that you log into for configuration. Common ones are Plesk and cPanel. If either of those rings a bell, you can post more information to get a better answer.
If you are managing the server yourself, the big question is whether you are hosting on Windows or Linux. If it is Windows, you are most likely going to want to configure IIS (Internet Information Server), while if it is on Linux you are probably going to configure Apache.
If you are using IIS, this link might help:
http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm
If it is Apache, Byron gave a good link above:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
You can use other web servers. For example, I use nginx:
http://rubypond.com/blog/setting-up-nginx-ssl-and-virtual-hosts
So, I guess the real step one is finding out more about your server. :-)
Once your web server has the SSL cert installed, it is as easy as using HTTPS on the URLs. There are some considerations to be aware of:
- Port 443 must be open between the user and web server. (obvious)
- Browser caching will be reduced to in-memory session cache and not stored on disk. Also, caching proxies in between will not be able to cache anything, since everything is encrypted. This means an increase in load times and bandwidth requirements of the web server.
- When using HTTPS to receive sensitive data, be sure to disallow its use over HTTP. e.g. If you have a page that accepts credit card numbers in a POST, the app should fail validation if it was not done over HTTPS. This can be done in your code or in web server configuration. This prevents a bug or malware from systematically sending sensitive data in the clear without the user knowing.
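
The answers above describe three rules: trust the proxy's HTTPS when you sit behind one, redirect plain HTTP to HTTPS, and fail a POST that arrives over HTTP. The following added example (not code from any of the posts) combines them in one Express-style check. The function names and the `trustProxy` and `canonicalHost` options are hypothetical, and `trustProxy` assumes the app is reachable only through a proxy that sets `X-Forwarded-Proto` itself.

```javascript
// Added example: decide how to treat a request that may have arrived over plain HTTP.
function isSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;  // direct TLS connection
  if (!trustProxy) return false;        // without a trusted proxy the header is client-controlled
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

function enforceHttps(req, { trustProxy = false, canonicalHost } = {}) {
  if (isSecure(req, trustProxy)) return { action: 'continue' };
  if (req.method === 'GET' || req.method === 'HEAD') {
    // Redirect to a configured host name, never to the request's Host header,
    // so a forged Host value cannot turn this into an open redirect.
    return { action: 'redirect', status: 301,
             location: `https://${canonicalHost}${req.url}` };
  }
  // A POST body has already crossed the network in the clear. Fail loudly
  // instead of redirecting, so the caller that sent it gets fixed.
  return { action: 'reject', status: 403 };
}

// Adapter with the (req, res, next) middleware signature used by Express.
function httpsOnly(options) {
  return (req, res, next) => {
    const decision = enforceHttps(req, options);
    if (decision.action === 'continue') return next();
    if (decision.action === 'redirect') {
      res.writeHead(decision.status, { Location: decision.location });
      return res.end();
    }
    res.writeHead(decision.status, { 'Content-Type': 'text/plain' });
    return res.end('HTTPS required');
  };
}
```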
