How to create https server in node.js application with express.js - node.js

I am new to node.js and express.js. I created one application with an http server. It's working fine but it is not secure. I want to create an https server in that application.
var fs = require('fs'); // the fs module is needed for readFileSync
var privateKey = fs.readFileSync('privatekey.pem').toString();
var certificate = fs.readFileSync('certificate.pem').toString();
I got a solution: create the https server with the syntax above. How do I get the privatekey.pem and certificate.pem files?
Please help me!

You will need to generate your key and certificate. For these to work for real users, you will need to get these from a source like LetsEncrypt. However, for development purposes you can create "self signed" certificates and keys for this. With this you will get an "insecure" alert from your browser but since they're yours anyway you can click "proceed anyway".
There are many ways for generating these and many guides around for doing so. You can use this one to get a key and pem file for development purposes, and then follow the LetsEncrypt advice for production certificates.
With those, you will get your key and cert pem files generated and you will be able to read those in with the code you have above.

Related

SSL/TLS for React Frontend and Express Backend?

I have been learning more about web development so this is likely a dumb question or I do not have the knowledge to search for the answer properly.
I am revamping my current personal website (hosted on GitHub Pages). I am making a React frontend which will be served via GitHub Pages with an Express backend (likely through cyclic). I want to add SSL/TLS encryption for encrypted communication between the frontend and backend.
To my knowledge, SSL works via the server sending its certificate to the client. It also will send its public key so that the client can use the key to encrypt the message and send it to the server, which uses the private key to decrypt said message. To me this means that I definitely would need to get a certificate for my backend.
However, I have some knowledge of how RSA encryption works (I know this is not the same) but it seems like this means that messages from the server to the client would not be secure. Would this mean that if I needed messages to be encrypted going that way I would need to add a certificate? I personally cannot think of an example but I am sure there might be one.
First, is my assumption correct? If this is the case, how would I do so in both the general sense and with the services I am using?
Thank you for any help and I apologize for any mistakes I made, I figured to put out my thought process.
GitHub Pages will do the SSL/HTTPS for you as part of configuring your custom domain. See Securing your GitHub Pages site with HTTPS.
In the "Code and automation" section of the sidebar, click Pages.
Under "GitHub Pages," select Enforce HTTPS.
If you were using your own servers, most people use Nginx to terminate SSL. Node.js can do it but most often Nginx is used as a reverse-proxy and SSL termination point.

Angular-Nodejs SSL

I wanted to migrate my Angular - Node.js server to https. I have generated certificates with OpenSSL. I added them to both the Node.js server.ts and angular.json. I am facing a couple of problems:
1) I am able to run the Angular app without the certificates and also with the wrong certificates. I am not sure why it's allowing this without a handshake. What is the use of adding a cert in Angular if it allows it without certs?
2) I want to encrypt my password field. How can I encrypt the password in Angular with my certificate and decrypt it in Node.js with the key?
Updating the question as I see how to read the file.
Yes, Angular has a file reader.
E.g.: let fileReader = new FileReader();
This can help you: Running Angular CLI over HTTPS with a Trusted Certificate

Is it possible to intercept the payload of a secure request in plain text?

Consider we run the following request:
import requests
url = "https://secretsub.example.com/secretpath/post.php"
payload = {'secretmessage1': 'foo', 'secretmessage2': 'bar'}
r = requests.post(url, data=payload, verify=True)  # verify=True: validate the server certificate
The language (python) is just arbitrary; it could be a request in any other language (NodeJs, Java, PHP...).
Notice that the url is using https, which means that the connection is secured over SSL. Assuming that I compile this program into a binary (.exe), would it be possible for the computer to read the payloads in plain text through some software?
I know that packet sniffing software (like Wireshark) will only reveal the domain name (example.com) in plain text but not the secretpath nor the payload, which will be encrypted.
If I run this code in a web browser however (assuming that it is written in Javascript), I will be able to access the payload and the secretpath in plain text inside the browser console. I assume that the browser only encrypts it after the request is logged in its console. But if this code is run outside the browser, is there a way for the host computer to intercept that data in plain text? (some sort of packet sniffing tool)
It is only possible to see the domain name; the payload and path are encrypted and can only be decrypted with the session key negotiated between the client and webserver. But malware on your computer could be able to access it, for instance by having access to the memory used by the application or by using an insecure programming library with some kind of backdoor.
What https is doing is initiating a certificate exchange, so your client will receive a certificate from the server that validates the server is who they say they are and allows the client to encrypt the data through the channel (network).
The first bit - validating the server is who they claim to be - relies on something called a certificate chain. The certificate you receive will have been signed with an issuer's private key. Your client should check this certificate using the issuer's public key that you should "already have".
Most operating systems have a list of trusted root certificates. In Windows you can see them in the certificate manager.
Without knowing python - @Patrick Mevzek hints that you can ship a root CA (certificate authority) or use the OS one. If you're using the OS one - you might need to check it's going to be there.
I would expect all this to be automatic - it's part of the protocol that you've specified, i.e. https. However - you might want to confirm that with a python person.
Most people kind of ignore all this bit - but it is very important. If you do not validate the certificate then you are susceptible to a "Man in the Middle" attack or DNS spoofing.
Basically I can issue a cert for secretsub.example.com using a couple of tools on my desktop. It will not be signed by a valid CA, but if you don't check it then I can either place that cert in a proxy (Man in the Middle) - and when you make your request my proxy will get the real cert from the real server, establish the HTTP connection but issue my cert to your application. You will then encrypt to my proxy with my cert so I can read your data and then forward it to the real server - and you'll never know! (Many corporate proxies do exactly this to their employees).
Alternatively, if I can change your DNS to point the IP to my server I can do pretty much the same - act as a proxy.
Once that's done the data will then be encrypted across the network.
So - yes, HTTPS will encrypt across the network - but check the cert is valid.
Obviously as someone points out - the data is in the clear on the client computer - just like it is in your browser now.
Stuart

How to pass a key, certificate, ca and

I am working with self-signed certificates for the first time. I understand that Node-RED does not use the default CA store. The solution to this seems to be to provide a key and self-signed certificate when performing an https request. I would like to use the standard http request node to do this but I can't find documentation on how to pass a key, cert, and rejectUnauthorized through the message block. Is this even possible?
Thank you
NodeJS bundles the default CA store into the node binary so you can't just add a file to a dir and have it pick up extra CA certs.
Assuming you are using the HTTP-request node you can add certs/keys by ticking the "Enable secure (SSL/TLS) connection" check box.
This should make a drop down box appear that will let you create a new TLS configuration. In here you can add the certs and keys for the connection.

Node.js client cert from Windows... how can I tell if the cert is being sent?

I've got a client-side cert secured rest endpoint which works when I hit it via curl using a known cert in Linux-land... That is to say, if I console.log(req.connection.getPeerCertificate()), I see a bunch of stuff. Cool.
... however, when one of my teammates tries to hit the same endpoint from a Windows Machine, req.connection.getPeerCertificate() is an empty object, even though they think they're attaching the cert correctly.
What's the best way to tell if they are, indeed, attaching the cert correctly? How should I go about debugging this?
The docs say:
If the peer does not provide a certificate, [getPeerCertificate] returns null or an empty object.
So you already know that the Windows client is not sending a valid certificate because getPeerCertificate() returns an empty object. Check the authorizationError property for additional information about any client certificate errors that may have occurred.
Debug this by finding out why the client isn't sending a certificate. Are you setting requestCert: true in your server options? Is the client properly configured? Is it sending a certificate that can be validated?
