I get 'net::ERR_INSECURE_RESPONSE' (getting HTTP back) when making requests to my HTTPS API. The Express documentation seems a bit sparse on this. Maybe I'm missing somewhat about the fairly fundamental here?
I'd like to send HTTPS and respond with HTTPS
let app = express()
app.get('/climbers/:latitude/:longitude', (req, res) => {
const loc = { latitude: req.params.latitude, longitude: req.params.longitude }
const nearbyClimbers = climbers.filter(climber => haversine(climber, loc) < 5)
res.json(nearbyClimbers)
})
let secureServer = https.createServer({
key: fs.readFileSync('./ssl/server.key'),
cert: fs.readFileSync('./ssl/server.crt'),
ca: fs.readFileSync('./ssl/ca.crt'),
requestCert: true,
rejectUnauthorized: false
}, app)
Turns out this was returning HTTPS, I just misunderstood net::ERR_INSECURE_RESPONSE. See https://stackoverflow.com/a/25075349/1340046
I had dealt with this error for the static resources coming from another port (webpack dev server). What I didn't realize was that I'd need to confirm the ssl exception for the API separately. All I had to do was visit the API url through my browser and confirm the exception.
Another option would be to add the personal ssl certificate
Related
I have a REST API running on Node JS with Express.
I keep having issues with CORS because the front end is HTTPS and the backend API is HTTPS which frequently, but not always gets reported as a violation.
I am trying to secure the API with a Let's Encrypt cert but I seem to be missing something.
Here is the code that initializes the express server:
require('dotenv').config();
const https = require("https"),
fs = require("fs");
const app = require("./src/app");
const port = process.env.PORT || 8000;
https
.createServer(
{
key: fs.readFileSync('/etc/letsencrypt/live/myserver.com/privkey.pem', 'utf8'),
cert: fs.readFileSync('/etc/letsencrypt/live/myserver.com/fullchain.pem', 'utf8')
},
app
)
.listen(8000, function() {
console.log('HTTPS listening on PORT 8000');
});
Is there another approach? Or am I just doing it wrong?
CURL still works on HTTP which surprises me. There shouldn't be an HTTP server listening on 8000. GET calls work without the SSL configuration but POSTs always fail.
All the APIs work locally, it's just when I push it to production that it fails. But then, locally, it's not running HTTPS so there is no violation.
I haven't seen posts that address this specifically so I have to wonder what I'm missing. This has to be a common scenario.
Thanks for any help.
Try either of these solutions, whatever suits you:
import * as Cors from 'cors';
const cors = Cors( { origin: true } );
app.use( cors );
var cors = require('cors');
var app = express();
app.use(cors());
I'm trying to make a request with axios to an api endpoint and I'm getting the following error: Error: unable to verify the first certificate
It seems the https module, which axios uses, is unable to verify the SSL certificate used on the server.
When visiting the server with my browser, the certificate is valid and I can see/download it. I can also make requests to the api on my browser through https.
I can work around it by turning off verification. This code works.
const result = await axios.post(
`https://${url}/login`,
body,
{
httpsAgent: new https.Agent({
rejectUnauthorized: false
})
}
)
Problem is, this doesn't verify the SSL certificate and therefore opens up security holes.
How can I configure axios to trust the certificate and correctly verify it?
Old question but chiming in for those who land here. No expert. Please consult with your local security gurus and what not.
Axios is an http(s) client and http clients usually participate in TLS anonymously. In other words, the server accepts their connection without identifying who is trying to connect. This is different then say, Mutual TLS where both the server and client verify each other before completing the handshake.
The internet is a scary place and we want to protect our clients from connecting to spoofed public endpoints. We do this by ensuring our clients identify the server before sending any private data.
// DO NOT DO THIS IF SHARING PRIVATE DATA WITH SERVICE
const httpsAgent = new https.Agent({ rejectUnauthorized: false });
This is often posted (and more egregiously upvoted) as the answer on StackOverflow regarding https client connection failures in any language. And what's worse is that it usually works, unblocks the dev and they move on their merry way. However, while they certainly get in the door, whose door is it? Since they opted out of verifying the server's identity, their poor client has no way of knowing if the connection they just made to the company's intranet has bad actors listening on the line.
If the service has a public SSL cert, the https.Agent usually does not need to be configured further because your operating system provides a common set of publicly trusted CA certs. This is usually the same set of CA certs your browser is configured to use and is why a default axios client can hit https://google.com with little fuss.
If the service has a private SSL cert (self signed for testing purposes or one signed by your company's private CA to protect their internal secrets), the https agent must be configured to trust the private CA used to sign the server cert:
const httpsAgent = new https.Agent({ ca: MY_CA_BUNDLE });
where MY_CA_BUNDLE is an array of CA certs with both the server cert for the endpoint you want to hit and that cert's complete cert chain in .pem format. You must include all certs in the chain up to the trust root.
Where are these options documented?
HTTPS is the HTTP protocol over TLS/SSL. In Node.js this is implemented as a separate module.
Therefore options passed to the https.Agent are a merge of the options passed to tls.connect() and tls.createSecureContext().
Create a custom agent with SSL certificate:
const httpsAgent = new https.Agent({
rejectUnauthorized: false, // (NOTE: this will disable client verification)
cert: fs.readFileSync("./usercert.pem"),
key: fs.readFileSync("./key.pem"),
passphrase: "YYY"
})
axios.get(url, { httpsAgent })
// or
const instance = axios.create({ httpsAgent })
From https://github.com/axios/axios/issues/284
For me, when my application is running in development mode, I have disabled rejectUnauthorized directly in axios.defaults.options. This works very well. be careful and use this only in developer mode.
import https from 'https'
import axios from 'axios'
import config from '~/config'
/**
* Axios default settings
*/
axios.defaults.baseURL = config.apiURL
/**
* Disable only in development mode
*/
if (process.env.NODE_ENV === 'development') {
const httpsAgent = new https.Agent({
rejectUnauthorized: false,
})
axios.defaults.httpsAgent = httpsAgent
// eslint-disable-next-line no-console
console.log(process.env.NODE_ENV, `RejectUnauthorized is disabled.`)
}
These configuration worked for me (In a Mutual Authentication scenario).
const httpsAgent = new https.Agent({
ca: fs.readFileSync("./resource/bundle.crt"),
cert: fs.readFileSync("./resrouce/thirdparty.crt"),
key: fs.readFileSync("./resource/key.pem"),
})
Note: bundle.crt was prepared from provided certificates (root,intermediate,end entry certificate). Unfortunately no clear documentation found in this regards.
This is very dirty, but at the top of your script, just put:
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';
This basically tells node to not check SSL certificates, which is very convenient when you get self signed certificates rejected in development.
Please don't use this in production.
This what worked for me , using axios with nodejs + express
exports.test_ssl = async (req,res) => {
let cert_file = fs.readFileSync("./ssl/my_self_signed_certificate.crt")
let ca_file = fs.readFileSync("./ssl/my_self_signed_certificate_ca.crt")
const agent = new https.Agent({
requestCert: true,
rejectUnauthorized: true,
cert: cert_file,
ca: ca_file
});
const options = {
url: `https://51.195.45.154/test`, // <---this is a fake ip do not bother
method: "POST",
httpsAgent : agent,
headers: {
'Accept': 'application/json',
'Content-Type': 'application/txt;charset=UTF-8'
},
data: {}
};
console.log(cert_file.toString())
axios(options)
.then(response => {
payload = response.data ;
return res.status(200).send({"status":1});
}).catch(err => {
console.log(err);
return false
});
}
This worked for me:
import axios from 'axios'
import https from 'https'
const headers = {};
const httpsAgent = new https.Agent({
ca: fs.readFileSync('./certs/cert.pem'),
cert: fs.readFileSync('./certs/cert.pem'),
})
const data = await axios.get(url, { httpsAgent, headers })
const https = require('https');
const axios = require('axios')
const CA = "-----BEGIN CERTIFICATE-----$$$$$-----END CERTIFICATE-----"
const url = "bla"
const httpsAgent = new https.Agent({
ca: CA
});
const response = await axios.get(url, { httpsAgent });
This is what work for me.
|Greetings|
We are developing an application using nest.js and socket.io, and I'd like to know whether it's possible to create an SSL connection for this environment.
Here's the link to the repo: https://github.com/nokia/skilltree
( the latest attempts have been made in the David branch )
I tried this one, but the socket.io still doesn't use SSL connection:
https://blog.cloudboost.io/everything-about-creating-an-https-server-using-node-js-2fc5c48a8d4e
They suggest this:
var options = {
key: key,
cert: cert,
ca: ca
};
var https = require('https');
https.createServer(options, app).listen(443);
Thank you for any help in advance
Nest takes an option object as second parameter, which also contains https options, like:
const app = await NestFactory.create(AppModule, {
httpsOptions: {
key: 'key',
ca: 'ca',
cert: 'cert',
},
});
await app.listen(3000);
So there should be no need to create the express instance yourself.
Haven't tested, but it should actually work. :)
See also: HttpOptions Interface NestJs
Spent entire day with exactly the same issue, here the best solution I could find:
const httpsOptions = {
key: key,
cert: cert,
ca: ca
};
const expressInstance: express.Express = express();
const app: NestApplication = await NestFactory.create(
MainModule,
expressInstance,
{ httpsOptions }
);
await app.listen(Environment.PORT);
With this approach secure websockets work just fine for me
I've setup a simple HTTPS server to handle the following to situations:
Requests to https://localhost:5000/ that have a matching file in my directory are served via connect.static(__dirname). This works great for everything like my index.html and my CSS files and is working exactly as I need.
Requests to https://localhost:5000/api should redirect to https://subdomain.mydomain.com:443/api.
The proxy is properly transferring everything over HTTPS and the SSL handshake part seems to be working exactly as I would expect. The problem is that my API uses the subdomain to determine what database to connect to and what data to return. So, my API sees the request
https://localhost:5000/api/something
instead of
https://subdomain.mydomain.com/api/something
and is throwing an error telling me I have to supply the subdomain.
How can I tell the node proxy to forward (or use) the domain/subdomain when doing the proxy?
Here is my code:
var fs = require('fs');
var connect = require('connect'),
https = require('https'),
httpProxy = require('http-proxy'),
options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
},
endpoint = {
host: 'subdomain.mydomain.com',
port: 443,
prefix: '/api',
target: { https: true }
};
var proxy = new httpProxy.RoutingProxy();
var app = connect()
.use(connect.logger('dev'))
.use(function(req, res, next) {
if (req.url.indexOf(endpoint.prefix) === 0) {
proxy.proxyRequest(req, res, endpoint);
} else {
next();
}
})
.use(connect.static(__dirname));
https.createServer(options, app).listen(5000);
console.log('Listening on port 5000');
Just in case someone bumps into this old question, you should use http-proxy's changeOrigin option.
I want to create a reverse proxy in node js, where I can require client certificates for certain parts of the site.
The /secure section should require a client cert.
The /nosecure section does not require a client cert.
The user should be able to retry the client cert validation if he didn't provide a valid one before.
var options = {
key: fs.readFileSync(__dirname + '/key.pem'),
cert: fs.readFileSync(__dirname + '/cert.pem'),
ca: fs.readFileSync(__dirname + '/clientCA.pem'),
requestCert: true
};
https.createServer(options, function (req, res) {
//parse url
req.parsedUrl = url.parse(req.url);
//handle urls
switch(req.parsedUrl.pathname) {
case '/nosecure':
/*
* This location does not require a client cert
*/
res.end('nosecure');
break;
case '/secure':
/*
* This location requires a client certificate, which can be checked by getPeerCertificate()
* If no certificate is provided, the user will be redirected to secureError
*/
res.end('secure');
break;
case '/secureError':
/*
* This location does not require a client cert
* It displays the error page, in case the client cert was not provided/validated on /secure.
*/
res.end('Certificate validation failed. Try again');
break;
default:
res.end('not found');
break;
}
}).listen(9000);
Normally you can only set these requirements on server level.
But I could manually check the cert in the secure section.
The problem however remains. I can not ask the client browser to send me the cert again.
This only happens once, when the SSL session is started.
Any ideas on how to fix this?
I'm a noob myself but I'm playing around with the same thing.
Maybe something like
if (req.parsedUrl.pathname == '/secure' && !req.connection.getPeerCertificate().valid_to) req.parsedUrl.pathname = '/secureError';
I think you can simply allow unauthorized connections, and then logically check for authorization in order to allow access to some parts of your application.
Minimal Reproduceable Example
const fs = require('fs')
const https = require('https')
const opts = {
key: fs.readFileSync('some_key.pem'),
cert: fs.readFileSync('some_cert.pem'),
ca: [ fs.readFileSync('potentially_different_cert.pem') ],
requestCert: true,
rejectUnauthorized: false, // allow insecure connections
}
https.createServer(opts, (req, res) => {
const cert = req.connection.getPeerCertificate()
if (req.client.authorized) {
//secure
} else {
//insecure
}
}).listen(9000)