I am writing a Node.js application. I need to secure (HTTPS) only the login page. The home page should be non-secure (HTTP).
If my domain is www.example.com:
If an http://www.example.com request comes, it should be redirected to https://www.example.com (secure HTTPS).
After the user successfully logs in to the system, it should go to the http://www.example.com/home URL, not https://www.example.com/home.
When the user logs out, it should be redirected to https://www.example.com (secure HTTPS).
Please give me some help to achieve this, or if you have come across this kind of live situation, please let me know.
I would recommend setting up a web server in front of your node app such as nginx or Apache. With nginx for example, you can do a ProxyPass as outlined in this answer: https://stackoverflow.com/a/10375750/760297
You can then add rules to redirect people to HTTPS or HTTP based on their current path via server configurations and keep your app all one protocol. This reduces the overhead on node and your development.
Related
I have deployed my app to Heroku, and I am using their ACM. When I go specifically to https://www.example.com I have a secure version of my site. But when I just type in www.example.com (which is what a consumer would do) I have the unsecured version of my site.
I want to redirect all HTTP requests to HTTPS so the consumer will always interact with the secure version of the app.
Solutions I have tried so far, which haven't been successful for me are:
heroku-ssl-redirect.
Using an if statement that checks the X-Forwarded-Proto header to see if it isn't https and then use a redirect, but no luck with this yet. I am unable to actually see this header when I check in the dev tools for it, so I am wondering if this is the cause of that code not working.
Can anyone guide me in the right direction?
I would like all traffic to my site to use https on IIS.
How do I configure a redirect to do that?
(Note: this will be self answered, as there is no correct answer anywhere on this.)
This blog link supposedly answers this question:
However, no one so far has been able to get the answer to work, as you end up with an endless loop of a redirect redirecting to a redirect.
So after working with this and resolving it, here is the correct answer:
Install the Http Redirect Feature if it is not already installed.
Create two sites, not one site. The first site is the insecure site which is bound to http only. Do not bind https on this site.
The second site is your secure site. This is bound to https and your security cert.
On the insecure site, add the http redirect: "Redirect requests to this destination: https://example.com" Select status code of Permanent (301).
Test. Any request to http://example.com will be forwarded to https://example.com.
My environment :
1.) 1 load balance server (nginx)
2.) 2 web servers (express.js running on node.js)
3.) 1 database server
Hello, I am trying to force my user to use https. I look through many tutorials on how to implement https in express.js.
However, as I look through many tutorials, I found 2 ways on how to redirect user http to https.
redirecting user to https on nginx config ( on load balance server )
redirecting user to https on express.js ( on web server )
My question is:
Which is a better way to implement HSTS for my web app (on the load balancer or on a web server)?
Also, please kindly give a little information on the advantages and disadvantages of each of the options.
Thank you very much :)
You can reduce traffic by enforcing HTTPS upstream on the load balancer. If you are only serving content that needs to be encrypted, it might be best to restrict HTTP traffic to the web servers from external sources.
Otherwise an HTTP request will pass through the load balancer and be directed to web server 1, where it will respond with a 302 redirect to use the HTTPS URL. This causes the user to have to make 2 requests to get to your website.
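The X-Forwarded-Proto check mentioned in the Heroku question and the redirect-plus-HSTS setup asked about in the load balancer question, as an added example that is not code from any of the posts above. The header is set by the proxy on the request it forwards to the app, so the app must decide whether to believe it; `CANONICAL_HOST`, `TRUSTED_PROXIES`, the HSTS `max-age` and the function names are assumptions for illustration.

```javascript
// Added example. CANONICAL_HOST and TRUSTED_PROXIES are assumed values.
const CANONICAL_HOST = 'www.example.com';
const TRUSTED_PROXIES = new Set(['127.0.0.1', '10.0.0.5']); // constructed
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Normalise IPv4-mapped IPv6 peers such as "::ffff:10.0.0.5".
function peerAddress(req) {
  return String(req.socket.remoteAddress || '').replace(/^::ffff:/i, '');
}

// Scheme the client used, as far as this server can tell.
function clientProtocol(req) {
  if (req.socket.encrypted) return 'https'; // TLS terminated in this process
  const xfp = req.headers['x-forwarded-proto'];
  // Honour the header only when the direct peer is our own proxy; any
  // other client can send "X-Forwarded-Proto: https" itself.
  if (typeof xfp === 'string' && TRUSTED_PROXIES.has(peerAddress(req))) {
    // First entry; assumes the edge proxy sets or overwrites the header.
    return xfp.split(',')[0].trim().toLowerCase();
  }
  return 'http';
}

// Redirect plain HTTP; on HTTPS, status 200 means "hand to the app" + HSTS.
function enforceHttps(req) {
  if (clientProtocol(req) !== 'https') {
    // Location uses the configured host, never the request's Host header,
    // so a forged Host cannot steer the redirect to another site.
    const idempotent = req.method === 'GET' || req.method === 'HEAD';
    const path = req.url.startsWith('/') ? req.url : '/'; // origin-form only
    return {
      status: idempotent ? 301 : 308, // 308 keeps the method and body
      headers: { Location: `https://${CANONICAL_HOST}${path}` },
    };
  }
  // Browsers ignore HSTS on plain-HTTP responses, so send it only here.
  return { status: 200, headers: { 'Strict-Transport-Security': HSTS_VALUE } };
}

// Constructed requests, shaped like Node's http.IncomingMessage.
const samples = [
  { method: 'GET', url: '/login', headers: { 'x-forwarded-proto': 'http' },
    socket: { remoteAddress: '::ffff:10.0.0.5' } },   // via proxy, plain HTTP
  { method: 'GET', url: '/login', headers: { 'x-forwarded-proto': 'https' },
    socket: { remoteAddress: '10.0.0.5' } },          // via proxy, HTTPS
  { method: 'POST', url: '/login', headers: { 'x-forwarded-proto': 'https' },
    socket: { remoteAddress: '203.0.113.9' } },       // header from untrusted peer
];
for (const s of samples) console.log(s.method, s.url, enforceHttps(s));
```

When the redirect is done on the load balancer instead, the same two checks still apply there: the redirect target comes from configuration, and the HSTS header is added only to HTTPS responses.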
Say I have a URL that is served over HTTPS, but in my .htaccess I rewrite proxy it to another domain that is on the same server like so:
RewriteRule /https-url/(.*) http://www.somesite.com/$1 [P,L]
Is this a secure situation? I would assume it is, because the browser is communicating with an SSL secured url and the rewriting is done on the server where nobody can interfere.
EDIT: I just went on and tried it. It works just fine, you can just redirect people to https if they approach the http url directly. This has also saved me some money since I only had to buy an SSL certificate for one domain.
If www.somesite.com is hosted on the same server that the rule is being applied on, then its network traffic is never leaving the server. That means a 3rd party not on the server won't be able to "eavesdrop" the contents of the request and response (or masquerade as a trusted party) so it doesn't matter if it's unencrypted. The assumption here is that if someone can get access to this traffic, they've already compromised the server so the reverse proxy may be the least of your worries.
How can I change my HTTP sensitive pages to HTTPS while I don't know what the difference between HTTP and HTTPS is and how to do that?
HTTPS is the secure version of HTTP:
traffic gets encrypted,
the user knows for sure that the site he is talking to is the real deal
Depending on your web server, you'll have to add support for HTTPS in the configuration file. For example, for the Apache web server, you need to use the mod_ssl module.