How can I configure expressjs to handle both http and https? - node.js

I've scoured stackoverflow and the express google group, but I'm still coming up short.
From what I gather, I can do one of two things:
1) create an instance of an http server and an https server and set the two to listen to two different ports. In the routes, redirect the http request to the https port.
//app
var app = express.createServer();
var app_secure = express.createServer({key: key, cert: cert});
app.listen(8080);
app_secure.listen(8443);
//routes
app.get("unsecure/path", function(req, res) {
...
}
app.get("secure/path", function(req, res) {
res.redirect("https://domain" + req.path);
}
app_secure.get("secure/path", function(req, res) {
res.send("secure page");
}
2) do what TJ Hollowaychuk says: https://gist.github.com/1051583
var http = require("http");
var https = require("https");
var app = express.createServer({key: key, cert: cert});
http.createServer(app.handle.bind(app)).listen(8080);
https.createServer(app.handle.bind(app)).listen(8443);
When I do 1, there are generally no problems. However, it feels clunky to manage two servers and I really feel like there should be a better way.
When I do 2, I get this:
(node SSL) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Of course, I can just default to option 1, but I really, really want to know why I'm getting that "no shared cipher error" when I do option 2. And option 2 would be my preferred route.

Following #ypocat 's comment you can enable https in your express.js application like so
var http = require('http');
var https = require('https');
var express = require('express');
var fs = require('fs');
var app = express.createServer();
// cutomize your app as ususal
app.configure( function () { ... });
app.configure('production', function () { ... });
// ....
// attach express handler function to TWO servers, one for http and one for https
http.createServer(app.handle.bind(app)).listen(8080);
https.createServer({
ca: fs.readFileSync('./server.ca-bundle'),
key: fs.readFileSync('./server.key'),
cert: fs.readFileSync('./server.crt')
}, app.handle.bind(app)).listen(8081);
Note that you should receive server.ca-bundle, server.key and server.crt from a certificate authority.
Also as you will probably run node without sudo you need to make sure port 80(http) and 443(https) are open
# in Ubuntu
sudo ufw status
sudo ufw allow 80
sudo ufw allow 443
and to forward requests on 8080 to 80 and from 8081 to 443 respectively
# in Ubuntu
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8081
Hope this helps

Is your certificate an RSA certificate rather than a DSA one? It sounds like the ciphers your browser supports are not supported by your nodejs server - you many need to update your OpenSSL and recompile NodeJS?

Related

How do you write an SSL redirect in NodeJS running on AWS EC2 without using port 80 (http) or port 43 (https)?

I have two node servers on a single host. One HTTP server with the responsibility of redirecting to HTTPS, and one HTTPS server responsible for serving my application:
const express = require('express');
const https = require('https');
const http = require('http')
const fs = require('fs');
const app = express();
const httpsOptions = {
key: fs.readFileSync('./local-ssl/key.pem'),
cert: fs.readFileSync('./local-ssl/cert.pem'),
passphrase: '*****'
}
//other stuff
http.createServer(function (req, res) {
res.writeHead(301, { "Location": "https://" + req.headers['host'] + req.url });
res.end();
}).listen(80);
https.createServer(httpsOptions, app).listen(443)
This works great locally.
The issue is, when I deploy this code and run these servers on AWS EC2 you cannot start servers on ports 80 and 443. I am trying to figure out how I can get around this issue. If I run them on different ports, the servers will not respond, and worse, redirect incorrectly.
Example:
If I serve HTTP on 8081 and HTTPS on 8443, when a redirect occurs, the code redirects to
https://my-fun-url.com:8081
which of course does not work because I am not responding to HTTPS on port 8081.
Now, I've explored the option of port forwarding, but how would this work? If I forward ports 80 and 443 to internal ports (let's say) 3000 and 4000 the same redirection problem will occur.
I have scoured the internet for so long and to me this is a simple requirement for any web-app. I would very much appreciate some detailed guidance on my strategy.
If you want to keep ports 8081 and 8443, then you simply replace 8081 with 8443 in the host header:
httpsHost = req.headers.host.replace('8081', '8443');
res.writeHead(301, {
"Location": "https://" + httpsHost + req.url
});
Now, I've explored the option of port forwarding, but how would this work? If I forward ports 80 and 443 to internal ports (let's say) 3000 and 4000 the same redirection problem will occur.
Not exactly. When someone navigates to http://my-fun-url.com (80) the request is forwarded to 3000. Your http server will respond with a redirect to https://my-fun-url.com (443) which will be forwarded to 4000, and the https server will take it from there.
The difference between the two methods is that with ports 80 and 443 being the default, they are implied and therefore can be left out from the host part of the URL. Which makes the redirect easier as there's no port in the host to replace in the first place, just the protocol part (HTTP/HTTPS).

Difference between https://<ip> and <ip>:443

I'm currently trying to understand the difference between 2 similar curl commands.
I spun up an AWS EC2 Ubuntu instance, and installed node.js on the instance. I then created a new directory called test-server. From within this directory, I ran npm init, then npm install express. I then wrote a simple web listener called test-server.js, which looks like this:
const express = require('express')
const app = express()
app.get('/', function(req, res){
console.log('Got a request!')
res.send('Request received!\n')
})
app.listen(443, function(){
console.log('Server started')
})
Finally, I started the server with the command sudo node test-server.js, and the server started successfully.
Using aws ec2 authorize-security-group-ingress, I allowed communication from my local IP address to the instance over port 443. I then attempted to test the connection using the following 2 curl commands: curl <ip>:443 and curl https://<ip>. The first command gave the expected output of Request received!. However, I received this error from the second command: curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <ip>:443.
Now, I'm FAR from a networking expert, but I would have expected both of these commands to function in the same way. Based on this result, I have 2 questions:
What is the difference between these 2 commands?
How can I change the configuration such that the second command works as well as the first?
Your application is serving regular HTTP on 443 port. In order to use https protocol you need to use encryption keys
var fs = require('fs');
var http = require('http');
var https = require('https');
var privateKey = fs.readFileSync('sslcert/server.key', 'utf8');
var certificate = fs.readFileSync('sslcert/server.crt', 'utf8');
var credentials = {key: privateKey, cert: certificate};
var express = require('express');
var app = express();
app.get('/', function(req, res){
console.log('Got a request!')
res.send('Request received!\n')
})
var httpsServer = https.createServer(credentials, app);
httpsServer.listen(443);
Command curl <ip>:443 is opening http connection to port 443 on givenip,curl https://<ip> is opening https connection to given ip.
If you want your traffic to be encrypted, stick to https:// version (and expanded code for server).
What is the difference between these 2 commands?
:443 is simply the port configuration, no different than :80. It just tells the server to serve content on that port. 443 is traditionally the port reserved for HTTPS connections, similar to how 80 is traditionally standard HTTP.
How can I change the configuration such that the second command works as well as the first?
You'll need to install a TLS cert. HTTPS indicates that a certificate is being used to secure the connection, and the absence of that certificate will cause the request to fail.

Socket EADDRINUSE Error

I am trying to set up a working nodeJS socket.io server with express. However, I keep returning this error:
Error: listen EADDRINUSE :::80
I have tried other solutions on this site which told me to search for and kill a process that is already running, but the grep commands return no running process. I can only assume the error is with my setup code:
var express = require("express"),
http = require('http');
var app = express();
var server = http.createServer(app)
var io = require('socket.io')(server, {path: '/folder/socket.io'}).listen(server);
app.get("/folder/", function(req, res){
res.sendFile(__dirname + "/folder/client/index.html");
});
app.use("/folder/client", express.static(__dirname + "/folder/client"));
app.listen(80);
Note that I specify the path folder because I want node to run on a subdirectory instead of the main path /. Is there something I'm doing wrong?
You should use
server.listen(80);
instead of
app.listen(80);
Hope that helps !
What I do on my cloud instances is I redirect port 80 to port 3000 with this command:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000

Having express.js or node accept an http connection over port 443

I have a REST API built with node that communicates over SSL. The server is built uses express and makes use of vhosts and cors. I have recently added a listener on port 80 as well so I can force HTTPS. As I test, I tried to access http://manage.domain.com:443/ but the request just hangs. Neither listeners seem to accept it. All I want to do is redirect that request to https.
I assume you already know this, but you'll need an https server (duh) to serve the HTTPS content. It doesn't matter what port you run it on; 443 is just the default port for HTTPS. If you want HTTP requests to redirect to HTTPS, you'll need both an http and an https server. Here's an example of how your app file should look:
var http = require('http'),
https = require('https'),
express = require('express')
fs = require('fs');
var domain = 'localhost';
var app = express();
app.get('*', function(req, res){
// redirect to HTTPS
res.redirect('https://' + domain + req.path);
});
http.createServer(app).listen(80, function(){
console.log('HTTP listening on port 80');
});
var appSecure = express();
// configure your app here
var options = {
key: fs.readFileSync('ssl_key.pem'),
cert: fs.readFileSync('ssl_cert.crt'),
};
https.createServer(options, appSecure).listen(443, function(){
console.log('HTTPS listening on port 443');
});
Obviously, you will need your SSL key and certificate to make this work.
As you probably know, most systems require elevated privileges to open a port less than 1025; so if you use port 80 and port 443, you'll have to run the app server with elevated privileges (if you're running on OSX/Linux/BSD, just do sudo node app.js).

Installing SSL Certificate On Node Server

I created a self-signed certificate and installed it on apache as well as on node.js(port 3000). On localhost both https://localhost and https://localhost:3000 works well.
So, I bought GoDaddy Standard SSL certificate and installed it on the server(http://gatherify.com). Now https://gatherify.com works well, but ssl on node isn't working.
When I access https://gatherify.com:3000 i get "The connection was interrupted".
I executed curl:
root#host [~]# curl -v -s -k https://gatherify.com:3000
* About to connect() to gatherify.com port 3000 (#0)
* Trying 108.160.156.123... connected
* Connected to gatherify.com (108.160.156.123) port 3000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -5938
* Closing connection #0
* SSL connect error
Any suggestions to fix this?
UPDATE
*SERVER SIDE :*
var io = require('socket.io'),
connect = require('connect'),
fs = require('fs'),
var privateKey = fs.readFileSync('cert/server.key').toString();
var certificate = fs.readFileSync('cert/server.crt').toString();
var options = {
key: privateKey,
cert: certificate
};
var app = connect(options).use(connect.static('../htdocs/node/'));
app.listen(3000);
var server = io.listen(app);
server.sockets.on('connection', function(socket) {
console.log("Connected");
});
CLIENT SIDE:
<html> <head>
<script type = "text/javascript" src = "https://gatherify.com:3000/socket.io/socket.io.js"></script>
<script type = "text/javascript">
var socket = io.connect('https://gatherify.com:3000', {secure:true});
</script>
</head><body></body></html>
If you want to run a node.js app on port 3000 with (behind) HTTPS, then you need to set up a proxy service on port 443 to proxy HTTPS requests to port 3000.
You didn't mention what server you have running on port 443 right now (is it Apache?) but you might want to
move that service to a new port (e.g. 4000), then run a node http proxy on port 443 that handles HTTPS.
Then set up a subdomain for the node.js app that you have running on port 3000 (e.g. blah.gatherify.com).
Then, using node http proxy, you will proxy all requests that are made to "gatherify.com" to port 4000, and all requests that are made to "blah.gatherify.com" to port 3000.
When all is set up properly, users can visit "https://gatherify.com" or "https://blah.gatherify.com" (without using :port numbers) and it'll all be secured with SSL. ;)
Install certificates Client Side (in Node.js)
If you need a node.js client to be able to recognize your self-assigned or cheaply-bought SSL certificates you can use ssl-root-cas, which is available on npm.
'use strict';
var https = require('https')
, cas
;
// This will add the well-known CAs
// to `https.globalAgent.options.ca`
require('ssl-root-cas').inject();
cas = https.globalAgent.options.ca;
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '01-cheap-ssl-intermediary-a.pem')));
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '02-cheap-ssl-intermediary-b.pem')));
cas.push(fs.readFileSync(path.join(__dirname, 'ssl', '03-cheap-ssl-site.pem')));
This will make your certs available to the core https module as well as modules that depend on it such as request and socket.io-client without deleting the normal ssl certs (which is the default behavior for some odd reason).

Resources