HTTPS + SSL on Heroku - Node + Express

Problem description

I've created a self-signed certificate, added it to Heroku, and provisioned an SSL endpoint on Heroku, and when I log heroku certs:info it seems to be there.

I'm creating my server on Express like so:

var server = require('http').createServer(app);

And then redirecting to https like so:

app.use(function(req, res, next) {
    var reqType = req.headers["x-forwarded-proto"];
    reqType == 'https' ? next() : res.redirect("https://" + req.headers.host + req.url);
});

The server runs fine, however I came across this code snippet on S.O. to create an https server:

var fs = require('fs');

// Key and certificate files are read from disk at startup
var keys_dir = './sslcert/';
var server_options = {
  key  : fs.readFileSync(keys_dir + 'server.key'),
  ca   : fs.readFileSync(keys_dir + 'server.csr'),
  cert : fs.readFileSync(keys_dir + 'server.crt')
};

// The app itself terminates TLS here
var server = require('https').createServer(server_options, app);

I don't point to the certs/keys like this example, and my site is running on https (although the lock is red since it's self-signed).

  • So my question is, how does my server know about my keys/certs without me explicitly pointing to them like the code snippet with server_options? Is this taken care of by Heroku behind the scenes?

How does the SSL Endpoint I setup on Heroku interact with the http server I created with var server = require('http').createServer(app);?

EDIT

I just came across this answer to another question:

"SSL termination occurs at Heroku's load balancers; they send your app plain (non-SSL) traffic, so your app should create a non-HTTPS server."

  • What does they send your app plain (non-SSL) traffic mean exactly? Does this mean that I don't have to redirect to https in my app?

Recommended answer

SSL termination is done on Heroku servers/load-balancers before the traffic gets to your application. The "thing" you added your cert to was not your dyno, but rather a Heroku-controlled server.

So when SSL (https) traffic comes in, it is "stopped" (terminated) at the server. That server opens a new http connection to your dyno, and whatever it gets it sends back over https to the client.

So on your dyno you don't need to "mess" with certs etc, and you will be seeing only incoming http traffic: whether directly from http clients, or from Heroku servers who talk https to clients and http to you.

Redirecting to https is a different matter: if a client "comes" to your app with http, and you prefer they use https, by all means redirect. They will issue a new request, this time https, and go thru Heroku's SSL termination and then to your app. But now you know that the path between the client and Heroku is secure (due to the client using https), and the path between the Heroku SSL termination and your dyno is presumably secure (if you trust Heroku...)

HTH
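
The flow described in this answer, as an added example that is not part of the original question or answer: a plain-HTTP handler for the dyno that uses X-Forwarded-Proto to tell which client leg was HTTPS, and redirects only to a known hostname instead of echoing the client-supplied Host header. The hostname in ALLOWED_HOSTS, the HSTS max-age and the function names are assumptions made for the example.

```javascript
// Constructed placeholder: hostnames this app is expected to be served on.
const ALLOWED_HOSTS = new Set(['example.herokuapp.com']);

// Every request reaches the dyno as plain HTTP; the X-Forwarded-Proto header
// set in front of the app is the only record of what the client leg used.
function decide(headers, url) {
  const host = String(headers['host'] || '').toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) {
    // Never build a redirect target from an unrecognised Host value.
    return { status: 400, headers: {}, body: 'Unknown host' };
  }
  if (headers['x-forwarded-proto'] === 'https') {
    // Client leg was TLS: serve, and ask the browser to stay on HTTPS.
    // max-age is an example value.
    return {
      status: 200,
      headers: { 'Strict-Transport-Security': 'max-age=31536000' },
      body: 'ok',
    };
  }
  // 'http' or header absent: send the client back through TLS termination.
  // req.url may be an absolute URI; append it only when it is a path.
  const path = typeof url === 'string' && url.startsWith('/') ? url : '/';
  return { status: 301, headers: { Location: 'https://' + host + path }, body: '' };
}

// Handler for a non-HTTPS server: require('http').createServer(handler)
function handler(req, res) {
  const d = decide(req.headers, req.url);
  res.writeHead(d.status, d.headers);
  res.end(d.body);
}

// Constructed sample requests, as the dyno would see them.
const samples = [
  [{ host: 'example.herokuapp.com', 'x-forwarded-proto': 'http' }, '/login?next=1'],
  [{ host: 'example.herokuapp.com', 'x-forwarded-proto': 'https' }, '/login'],
  [{ host: 'other.example', 'x-forwarded-proto': 'http' }, '/'],
];
for (const [headers, url] of samples) {
  const d = decide(headers, url);
  console.log(headers['x-forwarded-proto'], headers.host, url, '->', d.status, d.headers.Location || '');
}
```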