使用 node.js/express 自动 HTTPS 连接/重定向 [英] Automatic HTTPS connection/redirect with node.js/express

问题描述

我一直在尝试使用我正在处理的 node.js 项目设置 HTTPS.对于此示例，我基本上遵循了 node.js 文档:

I've been trying to get HTTPS set up with a node.js project I'm working on. I've essentially followed the node.js documentation for this example:

// curl -k https://localhost:8000/
var https = require('https');
var fs = require('fs');

var options = {
  key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
  cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem')
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world
");
}).listen(8000);

现在，当我这样做时

curl -k https://localhost:8000/

我明白了

hello world

正如预期的那样.但如果我这样做

as expected. But if I do

curl -k http://localhost:8000/

我明白了

curl: (52) Empty reply from server

回想起来，这似乎很明显它会以这种方式工作，但与此同时，最终访问我的项目的人不会输入 https://yadayada，而我想要从他们访问网站的那一刻起，所有流量都是 https.

In retrospect this seems obvious that it would work this way, but at the same time, people who eventually visit my project aren't going to type in https://yadayada, and I want all traffic to be https from the moment they hit the site.

我怎样才能让节点(以及我正在使用的框架 Express)将所有传入流量移交给 https，而不管它是否被指定?我找不到任何解决此问题的文档.或者只是假设在生产环境中，node 前面有一些东西(例如 nginx)来处理这种重定向?

How can I get node (and Express as that is the framework I'm using) to hand off all incoming traffic to https, regardless of whether or not it was specified? I haven't been able to find any documentation that has addressed this. Or is it just assumed that in a production environment, node has something that sits in front of it (e.g. nginx) that handles this kind of redirection?

这是我第一次涉足网络开发，所以如果这很明显，请原谅我的无知.

This is my first foray into web development, so please forgive my ignorance if this is something obvious.

推荐答案

Ryan，感谢您为我指明了正确的方向.我用一些代码充实了你的答案(第 2 段)，并且它有效.在这种情况下，这些代码片段放在我的 express 应用中:

Ryan, thanks for pointing me in the right direction. I fleshed out your answer (2nd paragraph) a little bit with some code and it works. In this scenario these code snippets are put in my express app:

// set up plain http server
var http = express();

// set up a route to redirect http to https
http.get('*', function(req, res) {  
    res.redirect('https://' + req.headers.host + req.url);

    // Or, if you don't want to automatically detect the domain name from the request header, you can hard code it:
    // res.redirect('https://example.com' + req.url);
})

// have it listen on 8080
http.listen(8080);

https express 服务器在 3000 上侦听 ATM.我设置了这些 iptables 规则，以便节点不必以 root 身份运行:

The https express server listens ATM on 3000. I set up these iptables rules so that node doesn't have to run as root:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3000

总的来说，这完全符合我的要求.

All together, this works exactly as I wanted it to.

要防止通过 HTTP 窃取 cookie，请参阅这个答案(来自评论)或使用此代码:

To prevent theft of cookies over HTTP, see this answer (from the comments) or use this code:

const session = require('cookie-session');
app.use(
  session({
    secret: "some secret",
    httpOnly: true,  // Don't let browser javascript access cookies.
    secure: true, // Only use cookies over https.
  })
);

这篇关于使用 node.js/express 自动 HTTPS 连接/重定向的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！