通过Express / Node中的https强制请求 [英] Force requests over https in Express/Node

问题描述

我有一个运行在端口3100上的Express.js（v 2.5.8）（节点v0.6.12）服务器。它由Nginx前端，代理端口3100的http和https请求。

我想强制某些网址通过https。这是一个例子（应用程序是我的Express服务器）：

  app.get（'/ applyNow'，ensureSec，secure.showApplication） ; 
  

ensureSec是我试图用来检查连接是否超过ssl的功能： p>

  function ensureSec（req，res，next）{
 if（req.session.ssl == true）{
 return next（）; 
} else {
 req.session.ssl = true; 
 res.redirect（'https：//'+ url.parse（req.headers.referer）.host + 
 url.parse（req.url）.pathname）; 
} 
} 
  

重定向工作但节点（超时后）抛出一个错误，表示无法GET / applyNow

重定向到ssl的正确方法是什么？

解决方案

据了解，您正在使用nginx协商SSL，并将HTTP和HTTPS请求代理到您的Express应用程序。我会选择在nginx中解决这个问题，如果可能的话，如果nginx不知道哪个路径应该被保护（即只有通过https可以使用），或者你想在你的快速应用程序中做其他的一些原因，这里有一些信息：

您应该从nginx获取 X-Forwarded-Proto ，设置为 https ，只有原始协议是https。以下是在nginx中执行此操作的方法：

  proxy_set_header X-Forwarded-Proto https; 
  

我还会转发主机标题：

  proxy_set_header主机$ http_host; 
  

在您的快速应用程序中，检查，或重定向到标题中的主机和请求的路径（表达解析到 req.path ，所以你不必）：

  function ensureSec（req，res，next）{
 if（req.headers ['x-forwarding-proto'] =='https'）{
 return next（）; 
} else {
 res.redirect（'https：//'+ req.headers.host + req.path）; 
} 
} 
  

I have a Express.js (v 2.5.8) (node v0.6.12) server running on port 3100. It is front ended by Nginx, which proxies both http and https requests to port 3100.

I want to force certain urls over https. Here's an example (app is my Express server):

app.get('/applyNow', ensureSec, secure.showApplication );

ensureSec is the function that I'm trying to use to check if connection is over ssl:

function ensureSec(req, res, next) {
    if (req.session.ssl == true) { 
        return next(); 
    } else {
        req.session.ssl = true;
        res.redirect('https://' + url.parse(req.headers.referer).host +
        url.parse(req.url).pathname);
    }
}

The redirect works but node (after it times out) throws an error saying `Cannot GET /applyNow

What's the proper way of redirect to ssl?

解决方案

As I understand it, you are using nginx to negotiate SSL and proxying both http and https requests to your Express app. I would opt to solve this in nginx instead, if possible, but if nginx can't know which paths should be protected (i.e. only available through https) or you want to do this in your express app for some other reason, here is some information:

You should get the X-Forwarded-Proto from nginx, set to https only when the original protocol was https. Here's how you do this in nginx:

proxy_set_header X-Forwarded-Proto https;

I would also forward the Host header:

proxy_set_header Host $http_host;

In your express app, check for that, or redirect to the host in the headers and the requested path (express parses that to req.path so you don't have to):

function ensureSec(req, res, next) {
    if (req.headers['x-forwarded-proto'] == 'https') { 
        return next(); 
    } else {
        res.redirect('https://' + req.headers.host + req.path);
    }
}

这篇关于通过Express / Node中的https强制请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！