Configuring HTTPS for Express and Nginx


Problem description

I am trying to configure my ExpressJS app for https connection. The Express server runs at localhost:8080 and the secure one localhost:8443.

Here is the server.js code related to https:

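var express = require('express');
var fs = require('fs');
var https = require('https');

var app = express();

// Let's Encrypt certificate chain and private key for the domain
const options = {
    cert: fs.readFileSync('/etc/letsencrypt/live/fire.mydomain.me/fullchain.pem'),
    key: fs.readFileSync('/etc/letsencrypt/live/fire.mydomain.me/privkey.pem')
};

// Plain HTTP on 8080 and HTTPS on 8443; each callback logs once its server is listening
app.listen(8080, () => console.log("Server running"));
https.createServer(options, app).listen(8443, () => console.log("Secure server running on port 8443"));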

And here is my Nginx configuration:

server {
    listen 80;
    listen [::]:80;
    server_name fire.mydomain.me;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 443;
    listen [::]:443;
    server_name fire.mydomain.me;
    location / {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

What I did:

  • Generating SSL certificate with Letsencrypt certonly tool for the domain fire.mydomain.me.
  • Configuring nginx.
  • Configuring the server.js node app.
  • Adding TCP rules for the 443 port in Ufw.

I tried:

  • Commenting out the not-ssl server line in server.js to force the connections to go through the ssl configuration: this serves the page when I try to go to fire.mydomain.me:443 but not to "https://fire.mydomain.me". In both cases, no SSL. Trying to go to https://fire.mydomain.me generates this message "This website doesn't provide a secure connection" in Google Chrome.

I followed this tutorial in the first place to set my ssl node config: https://medium.com/@yash.kulshrestha/using-lets-encrypt-with-express-e069c7abe625#.93jgjlgsc

Recommended answer

You don't need to use HTTPS between your nginx reverse proxy and Node app running on the same host. You can proxy both HTTP requests to port 80 and HTTPS requests to port 443 to the same port in your Node app - 8080 in this case - and you don't need to configure TLS certificates in that case.

You can change your server.js file to:

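var express = require('express');
var app = express();

// Plain HTTP only; nginx terminates TLS in front of this port
app.listen(8080, () => console.log("Server running"));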

and use an nginx config that has proxy_pass http://localhost:8080; for both HTTP on port 80 and HTTPS on port 443.

This is how it is usually done. Encrypting traffic on the loopback interface doesn't add any security because to sniff the traffic you need root access to the box and when you have it then you can read the certs and decrypt the traffic anyway. Considering the fact that most of the posts on https://nodejs.org/en/blog/vulnerability/ are related to OpenSSL, one could argue that using SSL in Node can make it less secure in that particular case of encrypting loopback interface traffic. See this discussion on the Node project on GitHub for more info.
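
Added example, not part of the original answer: one way to write the nginx configuration the answer describes, with TLS terminated at nginx and both server blocks proxying to the Node app over plain HTTP on port 8080. It reuses the certificate paths from the question; the X-Forwarded-Proto header is an addition the answer does not mention.

```nginx
# Added example: nginx terminates TLS, the Node app only speaks HTTP on 8080.
server {
    listen 80;
    listen [::]:80;
    server_name fire.mydomain.me;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    # The "ssl" parameter is what makes nginx perform the TLS handshake here.
    # The question's "listen 443;" omits it, so that block answers in plain
    # HTTP on port 443 and browsers report that no secure connection exists.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name fire.mydomain.me;

    # Same Let's Encrypt files the question loaded in server.js.
    ssl_certificate     /etc/letsencrypt/live/fire.mydomain.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fire.mydomain.me/privkey.pem;

    location / {
        # Plain HTTP upstream: no certificate handling in Node.
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # Addition: tells the app the client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Run `nginx -t` to validate the file before reloading. Because the hop to port 8080 is unencrypted, keep that port closed in Ufw so the app is reachable only through nginx.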
