
Recently I’ve been dealing with broken parts in my older Node.js applications that used Watson services and other features of IBM Cloud, which had recently received some security updates. I had to modify my applications to match these updates.

Basically, the broken parts involved redirecting from http to https. The web is moving quickly toward https as its default connection protocol. Keep in mind that the URL redirect mechanism doesn’t support https redirects.

For this reason, this how-to will cover what implementations can be done to fix this problem. I’ve also provided other useful links at the end of this how-to for additional deep dive information if needed.

Learning objectives

After completing this how-to guide, the user will be able to:

  • Understand the differences between http and https
  • Application vs. server redirections
  • Apply fixes on server level
  • Apply proxy fixes to redirect Node.js applications

Prerequisites

Knowledge of Node.js folder structures. Here are some starting points:

Estimated time

To go through this guide and to read and apply code changes, approximately 30 minutes.

Steps

In Node.js, the app starts from a server file and listens on a dedicated port (e.g. 3000) for connections. The app responds to requests for the root URL and other known paths (e.g. / or /login). For a wrong path, it returns a 404 Not Found message.

Using the headers set by a proxy, we can check the protocol of incoming requests and redirect the page accordingly. You only need to implement redirection, and not SSL or any type of encryption, because https behaves the same as http but its requests are transmitted over a secure TLS/SSL connection. This means that the encryption negotiation and the request/response exchange between the client and web server are still the same, but they are done over TLS/SSL.

There are multiple ways to address the proxy switch. Let’s list a few approaches:

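// Redirects every GET unconditionally, so mount this only on the
// listener that serves plain HTTP (otherwise HTTPS requests loop).
app.get("*", function(request, response){
  response.redirect("https://" + request.headers.host + request.url);
});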

Or,

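app.use(function(request, response, next){
  if(!request.secure){
    // Plain HTTP: send the client to the same host and path over https
    return response.redirect("https://" + request.headers.host + request.url);
  }
  next(); // already HTTPS: hand the request to the next handler
});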

Another way to do it is to wrap the redirect around if(request.protocol === "http"){} instead of if(!request.secure){}.

You can also enable trust proxy so that Express uses the X-Forwarded-* headers when the app runs behind a front-facing proxy. For that, just add the following code to the above:

app.enable("trust proxy");
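
The snippets above build the redirect target from the client-supplied Host header and, with trust proxy enabled, rely on X-Forwarded-Proto. The following is an added example, not code from the original article: a dependency-free middleware with the Express (req, res, next) signature that redirects only to allowlisted hosts. The names httpsRedirect and simulate, the host names, and the requests are constructed for illustration.

```javascript
// Added example; httpsRedirect and allowedHosts are hypothetical names.
function httpsRedirect(allowedHosts, trustProxy) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function (req, res, next) {
    // Read X-Forwarded-Proto only when a trusted proxy sets it;
    // without a proxy in front, any client can forge this header.
    const xfp = trustProxy
      ? String(req.headers["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase()
      : "";
    const encrypted = Boolean(req.socket && req.socket.encrypted);
    if (encrypted || xfp === "https") return next(); // already HTTPS

    // The Host header is client-supplied: redirect only to names we serve.
    const host = String(req.headers.host || "").toLowerCase();
    if (!allowed.has(host)) {
      res.statusCode = 400;
      return res.end("Bad Request");
    }
    // Keep origin-form paths only, so Location stays on the validated host.
    const raw = req.originalUrl || req.url || "/";
    const path = raw.startsWith("/") ? raw : "/";
    res.statusCode = 301;
    res.setHeader("Location", "https://" + host + path);
    res.end();
  };
}

// Runs one constructed request through the middleware with a stub response.
function simulate(mw, headers, url) {
  const out = { status: null, location: null, passedOn: false };
  const res = {
    set statusCode(code) { out.status = code; },
    setHeader(name, value) { if (name === "Location") out.location = value; },
    end() {},
  };
  mw({ headers, url, socket: {} }, res, () => { out.passedOn = true; });
  return out;
}

const demo = httpsRedirect(["example.com"], true);
// Plain HTTP to a known host: redirected to https
console.log(simulate(demo, { host: "example.com" }, "/login?next=%2F"));
// Proxy reports https: passed on to the next handler
console.log(simulate(demo, { host: "example.com", "x-forwarded-proto": "https" }, "/login"));
// Unknown Host header: rejected instead of redirected
console.log(simulate(demo, { host: "attacker.invalid" }, "/login"));
```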

On the server level, it is better to run Node.js Express behind a reverse proxy like Nginx or HAProxy, especially in production, as the proxy usually handles redirects in bulk. For Nginx, SSL configuration is needed:

server {
  # "ssl" on the listen directive enables TLS for this server block;
  # the separate "ssl on;" directive is deprecated and has been dropped here
  listen 443 ssl;
  server_name example.com www.example.com;

  # ssl configuration
  ssl_certificate /path/to/certificate.crt;
  ssl_certificate_key /path/to/private.key;

  # send requests for the www host to the bare domain over https
  if ($http_host = www.example.com) {
    return 301 https://example.com$request_uri;
  }
}

It’s important to mention that the above settings are meant for running the application in production. When you run the application locally, you should disable them.

Summary

There are many ways to handle URL redirection or to set up a route that redirects http to https. Hopefully this how-to guide will help you find the most appropriate one for your case.

Stay tuned for another how-to guide covering additional, more recent solutions to this issue besides those mentioned here.