Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
514 views
in Technique[技术] by (71.8m points)

node.js - HTTPS + SSL on Heroku - Node + Express

I've created a self-signed certificate, added it to Heroku, and provisioned an SSL endpoint on Heroku, and I log heroku certs:info it seems to be there.

I'm creating my server on Express like so:

var server = require('http').createServer(app);

And then redirecting to https like so:

app.use(function(req, res, next) {
    var reqType = req.headers["x-forwarded-proto"];
    reqType == 'https' ? next() : res.redirect("https://" + req.headers.host + req.url);
});

The server runs fine, however I came across this code snippet on S.O. to create an https server:

var keys_dir = './sslcert/';
var server_options = { 
  key  : fs.readFileSync(keys_dir + 'server.key'),
  ca   : fs.readFileSync(keys_dir + 'server.csr'), 
  cert : fs.readFileSync(keys_dir + 'server.crt') 
}

var server = require('https').createServer(server_options,app);

I don't point to the certs/keys like this example, and my site is running on https (although the lock is red since it's self-signed).

  • So my question is, how does my server know about my keys/certs without me explicitly pointing to them like the code snippet with server_options? Is this taken care of by Heroku behind the scenes?

  • How does the SSL Endpoint I setup on Heroku interact with the http server I created with var server = require('http').createServer(app);?


EDIT

I just so this answer on another question:

"SSL termination occurs at Heroku's load balancers; they send your app plain (non-SSL) traffic, so your app should create a non-HTTPS server."

  • What does they send your app plain (non-SSL) traffic mean exactly? Does this mean that I don't have to redirect to https in my app?
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

SSL termination is done on Heroku servers/load-balancers before the traffic gets to your application. The "thing" you added your cert to was not your dyno, but rather a Heroku-controlled server.

So when SSL (https) traffic comes in, it is "stopped" (terminated) at the server. That server opens a new http connection to your dyno, and whatever is gets it sends back over https to the client.

So on your dyno you don't need to "mess" with certs etc, and you will be seeing only incoming http traffic: whether directly from http clients, or from Heroku servers who talk https to clients and http to you.

Redirecting to https is a different matter: if a client "comes" to your app with http, and you prefer they use https, by all means redirect. They will issue a new request, this time https, and go thru Heroku's SSL termination and then to your app. But now you know that the path between the client and Heroku is secure (due to the client using https), and the path between the Heroku SSL termination and your dyno is presumably secure (if you trust Heroku...)

HTH


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...