I'm trying to implement HTTPS on my Node.js server (Expressjs framework). I have my signed certificate and key, as well as a self-signed cert/key for testing/development:
if(process.env.NODE_ENV == 'production'){
var app = module.exports = express.createServer({
key: fs.readFileSync('./ssl/nopass_server.key'),
cert: fs.readFileSync('./ssl/server.crt')
});
} else {
var app = module.exports = express.createServer({
key: fs.readFileSync('./ssl/self_signed/nopass_server.key'),
cert: fs.readFileSync('./ssl/self_signed/server.crt')
});
}
I've also setup SSL Endpoint on Heroku. Everything works fine on localhost, and Endpoint seems to be working properly, but when I run the app in production (on Heroku) I get an H13 application error. Interestingly (or not) if I tell express to create an HTTP server instead: var app = module.exports = express.createServer() it works, but then Chrome complains that the page at https://mydomain.com ran insecure content from http://mydomain.com.
Can I not/should I not be creating an HTTPS server in express for production? If I should, is there something extra I need to make it work on Heroku (e.g. I'm trusting it to set the correct port with var port = process.env.PORT)? If not, how can I serve "secure" content if its not running an https server so browsers won't complain?
I'm using the following to take care of any non-https requests:
app.get('*',function(req,res,next){
if(req.headers['x-forwarded-proto'] != 'https'){
res.redirect('https://mydomain.com'+req.url);
} else next();
});
This is currently located just above the rest of my routes, could this be the issue/should this be somewhere else?
I have very limited experience with https in general so I'm probably missing something obvious.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
