Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to enable HSTS with node-http-proxy?

Tags:

node.js

https

node-http-proxy

Under node.js 0.8, I'm using node-http-proxy in "router table" mode configured like so:

var httpProxy = require("http-proxy");
var config = require("./config");

proxyServer = httpProxy.createServer({
    hostnameOnly: true,
    router: {
        "one.example.com": "localhost:9000",
        "two.example.com": "localhost:9001"
    },
    https: {
        key: config.key,
        cert: config.cert,
        // mitigate BEAST: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
        honorCipherOrder: true,
        ciphers: "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
    }
})
proxyServer.listen(8000)

I'd like to add HSTS (HTTP Strict Transport Security) so that compliant browsers will be told to always use SSL. To do this, I need to get http-proxy to add the header:

Strict-Transport-Security: max-age=60000

(or other max-age). How can I ask node-http-proxy to efficiently append this header?

like image 505
user85461 Avatar asked Oct 04 '22 16:10

user85461

1 Answers

For your example, I'm not sure as it seems this older question is using [email protected]. However, here's what I've done with [email protected]:

var httpProxy = require('http-proxy');

// https server to decrypt TLS traffic and direct to a normal HTTP backend
var proxy = httpProxy.createProxyServer({
  target: {
    host: 'localhost',
    port: 9009 // or whatever port your local http proxy listens on
  },
  ssl: {
    key: fs.readFileSync('valid-ssl-key.pem', 'utf8'),
    cert: fs.readFileSync('valid-ssl-cert.pem', 'utf8')
  }
}).listen(443); // HTTPS listener for the real server

// http server that redirects all requests to their corresponding
// https urls, and allows standards-compliant HTTP clients to 
// prevent future insecure requests.
var server = http.createServer(function(req, res) {
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + req.headers.host.split(':')[0] + req.url);
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  return res.end();
});

server.listen(80); // HTTP listener for the old HTTP clients
like image 91
Eric Martindale Avatar answered Oct 13 '22 11:10

Eric Martindale
Sign in to Comment

Related questions

Why does Node.js accept IP addresses in certificates only for SAN, not for CN?
How to pass variables to a view in Express?
PassportJS - how to get session object
Sending data from flash to node.js server with socket.io
How to set update timestamp in upsert operation in Mongoose?
lock global npm packages
One to Many relationship in CompoundJS
Passing data to view in node + express
Implementing inheritance in node.js bindings
Authentication and authorization with Flatiron's Resourceful & Restful
node-ffi - callback extraction of EnumWindows
Publish Angular 6 library to npmjs with README.md
Should I have npm as dependency in package.json?
Using process.env vars in Ember
Kicking off mocha describes in parallel
how to check if mongoose (MongoDb) is installed or not
Native JavaScript sort performing slower than implemented mergesort and quicksort
How do I move a frameless window in Electron without using -webkit-app-region
Session-only cookie for Express.js
redis performance, store json object as a string

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!