Can't seem to enforce HTTPS #10

Closed
rastenis opened this issue Jul 18, 2017 · 10 comments

@rastenis

If I set up the target to be "target": "http://localhost:10202", and set "enable", "generate" and "secureOnly" to true, I can:

  1. Access it without HTTPS by just going to the address I registered in routerTable
  2. Access it with HTTPS by prepending https:// to the address I registered in routerTable

and if I redirect insecure connections to https:// from the application itself, it gets redirected back to http:// indefinitely (until the browser drops out).

Am I missing something here?

@Irrelon
Owner

Irrelon commented Jul 19, 2017

Hey ya. That definitely doesn't seem right. When you say you can access the address via http, do you mean the source address (external facing) or internal address (only accessible inside your network)?

@rastenis
Author

Thanks for the reply,

I access my servers via registered domains. Haven't tried LAN IPs yet.

@rastenis
Author

rastenis commented Aug 1, 2017

Yeah, I completely removed the http listener, so it becomes impossible to connect via insecure means. The router, however, accepts the connection and proceeds to relay the connection to the server via https.

*the client keeps operating in http, though (if accessed through http://domain.something). A secure connection is only established if the client connects through https://domain.something.

    "routerTable": {
        "domain.something": {
            "target": "https://localhost:10200",
            "ssl": {
                "enable": true,
                "generate": true,
                "secureOnly": true
            },
            "errorRedirect": "https://www.google.com"
        }
    }

@rastenis
Author

rastenis commented Aug 2, 2017

The issue seems to stem from if (route.ssl && route.ssl.onlySecure), as route.ssl.onlySecure always seems to be undefined, and so the http prevention never kicks in.

I ended up bodging in https re-routing by removing the http server's ability to call handleRequest, and making it so it 301's the client back to "https://" + req.headers.host + "/", which in turn establishes a secure connection.

@Irrelon
Owner

Irrelon commented Aug 2, 2017

If the code is if (route.ssl && route.ssl.onlySecure) but you are using the flag in the config as secureOnly then it will not work - did I put the incorrect name in the config example?

@Irrelon
Owner

Irrelon commented Aug 2, 2017

So it appears that this is my fault, putting the incorrect config field name in the examples!

@Irrelon
Owner

Irrelon commented Aug 2, 2017

Are you able to try it with the correct name "onlySecure"?

@rastenis
Author

rastenis commented Aug 2, 2017

I completely missed that. A re-route option would be great for people that don't want their clients to get 404s if they don't specifically type in https://.

Thanks.

rastenis closed this as completed Aug 2, 2017

@Irrelon
Owner

Irrelon commented Aug 4, 2017

@Scharkee Agreed on the reroute! If you get a chance it would be great to have a pull request with that feature. Me = swamped at the moment :(

@Irrelon
Owner

Irrelon commented Aug 29, 2017

@Scharkee Auto-redirecting insecure connections is now done. You have to specify it manually in each ssl section as "insecureRedirect". It can either be a boolean or a string. If set to true, will take the host name and prepend "https://" to it and redirect user there. If a string, will simply redirect user to whatever that string is. Uses 302 redirect so it is not permanent.
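
Added example, not part of the original thread and not the project's own code: a startup check that catches the failure mode in this issue, where a misnamed ssl key ("secureOnly" instead of "onlySecure") is silently ignored and plain HTTP stays reachable. The function names are hypothetical, and the list of known ssl keys is an assumption built only from the keys named in this thread.

```javascript
// Keys named in this thread; the real router may accept more (assumption).
const KNOWN_SSL_KEYS = new Set(["enable", "generate", "onlySecure", "insecureRedirect"]);

// Hypothetical helper: list the problems found in a routerTable object.
function checkRouterTable(routerTable) {
  const problems = [];
  for (const [host, route] of Object.entries(routerTable)) {
    const ssl = route.ssl;
    if (!ssl || typeof ssl !== "object") continue;
    // A misspelled key is ignored by the router, so the route fails open.
    for (const key of Object.keys(ssl)) {
      if (!KNOWN_SSL_KEYS.has(key)) {
        problems.push(`${host}: unknown ssl key "${key}"`);
      }
    }
    const redirect = ssl.insecureRedirect;
    if (redirect !== undefined && typeof redirect !== "boolean" && typeof redirect !== "string") {
      problems.push(`${host}: insecureRedirect must be a boolean or a string`);
    }
    // TLS enabled, but HTTP is neither refused nor redirected.
    if (ssl.enable === true && ssl.onlySecure !== true && !redirect) {
      problems.push(`${host}: plain HTTP is still served`);
    }
  }
  return problems;
}

// Hypothetical helper mirroring the insecureRedirect behaviour described above:
// true -> "https://" + host, string -> that string, anything else -> no redirect.
// `host` is the matched routerTable key rather than the raw Host header,
// so the redirect cannot point at a name the router does not serve.
function insecureRedirectTarget(ssl, host) {
  if (!ssl) return null;
  if (ssl.insecureRedirect === true) return "https://" + host;
  if (typeof ssl.insecureRedirect === "string") return ssl.insecureRedirect;
  return null;
}

// Constructed sample: the ssl section posted earlier in this thread.
const posted = {
  "domain.something": {
    target: "https://localhost:10200",
    ssl: { enable: true, generate: true, secureOnly: true },
  },
};
console.log(checkRouterTable(posted));
```

Running the check at startup and refusing to listen when it returns anything turns a config typo into a visible error instead of an open HTTP listener.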
