Hello,
I have setup my SSL certificates in src/server.js and so I am now able to successfully connect to my app over HTTPS. I am running the /api as an internal API on localhost:3030. My connection between src/server.js and api/api.js is, I believe, over HTTP, not HTTPS, because I am not setting the secure field of http-proxy in src/server.js. Additionally api/api.js is not using express's https module, and instead just uses http:
const server = new http.Server(app);
However, since the API is running internally, when I try to visit http://mydomain/api/myaction the connection is declined. But https://mydomain/api/myaction works correctly, thus it seems HTTPS is being enforced because the API is internal and thus it doesn't matter that the connection between src/server.js and api/api.js is over HTTP. Is that correct? Is it safe to do it like this?
Lastly, on a slightly separate note, if my website is setup with HTTPS as described above, is it important that cookies are secure (as in HTTPS)? How would I do this? Like how can I modify this starter kit to use secure cookies? I assume it's something with express-session in api/api.js, however I've been unable to get it to work thus far.
Thank you for any help!
@leopoldjoy,
By 'internal API' do you mean that the API server is only listening on localhost? If so, your description of the communications is correct. I don't see any problems running this way.
After some difficulty, I was able to get secure cookies to work. It was pretty much as documented by express-session, plus adding a X-Forwarded-Proto in the application server.
api.js:
const sess = {
// session config
cookie: {
// cookie config
},
}
if (appServerIsHttps) {
app.set('trust proxy', 1);
sess.cookie.secure = true;
}
app.use(session(sess));
ApiClient.js:
if (__SERVER__) {
// needed for secure cookies
request.set('X-Forwarded-Proto', req.protocol);
if (req.get('cookie')) {
request.set('cookie', req.get('cookie'));
}
}
server.js:
// Proxy to API server
app.use('/api', (req, res) => {
// needed for secure cookies
req.headers['X-Forwarded-Proto'] = req.protocol;
apiProxy.web(req, res, {target: apiTargetUrl});
});
The last two blocks are needed because the API request can come directly from the app server or from the client and proxied by the app server.
Let me know if this isn't clear. Don't forget to clear the cookie when switching from http to https.
@roof12 Thank you so much! Worked perfectly!
Most helpful comment
@leopoldjoy,
By 'internal API' do you mean that the API server is only listening on localhost? If so, your description of the communications is correct. I don't see any problems running this way.
After some difficulty, I was able to get secure cookies to work. It was pretty much as documented by express-session, plus adding a X-Forwarded-Proto in the application server.
api.js:
ApiClient.js:
server.js:
The last two blocks are needed because the API request can come directly from the app server or from the client and proxied by the app server.
Let me know if this isn't clear. Don't forget to clear the cookie when switching from http to https.