5

Under node.js 0.8, I'm using node-http-proxy in "router table" mode configured like so:

var httpProxy = require("http-proxy");
var config = require("./config");

proxyServer = httpProxy.createServer({
    hostnameOnly: true,
    router: {
        "one.example.com": "localhost:9000",
        "two.example.com": "localhost:9001"
    },
    https: {
        key: config.key,
        cert: config.cert,
        // mitigate BEAST: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
        honorCipherOrder: true,
        ciphers: "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
    }
})
proxyServer.listen(8000)

I'd like to add HSTS (HTTP Strict Transport Security) so that compliant browsers will be told to always use SSL. To do this, I need to get http-proxy to add the header:

Strict-Transport-Security: max-age=60000

(or other max-age). How can I ask node-http-proxy to efficiently append this header?

user85461
  • 6,510
  • 2
  • 34
  • 40

1 Answers1

4

For your example, I'm not sure as it seems this older question is using http-proxy@0.8. However, here's what I've done with http-proxy@1.0.0:

var httpProxy = require('http-proxy');

// https server to decrypt TLS traffic and direct to a normal HTTP backend
var proxy = httpProxy.createProxyServer({
  target: {
    host: 'localhost',
    port: 9009 // or whatever port your local http proxy listens on
  },
  ssl: {
    key: fs.readFileSync('valid-ssl-key.pem', 'utf8'),
    cert: fs.readFileSync('valid-ssl-cert.pem', 'utf8')
  }
}).listen(443); // HTTPS listener for the real server

// http server that redirects all requests to their corresponding
// https urls, and allows standards-compliant HTTP clients to 
// prevent future insecure requests.
var server = http.createServer(function(req, res) {
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + req.headers.host.split(':')[0] + req.url);
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  return res.end();
});

server.listen(80); // HTTP listener for the old HTTP clients
Eric Martindale
  • 1,106
  • 1
  • 13
  • 26