
I have a nodejs+expressjs application that only needs to operate normally on http. I added a couple of admin views to the app and serve these views via https using authentication and my own self-signed certificates. This means running both http and https servers in my app. On my local system, this works just fine with the https certificates residing in my "donotcheckin" directory.

Now I'm trying to get it running on a load balanced elastic beanstalk setup. I've uploaded the certificate and private key via IAM and that seems to work (both http and https urls for my eb application are reachable).

What I am confused on now is how to deploy the http and https servers in my application code. Please help by shedding some light on these 2 options (or suggest other options).

  1. Since the load balancer already takes care of https, can I just drop the https server altogether? If so, is there header info that the load balancer is guaranteed to pass on to the application's standard http server so that it can detect whether admin views are being accessed securely?

  2. I can also leave the certificates on the load-balancer as well as the application's https server. However, in this elastic beanstalk autoscaling environment, what is the right way to give this https server access to the cert and private key files?

Thank you for your help.

lastoneisbearfood

1 Answer

  1. Like you stated, you may configure the ELB to forward all HTTPS and HTTP traffic to your application's http server, eliminating the need to handle any https configuration in your application. You may refer to the 'X-Forwarded-Proto' header to detect whether the request is coming through as http vs https.

    For my use case, I forward all traffic to https, so I simply redirect if the header type is http:

    // Express middleware: the ELB sets X-Forwarded-Proto to the scheme the client used.
    app.use(function (req, res, next) {
      // Redirect plain-http requests to https, except when running in development.
      if (req.headers['x-forwarded-proto'] === 'http' && process.env.NODE_ENV !== "development") {
        res.redirect('https://' + req.headers.host + req.path);
      } else {
        next();
      }
    });
    
  2. If you'd prefer to keep the cert in the App, then it would be as simple as leaving them somewhere in your app directory and loading them when you create the server, like this

Yousef
  • Thanks for confirming the 1st option. I tried hard during the past few hours to make the dual http/https server option work because that setup is already working for me in development. It's such an uphill battle in the elastic beanstalk environment though. Getting those certificates and private key to each new instance in a secure way is a tricky (but solvable) issue. Even the built-in nginx setup only listens to and forwards 1 port so one would have to do some custom hacking of the nginx config. Not worth it :) – lastoneisbearfood Oct 16 '14 at 06:42
  • @lastoneisbearfood, I would highly recommend you go the Opsworks route. We used to deploy in Beanstalk but there was not enough flexibility. Opsworks will let you create your own elastic load balancer via EC2 panel, and then customize the port forwarding. PM if you have any issues – Yousef Oct 16 '14 at 15:24
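As an added example (not code from the answer above), here is the X-Forwarded-Proto check from option 1 written so that the header is only believed when the request really came through the load balancer; an instance that is reachable directly would otherwise accept a forged "https" value and skip the redirect. It uses plain functions over request-shaped objects so it runs without Express; the proxy address range and the canonical hostname are assumed values.

```javascript
// Assumed for this example: the VPC range the load balancer connects from, and a
// fixed hostname to redirect to (avoids open redirects via a forged Host header).
const TRUSTED_PROXIES = ['10.0.0.0/8', '127.0.0.1/32'];
const CANONICAL_HOST = 'app.example.com';

// Parse an IPv4 dotted quad to an unsigned 32-bit number; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside one of the CIDR blocks (IPv4 only).
function isTrustedProxy(ip, cidrs = TRUSTED_PROXIES) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return cidrs.some((cidr) => {
    const [net, bitsStr] = cidr.split('/');
    const base = ipv4ToInt(net);
    const bits = Number(bitsStr);
    if (base === null || !(bits >= 0 && bits <= 32)) return false;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

// Scheme the client used to reach the load balancer. X-Forwarded-Proto is only
// honoured when the direct peer is a trusted proxy; anyone else counts as http.
function effectiveProtocol(req, cidrs = TRUSTED_PROXIES) {
  const peer = req.socket && req.socket.remoteAddress;
  if (!isTrustedProxy(peer, cidrs)) return 'http';
  const raw = req.headers['x-forwarded-proto'] || '';
  // Chained proxies may append values; the first one is the client-facing scheme.
  return raw.split(',')[0].trim().toLowerCase() === 'https' ? 'https' : 'http';
}

// Location to redirect to when the request should be upgraded to HTTPS, else null.
// req.url keeps the query string, which Express's req.path would drop.
function httpsRedirectTarget(req, cidrs = TRUSTED_PROXIES) {
  if (effectiveProtocol(req, cidrs) === 'https') return null;
  return 'https://' + CANONICAL_HOST + req.url;
}
```

In Express the same policy is what `app.set('trust proxy', <range>)` plus `req.secure` gives you; the explicit version above shows what that setting has to decide.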