Yesterday I upgraded biz-to-me to support HTTPS, and for this I studied how to get a Node.js application running on Heroku to support HTTPS. I found no article describing this specific process, only fragmented information, so I am recording it here.
First, a Heroku app must be on a paid tier to support HTTPS; the cheapest is the Hobby tier at $7 per month. Once the app has been upgraded to the Hobby tier, the domain names we add in the app settings automatically get an SSL certificate. This is fully automated and requires no manual action. (Automatic does not mean instant: every time you add a new domain name, you have to wait a while for the "ACM status" column to change to "ok". The certificate authority actually used behind the scenes is Let's Encrypt.)
The "DNS target" of a typical Heroku application is app-name.herokuapp.com. Note that once the app is upgraded to support SSL, the content of this column changes to app.example.com.herokudns.com, that is, the application's entire domain name placed in front of herokudns.com. If the DNS CNAME previously pointed to herokuapp.com, you must remember to update it to herokudns.com, otherwise herokuapp.com will not serve the site with the correct SSL certificate. (herokuapp.com always serves only the *.herokuapp.com certificate, while herokudns.com selects the correct certificate based on the prefix.)
In most cases, the application code does not need to be updated when the Heroku app is upgraded to support HTTPS, because the SSL connection is terminated at the Heroku load balancer, and the load balancer connects to the application over plaintext HTTP, so the application itself does not need to be able to handle HTTPS. (Node.js has an https module, but it requires access to the certificate's private key, so it is easier to use the http module.) If you need to determine in Node.js whether the upstream request was HTTPS, you can do so by reading the X-Forwarded-Proto header, whose value can be "http" or "https"; for example, in biz-to-me I use this line of code to check.
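One way to make this check and build the kind of redirect biz-to-me returns, as an added example rather than the author's own line of code. It assumes every request reaches the app through Heroku's load balancer, so X-Forwarded-Proto is set by it; the function names are hypothetical.

```javascript
// Added example, not the blog author's code. Domains are the ones in the article.
const http = require('http');

const FROM_SUFFIX = '.catchen.biz';
const TO_SUFFIX = '.catchen.me';

// Protocol the client used to reach the load balancer: 'https' or 'http'.
// Only an exact "https" counts; a missing or unexpected value falls back to
// 'http' so the header can never inject an arbitrary scheme into Location.
function forwardedProto(headers) {
  const first = String(headers['x-forwarded-proto'] || '').split(',')[0];
  return first.trim().toLowerCase() === 'https' ? 'https' : 'http';
}

// Redirect URL for a *.catchen.biz request, or null for any other Host.
// Validating Host keeps the redirect from pointing at an attacker-chosen name.
function redirectTarget(headers, url) {
  const host = String(headers.host || '').toLowerCase().replace(/:\d+$/, '');
  const wellFormed = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host);
  if (!wellFormed || !host.endsWith(FROM_SUFFIX)) return null;
  const prefix = host.slice(0, -FROM_SUFFIX.length);
  const path = String(url || '').startsWith('/') ? url : '/';
  return `${forwardedProto(headers)}://${prefix}${TO_SUFFIX}${path}`;
}

function handler(req, res) {
  const target = redirectTarget(req.headers, req.url);
  if (target === null) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Unknown host\n');
    return;
  }
  res.writeHead(301, { Location: target, 'Content-Type': 'text/plain' });
  res.end(`Permanently moved to ${target}.\n`);
}

// Heroku provides PORT; without it the module only defines the functions.
if (process.env.PORT) {
  http.createServer(handler).listen(process.env.PORT);
}
```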
Finally, a brief note on how to verify that the configuration works. The simplest way is to test whether the HTTPS service is working properly. biz-to-me's service is simple: if I open an http(s)://*.catchen.biz/* URL, it returns a 301 that redirects me to http(s)://*.catchen.me/*. The URL of this article is https://chinese.catchen.me/2018/07/heroku-nodejs-https.html, so if I run curl -i against the corresponding catchen.biz URL and get the correct 301 redirect, the setup is successful.
$ curl -i https://chinese.catchen.biz/2018/07/heroku-nodejs-https.html
HTTP/1.1 301 Moved Permanently
Server: Cowboy
Connection: keep-alive
Location: https://chinese.catchen.me/2018/07/heroku-nodejs-https.html
Date: Sun, 01 Jul 2018 21:29:36 GMT
Transfer-Encoding: chunked
Via: 1.1 vegur

Permanently moved to <a href="https://chinese.catchen.me/2018/07/heroku-nodejs-https.html">https://chinese.catchen.me/2018/07/heroku-nodejs-https.html</a>.
Note that the Location header value begins with HTTPS, not HTTP. This matters because we would get a similar 301 response even before the Node.js code was updated to support HTTPS, but its Location would always be plain HTTP.
If curl -i fails because the certificate is incorrect, you can use curl --insecure to skip certificate validation and check the Node.js code. Then use curl -v to view the certificate and see why it is wrong. The key part of the curl -v output is this section:
* Server certificate:
* subject: CN=cantonese.catchen.biz
* start date: Jul 1 04:44:37 2018 GMT
* expire date: Sep 29 04:44:37 2018 GMT
* subjectAltName: host "chinese.catchen.biz" matched cert's "chinese.catchen.biz"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
If the Heroku app has only one domain name added, the domain name on the subject line must be that one domain name. If the subject line shows *.herokuapp.com, it means we need to change the domain name's CNAME to herokudns.com, or the domain name change has not yet taken effect. (If the change has not yet reached the local DNS, you can use curl --resolve to force an override locally.) If the Heroku app has more than one domain name, the subject will be just one of them, but subjectAltName will list multiple domain names, and at least one of them should match.
Heroku + Node.js + HTTPS