This commit is contained in:
AJ ONeal 2015-07-07 17:19:44 -06:00
parent f4fd6c3dae
commit 8d55d4910e
4 changed files with 147 additions and 1 deletions

View File

@ -2,18 +2,57 @@
Redirect from HTTP to HTTPS using meta redirects
## Installation and Usage
```bash
npm install --save redirect-https
```
```js
'use strict';
var express = require('express');
var app = express();
app.use('/', require('redirect-https')({
body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
}));
module.exports = app;
```
## Options
```
{ port: 443 // defaults to 443
, body: '' // defaults to an html comment to use https
, trustProxy: true // useful if you haven't set this option in express
}
```
* This module will call `next()` if the connection is already tls / https.
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
* If you use `{{URL}}` in the body text it will be replaced with the url
## Demo
```javascript
'use strict';
var http = require('http');
var server = http.createServer();
var securePort = 8443;
var insecurePort = process.argv[2] || 8080;
server.on('request', require('redirect-https')({
port: 443
port: securePort
, body: '<!-- Hello! Please use HTTPS instead -->'
, trustProxy: true // default is false
}));
server.listen(insecurePort, function () {
console.log('Listening on http://localhost.daplie.com:' + server.address().port);
});
```
# Why meta redirects?
@ -33,3 +72,12 @@ Using a meta redirect will break requests from `curl` and api calls from a progr
# Other strategies
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
# Security
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
so that no malicious links of this sort will yield unexpected behavior:
* `http://localhost.daplie.com:8080/"><script>alert('hi')</script>`
* `http://localhost.daplie.com:8080/';URL=http://example.com`
* `http://localhost.daplie.com:8080/;URL=http://example.com`

15
example.js Normal file
View File

@ -0,0 +1,15 @@
'use strict';
var http = require('http');
var server = http.createServer();
var port = process.argv[2] || 8080;
server.on('request', require('./')({
port: 8443
, body: '<a href="{{URL}}">{{URL}}</a>'
, trustProxy: true // default is false
}));
server.listen(port, function () {
console.log('Listening on http://localhost.daplie.com:' + server.address().port);
});

52
index.js Normal file
View File

@ -0,0 +1,52 @@
'use strict';
module.exports = function (opts) {
var escapeHtml = require('escape-html');
if (!opts) {
opts = {};
}
if (isNaN(opts.port)) {
opts.port = 443;
}
if (!('body' in opts)) {
opts.body = "<!-- Hello Mr Developer! We don't serve insecure resources around here."
+ "\n Please use HTTPS instead. -->";
}
opts.body = opts.body.replace(/{{\s+PORT\s+}}/i, opts.port);
return function (req, res, next) {
if (req.connection.encrypted
|| 'https' === req.protocol
|| (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])
) {
next();
return;
}
var url = req.url;
var host = req.headers.host || '';
var newLocation = 'https://'
+ host.replace(/:\d+/, ':' + opts.port) + url
;
//var encodedLocation = encodeURI(newLocation);
var escapedLocation = escapeHtml(newLocation);
var body = opts.body
.replace(/{{\s*URL\s*}}/ig, escapedLocation)
.replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
;
var metaRedirect = ''
+ '<html>\n'
+ '<head>\n'
//+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+ ' <META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'">\n'
+ '</head>\n'
+ '<body">\n' + body + '\n</body>\n'
+ '</html>\n'
;
res.setHeader('Content-Type', 'text/html; charset=utf-8');
res.end(metaRedirect);
};
};

31
package.json Normal file
View File

@ -0,0 +1,31 @@
{
"name": "redirect-https",
"version": "1.0.0",
"description": "Redirect from HTTP to HTTPS using meta redirects",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"repository": {
"type": "git",
"url": "git+https://github.com/Daplie/node-redirect-https.git"
},
"keywords": [
"https",
"http",
"redirect",
"force",
"upgrade",
"location",
"meta"
],
"author": "AJ ONeal <coolaj86@gmail.com> (http://coolaj86.com/)",
"license": "Apache-2.0",
"bugs": {
"url": "https://github.com/Daplie/node-redirect-https/issues"
},
"homepage": "https://github.com/Daplie/node-redirect-https#readme",
"dependencies": {
"escape-html": "^1.0.2"
}
}