v1.0.0
		
							parent
							
								
									f4fd6c3dae
								
							
						
					
					
						commit
						8d55d4910e
					
				
							
								
								
									
										50
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										50
									
								
								README.md
									
									
									
									
									
								
							@ -2,18 +2,57 @@
 | 
			
		||||
 | 
			
		||||
Redirect from HTTP to HTTPS using meta redirects
 | 
			
		||||
 | 
			
		||||
## Installation and Usage
 | 
			
		||||
 | 
			
		||||
```bash
 | 
			
		||||
npm install --save redirect-https
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
```js
 | 
			
		||||
'use strict';
 | 
			
		||||
 | 
			
		||||
var express = require('express');
 | 
			
		||||
var app = express();
 | 
			
		||||
 | 
			
		||||
app.use('/', require('redirect-https')({
 | 
			
		||||
  body: '<!-- Hello Mr Developer! Please use HTTPS instead -->'
 | 
			
		||||
}));
 | 
			
		||||
 | 
			
		||||
module.exports = app;
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
## Options
 | 
			
		||||
 | 
			
		||||
```
 | 
			
		||||
{ port: 443           // defaults to 443
 | 
			
		||||
, body: ''            // defaults to an html comment to use https
 | 
			
		||||
, trustProxy: true    // useful if you haven't set this option in express
 | 
			
		||||
}
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
* This module will call `next()` if the connection is already tls / https.
 | 
			
		||||
* If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called.
 | 
			
		||||
* If you use `{{URL}}` in the body text it will be replaced with the url
 | 
			
		||||
 | 
			
		||||
## Demo
 | 
			
		||||
 | 
			
		||||
```javascript
 | 
			
		||||
'use strict';
 | 
			
		||||
 | 
			
		||||
var http = require('http');
 | 
			
		||||
var server = http.createServer();
 | 
			
		||||
var securePort = 8443;
 | 
			
		||||
var insecurePort = process.argv[2] || 8080;
 | 
			
		||||
 | 
			
		||||
server.on('request', require('redirect-https')({
 | 
			
		||||
  port: 443
 | 
			
		||||
  port: securePort
 | 
			
		||||
, body: '<!-- Hello! Please use HTTPS instead -->'
 | 
			
		||||
, trustProxy: true // default is false
 | 
			
		||||
}));
 | 
			
		||||
 | 
			
		||||
server.listen(insecurePort, function () {
 | 
			
		||||
  console.log('Listening on http://localhost.daplie.com:' + server.address().port);
 | 
			
		||||
});
 | 
			
		||||
```
 | 
			
		||||
 | 
			
		||||
# Why meta redirects?
 | 
			
		||||
@ -33,3 +72,12 @@ Using a meta redirect will break requests from `curl` and api calls from a progr
 | 
			
		||||
# Other strategies
 | 
			
		||||
 | 
			
		||||
If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside
 | 
			
		||||
 | 
			
		||||
# Security
 | 
			
		||||
 | 
			
		||||
The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it
 | 
			
		||||
so that no malicious links of this sort will yield unexpected behavior:
 | 
			
		||||
 | 
			
		||||
  * `http://localhost.daplie.com:8080/"><script>alert('hi')</script>`
 | 
			
		||||
  * `http://localhost.daplie.com:8080/';URL=http://example.com`
 | 
			
		||||
  * `http://localhost.daplie.com:8080/;URL=http://example.com`
 | 
			
		||||
 | 
			
		||||
							
								
								
									
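--- a/example.js
+++ b/example.js
@@ -0,0 +1,15 @@
+'use strict';
+
+var http = require('http');
+var server = http.createServer();
+var port = process.argv[2] || 8080;
+
+server.on('request', require('./')({
+  port: 8443
+, body: '<a href="{{URL}}">{{URL}}</a>'
+, trustProxy: true // default is false
+}));
+
+server.listen(port, function () {
+  console.log('Listening on http://localhost.daplie.com:' + server.address().port);
+});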
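Review bot: With `trustProxy: true` on a bare `http.createServer()`, a request that carries `X-Forwarded-Proto: https` takes the pass-through branch in index.js and calls `next()`, but `server.on('request', …)` passes only `(req, res)`, so `next` is undefined there and the call would throw. Nothing in this example sits in front of the server to set or strip that header, so the value comes straight from the client. I would delete the `, trustProxy: true // default is false` line here, or wrap the handler so that a `next` is always supplied. The README demo added in this commit uses the same options and has the same problem.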
							
								
								
									
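--- a/index.js
+++ b/index.js
@@ -0,0 +1,52 @@
+'use strict';
+
+module.exports = function (opts) {
+  var escapeHtml = require('escape-html');
+
+  if (!opts) {
+    opts = {};
+  }
+  if (isNaN(opts.port)) {
+    opts.port = 443;
+  }
+  if (!('body' in opts)) {
+    opts.body = "<!-- Hello Mr Developer! We don't serve insecure resources around here."
+      + "\n    Please use HTTPS instead. -->";
+  }
+  opts.body = opts.body.replace(/{{\s+PORT\s+}}/i, opts.port);
+
+  return function (req, res, next) {
+    if (req.connection.encrypted
+      || 'https' === req.protocol
+      || (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])
+    ) {
+      next();
+      return;
+    }
+
+    var url = req.url;
+    var host = req.headers.host || '';
+    var newLocation = 'https://'
+      + host.replace(/:\d+/, ':' + opts.port) + url
+      ;
+    //var encodedLocation = encodeURI(newLocation);
+    var escapedLocation = escapeHtml(newLocation);
+    var body = opts.body
+          .replace(/{{\s*URL\s*}}/ig, escapedLocation)
+          .replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
+          ;
+
+    var metaRedirect = ''
+      + '<html>\n'
+      + '<head>\n'
+      //+ '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+      + '  <META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'">\n'
+      + '</head>\n'
+      + '<body">\n' + body + '\n</body>\n'
+      + '</html>\n'
+      ;
+
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.end(metaRedirect);
+  };
+};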
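Review bot: The `{{UNSAFE_URL}}` substitution writes `newLocation` into the response body without escaping, and `newLocation` is assembled from `req.headers.host` and `req.url`, both supplied by the client, so any template that uses this placeholder reflects request data as markup. The README in this commit documents only `{{URL}}`; I would either drop the `.replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)` line or put a comment above it such as `// UNSAFE_URL is NOT html-escaped: never place it in markup`. Both substitutions also pass request-derived text as the replacement string, where `$&`-style patterns are interpreted by `String.prototype.replace`; a function replacer, e.g. `.replace(/{{\s*URL\s*}}/ig, function () { return escapedLocation; })`, avoids that. Separately, `'<body">\n'` has a stray quote, and the `PORT` pattern requires whitespace (`\s+`) where the `URL` patterns allow none (`\s*`), so `{{PORT}}` is never replaced.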
							
								
								
									
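--- a/package.json
+++ b/package.json
@@ -0,0 +1,31 @@
+{
+  "name": "redirect-https",
+  "version": "1.0.0",
+  "description": "Redirect from HTTP to HTTPS using meta redirects",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Daplie/node-redirect-https.git"
+  },
+  "keywords": [
+    "https",
+    "http",
+    "redirect",
+    "force",
+    "upgrade",
+    "location",
+    "meta"
+  ],
+  "author": "AJ ONeal <coolaj86@gmail.com> (http://coolaj86.com/)",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/Daplie/node-redirect-https/issues"
+  },
+  "homepage": "https://github.com/Daplie/node-redirect-https#readme",
+  "dependencies": {
+    "escape-html": "^1.0.2"
+  }
+}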