From 63f8e35426b5ebbd22991dce772a9fb2941c7cd9 Mon Sep 17 00:00:00 2001
From: Ondrej Synacek
Date: Mon, 4 Nov 2019 20:12:24 +0100
Subject: [PATCH] Do not use HTTPS application routing by default, make it optional via env variable.
---
 lib/index.js | 7 ++++++-
 readme.MD | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/index.js b/lib/index.js
index 697c984..8c806bd 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -18,11 +18,16 @@ const port = process.env.PORT
 const certEndpoint = process.env.CERT_ENDPOINT || ''
 const certSecret = process.env.CERT_SECRET || ''
 const isDevelopment = process.env.NODE_ENV === 'development'
+const enforceHTTPS = Boolean(process.env.ENFORCE_HTTPS)
 const app = express()
 const appLogger = createAppLogger({ dev: isDevelopment })
-app.use(forceSecure)
+// Force app to always redirect to HTTPS
+// use when you can't configure web server
+if (enforceHTTPS) {
+ app.use(forceSecure)
+}
 // Server logs
 app.use(createRouteLogger({ dev: isDevelopment }))
diff --git a/readme.MD b/readme.MD
index e74bcd6..8df911a 100644
--- a/readme.MD
+++ b/readme.MD
@@ -30,7 +30,7 @@ The app is automatically set up to create logs in `logs/` directory each day but
 ### HTTPS
-App contains middleware that will redirect all traffic to HTTPS if the requests contain header `X-FORWARDED-PROTO`.
+App contains middleware that will redirect all traffic to HTTPS if the requests contain header `X-FORWARDED-PROTO`. For this to work, the middleware has to be enabled by setting environment variable `ENFORCE_HTTPS` to value `1`.
 There are environment variables for setting pu SSL certificate from Let's Encrypt (acme challenge): `CERT_ENDPOINT` and `CERT_SECRET`.
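Review bot: The HTTPS redirect now fails open: with `ENFORCE_HTTPS` unset, `app.use(forceSecure)` is skipped, so a deployment that upgrades without adding the variable silently stops redirecting plain-HTTP requests unless something in front of the app already does it. Consider logging a startup warning when `enforceHTTPS` is false and `isDevelopment` is false, so the change in behaviour is visible to operators. Separately, `Boolean(process.env.ENFORCE_HTTPS)` is true for any non-empty string, including `0` and `false`, while the readme documents the value `1`; `const enforceHTTPS = process.env.ENFORCE_HTTPS === '1'` would match the documentation. `forceSecure` is defined outside this hunk, so how it treats a client-supplied `X-Forwarded-Proto` header cannot be checked from here.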