I am running a Node.js Express server on my AWS EC2 Linux instance. I need to expose it through HTTPS to work properly with the React app that pulls data from it. I was able to generate my own SSL certificate, but it will not be recognized by other users and the client app will throw an error.
Could you please explain how I can get a public SSL certificate just for the Node server? The server uses an IP address like xxx.xx.xx.xx:4500/endpoint. AWS seems to offer SSL but only if you pay for its load balancer, and I do not want to do that.
Is there a way to verify the certificate that I generated with openssl so I can use it publicly?
Here is my basic setup:
const express = require('express');
const cors = require('cors');
const mysql = require('mysql');
const moment = require('moment');
var fs = require('fs');
const https = require('https');
const app = express();
// xxx
https.createServer({
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.cert')
}, app).listen(4500, () => {
  console.log('Listening...');
});
Thank you in advance!
OpenSSL itself is a tool to create self-signed certificates. Those certificates are never trusted by the browser.
Instead, you can use Let's Encrypt with this command:
apt install certbot
certbot certonly --standalone -d example.com
Let's Encrypt is a trusted entity, so their certificates are valid.
Your new certificates will be on a path like this:
/etc/letsencrypt/live/example.com
As others suggested, you will need one domain. You can get one free on sites like Freenom.
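Loading the certbot output from the path above into the Node `https` server from the question, as an added example that is not part of the original posts. It assumes certbot's usual `privkey.pem` and `fullchain.pem` file names in that directory; `loadCredentials`, `startServer` and `LIVE_DIR` are hypothetical names.

```javascript
const fs = require('fs');
const path = require('path');
const https = require('https');

// Path from the answer above; example.com stands in for your own domain.
const LIVE_DIR = '/etc/letsencrypt/live/example.com';

// Assumption: certbot's usual file names. fullchain.pem carries the leaf
// certificate plus the intermediate, so clients can build the chain.
function loadCredentials(liveDir, read = fs.readFileSync) {
  return {
    key: read(path.join(liveDir, 'privkey.pem')),
    cert: read(path.join(liveDir, 'fullchain.pem')),
  };
}

// Start the HTTPS server and re-read the files when certbot renews them,
// so the process keeps serving a current certificate without a restart.
function startServer(app, port, liveDir = LIVE_DIR) {
  const server = https.createServer(loadCredentials(liveDir), app);
  fs.watchFile(path.join(liveDir, 'fullchain.pem'), () => {
    server.setSecureContext(loadCredentials(liveDir));
  });
  return server.listen(port, () => console.log(`HTTPS on ${port}`));
}

// Usage with the Express app from the question:
// startServer(app, 4500);
```

The live directory is readable only by root by default, so the Node process needs read access to those two files.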
Your self-signed certificate won't be trusted by the browser.
One solution would be to get yourself a domain and then a free SSL certificate issued by Let's Encrypt. This would remove the error because Let's Encrypt certificates are trusted by all major browsers.
Another solution is to get the free plan of Cloudflare, which includes an SSL certificate. More info here.
There is the possibility to secure your IP with an SSL certificate but there are no free solutions for this.
If you are in a region where Amazon Certificate Manager is supported, you can get an SSL certificate for free.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
In order to apply an SSL certificate, the easiest way is to use it on a load balancer. Check my answer to this question: Apollo Server on Ubuntu 18.04 EC2 instance with HTTPS.
If you want to use the certificate directly on EC2, try the following. I haven't tried this myself.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-export-private.html
Also, I have seen people using https://letsencrypt.org/ to get certs.
Related
I'm having issues setting up a wss server (Secure Websocket Server) in node.js.
When we run the server and test it using an online websocket tester and connect to wss://localhost:8888 it works. But when we connect to wss://my_ip:8888 (ip found with ifconfig) it results in the error index.js:15 WebSocket connection to 'wss://192.168.1.217:8888/' failed.
I've made a git repository for easy testing: https://github.com/DaanS8/wss_error
Possible useful info
We pinged the ip on the port 8888 with `telnet my_ip 8888` which was successful. Any other port fails, which means it is listening?
Chrome behaves differently than Firefox: in Chrome localhost works, but in Firefox localhost doesn't even work whilst using the same tests on the online websocket tester.
The code is running on an Ubuntu VM on a Windows machine. It seems the Ubuntu VM doesn't have its own firewall (sudo ufw status results in an error); just turning off the Windows firewall doesn't change the errors.
The certificates were generated with the following commands:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Vlaams-Brabant
Locality Name (eg, city) []:Leuven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:KU Leuven
Organizational Unit Name (eg, section) []:Pno
Common Name (e.g. server FQDN or YOUR name) []:Team x
Email Address []:xxxx#xxxxxxxx.be
openssl rsa -in myCA.key -text > private.pem
My main sources:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
How to Create Secure(TLS/SSL) Websocket Server
main.ts was copied from a blog post that I temporarily can't find anymore
Code
main.ts:
// Minimal amount of secure websocket server
var fs = require('fs');
// read ssl certificate
var privateKey = fs.readFileSync('certs/private.pem', 'utf8');
var certificate = fs.readFileSync('certs/myCA.pem', 'utf8');
var credentials = { key: privateKey, cert: certificate };
var https = require('https');
//pass in your credentials to create an https server
var httpsServer = https.createServer(credentials);
httpsServer.listen(8888);
var WebSocketServer = require('ws').Server;
var wss = new WebSocketServer({
  server: httpsServer
});
wss.on('connection', function connection(ws) {
  ws.on('message', function incoming(message) {
    console.log('received: %s', message);
    ws.send('reply from server : ' + message);
  });
  ws.send('something');
});
See github for keys etc.
Your "online websocket tester" doesn't provide easily readable source code, so it is not clear what is failing. My guess: TLS cert validation is failing. (Browsers may have their own rules for localhost, so it may be working for localhost in some browsers.)
You are connecting to the IP, but the cert is generated with Common Name: Team x. A correct TLS client implementation should reject this kind of TLS connection, because the server name does not match the TLS CN name ('IP'!='Team x').
Solutions:
1.) Generate proper TLS certificate, where Common Name is matching used IP. This is a proper secure solution for your use case (usually server FQDN is used, because domain is used for connection and not the server IP).
2.) Use websocket client, which provides option to disable cert verification.
3.) Open https://IP:8888 and add browser TLS exception for used cert. Exception should be applied also for wss protocol then.
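The name check described in this answer can be reproduced with Node's own `tls.checkServerIdentity`, shown here as an added example that is not part of the original posts. The certificate summaries are constructed objects in the shape of `getPeerCertificate()` output, and `auditIdentity`, `requiredSanEntry` and `auditAll` are hypothetical helper names. Node's TLS client consults only the certificate's subjectAltName IP entries when the target is an IP address, so a matching Common Name alone does not pass.

```javascript
const tls = require('tls');
const net = require('net');

// Constructed certificate summaries in the shape returned by
// tlsSocket.getPeerCertificate(); no real certificates are involved.
const CERTS = {
  // As generated in the question: CN "Team x", no subjectAltName.
  asGenerated: { subject: { CN: 'Team x' } },
  // The IP placed in the Common Name only.
  ipInCommonName: { subject: { CN: '192.168.1.217' } },
  // The IP and localhost listed as subjectAltName entries.
  ipInSan: {
    subject: { CN: 'Team x' },
    subjectaltname: 'IP Address:192.168.1.217, DNS:localhost',
  },
};

// The subjectAltName entry (openssl extension syntax) a certificate
// needs before a client connecting to `host` will accept it.
function requiredSanEntry(host) {
  return net.isIP(host) ? `IP:${host}` : `DNS:${host}`;
}

// Run Node's built-in identity check and report the outcome.
// checkServerIdentity returns undefined on success, an Error otherwise.
function auditIdentity(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  if (!err) return { host, ok: true };
  return {
    host,
    ok: false,
    code: err.code,
    reason: err.reason,
    fix: `subjectAltName = ${requiredSanEntry(host)}`,
  };
}

// Check every sample certificate against one connection target.
function auditAll(host) {
  const result = {};
  for (const [name, cert] of Object.entries(CERTS)) {
    result[name] = auditIdentity(host, cert).ok;
  }
  return result;
}

console.log(auditAll('192.168.1.217'));
console.log(auditIdentity('192.168.1.217', CERTS.asGenerated));
```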
Try using cloudflared
for download : Click here
tutorial : Click here
It may be a problem with firewall rules and other factors.
EDIT:
This program packs a lightweight server that acts as a bridge from your computer to Cloudflare servers. This hosts the site on a temporary subdomain for free.
If you have a Cloudflare account, it will help with setting and configuring static permanent URLs instead of dynamically changing ones every time.
Sorry, I don't know about the pricing as I use the free plan.
For more info visit the docs.
Because of this it can bypass many Windows restrictions (like the firewall), ISP restrictions (like NAT), etc., so you can focus on the project.
Also, this works even outside of your LAN. Just so you know, it also works outside the LAN, so you can share a quick preview with others.
I developed an application with Next.js and then built it. I run it on a Node server using 'npm run start' in PowerShell. It works fine on localhost on port 80, but my server does not accept any request from outside, either by domain name or IP address. How should I configure the application or Node.js to accept all requests?
OS is windows server 2019
You need to allow CORS
res.header('Access-Control-Allow-Origin', '*');
Try this cors npm module - https://www.npmjs.com/package/cors
var express = require('express');
var cors = require('cors');
var app = express();
app.use(cors());
It provides many features to configure cors setting including domain whitelisting, enabling cors for specific apis and many more.
I'm writing an app in React Native, and I need to make API requests. The server for that is running on a server with a self-signed SSL certificate, so I need Axios and React Native to make the request and accept the response using a self-signed certificate.
I can't get a certificate from an official certificate authority.
I have already tried using https.Agent, however this doesn't seem
to be possible when using React Native (The https module is part of
the node standard library, which is not included in React Native), so
this is also not a valid solution.
I would prefer to continue using Axios, however I would consider
switching libraries if there are any with similar functionality (I've
already tried a few, none provided functionality to allow self-signed
certs).
Here is some example code from my project (url is the IP of the server):
import axios from 'axios';
const instance = axios.create({ });
instance.get(url)
  .then(res => {
    this.setState({dataSource: res.data});
  });
Btw, when I'm using ngrok everything works fine, so the self-signed certificate is definitely the only problem.
I solved this problem today! I too have a React Native app, and I use apisauce, an awesome lib that uses axios under the hood.
My API runs on a LAMP stack locally, and I have a fake development domain in /etc/hosts, and Apache is configured with a self signed certificate.
Instead of disabling the SSL verification, trust your certificate!
The instructions will differ on Android, but for iOS I did the following.
Send the selfsigned.crt to my iPhone via Airdrop
Install the profile in the Settings app
Download and launch Proxyman on my dev machine https://proxyman.io/
Set Proxy in Wifi settings on the iPhone (dev machine IP port 9090)
Open Safari and go to proxy.man/ssl, download the certificate
Install the profile in the Settings app
Enable full trust for both certificates in Settings > General > About > Certificate Trust Settings
Now you should be able to access https://your-dev-domain.whatever without any problems, and apisauce/axios will no longer return Network Error 😎
Just remember to go back into your wifi settings and turn the proxy off again when you are finished developing!
I just made a simple chat service with Node.js and I want to publish it "online". At the time I used Ngrok and Localtunnel, but they are very limited, so I looked at Apache web server, but I have not found a tutorial on how to use it.
Thanks and hope you can help me.
Ngrok and Localtunnel are services which let you open a connection from inside your network to an external server which then forwards traffic back down the tunnel so clients on the Internet can make requests to your service running inside your LAN.
Apache is HTTP server software. It is nothing like Ngrok and Localtunnel.
While you can set up a reverse proxy using it, for that to be useful in this use case you would have to install it in your router … and most routers don't let you install software on them.
You could possibly run it on a computer inside your LAN and then configure port forwarding on the router … but if you are going to do that then you might as well forget about Apache HTTPD and just forward traffic directly to the service you've written using Node.js.
There are security risks and bandwidth considerations to take into account when running services from your LAN. It's almost always a better idea to just invest in a proper hosting service like Amazon AWS, DigitalOcean Droplets, or Heroku.
By "online" I suppose you mean to host it globally. For that, my friend, you will need a server (preferably a cloud server) and a static IP address. Both of these are provided by a lot of providers like AWS, DigitalOcean etc. as a platform as a service, which we can leverage. So please do the following:
Register for a cloud service (aws, digitalocean, gcp etc.).
Create a server instance of an operating system of your choice (my pref would be a linux instance).
Attach a public static ip to the server.
Log into the server. (SSH is the most secure way and most providers provide this to log into your server).
Install dependencies (in your case NodeJS etc).
Make sure that the port in which the app is hosted is open publicly. Most providers provide a dashboard in which you can configure port settings.
Use Apache or Nginx for configuring a reverse proxy (this is just for keeping your environment secure)
I'm using fetch in a react-native app, and Charles Proxy to debug my network requests. In order to use Charles with SSL, I need to configure fetch to accept a self-signed certificate generated by Charles.
How do I tell fetch to ignore errors from self-signed certificates when using https?
I fixed this by setting up the SSL certificates in the simulator (Help > SSL Proxying > Install Charles Root Certificate in iOS Simulators) in Charles, and be happy!
Thanks https://stackoverflow.com/a/35047215/82156