v1.0.0
		
							parent
							
								
									f4fd6c3dae
								
							
						
					
					
						commit
						8d55d4910e
					
				
							
								
								
									
										50
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -2,18 +2,57 @@ | ||||
| 
 | ||||
| Redirect from HTTP to HTTPS using meta redirects | ||||
| 
 | ||||
| ## Installation and Usage | ||||
| 
 | ||||
| ```bash | ||||
| npm install --save redirect-https | ||||
| ``` | ||||
| 
 | ||||
| ```js | ||||
| 'use strict'; | ||||
| 
 | ||||
| var express = require('express'); | ||||
| var app = express(); | ||||
| 
 | ||||
| app.use('/', require('redirect-https')({ | ||||
|   body: '<!-- Hello Mr Developer! Please use HTTPS instead -->' | ||||
| })); | ||||
| 
 | ||||
| module.exports = app; | ||||
| ``` | ||||
| 
 | ||||
| ## Options | ||||
| 
 | ||||
| ``` | ||||
| { port: 443           // defaults to 443 | ||||
| , body: ''            // defaults to an html comment to use https | ||||
| , trustProxy: true    // useful if you haven't set this option in express | ||||
| } | ||||
| ``` | ||||
| 
 | ||||
| * This module will call `next()` if the connection is already tls / https. | ||||
| * If `trustProxy` is true, and `X-Forward-Proto` is https, `next()` will be called. | ||||
| * If you use `{{URL}}` in the body text it will be replaced with the url | ||||
| 
 | ||||
| ## Demo | ||||
| 
 | ||||
| ```javascript | ||||
| 'use strict'; | ||||
| 
 | ||||
| var http = require('http'); | ||||
| var server = http.createServer(); | ||||
| var securePort = 8443; | ||||
| var insecurePort = process.argv[2] || 8080; | ||||
| 
 | ||||
| server.on('request', require('redirect-https')({ | ||||
|   port: 443 | ||||
|   port: securePort | ||||
| , body: '<!-- Hello! Please use HTTPS instead -->' | ||||
| , trustProxy: true // default is false | ||||
| })); | ||||
| 
 | ||||
| server.listen(insecurePort, function () { | ||||
|   console.log('Listening on http://localhost.daplie.com:' + server.address().port); | ||||
| }); | ||||
| ``` | ||||
| 
 | ||||
| # Why meta redirects? | ||||
| @ -33,3 +72,12 @@ Using a meta redirect will break requests from `curl` and api calls from a progr | ||||
| # Other strategies | ||||
| 
 | ||||
| If your application is properly separated between static assets and api, then it would probably be more beneficial to return a 200 OK with an error message inside | ||||
| 
 | ||||
| # Security | ||||
| 
 | ||||
| The incoming URL is already URI encoded by the browser but, just in case, I run an html escape on it | ||||
| so that no malicious links of this sort will yield unexpected behavior: | ||||
| 
 | ||||
|   * `http://localhost.daplie.com:8080/"><script>alert('hi')</script>` | ||||
|   * `http://localhost.daplie.com:8080/';URL=http://example.com` | ||||
|   * `http://localhost.daplie.com:8080/;URL=http://example.com` | ||||
|  | ||||
							
								
								
									
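--- a/example.js
+++ b/example.js
@@ -0,0 +1,15 @@
+'use strict';
+
+var http = require('http');
+var server = http.createServer();
+var port = process.argv[2] || 8080;
+
+server.on('request', require('./')({
+  port: 8443
+, body: '<a href="{{URL}}">{{URL}}</a>'
+, trustProxy: true // default is false
+}));
+
+server.listen(port, function () {
+  console.log('Listening on http://localhost.daplie.com:' + server.address().port);
+});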
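Review bot: `trustProxy: true` is set on a server that listens directly, so `X-Forwarded-Proto` here is whatever the client sends rather than a value written by a proxy, and a request that claims `https` takes the `next()` branch in index.js. On a bare `http` server the `request` event supplies only `(req, res)`, so `next` is undefined at that point and the call throws; no error handling is visible in this file, so the process would presumably exit. I would not enable the option in the example, `, trustProxy: false // enable only behind a proxy that overwrites X-Forwarded-Proto`, and have index.js guard the call with `if ('function' === typeof next) { next(); }`.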
							
								
								
									
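--- a/index.js
+++ b/index.js
@@ -0,0 +1,52 @@
+'use strict';
+
+module.exports = function (opts) {
+  var escapeHtml = require('escape-html');
+
+  if (!opts) {
+    opts = {};
+  }
+  if (isNaN(opts.port)) {
+    opts.port = 443;
+  }
+  if (!('body' in opts)) {
+    opts.body = "<!-- Hello Mr Developer! We don't serve insecure resources around here."
+      + "\n    Please use HTTPS instead. -->";
+  }
+  opts.body = opts.body.replace(/{{\s+PORT\s+}}/i, opts.port);
+
+  return function (req, res, next) {
+    if (req.connection.encrypted
+      || 'https' === req.protocol
+      || (opts.trustProxy && 'https' === req.headers['x-forwarded-proto'])
+    ) {
+      next();
+      return;
+    }
+
+    var url = req.url;
+    var host = req.headers.host || '';
+    var newLocation = 'https://'
+      + host.replace(/:\d+/, ':' + opts.port) + url
+      ;
+    //var encodedLocation = encodeURI(newLocation);
+    var escapedLocation = escapeHtml(newLocation);
+    var body = opts.body
+          .replace(/{{\s*URL\s*}}/ig, escapedLocation)
+          .replace(/{{\s*UNSAFE_URL\s*}}/ig, newLocation)
+          ;
+
+    var metaRedirect = ''
+      + '<html>\n'
+      + '<head>\n'
+      //+ '  <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+      + '  <META http-equiv="refresh" content="0;URL=\'' + escapedLocation + '\'">\n'
+      + '</head>\n'
+      + '<body">\n' + body + '\n</body>\n'
+      + '</html>\n'
+      ;
+
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.end(metaRedirect);
+  };
+};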
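Review bot: The two chained `.replace()` calls that build `body` rescan their own output, so placeholder syntax arriving inside the request URL (braces pass through `escapeHtml` unchanged) is expanded by the second pass to the unescaped `newLocation`, which defeats the escaping whenever the configured body contains `{{URL}}`. A string replacement argument also interprets `$&`-style sequences taken from the URL. A single pass with a function replacer avoids both: `var body = opts.body.replace(/{{\s*(UNSAFE_)?URL\s*}}/ig, function (m, unsafe) { return unsafe ? newLocation : escapedLocation; });`. Separately, `'<body">\n'` carries a stray quote, and the `{{PORT}}` pattern uses `\s+` where the URL patterns use `\s*`, so `{{PORT}}` written without spaces is never replaced.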
							
								
								
									
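--- a/package.json
+++ b/package.json
@@ -0,0 +1,31 @@
+{
+  "name": "redirect-https",
+  "version": "1.0.0",
+  "description": "Redirect from HTTP to HTTPS using meta redirects",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Daplie/node-redirect-https.git"
+  },
+  "keywords": [
+    "https",
+    "http",
+    "redirect",
+    "force",
+    "upgrade",
+    "location",
+    "meta"
+  ],
+  "author": "AJ ONeal <coolaj86@gmail.com> (http://coolaj86.com/)",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/Daplie/node-redirect-https/issues"
+  },
+  "homepage": "https://github.com/Daplie/node-redirect-https#readme",
+  "dependencies": {
+    "escape-html": "^1.0.2"
+  }
+}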