DEV Community

Node, Express, SSL Certificate: Run HTTPS Server from scratch in 5 steps

Ömer Gülen on January 02, 2020

Node, Express, SSL Certificate: Run HTTPS Server from scratch in 5 steps I've decided to write about this tutorial after I struggled while I was...
Collapse
 
radulle profile image
Nikola Radulaški

It is best practice to put Node behind Nginx or Apache for several reasons:

  1. Offloading encryption
  2. Offloading Node when serving static content
  3. Handling errors when Node crashed or is restarting
  4. Load balancing
  5. Cache control ...
Collapse
 
omergulen profile image
Ömer Gülen

Thanks!

Collapse
 
rahmatalimalik5 profile image
RahmatAliMalik5

Well in my experience, it is much better to run Node server behind the defense line of Apache or Nginx server.

Both provides easy way of handling multiple web apps of different kinds with a most trusted security around the world ;)...

Collapse
 
omergulen profile image
Ömer Gülen

It's probably a better way to do, yet tutorial is about serving directly on Node with a certificate. Thanks :)

Collapse
 
0xdanny profile image
Daniel Etuk

Followed every single step. Great article.

Collapse
 
omergulen profile image
Ömer Gülen

Thanks! I'm glad.

Collapse
 
naskkotech profile image
Olohundare Nasirudeen

Why don't use nginx instead ?

Thread Thread
 
naskkotech profile image
Olohundare Nasirudeen

or is there any advantage of this over nginx ?

Thread Thread
 
omergulen profile image
Ömer Gülen

I don't think this is a better way, this way is only for the cases Apache or nginx is not available to use, I've used this approach for quick and dirty development + staging environment when I've recently created one of my test projects.

I recommend to put express server behind another layer such as nginx in production as @rahmatalimalik5 mentioned.

Collapse
 
sheburdos profile image
Andrey Shipilov

Why not to wrap components into containers (docker), start them as a stack and add one more component - proxy server based on smth like Caddy, that will give you pretty simple and smooth https with built in certificates from let's encrypt?

Collapse
 
omergulen profile image
Ömer Gülen • Edited

Maybe it's simpler or not. I am not experienced on that, please do write a tutorial about it so I can use it in the future, too. Thanks!

Collapse
 
spock123 profile image
Lars Rye Jeppesen

Personally I would avoid handling certs in Node, if possible.. that stuff should be handled by the webserver forwarding traffic to your Node application.

Collapse
 
omergulen profile image
Ömer Gülen

Can you give further details about your reasons, please? I would like to learn more about the reason behind it.

Collapse
 
spock123 profile image
Lars Rye Jeppesen

Hi, sorry for my late reply.
So there are a lot of reasons for taking out certificate handling from your application.

I could list many of the reasons here, but it's easier for me to refer to this article which explains lots of the issues: medium.com/intrinsic/why-should-i-...

tldr; :

  • use a reverse proxy to send requests to your Node application
  • let the proxy handle certificates
  • this scales much better (think multiple servers)
  • performance is better (check benchmarks, it's remarkable)
  • enables easier http->https handling
Thread Thread
 
omergulen profile image
Ömer Gülen

Thanks for your further explanation, I will check them out!

Collapse
 
awakanto profile image
awakanto

Hi Omer, very great article and guide - very generous of you. My only little issue with this is the oversight from your part to suggest, as pointed out in the comments, that there is another evidently better method of handling ssl certificates in a node.js setup.

I was about to delve in and start searching for the location of my private keys and certificate in my vps (for it already has an installed and paid for certificate) till I decided to check the comments here and realized that indeed there is a better way than exposing my private keys in my app and its many third party packages.

Please suggest to future readers, preferably at the top of the article, that there is another method of implementing this and it is recommended for performance, security and scalability.

Thank you for your effort and great article.

Collapse
 
jmashore profile image
Jim Mashore

This thread is pretty old, but just for the sake of saying it, I believe the author was just trying to demonstrate a method of add SSL to Express NodeJs. It was not about good practice in a production environment. It was meant to simply show someone a quick and dirty way to spin up SSL in Express.

As professional developers I think sometimes we forget that not everyone has access to the same resources we may or may not take for granted. I read these articles because I can spend two minutes and get to the nut of what I"m looking for. if we all had to spend 500 words in disclaimer in each article then I for one would simply start skipping the first 500 words and read on.

Just please remember these articles are just about How-To, not Best To.

Thank you for your contribution and I'm sure their are a great many people that have found your explanation most helpful !!!

Collapse
 
mohammadp007 profile image
Mohammad Pakivand

I'm having problem accessing my app with https, I'm getting ERR_SSL_PROTOCOL_ERROR.
could you please help me fix it

Collapse
 
prashantnirgun profile image
Prashant Nirgun

hey article is in depth, really a good content. I need to use http2 with SSL can you guide us.

Collapse
 
rdfrutuoso profile image
rd-frutuoso

Thank you very much for the article, it helped me a lot!

Collapse
 
fischgeek profile image
fischgeek

Thanks! Though, it looks like you've added this bit twice causing an error:

const app = express();
app.use(cors());