
loopback-ssl

Node module to enable HTTPS/SSL in a loopback application with simple configurations. The module also enables trusted peer authentication.


Features

  • Enable SSL in Loopback application
  • Enable mutual SSL authentication in Loopback

Setup

Install loopback:

# install loopback-cli
npm install -g loopback-cli

# create project directory
mkdir <app-name>
cd <app-name>

# create loopback application
lb
# ? What's the name of your application? <app-name>
# ? Which version of LoopBack would you like to use? 3.x (current)
# ? What kind of application do you have in mind? notes

Install loopback-ssl:

npm install loopback-ssl --save

Setup Configuration:

Add the following configuration to 'config.json' at "<app-dir>/server/config.json":

  "httpMode": false,
  "certConfig": {
    "path": "/certificate/path/",
    "key": "local.pem",
    "cert": "local.crt.pem",
    "ca": [],
    "requestCert": false,
    "rejectUnauthorized": false
  }

Configure server.js

Edit the server.js located at "<app-dir>/server/server.js". Replace the code in server.js with the code below (assuming no prior customizations to the file).

server.js

var loopback = require('loopback');
var boot = require('loopback-boot');
var loopbackSSL = require('loopback-ssl');

var app = module.exports = loopback();

boot(app, __dirname, function(err) {
  if (err) throw err;
});

return loopbackSSL.startServer(app);

Configuration options

Option 1: HTTP (default loopback configuration)

The configuration entry "httpMode": true will enable http (disable https). In this mode the "certConfig": {..} configuration is not required and can be omitted.

  "httpMode": true

Option 2: HTTPS: Loading certificates from files

The configuration entry "httpMode": false will enable https.

  "httpMode": false,
  "certConfig": {
    "path": "/certificate/path/",
    "key": "serverkey.pem",
    "cert": "server-certificate.pem",
    "ca": [],
    "requestCert": false,
    "rejectUnauthorized": false
  }
  • "path" - folder containing the certificate files
  • "key" - file name of the server's private key (relative to "path")
  • "cert" - file name of the server certificate (relative to "path")

Option 3: HTTPS: Loading certificates from files & Mutual SSL authentication

Will only work with pre-generated certificate files

  "httpMode": false,
  "certConfig": {
    "path": "/certificate/path/",
    "key": "serverkey.pem",
    "cert": "server-certificate.pem",
    "ca": [
        "client-certificate-to-validate.pem"
    ],
    "requestCert": true,
    "rejectUnauthorized": true
  }
  • The "ca" array lists the client certificates that the server will accept
  • "requestCert": true makes the server ask each client for a certificate (mutual SSL authentication)
  • "rejectUnauthorized": true makes the server reject clients whose certificate fails the authenticity and validity check against "ca"
  • If the client certificate is self-signed, "rejectUnauthorized" can be set to false.

Contributing

  • Want to contribute? Great! Please check this guide.
  • Fork it ( https://github.com/yantrashala/loopback-ssl/fork )
  • Create your feature branch (git checkout -b new-feature)
  • Commit your changes (git commit -am 'Add some feature')
  • Push to the branch (git push origin new-feature)
  • Create new Pull Request

License

MIT.


loopback-ssl's Issues

Loopback-ssl doesn't work with config.env.json

Need to make loopback-ssl recognize the correct config file based on env settings. Currently, it seems it will only recognize config.json and not config.test.json, config.staging.json, or config.production.json.

custom appStartEvent

startHttp() and startHttps() should be an enhancement of app.listen() and not the whole server.js initiation code.

Please make it possible to pass own appStartEvent() callback to them.

`http` is not working with plugin

When I enable the plugin it works well with https BUT http does not (with or without "httpMode": true).
My config.local.json

{
  "host": "localhost",
  "url": "http://localhost:8080/",
  "httpMode": true,
  "certConfig": {}
}

My server.js file:

const loopback    = require('loopback');
const boot        = require('loopback-boot');
const loopbackSSL = require('loopback-ssl');

var app = module.exports = loopback();

// Bootstrap the application, configure models, datasources and middleware.
// Sub-apps like REST API are mounted via boot scripts.
boot(app, __dirname, function(err) {
  if (err) throw err;
});

// start the server if `$ node server.js`
if (require.main === module) {
  const http = loopbackSSL.startServer(app);
  app.emit('http:setup', http);
  return http;
}

return app;

Question: http and https?

Thanks for this, https works!

Question: Would it be possible to have both http and https working at the same time?

(typo in the Readme: "httpMode": flase)

Redirect http to https?

Thanks for this module. Saved me a lot of time.

Any ideas how to manage http to https redirects with this module?

Thanks.

CVE-2017-16137 - Debug module vulnerability

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

README is confusing for me

httpMode is not correctly described in docs. I'm confused

Setup Configuration (says for SSL it should be false)

"httpMode": false

Disable HTTPS (says for SSL it should be true)

The configuration entry "httpMode": false will disable https.

Enable SSL (says for SSL it should be true)

"httpMode": true

Enable Mutual SSL (says for SSL it should be true)

"httpMode": true,


On app start with "httpMode": false (!):

Web server listening at: http://0.0.0.0:8080
Browse your REST API at http://0.0.0.0:8080/explorer

And with "httpMode": true (!):

Web server listening at: https://0.0.0.0:8080
Browse your REST API at https://0.0.0.0:8080/explorer

"path" argument must be of type string

I am getting an undefined TypeError for the path argument. It seems similar to this issue #10, but in my case return loopbackSSL.startServer(app); follows my boot function. See below:

boot(app, __dirname, function (err) {
    if (err) throw err;
    // Start the server if `$ node server.js`.
    if (require.main === module) {
        app.io = require('socket.io')(loopbackSSL.startServer(app));
        require('socketio-auth')(app.io, {
            authenticate: function (socket, value, callback) {
                // We can log the user's info from the socket cookie
                // console.log(socket.handshake.headers.cookie);
                socket.client.accessToken = null;
                socket.client.userId = null;
                if (value && value.userId && value.id) {
                    // Value yields access token and userID.
                    var AccessToken = app.models.AccessToken;
                    // Get credentials sent by the client.
                    var token = AccessToken.findOne({
                        where: {
                            and: [{userId: value.userId}, {id: value.id}]
                        }
                    }, function (err, tokenDetail) {
                        if (err) throw err;
                        if (tokenDetail) {
                            // Add user Id to app connections.
                            socket.client.accessToken = tokenDetail;
                            socket.client.userId = value.userId;
                            callback(null, true);
                        } else {
                            callback(null, true);
                        }
                    });
                } else {
                    // Set to false to disconnect user.
                    callback(null, true);
                }
            },
            postAuthenticate: function (socket, data) {
                console.log("user connected User:", socket.client.userId ? socket.client.userId : "anonymous");
            }
        });
        app.io.on('connection', function (socket) {
            socket.on('disconnect', function () {
                console.log('user disconnected User:', socket.client.userId ? socket.client.userId : "anonymous");
            });
        });
    }
});

return loopbackSSL.startServer(app);

Here's my config (actual server replaced with myserver):

"httpMode": false,
  "certConfig": {
    "path": "/etc/ssl/myserver.com/",
    "key": "myserver.com.pem",
    "cert": "myserver.com.pem",
    "ca": [],
    "requestCert": false,
    "rejectUnauthorized": false
  },

The error reads:

Error reading certificates TypeError [ERR_INVALID_ARG_TYPE]: The "path" argument must be of type string. Received type undefined
    at assertPath (path.js:39:11)
    at Object.resolve (path.js:1085:7)
    at getServerOptions (/var/www/api/node_modules/loopback-ssl/lib/loopback-ssl.js:64:23)
    at Object.startHttps (/var/www/api/node_modules/loopback-ssl/lib/loopback-ssl.js:30:15)
    at Object.startServer (/var/www/api/node_modules/loopback-ssl/index.js:14:24)
    at /var/www/api/server/server.js:48:51
    at /var/www/api/node_modules/loopback-boot/lib/executor.js:65:5
    at /var/www/api/node_modules/loopback-boot/node_modules/async/lib/async.js:251:17
    at /var/www/api/node_modules/loopback-boot/node_modules/async/lib/async.js:154:25
    at /var/www/api/node_modules/loopback-boot/node_modules/async/lib/async.js:248:21
    at /var/www/api/node_modules/loopback-boot/node_modules/async/lib/async.js:612:34
    at process._tickCallback (internal/process/next_tick.js:61:11)
    at Function.Module.runMain (internal/modules/cjs/loader.js:745:11)
    at startup (internal/bootstrap/node.js:283:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:743:3)

I guess this could be something related to my boot function using socket.io, or an incorrect implementation of loopbackSSL.startServer(app);, which relates to #35. We need to have some examples of using this package with modified boot scripts and appStartEvents.

How to avoid getting Red Warnings on browsers (because of self-signed certificate)

Hi, I followed all the instructions here, which btw are pretty clear, but I can't get my loopback API to work.

I have used the following script:

#!/bin/bash

# https://github.com/strongloop/loopback-gateway/blob/master/server/private/ssl-keygen.sh

KEY_LENGTH=2048

# Generate CA
# openssl genrsa -des3 -out ca.key $KEY_LENGTH
# openssl req -new -key ca.key -out ca.csr
# openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key

# Generate server key
openssl genrsa -passout pass:1234 -des3 -out server.key $KEY_LENGTH
openssl req -passin pass:1234 -new -key server.key -out server.csr

# Remove the passphrase
cp server.key server.key.org
openssl rsa -passin pass:1234 -in server.key.org -out server.key

# Generate server certificate
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.pem
cp server.pem certificate.pem
cp server.key privatekey.pem
rm server.pem server.key server.key.org server.csr

Which generates privatekey.pem and certificate.pem files.

And once added on my config.json we have this block:

"httpMode": false,
  "certConfig": {
    "path": "server/ssl/",
    "key": "privatekey.pem",
    "cert": "certificate.pem",
    "ca": [],
    "requestCert": false,
    "rejectUnauthorized": false
  }

But I keep getting these errors:
[screenshot: api error]
[screenshot: api error 2]

What can I do to fix that?

My shared hosting provider auto-generates SSL certificates with letsencrypt and there is one generated for my subdomain (api.mywebsite.com), but those files are in a folder called SSL and inside are three folders, certs, csrs (empty) and keys, and inside those folders there are files that end with an extension of .crt and .key, but I don't know how to use them nor the ones generated with openssl.

Any hints?
