0

My environment:

1.) 1 load balance server (nginx)

2.) 2 web servers (express.js running on node.js)

3.) 1 database server

Hello, I am trying to force my users to use https. I looked through many tutorials on how to implement https in express.js.

However, as I looked through many tutorials, I found 2 ways to redirect users from http to https.

  1. redirecting user to https in the nginx config (on load balance server)
  2. redirecting user to https in express.js (on web server)

My question is:

  • Which is a better way to implement HSTS for my web app (on a load balance or on a web server)?

  • Also, please kindly give a little information on the advantages and disadvantages of each of the options.

Thank you very much :)

pupuupup

1 Answer

2

You can reduce traffic by enforcing https upstream on the load balancer. If you are only serving content that needs to be encrypted, it might be best to restrict http traffic to the web servers from external sources.

Otherwise an http request will pass through the load balancer and be directed to web server 1, where it will respond with a 302 redirect to use the https url. This causes the user to have to make 2 requests to get to your website.

Simon
  • So it is better to force https on a load balance server, right? Thanks! – pupuupup Jun 07 '15 at 17:29
  • Yes, load balancer is best. HSTS is for newer browsers (ie11+); for older browsers you'll need a 301 redirect in nginx like this: http://stackoverflow.com/questions/21106998/nginx-redirect-http-to-https-and-non-www-to-ww – Simon Jun 07 '15 at 21:18
  • So in an older browser, if I use nginx to redirect to https, the user will have to make 2 requests to get to my website, right? And if I use nginx to force https, this means my nginx will talk http with node, right? Thanks! – pupuupup Jun 08 '15 at 02:18
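
The load-balancer option discussed in the answer and comments above, written out as an nginx configuration. This is an added example, not part of the original answer; the hostname, backend addresses, certificate paths and the `max-age` value are assumptions.

```nginx
# Added example. example.com, the 10.0.0.x addresses, the certificate paths
# and the max-age value are placeholders, not values from the post.

upstream express_backend {
    server 10.0.0.11:3000;   # web server 1 (assumed address)
    server 10.0.0.12:3000;   # web server 2 (assumed address)
}

# Port 80: every plain-HTTP request is answered by the load balancer with a
# 301, so it never reaches the Express servers.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# Port 443: terminate TLS, send the HSTS header, proxy to Express.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    # Browsers ignore HSTS received over plain HTTP, so the header is set
    # here and not in the port-80 block. "always" also adds it to error
    # responses. A location that declares its own add_header stops
    # inheriting this one and has to repeat it.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # This hop is plain HTTP: keep the Express ports reachable only
        # from the load balancer.
        proxy_pass http://express_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;   # original scheme, for the app
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

A browser that first arrives over plain HTTP still makes two requests (the 301, then the HTTPS request); once it has received the HSTS header over HTTPS, an HSTS-capable browser upgrades later requests itself until `max-age` expires.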