
I have set up www.myapp.io, which connects to a MEAN-stack application hosted by nginx. I just added SSL (from Let's Encrypt) to it, and set Full in Cloudflare. Now, https://www.myapp.io works and http://www.myapp.io is redirected to https://www.myapp.io.

However, the small exclamation mark in the address bar of Chrome shows "Your connection to this site is not fully secure".

Does anyone know where the problem is?

Note that, when I developed this MEAN-stack application on my Mac with localhost, I needed to call `https://localhost:3000`. To achieve this, I followed this approach, including adding the following block in `www`:

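    var fs = require("fs");
    var https = require("https"); // needed for https.createServer below

    // Private key and certificate for the local HTTPS listener
    var config = {
        key: fs.readFileSync('key.pem'),
        cert: fs.readFileSync('cert.pem')
    };
    // `app` is the application object defined elsewhere in www
    var server = https.createServer(config, app).listen(3000);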

So I don't know if I need to (and how to) change this.

Given that my current nginx server block already has the .pem information, if I write `var server = https.createServer(app).listen(3000)`, `npm start` works, whereas https://www.myapp.io considers the server offline.

Could anyone help?

Edit 1: I just realised that different pages may have different security information, even for the same domain. For example,

https://www.myapp.io/#/new shows secure:


Whereas, https://www.myapp.io/#/home shows not fully secure:



1 Answer


It is meaningless to debug where Cloudflare is pointing the domain name to a dev Mac as the server with HSTS and SSL stapling verify on. There can be anything from mixed content to cookie-related issues. There are really a lot of matters around CA and localhost.

You can use Hurricane Electric free DNS as normal DNS and/or the free tier of any PaaS like IBM Bluemix MEAN stack to crosscheck your dev setup.

Still, if you want localhost, you should have an easy Nginx config like the one written in this guide or this guide. Comment out these in your config and try:

    # ssl_prefer_server_ciphers on;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # add_header Strict-Transport-Security max-age=15768000;
    # ssl_session_timeout 1d;

Stapling is a complicated matter, and keeping it ON even with a fully correct config can bring an OCSP stapling error like I explained -- OCSP Stapling Error. Except on a real server, the stricter the security, the more difficult it is to find a basic error. "Not fully secure" is explained here.

I understand my answer possibly does not fix your question in an easy way. But there are too many variables. I would suggest either ignoring the error on localhost or using a free PaaS for dev.

Abhishek Ghosh
  • Sorry, I was not very clear... Now, I don't mind what happens to `localhost`, and I just want to make all `https://www.myapp.io/#/...` fully secure. How should I fix my application or nginx server block or Cloudflare? – SoftTimur Apr 14 '17 at 20:01
  • No problem. I think your application is fine. I deployed a sample app to test - https://nodejs-abhishekghosh.rhcloud.com/#!/ – Abhishek Ghosh Apr 15 '17 at 11:40
  • Your site is `fully secure` on my Chrome. How do you write your nginx server block and `https.createServer...` in the server? – SoftTimur Apr 15 '17 at 11:48
  • For my site, I don't understand how it is possible that one page (i.e., `.../#/new`) is fully secure whereas another page (i.e., `.../#/home`) is not... – SoftTimur Apr 15 '17 at 11:50
  • I got it... as the [link](https://security.stackexchange.com/a/147931) states, there is an `img` in my home page ` – SoftTimur Apr 15 '17 at 14:21
  • Great one. Mixed content :) – Abhishek Ghosh Apr 19 '17 at 15:30
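
The cause found in the comments above is mixed content: an `img` on the home view fetched over plain HTTP while the page itself is HTTPS. The following is an added example, not code from the question or the answer, that scans view templates for `http://` subresource references. `findMixedContent` is a hypothetical helper, and the two templates and the `img.example.com` URL are constructed for illustration.

```javascript
// Added example: static scan of view templates for mixed content.
// Tags and attributes that make the browser fetch a subresource. Not exhaustive:
// stylesheets and CSS url() are not covered. <a href> is navigation, not a load.
const LOADERS = new Map(Object.entries({
  img: ['src', 'srcset'], source: ['src', 'srcset'], audio: ['src'],
  video: ['src', 'poster'], script: ['src'], iframe: ['src'],
  embed: ['src'], object: ['data'],
}));
// Active content can rewrite the page and is blocked by browsers; passive
// content still loads but downgrades the page to "not fully secure".
const ACTIVE = new Set(['script', 'iframe', 'embed', 'object']);

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const wanted = LOADERS.get(name);
    if (!wanted) continue;
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(tag[2])) !== null) {
      const attr = m[1].toLowerCase();
      if (!wanted.includes(attr)) continue;
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      // srcset lists several "url descriptor" candidates separated by commas.
      const urls = attr === 'srcset'
        ? value.split(',').map((c) => c.trim().split(/\s+/)[0])
        : [value.trim()];
      for (const url of urls) {
        if (/^http:\/\//i.test(url)) {
          findings.push({ tag: name, attr, url, kind: ACTIVE.has(name) ? 'active' : 'passive' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample templates for the two routes from the question.
const views = {
  '#/new': '<form><img src="https://www.myapp.io/img/logo.png"><script src="/js/app.js"></script></form>',
  '#/home': '<div><img src="http://img.example.com/banner.png" alt="x"><a href="http://example.com/">docs</a></div>',
};
for (const [route, html] of Object.entries(views)) {
  console.log(route, findMixedContent(html));
}
```

Only the `#/home` template is reported, which matches one route showing "not fully secure" while another on the same domain shows secure.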