
I am using LoopBack to run the business logic of a web app, using WordPress as a front end. At the moment, when I am testing, I connect to the same server, and start LoopBack in a different directory, running on port 3000 at the moment. I have also opened port 3000 to remote connections.

I can then connect to "example.com:3000" and "example.com:3000/explorer"

I have successfully set up the WordPress site to use the SSL certificate, and I am now looking to set LoopBack up the same way, so that I can connect to the endpoints via https.

I have followed the directions in the following repository:

https://github.com/strongloop/loopback-example-ssl

Specifically, I have:

Created a directory named private under the server directory.

Ran the following commands in that directory:

```sh
$ openssl genrsa -out privatekey.pem 1024
$ openssl req -new -key privatekey.pem -out certrequest.csr
$ openssl x509 -req -in certrequest.csr -signkey privatekey.pem -out certificate.pem
```

Note that I am not familiar with these commands. I did some searching, and answered the questions for the cert as best as I could.

Copied the following file into the server directory as ssl-config.js:

```js
var path = require('path');
var fs = require('fs');

exports.privateKey = fs.readFileSync(path.join(__dirname, './private/privatekey.pem')).toString();
exports.certificate = fs.readFileSync(path.join(__dirname, './private/certificate.pem')).toString();
```

And finally I have copied over server/server.js from the example as follows:

```js
var loopback = require('loopback');
var boot = require('loopback-boot');

var http = require('http');
var https = require('https');
var sslConfig = require('./ssl-config');

var app = module.exports = loopback();

// boot scripts mount components like REST API
boot(app, __dirname);

app.start = function(httpOnly) {
  if (httpOnly === undefined) {
    httpOnly = process.env.HTTP;
  }
  var server = null;
  if (!httpOnly) {
    var options = {
      key: sslConfig.privateKey,
      cert: sslConfig.certificate,
    };
    server = https.createServer(options, app);
  } else {
    server = http.createServer(app);
  }
  server.listen(app.get('port'), function() {
    var baseUrl = (httpOnly ? 'http://' : 'https://') + app.get('host') + ':' +
      app.get('port');
    app.emit('started', baseUrl);
    console.log('LoopBack server listening @ %s%s', baseUrl, '/');
    if (app.get('loopback-component-explorer')) {
      var explorerPath = app.get('loopback-component-explorer').mountPath;
      console.log('Browse your REST API at %s%s', baseUrl, explorerPath);
    }
  });
  return server;
};

// start the server if `$ node server.js`
if (require.main === module) {
  app.start();
}
```

When I start LoopBack, it tells me that it is running on https://0.0.0.0:3000.

When I connect to https://www.example.com:3000 or https://www.example.com:3000/explorer, the endpoints are available but Chrome is telling me that the connection is not secure.

I would very much like to have the WordPress site, as well as LoopBack, using https only, but only because I understand that this is the best place to start for making the app secure.

Nick Carson
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 25 '17 at 05:24
  • Thank you very much for responding to my question! Your post has been much help already. – Nick Carson Dec 26 '17 at 17:31
  • Chrome is telling you that the connection is not secure because it isn't. What the first set of commands does is generate a _self-signed_ certificate. This is fine, but since you are not a known certificate issuer (think Verisign, etc.) Chrome still does not trust the certificate. You should still be able to access the endpoints by clicking "Advanced" and then proceed to x – Ross Deane Jan 31 '18 at 08:59
  • An easier way of setting the SSL for LoopBack is using this dependency: [https://www.npmjs.com/package/loopback-ssl](https://www.npmjs.com/package/loopback-ssl) If you have a self-signed certificate, it will always show connection not secure, as mentioned in the comments for your question. But your API will work. – mrRobot Mar 19 '19 at 14:11
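
The SAN point from the comments, as an added example that is not from the question or the loopback-example-ssl repository: it builds one certificate with the question's three-step flow and one with a subjectAltName, then checks each for the host name. The host `www.example.com`, the 2048-bit key, the 30-day validity, the scratch-directory layout and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Host name, file layout and 30-day validity are constructed.

# write_cnf HOST DIR: minimal OpenSSL config; [v3] is applied only by `req -x509`.
write_cnf() {
  cat > "$2/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $1
[v3]
subjectAltName = DNS:$1
EOF
}

# make_cn_only_cert HOST DIR: the question's three-step flow (CSR, then
# `x509 -req -signkey`), which puts the host in the CN and emits no SAN.
make_cn_only_cert() {
  write_cnf "$1" "$2" &&
  openssl genrsa -out "$2/privatekey.pem" 2048 2>/dev/null &&
  openssl req -new -config "$2/openssl.cnf" -key "$2/privatekey.pem" \
    -out "$2/certrequest.csr" &&
  openssl x509 -req -in "$2/certrequest.csr" -signkey "$2/privatekey.pem" \
    -days 30 -out "$2/certificate.pem" 2>/dev/null
}

# make_san_cert HOST DIR: self-signed certificate with HOST in CN and SAN.
make_san_cert() {
  write_cnf "$1" "$2" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$2/openssl.cnf" -keyout "$2/privatekey.pem" \
    -out "$2/certificate.pem" 2>/dev/null
}

# san_has_host CERT HOST: succeed only if HOST is a DNS entry in the SAN.
san_has_host() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Demo: build both certificates in a scratch directory and compare.
tmp=$(mktemp -d) && mkdir "$tmp/cn" "$tmp/san" &&
make_cn_only_cert www.example.com "$tmp/cn" &&
make_san_cert www.example.com "$tmp/san"
for kind in cn san; do
  if san_has_host "$tmp/$kind/certificate.pem" www.example.com
  then echo "$kind: host is in SAN"; else echo "$kind: host missing from SAN"; fi
done
rm -rf "$tmp"
```

A certificate that passes this check is still self-signed, so, as the first comment notes, it also has to be placed in the client's trust store.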

0 Answers