Using Express HTTPS API in Production on IIS with Signed Cert

Question

I am preparing my http Angular/ Express/ Node app and API to run on port 8443 https in production, deployed to IIS on windows server. Currently my app is running on https (8443) in prod with correct cert from site binding setting in IIS, but the express server is not responding correctly on API calls. (Can the API and main app both use port 8443 in PROD?, in dev I use 4200 & 8080). Please note port 443 is an entirely different app currently set up using the same cert.

Pretty much every example of making Express run on HTTPS I can find involves creating a self signed cert, packaging cert in code, and passing relative location as a setting for express at creation. See Enabling HTTPS on express.js

However production information is a bit harder to come by, still, most seem to be packaging prod cert in with code and exchanging at build/ run time via an environment variable.

However, In my case, IIS in production has the cert that I need to use and I do not know the location of it. How can I direct express to use this cert? Possibly by using a rewrite in web.config?

Here is my server.js:

/* set up the server configuration */
const http = require('http');
var https = require('https');
const app = require('./app.js');
const port = process.env.PORT || 8080;
var httpServer = http.createServer(app);
var httpsServer = https.createServer(app);

httpServer.listen(port, '0.0.0.0');
httpsServer.listen(8443);

my web.config on IIS:

<configuration>
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Redirect all requests" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
        </conditions>
        <action type="Rewrite" url="/" />
        <!--<action type="Rewrite" url="/" />-->
        </rule>
    </rules>
  </rewrite>
      <security>
         <requestFiltering>
            <verbs applyToWebDAV="false" allowUnlisted="true" />
         </requestFiltering>
      </security>
    <modules>
       <remove name="WebDAVModule"/>
    </modules>
</system.webServer>
</configuration>

score 0 · Accepted Answer · answered Mar 05 '20 at 23:34

Her were my solutions:

(Can the API and main app both use port 8443 in PROD?, in dev I use 4200 & 8080). Please note port 443 is an entirely different app currently set up using the same cert.

A different site on 443 will not interfere as long as your app doesn't try and use it. Using 4200 (app) and 8080 (express) on local is fine. Using 8443 in production for app and express works great. Ensure web.config redirects urls without /api/ in route to server,js file. while app requests go to /. See below:

 <rewrite>
            <rules>
                <!-- Don't interfere with requests for node-inspector debugging -->
                <rule name="NodeInspector" patternSyntax="ECMAScript" stopProcessing="true">
                    <match url="^server.js\/debug[\/]?"/>
                </rule>

                <!-- First we consider whether the incoming URL matches a physical file in the /public folder -->
                <rule name="StaticContent" patternSyntax="Wildcard">
                    <action type="Rewrite" url="public/{R:0}" logRewrittenUrl="true"/>
                    <conditions>
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true"/>
                    </conditions>
                    <match url="*.*"/>
                </rule>
                <!-- All other URLs are mapped to the Node.js application entry point -->
                <rule name="API Requests">
                        <match url="api*" />
                    <conditions>
                        <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="True"/>
                    </conditions>
                    <action type="Rewrite" url="server.js"/>
                </rule>
                <rule name="SocketIO" patternSyntax="ECMAScript">
                    <match url="socket.io.+"/>
                    <action type="Rewrite" url="server.js"/>
                </rule>
                        <rule name="Redirect all requests" stopProcessing="true">
                <match url=".*" />
                    <conditions logicalGrouping="MatchAll">
                      <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
                    </conditions>
                <action type="Rewrite" url="/" />
                <!--<action type="Rewrite" url="/" />-->
              </rule>
            </rules>
        </rewrite>

However, In my case, IIS in production has the cert that I need to use and I do not know the location of it. How can I direct express to use this cert? Possibly by using a rewrite in web.config?

When using a cert in PROD with express/ IIS one does not need the location of cert and it is not managed in web.config. Rather, express does not need to interface or be aware of cert and you can use IIS Manager to set up bindings to cert in production.

Using Express HTTPS API in Production on IIS with Signed Cert

1 Answers1