SSL settings for Nginx + express

Question

I am building a web server using Nginx and express.

By redirecting requests from port 80 to port 443, Nginx only allows encrypted connections. And Port 443 forwards the request to express.

Nginx's conf settings are:

server {
    listen 80;
    server_name api.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.domain.com;

    ssl_certificate /path
    ssl_certificate_key /path

    ...

    location / {
        proxy_pass http://localhost:3000;
    }
}

express uses CORS middleware.

var app = express();

var cors = require('cors');
app.use(cors());

var server = http.createServer(app).listen(3000, 'localhost', function() { ... });

I tried something like https://www.steemcoinpan.com/sct/@morning/express-nginx-proxy-ssl-websocket, but it still doesn't work.

What settings do I need?

※ Added

If I call an API like 'http://api.domain.com/login', [Access to XMLHttpRequest at'http://api.domain.com/login' from origin'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.] error message is displayed.

This looks like a valid setup too me. What's is the problem you are trying to solve? — n9iels, Aug 04 '20 at 10:58
Does this answer your question? [Configuring HTTPS for Express and Nginx](https://stackoverflow.com/questions/42761992/configuring-https-for-express-and-nginx) — Rob, Aug 04 '20 at 11:20
If I call an API like 'http://api.domain.com/login', [Access to XMLHttpRequest at'http://api.domain.com/login' from origin'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.] error message is displayed. @n9iels — jae seung yang, Aug 04 '20 at 13:09
The above link forwards HTTP and HTTPS requests to express respectively. However, I only want to forward HTTPS requests to express. @Rob — jae seung yang, Aug 04 '20 at 13:10

score 1 · Answer 1 · answered Aug 04 '20 at 13:14

1

The problem you are describing has nothing to do with your SSL settings or Nginx config. You need to configure a CORS policy. In sort, make sure that the response includes a Access-Control-Allow-Origin header.

In your case, since you are trying to access the API from localhost:3000, something like Access-Control-Allow-Origin https://localhost:3000 will do. Configure this in the Nginx config with proxy_set_header, or in you NodeJs application and configure Nginx that this header is passed with proxy_pass_header.

answered Aug 04 '20 at 13:14

n9iels

867
7
21

Should I also run Node.js server with HTTPS? – jae seung yang Aug 04 '20 at 13:44
That depends on the environment. In you setup, there is a secure connection from the client (eg. browser) to Nginx. The internal connection from Nginx to you Node.js app is not secured. This is perfectly fine, however keep in mind that other persons with access to your server can potentially intercept this traffic. – n9iels Aug 04 '20 at 13:50

SSL settings for Nginx + express

1 Answers1