I don't know if it is even possible to do this easily and I haven't found any documentation about how one can run shieldsio in a secure (HTTPS) way locally.

I've followed this description and I've successfully deployed a working server, but it listens only on HTTP.

I thought that maybe I needed only some small reconfiguration and it would work securely, so what I did was to modify config/production.yaml:

  public:
    bind:
      address: '0.0.0.0'
      port: 5443

    ssl:
      isSecure: true
      key: 'https.key'
      cert: 'https.crt'

The steps I used to generate the secrets are:

openssl genrsa -out https.key
openssl req -new -key https.key -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey https.key -out https.crt
rm csr.pem

After rebuilding the docker image and deploying it again, the server starts to listen, but after the first HTTP GET I'm getting an error:

  internal/buffer.js:958
      super(bufferOrLength, byteOffset, length);
      ^

  RangeError: Invalid typed array length: -4095
      at new Uint8Array (<anonymous>)
      at new FastBuffer (internal/buffer.js:958:5)
      at Handle.onStreamRead [as onread] (internal/stream_base_commons.js:187:19)
      at Stream.<anonymous> (/usr/src/app/node_modules/spdy/node_modules/handle-thing/lib/handle.js:120:12)
      at Stream.emit (events.js:412:35)
      at Stream.emit (domain.js:475:12)
      at endReadableNT (/usr/src/app/node_modules/readable-stream/lib/_stream_readable.js:1010:12)
      at processTicksAndRejections (internal/process/task_queues.js:82:21)

and the client side curl command returns with:

  curl -k https://127.0.0.1:5443
  curl: (52) Empty reply from server

Has anyone tried to achieve the same thing and had success with it? Maybe I'm missing something obvious; I'm not too familiar with Node.js. I appreciate any help.

Thanks, SilverTux


1 Answer

If someone would like to achieve the same thing as I did, I've found a workaround for this problem thanks to the developers of shields.

You can't use the config to deploy shields as an HTTPS site, but you can deploy an nginx proxy which forwards HTTPS requests to the HTTP shields server. To do so you need the following config for nginx:

server {
    # nginx terminates TLS here; shields itself keeps listening on plain HTTP
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name <your_domain_name>;

    ssl_certificate /etc/ssl/certs/<your_domain_name>.crt;
    ssl_certificate_key /etc/ssl/private/<your_domain_name>.key;

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;

        # pass the original host, client address and scheme on to shields
        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;

        # forward to the HTTP port the shields container listens on
        proxy_pass  http://<your_domain_name>:<port_where_shieldsio_listens>;
    }

    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
        root  /usr/share/nginx/html;
    }
}

Using this config the deployed nginx will handle HTTPS connections and the content will still be provided by the running shieldsio server.
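The question's openssl steps are interactive and produce a certificate with no subjectAltName, which current browsers and curl reject when checking the hostname. The script below is an added example (not from the question, the answer or the shields project): it creates the key and certificate the nginx `ssl_certificate`/`ssl_certificate_key` lines expect in one non-interactive step, keeps the key unreadable to other users, and checks that key, certificate and hostname belong together before nginx is pointed at them. The hostname and the output directory are assumptions; OpenSSL 1.1.1 or newer is required for `-addext`.

```shell
#!/bin/sh
# Added example: self-signed TLS material for the nginx proxy in front of
# shields, plus a sanity check of the generated pair. Constructed values:
# the hostname and output directory passed in by the caller.
set -eu

# make_selfsigned <hostname> <outdir>: writes <outdir>/<hostname>.key and .crt
make_selfsigned() {
    host="$1"; out="$2"
    mkdir -p "$out"
    umask 077   # the private key is created with mode 0600
    # Replaces the genrsa + req + x509 sequence: 2048-bit RSA key, SHA-256
    # signature, one year validity, CN and SAN both set to the proxy hostname.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$out/$host.key" -out "$out/$host.crt" >/dev/null 2>&1
}

# check_pair <hostname> <outdir>: returns 0 when the key matches the
# certificate and the certificate is valid for <hostname>, non-zero otherwise.
check_pair() {
    host="$1"; out="$2"
    # compare the public key derived from the private key with the one
    # embedded in the certificate
    key_pub=$(openssl pkey -in "$out/$host.key" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$out/$host.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || return 1
    # self-signed: trust the certificate itself as the CA, then verify the
    # hostname against CN/SAN exactly as a client would
    openssl verify -CAfile "$out/$host.crt" -verify_hostname "$host" \
        "$out/$host.crt" >/dev/null 2>&1
}

# usage: sh make_tls.sh run shields.example.test ./tls
if [ "${1:-}" = "run" ]; then
    make_selfsigned "${2:-shields.example.test}" "${3:-./tls}"
    check_pair "${2:-shields.example.test}" "${3:-./tls}" && echo "key/cert OK"
fi
```

Copy the resulting `.crt` and `.key` to the paths referenced by `ssl_certificate` and `ssl_certificate_key` in the nginx config above; the `check_pair` step is the same check nginx and curl would otherwise fail on at connection time.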
