0

I have been searching high an low for this and have not been able to find a solution. I have the following code in the server:

import express from 'express';
import { createServer } from 'https';
import { Server } from "socket.io";
import fs from 'fs';

const app = express();

const credentials = {
        key: fs.readFileSync('../key.pem'),
        cert: fs.readFileSync('../cert.pem')
};

// create http/https server
const server = createServer(credentials, app);

const io = new Server(server);

io.on('connection', (socket) => {
  console.log('a user connected');
});

server.listen(3000, () => {
        console.log('listening on localhost:3000');
});

Now in the client side I have:

import { io } from "socket.io-client";
import fs from "fs";

const socket = io("https://localhost:3000", {
        rejectUnauthorized: false,
        ca: fs.readFileSync("../cert.pem") 
});

socket.on("connect", () => console.log("connected to server"));

If I change the server side to import to:

import { createServer } from 'http';

instead of:

import { createServer } from 'https';

and I change the client side to:

const socket = io("http://localhost:3000");

instead of:

const socket = io("https://localhost:3000");

I socket io is able to communicate just fine

It is just the https. I tried to add certs and to set

rejectUnauthorized: false

with no avail. I found this question, but nothing there has worked. The socket io documentation has not been much help. What can I try next?

halfer
  • 19,824
  • 17
  • 99
  • 186
Salty Salamander
  • 1
  • 1

2 Answers2

1

As HTTPS will try to reject at 127.0.0.1, WSS will as well but off the bat no way to bypass correct?

In development most users hit this wall initially till they have more time to set this up correctly.

Insert this code into your web socket server file.

process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

Only in development do you use this, it's not to EVER be used in production.

BGPHiJACK
  • 1,277
  • 1
  • 8
  • 16
  • Please check for duplicates before posting an answer –  Oct 15 '21 at 08:09
  • I know, I did but non of the other questions solved my problem. – Salty Salamander Oct 15 '21 at 08:12
  • Generally just an issue with bypassing secure features; your certs provided as well may not be suitable for local-development, I've seen this a few times thus not allowing secure connection at all even if bypassed. So in other words if you didn't produce those certs ditch them rewrite new ones for testing and get busy. :) – BGPHiJACK Oct 15 '21 at 08:15
  • @blanknamefornow, Thank you for the answer. Although it still doesn't work. Do you think it has something to do with the self-signed certificate? would it work with an an other type of certificate? – Salty Salamander Oct 15 '21 at 08:19
  • Yeah, I have produced generated the certs twice already. – Salty Salamander Oct 15 '21 at 08:21
  • maybe I will just disable https on development until I can find a way to solve this issue, hopefully before production. – Salty Salamander Oct 15 '21 at 08:23
  • It's unlikely but sometimes tutorials provide incorrect files or your generate them wrong. A bit confusing to go into details. – BGPHiJACK Oct 15 '21 at 08:24
  • Your client side has a CA, it shouldn't need one! The client is going to request security it shouldn't need to provide the CA. – BGPHiJACK Oct 15 '21 at 08:25
  • @blanknamefornow, thank you for still bearing with me. I user the [offical nodejs https docs](https://nodejs.org/en/knowledge/HTTP/servers/how-to-create-a-HTTPS-server/) to generate the certs. – Salty Salamander Oct 15 '21 at 08:27
  • I'd honestly remove in the client-side the attributes set for socket.io. rejectUnauthorized and the ca completely. You should be able to connect normally like a browser would and can without any of that! Beyond that, with the fix above just have it sit first line in code both client/server files to test. – BGPHiJACK Oct 15 '21 at 08:30
  • no avail. I guess I am just pretty... salty. – Salty Salamander Oct 15 '21 at 08:33
  • Must be something silly, but you'll get it you're not doing anything wrong by initial looks. Lots of things you can do in development to correctly get this going for your needs and get it going production no issue. – BGPHiJACK Oct 15 '21 at 08:37
  • @blanknamefornow, thank you. I truly appreciate your input. I hope this does not come to bite me in the future. – Salty Salamander Oct 15 '21 at 08:54
  • Just use CloudFlare or something practical when it comes to that. Only story I have is when my chat-servers were on self-generated certificates I had forgotten and they expired many users at midnight were not able to connect when this happened. Took about a good minute to realize and removed it completely. Trouble shooting like this now saves you later. – BGPHiJACK Oct 15 '21 at 09:10
1

The best option to implement https in your application is to do it on a "real" http server. E.g.: nginx, Apache, ...

What you get directly from Node is sufficient for development purposes, but it is not recommended using it in a real environment. If only because it handles Keep-Alive connections on average. (This is what you'll experience the fastest.)

Next come the issues of performance and scalability. You must remember that the Node application is basically single-threaded. With many customers, even the "stupid" cors request takes resources that could be spent on actual customer service.

Did you know you can run multiple instances of a Node application? (it is enough to properly manage the shared data) This can be done e.g. via upstream in nginx. Or use e.g. Phusion Passenger (Which will immediately manage application restarts after an unexpected crash, instead of managers like pm2)

bato3
  • 2,695
  • 1
  • 18
  • 26
  • Thanks @Bato3, this are amazing tips. I definitely use them when deploying in the server. ! – Salty Salamander Oct 15 '21 at 18:18
  • And yeah,I kind of gave up trying to get HTTPS working in development. I had the notion that this was a issue I might have to solve now better than later, but now I realize that it might be easier to actually solve it later. Thank you for input. – Salty Salamander Oct 15 '21 at 18:20