ruk·si

🟢 Node
HTTPS

Updated at 2015-07-25 15:51

First you need to get a certificate, they range between $9 and $20 per domain per year.

I personally use or SSLMate, depending the use case.

  • sslmate, Apex + Single Subdomain through command line: $15/year
  • SSLs, Apex + Single Subdomain: $4/year (3 years)
  • Namecheap, Apex + Single Subdomain: $9/year
  • Namecheap, Unlimited Subdomains: $94/year

Get a certificate from there or install the SSLMate program to automatically update your certificates.

sslmate buy example.com
# You specify the contact email, must be accessible for the activation code.
# Or use DNS approval: https://sslmate.com/help/approval/dns.
# Confirm.
# Check the provided email.
# Certificates are placed in the directory you initiated the command.

Copy certificates to /etc/ssl/private or other designated directory on all of your front-end servers.

Enable HTTPS on the server software.

# For Apache and nginx, you can use this.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
// e.g. for node you can use https standard library
// it is a good idea to save SSL file paths to env variables
var options = {
    key: fs.readFileSync(process.env.NODE_SSL_KEY),
    cert: fs.readFileSync(process.env.NODE_SSL_CERT)
};
require('https').createServer(options, requestHandler).listen(port);

Make sure your intra-site URLSs are defined without protocol or are relative.

FROM    <script src="http://example.com/jquery.js"></script>
TO      <script src="//example.com/jquery.js"></script>
OR      <script src="/jquery.js"></script>

Redirect all HTTP (80) calls to HTTPS (443).

var redirectPort = 80;
var redirectHandler = function (req, res) {
    var head = { "Location": "https://" + req.headers['host'] + req.url };
    res.writeHead(301, redirectHandler);
    res.end();
};
require('http').createServer(redirectHandler).listen(redirectPort);
console.log("Redirect server running at: " + redirectPort);

Turn on Strict Transport Security and Secure Cookies: