Update application to support https endpoints #78
Conversation
This is a critical security fix for potential MITM attacks against http endpoints. An attacker could hijack the nuts server responses and force users to download vulnerable software unknowingly. This pull request enables an optional (but recommended) https endpoint so that applications will be protected when retrieving updates.
|
@hoffmabc You are right that using HTTPS is important. But usually in production, ssl termination is done by So end users can still deploy The code you submitted isn't mergeable, it will crash if What would make more sense is to check that the env values are non empty ( So if you can change your code to not crash and not require |
|
I can make those fixes. My main concern with the reverse proxy piece is that naive users may not think to do this and supporting it directly in nuts would be an easy, simple option as well, but your point is taken. |
hoffmabc
changed the title
|
How does this work for you @AaronO ? |
|
many people terminate with node. +1 on this PR. |
|
Any updates on this? |
|
|
||
| if (process.env.HTTPS_KEYFILE !== 'undefined') { | ||
| try { | ||
| key = fs.readFileSync(process.env.HTTPS_KEYFILE); |
There was a problem hiding this comment.
i would just throw here in any case, if the env var is set and there's an error reading the file, fail hard
| @@ -17,6 +20,36 @@ if (process.env.ANALYTICS_TOKEN) { | |||
| analytics = new Analytics(process.env.ANALYTICS_TOKEN); | |||
| } | |||
|
|
|||
| // Set up for https termination | |||
| var key = "", cert = "" | |||
|
+1 node https support is great for adoption |
|
Hi, I merged the project to a new repo to start maintain it, I would be glad if you can put your pull request here : https://github.com/loprima-l/nuts-2 |
This is a critical security fix for potential MITM attacks against http endpoints. An attacker could hijack the nuts server responses and force users to download vulnerable software unknowingly. This pull request enables an optional (but recommended) https endpoint so that applications will be protected when retrieving updates.