nuts icon indicating copy to clipboard operation
nuts copied to clipboard

Published 20 hours ago verified publisher icon GitbookIO

I have an HTTPS feed but my RELEASE files are returned with HTTP urls for downloads

Open baconbrad opened this issue 8 years ago • 5 comments

Squirrel goes to download my RELEASES file from https://myurl.com:3000/update/win32_x64/0.1.13/RELEASES?id=MyApp&localVersion=0.1.13&arch=amd64.

But it tries to download an update from http://myurl.com:3000/download/0.1.14/MyApp-0.1.14-delta.nupkg. As a result it fails to download since we don't allow Nuts to run over HTTP nor do we want updates served over HTTP.

Going to https://myurl.com:3000/download/0.1.14/MyApp-0.1.14-delta.nupkg I get the file as expected.

Looking at https://myurl.com:3000/update/win32_x64/0.1.13/RELEASES?id=MyApp&localVersion=0.1.13&arch=amd64 in an editor I can see that Nuts is telling Squirrel to download from these HTTP links instead of the proper HTTPS links.

baconbrad avatar Feb 07 '17 22:02 baconbrad

Works fine in development when ran directly from node. It appears the issue is when ran on IIS with IIS-node.

baconbrad avatar Feb 08 '17 19:02 baconbrad

@baconbrad I see this issue when running Nuts within OpenShift. The https request is terminated at the load balancer and nuts is then called via http. Since getFullUrl(req) uses the same protocol as the incoming request you end up with an http instead of https url in the response.

dguettler avatar Apr 19 '18 19:04 dguettler

I also narrowed down the problem to getFullUrl(req). I ended up having to jimmy rig this with a hardcoded fix in nuts.js. I was unable to figure out what in our setup was causing this and we had to get the updater working in production ASAP. Seems to have worked for over a year without issue since.

function getFullUrl(req) {
    return req.protocol + '://' + req.get('host') + req.originalUrl;
}

Was changed to:

function getFullUrl(req) {
    return 'https://' + req.get('host') + req.originalUrl;
}

baconbrad avatar Apr 19 '18 19:04 baconbrad

@dguettler That does clarify things for me though now that I think about it. Node.js applications running on IISNode are actually HTTP servers tunneled through HTTPS. The binding for HTTPS is done through IIS 8.5 and not in the script itself. This must be what is throwing Nuts off.

baconbrad avatar Apr 19 '18 19:04 baconbrad

@baconbrad yes, forked the project and did exactly the same change. It may make sense to be able to set this via an environment variable.

dguettler avatar Apr 22 '18 19:04 dguettler