Update application to support https endpoints

[hoffmabc]

This is a critical security fix for potential MITM attacks against http endpoints. An attacker could hijack the nuts server responses and force users to download vulnerable software unknowingly. This pull request enables an optional (but recommended) https endpoint so that applications will be protected when retrieving updates.

[AaronO]

@hoffmabc You are right that using HTTPS is important. But usually in production, ssl termination is done by nginx, the CDN or a reverse proxy.

So end users can still deploy nuts in production over https without nuts having to do the ssl termination.

The code you submitted isn't mergeable, it will crash if HTTPS_KEYFILE or HTTPS_CERTFILE are undefined, or if they point to files that don't exist. (fs.readFileSync will throw an exception, but that's not handled and you only check if their content is empty after reading them).

What would make more sense is to check that the env values are non empty (!== ""), before calling fs.readFileSync and simply let those fail. If the user specifies those envs but the files are invalid/missing, he'll want the process to crash and know.

So if you can change your code to not crash and not require HTTPS_KEYFILE or HTTPS_CERTFILE, then it would be mergeable.

[hoffmabc]

I can make those fixes. My main concern with the reverse proxy piece is that naive users may not think to do this and supporting it directly in nuts would be an easy, simple option as well, but your point is taken.

[hoffmabc]

How does this work for you @AaronO ?

[heapwolf]

many people terminate with node. +1 on this PR.

[hoffmabc]

Any updates on this?

[juliangruber]

+1 node https support is great for adoption

[loprima-l]

Hi, I merged the project to a new repo to start maintain it, I would be glad if you can put your pull request here : https://github.com/loprima-l/nuts-2