cors-anywhere
How to setup for https
How do I setup https? thanks
The default server.js does not provide this functionality; you need to create a node script that imports my library and passes the key and certificate to the httpsOptions option (this is documented at the end of the README, https://github.com/Rob--W/cors-anywhere#server):
httpsOptions - If set, a https.Server will be created. The given options are passed to the https.createServer method.
There is an example in the unit tests: https://github.com/Rob--W/cors-anywhere/blob/97c6e53020da622b006842ef112bc721cac0c47d/test/test.js#L385-L390
First you need the certificate and key (the unit tests use NODE_TLS_REJECT_UNAUTHORIZED because of the self-signed certificate for development, you should NOT use this environment variable in production). The "createServer" function that you see in the unit test can be accessed through require('cors-anywhere').createServer.
@seacrawler11:
This works with Let's Encrypt Cert:
```sh
certbot certonly --standalone -d example.com
chmod -R 0770 /etc/letsencrypt/archive/
chown -R root:node /etc/letsencrypt/archive/
```

```js
var fs = require('fs');
var host = process.env.HOST || '0.0.0.0';
var port = process.env.PORT || 1234;
var cors_proxy = require('cors-anywhere');
// checkRateLimit must be a function; lib/rate-limit builds one from the spec string.
var checkRateLimit = require('cors-anywhere/lib/rate-limit')('1 100 www.somesite.com');
cors_proxy.createServer({
    httpsOptions: {
        key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
        cert: fs.readFileSync('/etc/letsencrypt/live/example.com/fullchain.pem')
    },
    originWhitelist: ["https://www.somesite.com"], // Only this origin may use the proxy
    requireHeader: ['origin', 'x-requested-with'],
    removeHeaders: ['cookie', 'cookie2'],
    checkRateLimit: checkRateLimit
}).listen(port, host, function() {
    console.log('Running CORS Anywhere on ' + host + ':' + port);
});
```
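The script above reads the key from certbot's live/ directory while the chmod/chown step targets archive/; the live/ entries are symbolic links into archive/, so the permissions that matter are those of the resolved file. The following is an added example, not code from the thread or from cors-anywhere: it resolves the key path and refuses a key that is readable by "other" users. The helper names, the refusal policy and the temporary sample tree are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Resolve symlinks (certbot's live/ entries point into archive/) and report
// the permission bits of the file that is actually read.
function inspectKeyFile(keyPath) {
  const realPath = fs.realpathSync(keyPath);
  const mode = fs.statSync(realPath).mode & 0o777;
  return {
    realPath: realPath,
    isSymlink: fs.lstatSync(keyPath).isSymbolicLink(),
    mode: mode.toString(8).padStart(3, '0'),
    worldAccessible: (mode & 0o007) !== 0,
  };
}

// Build httpsOptions only when the key is closed to "other" users.
function loadHttpsOptions(keyPath, certPath) {
  const info = inspectKeyFile(keyPath);
  if (info.worldAccessible) {
    throw new Error('refusing key ' + info.realPath + ' (mode ' + info.mode + ')');
  }
  return { key: fs.readFileSync(keyPath), cert: fs.readFileSync(certPath) };
}

// Constructed sample: a temp tree shaped like live/ -> archive/, placeholder contents.
function buildSampleTree(keyMode) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'le-sample-'));
  const archive = path.join(root, 'archive');
  const live = path.join(root, 'live');
  fs.mkdirSync(archive);
  fs.mkdirSync(live);
  fs.writeFileSync(path.join(archive, 'privkey1.pem'), 'PLACEHOLDER KEY\n');
  fs.writeFileSync(path.join(archive, 'fullchain1.pem'), 'PLACEHOLDER CERT\n');
  fs.chmodSync(path.join(archive, 'privkey1.pem'), keyMode);
  fs.symlinkSync(path.join(archive, 'privkey1.pem'), path.join(live, 'privkey.pem'));
  fs.symlinkSync(path.join(archive, 'fullchain1.pem'), path.join(live, 'fullchain.pem'));
  return { key: path.join(live, 'privkey.pem'), cert: path.join(live, 'fullchain.pem') };
}

const sample = buildSampleTree(0o640);
console.log(inspectKeyFile(sample.key));
```

The object returned by loadHttpsOptions can be passed as the httpsOptions value to createServer.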
@tmikaeld Have tried your solution but am seeing a "Not Secure" https certificate when I visit the ip address? Is there something I am doing wrong?
@Jack-Collins You need a domain name, also called common name when issuing the certificate. A self-signed certificate is not enough to get rid of the "Non secure" warning.
I am running a local version of cors-anywhere on localhost:8081. The website I am developing is running on localhost:8080. When I try to proxy my API call, I am getting an SSL error, even though I am using port 443 as mentioned in the provided example of the repo.
Error:
GET https://localhost:8081/https://www.food2fork.com:443/api/search?key=b56ac31b92e495b234bd7321b5afa1f5q=pizza net::ERR_SSL_PROTOCOL_ERROR
As I understand it, shouldn't I be automatically using ssl if I make a request in the form:
http://localhost:8080/google.com:443
@Shahrukh95 The error message suggests that you're requesting the URL via httpS://localhost:8081/, but that the (proxy) server does not support httpS. Either add https support (by configuring a certificate as documented above), or use http://localhost:8081/ instead (http instead of https).
originWhitelist
Note that if you use an .env file, you should format the URLs without quotes and brackets, like:
CORSANYWHERE_WHITELIST = https://google.com, https://yourdomain.com
This is my working example code
```js
// dotenv must be installed to load the .env file
require('dotenv').config();
var fs = require('fs');

// Listen on a specific host via the HOST environment variable
var host = process.env.HOST || '0.0.0.0';
// Listen on a specific port via the PORT environment variable
var port = process.env.PORT || 8080; // for http
// Set PORT_https to a port other than PORT; the two servers cannot share one port.
var port_https = process.env.PORT_https || 8080; // for https

// Grab the blacklist from the command-line so that we can update the blacklist without deploying
// again. CORS Anywhere is open by design, and this blacklist is not used, except for countering
// immediate abuse (e.g. denial of service). If you want to block all origins except for some,
// use originWhitelist instead.
var originBlacklist = parseEnvList(process.env.CORSANYWHERE_BLACKLIST);
var originWhitelist = parseEnvList(process.env.CORSANYWHERE_WHITELIST);
function parseEnvList(env) {
  if (!env) {
    return [];
  }
  // Trim each entry so that "a, b" does not yield " b", which never matches an Origin header.
  return env.split(',').map(function(item) {
    return item.trim();
  });
}

console.log('port, http, https : ', port, port_https);
console.log('originWhitelist', originWhitelist);

// Set up rate-limiting to avoid abuse of the public CORS Anywhere server.
var checkRateLimit = require('./lib/rate-limit')(process.env.CORSANYWHERE_RATELIMIT);

// ************** http ***************************
var cors_proxy = require('./lib/cors-anywhere');
cors_proxy.createServer({
  originBlacklist: originBlacklist,
  originWhitelist: originWhitelist,
  requireHeader: ['origin', 'x-requested-with'],
  checkRateLimit: checkRateLimit,
  removeHeaders: [
    'cookie',
    'cookie2',
    // Strip Heroku-specific headers
    'x-heroku-queue-wait-time',
    'x-heroku-queue-depth',
    'x-heroku-dynos-in-use',
    'x-request-start',
  ],
  redirectSameOrigin: true,
  httpProxyOptions: {
    // Do not add X-Forwarded-For, etc. headers, because Heroku already adds it.
    xfwd: false,
  },
}).listen(port, host, function() {
  console.log('Running CORS Anywhere http : ' + host + ':' + port);
});
// ************** end ************* http ***************************

// ************** https ***************************
var cors_proxy_https = require('./lib/cors-anywhere');
cors_proxy_https.createServer({
  // add https support
  // https://github.com/Rob--W/cors-anywhere/issues/74
  httpsOptions: {
    key: fs.readFileSync(__dirname + '/private.key', 'utf8'),
    cert: fs.readFileSync(__dirname + '/public.cert', 'utf8')
  },
  // ********** end **** https ***************************
  originBlacklist: originBlacklist,
  originWhitelist: originWhitelist,
  requireHeader: ['origin', 'x-requested-with'],
  checkRateLimit: checkRateLimit,
  removeHeaders: [
    'cookie',
    'cookie2',
    // Strip Heroku-specific headers
    'x-heroku-queue-wait-time',
    'x-heroku-queue-depth',
    'x-heroku-dynos-in-use',
    'x-request-start',
  ],
  redirectSameOrigin: true,
  httpProxyOptions: {
    // Do not add X-Forwarded-For, etc. headers, because Heroku already adds it.
    xfwd: false,
  },
}).listen(port_https, host, function() {
  console.log('Running CORS Anywhere https ' + host + ':' + port_https);
});
```
my working code here
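cors-anywhere compares each originWhitelist entry with the request's Origin header as an exact string and treats an empty list as "all origins allowed", so a stray space, quote or trailing slash in CORSANYWHERE_WHITELIST, or an .env file that fails to load, changes who can use the proxy. The following is an added example, not code from the thread or the project: a stricter parser for the comma-separated format shown in the .env note above. parseOriginWhitelist is a hypothetical helper name, and refusing to start on an empty list is an assumed policy.

```javascript
// Parse a comma-separated origin list such as
//   https://google.com, https://yourdomain.com
// and fail closed on anything that cannot equal a browser's Origin header.
function parseOriginWhitelist(raw) {
  const entries = (raw || '')
    .split(',')
    .map(function (item) { return item.trim(); })
    .filter(Boolean);
  if (entries.length === 0) {
    // An empty originWhitelist makes cors-anywhere accept every origin.
    throw new Error('CORSANYWHERE_WHITELIST is empty; refusing to start an open proxy');
  }
  return entries.map(function (entry) {
    let url;
    try {
      url = new URL(entry);
    } catch (e) {
      // Quotes and brackets copied from a JS array literal end up here.
      throw new Error('not a URL: ' + JSON.stringify(entry));
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      throw new Error('unsupported scheme: ' + JSON.stringify(entry));
    }
    if (url.origin !== entry) {
      // Paths, trailing slashes, upper case and default ports never match.
      throw new Error('not a bare origin: ' + JSON.stringify(entry) +
        ' (expected ' + url.origin + ')');
    }
    return entry;
  });
}

// Constructed sample value in the format from the .env note.
const sampleEnv = 'https://google.com, https://yourdomain.com';
console.log(parseOriginWhitelist(sampleEnv));
```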
FWIW I had to change tmikaeld's response to use port 443 and then things worked for me.
chmod -R 0770 /etc/letsencrypt/archive/
chown -R root:node /etc/letsencrypt/archive/
Is it the "live" or "archive" folder? Node.js uses the live folder, but you have mentioned the archive folder.