
SSL from letsencrypt

Open eldyvoon opened this issue 7 years ago • 5 comments

Please implement an option for free SSL provided by Let's Encrypt for express generator.

eldyvoon avatar Nov 22 '16 07:11 eldyvoon

Hi @eldyvoon you're welcome to make a pull request!

dougwilson avatar Nov 22 '16 16:11 dougwilson

The article https://medium.com/@yash.kulshrestha/using-lets-encrypt-with-express-e069c7abe625#.rzhg57t80 may help provide the how-to for getting this done :)

dougwilson avatar Feb 08 '17 02:02 dougwilson

Hello, I just don't understand what needs to be done for this issue. Is this a request for SSL in general or implementing something strictly related to Let's Encrypt? I normally manage SSL operations over Nginx. I believe no one just exposes Node.js app/Express app directly to the web. So, what's the point of bloating the generator instead of keeping it as bare minimum?

If you can explain the details a little bit more, I'll volunteer to work on it.

gokaygurcan avatar Feb 08 '17 08:02 gokaygurcan

> I just don't understand what needs to be done for this issue.

My guess is that @eldyvoon is wanting a lower barrier to entry for SSL (although the Let's Encrypt part doesn't sound necessary).

> I believe no one just exposes Node.js app/Express app directly to the web

Why do you say that? Playing with an application right now I exposed it directly to the web (temporarily), so at least one person does. The HTTPS server in Node exists, is maintained and enhanced - why would that be happening if nobody is exposing a Node server to the web? I don't believe everyone who reaches for something like the Express generator (often new developers use projects like this to bootstrap their application) is going to read the advanced security topics and understand what Nginx is and why they should use it - they just want to put something on the internet.

> So, what's the point of bloating the generator instead of keeping it as bare minimum?

Minimum has to be a balance - too minimal and there's no point to the generator at all, too bloated and people will look for more focused tools. Personally, I feel SSL has recently moved into the "minimum requirement" area - browsers are warning about sites without it, specifically those that solicit user input. Users can now get red flags in their browser right from the start, which is discouraging. From that perspective, I think it makes sense to add to the generator to bootstrap an SSL setup.

Noted that proliferation of flags is not awesome, but maybe default to HTTP only and add a flag for HTTPS only and another for HTTP/HTTPS? Definitely have to be some supporting documentation, but Let's Encrypt is pretty great, so it would likely be sufficient to say "you need keys, Let's Encrypt gives you keys, go get them then come back".

Maybe this project is relevant: https://git.daplie.com/Daplie/greenlock-express

tobymurray avatar Feb 18 '17 16:02 tobymurray

I don't personally think this is within the scope of the Express generator.

I do believe that having a section about SSL would be useful in the readme, but I believe that SSL is an important part of going to production with an Express app and so the greater need would be teaching people how to get an Express generator app ready for production.

Correct me if I'm wrong, but exposing port 443 requires sudo permissions. I don't think that encouraging folks to run their Node apps with sudo permissions is recommended. That gets into configuring their production environment safely, the nuts and bolts of which I think would be out of scope for this generator. So creating a section in the readme that recommends how folks should go to production would be useful, but baking it into the generator is something I don't really think is necessary. I'm more than willing to change my mind about this, but this is my input based on the project as it is today.

jonchurch avatar Feb 01 '20 05:02 jonchurch
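
The HTTP-only / HTTPS-only / both split suggested earlier in the thread, together with the port 443 concern from the last comment, sketched as an added example (not express-generator code and not written by anyone in the thread). The mode names, the `TLS_KEY`, `TLS_CERT`, `HTTPS_PORT` and `CANONICAL_HOST` variables and the 8443 default are assumptions; having the plain listener only redirect in `both` mode is this example's choice.

```javascript
// Added example; mode names, env vars and default ports are assumptions.
const fs = require('fs');
const http = require('http');
const https = require('https');

// Decide which listeners to open for mode 'http', 'https' or 'both'.
function planListeners(mode, env = {}) {
  const plan = [];
  if (mode === 'http' || mode === 'both') {
    plan.push({ proto: 'http', port: Number(env.PORT || 3000) });
  }
  if (mode === 'https' || mode === 'both') {
    if (!env.TLS_KEY || !env.TLS_CERT) throw new Error('TLS_KEY and TLS_CERT must name PEM files');
    plan.push({ proto: 'https', port: Number(env.HTTPS_PORT || 8443), key: env.TLS_KEY, cert: env.TLS_CERT });
  }
  if (plan.length === 0) throw new Error('unknown mode: ' + mode);
  // Ports below 1024 usually need elevated privileges to bind.
  for (const l of plan) l.privileged = l.port < 1024;
  return plan;
}

// Build the redirect from a configured host name, not the request's Host header.
function redirectLocation(host, httpsPort, path) {
  const port = httpsPort === 443 ? '' : ':' + httpsPort;
  return 'https://' + host + port + (String(path).startsWith('/') ? path : '/');
}

// app is any (req, res) handler, e.g. an Express application.
function start(app, mode, env = process.env) {
  const plan = planListeners(mode, env);
  const tls = plan.find((l) => l.proto === 'https');
  return plan.map((l) => {
    if (l.privileged) console.warn('port ' + l.port + ' needs elevated privileges');
    let server;
    if (l.proto === 'https') {
      const opts = { key: fs.readFileSync(l.key), cert: fs.readFileSync(l.cert) };
      server = https.createServer(opts, app);
    } else if (tls) { // 'both': the plain HTTP listener only redirects to HTTPS
      server = http.createServer((req, res) => {
        const host = env.CANONICAL_HOST || 'localhost';
        res.writeHead(301, { Location: redirectLocation(host, tls.port, req.url) });
        res.end();
      });
    } else {
      server = http.createServer(app);
    }
    return server.listen(l.port);
  });
}
```

With the defaults the process binds only unprivileged ports, so it does not need to run as root; something in front of it (a reverse proxy or a port forward) would own 443.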