I am working on a NodeJS application which runs a server on https://localhost:port
and uses a self signed certificate (as no vendor provides a certificate for localhost). I am using AJAX call from my website to hit the locahost and send data to the NodeJs app. My calls are getting blocked due to INSECURE_CONTENT which is expected. I want to know if we have any workarounds for this?
3 Answers
Answers 1
Workaround is to enable it on browser level. This should allow AJAX calls also.
For Chrome
- Go to this url in chrome (chrome://flags/#allow-insecure-localhost)
- Hit enable.
- Then you have to relaunch your chrome browser so changes may affect.
For Firefox
- Go to your localhost in firefox. It should show you warning.
- Click Advanced
- Click Add Exception...
- New popup window will appear, click Get Certificate
- Verify that checkbox says 'Permanently store this exception'
Click 'Confirm Security Exception'. Refer Image below.
UPDATE:
As per op's comment, updated answer is below:
(Reply to this comment) For this simple hack is to have a proxy
route in your node app. Create route like http://localhost/proxy?yourwebsites_api/getData
. In node server proxy route will get GET
parameter from your url and hit your website server. And will return same response back. Like you do in c#
with HttpWebRequest or HttpClient or in PHP
with curl.
Answers 2
Add an entry for local.host 127.0.0.1
to your local hosts file to point the local.host domain to 127.0.0.1 ( on that machine only )
You can then create a self signed certificate for local.host
, make sure to use this with your nodejs app, and and add it to the root certificate store on your machine, this will make the browser recognize the certificate.
You need the local.host
entry because you need a well formated domain name for your self signed certificate.
You can create a self signed certificate like so:
openssl req -x509 -nodes -days 1000 -subj '/C=US/ST=CA/L=MV/CN=local.host' -newkey rsa:2048 -keyout local.host.key -out local.host.crt
On osx the hosts file is located on /etc/hosts
on windows it's at c:\windows\system32\drivers\etc\hosts
Here is how you can add your certificate to the root certificate store:
Windows:
http://www.thewindowsclub.com/manage-trusted-root-certificates-windows
Update:
Op pointed out by OP the app would be installed on a consumer desktop.
You could potentially generate a certificate for a myapp.mydomain.com, and point that to 127.0.0.1 after you require the certificate. This does not require you to add a certificate to to the root store. However, this will still require you to ship the private key with the app, which compromises the certificate for all users, it will also be painful to update the certificate. This is not a good solution.
You can generate a unique certificate during installation and install it in the root store. This also compromises the certificate, but only to the specific user. This reduces the attack vector, as the certificate it self is only supposed to protect the user, this is actually also how charlesproxy works.
Answers 3
The very easiest way to do this is to get an ngrok account. Ngrok uses wildcardcerts so you can run your server on your local machine but your urls start https://mycompany.ngrok.io
In addition to being more like a real server (urls can ignore the port) the ngrok control panel lets your replay messages (e.g. a form post breaks something server side; fix your server side code and re-play from the ngrok control panel so you don't have to fill in the form again)
Ngrok is also great if you want to be able to share your work in progress. The tunnels that ngrok creates are open to the public (unless you password protect them)
It's $60 per year for your own domain. Free if you want to use random domains like https://ba615d46.ngrok.io
0 comments:
Post a Comment