Implementing / forcing SSL for LocomotiveJS apps (NodeJS / Express)

With MVC frameworks like LocomotiveJS now available for NodeJS / Express, I'm just wondering how it would be possible to implement SSL on part of an app?

For example, an ecommerce app.

I'd need all /checkout controllers to force SSL.

I've read tutorials like this one, but I'm not sure how to implement this with Locomotive, since Express is effectively "wrapped"?

Currently SSL is not directly supported by Locomotive, but should be soon, according to this Google Groups posting in April by Jared Hanson, the creator of Locomotive.

Currently, I've always been putting Locomotive behind a proxy that terminates SSL. But, I'll be adding a command line option for this shortly, for direct support.

That said, if you want a completely node-based solution without using a proxy, then for the time being you'll need to edit the Express instance in Locomotive. I've tested the below and it's working well.

As of writing, npm install locomotive uses Express 2.x, though the latest at GitHub has since been updated to use Express 3.x.

If you're using Locomotive with Express 2.x, then I think you have to edit /locomotive/lib/locomotive/index.js, around line 180, to look something like:

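    var fs = require('fs'); // add if this file does not already require it

    // TLS options handed to Express 2.x; use your own certificate and key paths
    var sslOptions = {
        cert : fs.readFileSync('/path/to/your/ssl-cert/dev.crt')
      , key  : fs.readFileSync('/path/to/your/ssl-key/dev.key')
    };

    // passing the options makes createServer() return an HTTPS server
    var self = this
      , server = express.createServer(sslOptions)
      , entry;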

Additionally, you will probably still want to listen on HTTP and redirect all traffic to HTTPS. Sticking with an all node-based solution, you could simply start another Express server at the end of /locomotive/lib/locomotive/cli/server.js that redirects all its traffic to HTTPS, e.g.

    ...
    debug('booting app at %s in %s environment', dir, env);
    locomotive.boot(dir, env, function(err, server) {
      if (err) { throw err; }
      server.listen(port, address, function() {
        var addr = this.address();
        debug('listening on %s:%d', addr.address, addr.port);
      });

      // add an HTTP server and redirect all requests to HTTPS
      // (`address` must be a hostname clients can reach, not a bind address such as 0.0.0.0)
      var httpServer = require('express').createServer();
      httpServer.all('*', function(req, res) {
        res.redirect('https://' + address + ':' + port + req.url);
      });
      httpServer.listen(80); // probably change based on NODE_ENV
    });
    }

Lastly, start the server:

    $ lcm server -p 443 # again, probably use a different port in development

All those frameworks are based on top of Express, which is based on Connect, which has HTTPS support.

Anyway, in a real-life situation you might want to have nginx or another proxy handling the HTTPS for you anyway.
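
For the original question (forcing SSL only on /checkout) in either deployment discussed in the answers above, Node terminating TLS itself or a proxy doing it, the check can live in one Connect-style middleware. This is an added example, not code from the answers or from Locomotive; the function name `forceSsl` and its option names are assumptions, and `shop.example.test` in the usage comment is a constructed hostname.

```javascript
// Added example: Connect-style middleware (req, res, next); no framework needed.
// Option names (host, port, prefixes, trustProxy) are assumptions of this sketch.
// Usage: forceSsl({ host: 'shop.example.test', prefixes: ['/checkout'] })
function forceSsl(options) {
  var host = options.host;                  // fixed name, never the request's Host header
  var port = options.port || 443;
  var prefixes = options.prefixes || ['/']; // path prefixes that require TLS
  var trustProxy = options.trustProxy === true;

  function isSecure(req) {
    // Node terminates TLS itself: the socket is flagged as encrypted.
    if (req.connection && req.connection.encrypted) { return true; }
    // A proxy terminates TLS: honour X-Forwarded-Proto only when the proxy is
    // known to overwrite it, otherwise any client could claim "https".
    if (!trustProxy) { return false; }
    var proto = String(req.headers['x-forwarded-proto'] || '');
    return proto.split(',')[0].trim().toLowerCase() === 'https';
  }

  function needsTls(path) {
    return prefixes.some(function (p) {
      var base = p.replace(/\/$/, '');
      // Match the prefix itself or anything below it, but not "/checkoutx".
      return path === base || path.indexOf(base + '/') === 0;
    });
  }

  return function (req, res, next) {
    // Express routes are case-insensitive by default, so compare in lower case.
    var path = req.url.split('?')[0].toLowerCase();
    if (!needsTls(path) || isSecure(req)) { return next(); }
    if (req.method !== 'GET' && req.method !== 'HEAD') {
      // The body already travelled in cleartext; refuse rather than redirect.
      res.statusCode = 403;
      return res.end('HTTPS required');
    }
    var authority = port === 443 ? host : host + ':' + port;
    res.statusCode = 301;
    res.setHeader('Location', 'https://' + authority + req.url);
    res.end();
  };
}
```

Set `trustProxy` only when every request reaches Node through the proxy and the proxy replaces any client-supplied X-Forwarded-Proto header.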