Redirecting HTTP to HTTPS with Node.js on IBM Bluemix

Colleague Jeff Sloyer points out in his recent blog post, Inbound SSL in Bluemix, that an app using the default domain for IBM Bluemix (which is mybluemix.net) gets SSL support automatically. This means that, without taking any other action, the app is accessible via https and traffic is secured by a fully trusted certificate provided by IBM. However, if you're not careful, your app will continue to be accessible via http, which completely bypasses SSL. In this post, I’ll show code for a simple approach (which differs from Sloyer’s) to make a Node.js app redirect http requests to https by leveraging parts of the Express web app framework. In addition, I’ll touch on issues with custom domains that occur when using the built-in, default SSL certificate.

Taking a Closer Look at Default Behavior

To show what happens “out-of-the-box”, I’ve created an app in the Bluemix UI using the SDK for Node.js™ starter. You can access it for yourself via the links below (using either http or https):

In either case, you’ll see a web page like the following:

Screenshot of Node.js Starter App

However, when you use https, notice that the browser shows a lock icon in the address bar. And, if you dig into the certificate details, you should see something like the following (which happens to be from Chrome):

Certificate info for mybluemix.net

This indicates that the certificate for *.mybluemix.net was issued by DigiCert and is trusted. You can rest assured the web site is coming from a server running on mybluemix.net, and the data is encrypted. On the other hand, if you use http there is no certificate info, and web traffic is unencrypted.

Redirecting HTTP to HTTPS

Where Will It Run?

While the Node.js app has been tested only on Bluemix, it should also run anywhere the app is sitting behind a reverse proxy. In particular, since Bluemix is a Platform-as-a-Service (PaaS) built on top of the Cloud Foundry open source framework, I'd expect the code to run without change in any other Cloud Foundry-based environment.

If we want to guarantee all of our traffic uses SSL, we need to ensure http requests are redirected to https. I’ve written a small Node.js application demonstrating how to do this when running on Bluemix. The code makes use of the Express framework, and this really simplifies the work. The key components of the solution are:

  • Enabling trust proxy to turn on reverse proxy support
  • Using req.secure to determine if http or https was requested
    • NOTE: req.secure is a shortcut for a string compare of req.protocol against "https". With trust proxy enabled, Express sets req.protocol based on the X-Forwarded-Proto request header.

The full code listing is shown below. And, a complete package that can be deployed to Bluemix (including instructions on how to do so) is available on GitHub.

You can access a live Bluemix deployment of the code with the URLs below (one using http and one using https):

In both cases, you should see a page like the one below (served over https):

Screenshot of HTTPS Redirect Demo

Alternative Approach: Inspect X-Forwarded-Proto

In my code, I enabled trust proxy and then left most of the work to the Express framework. A slightly lower-level, “long hand” approach is described by Sloyer in his previously mentioned post. His code example is illustrative as he manually inspects the X-Forwarded-Proto request header. This gives a sense of what’s going on behind the scenes, and is especially useful if not using Express.
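
The following added example (neither the listing from this post nor Sloyer's code) does by hand, in plain Node.js, the check this post delegates to Express: it reads X-Forwarded-Proto and redirects http requests to https. The function names and the hostnames in ALLOWED_HOSTS are hypothetical, the Host allowlist is an addition of this example, and it assumes the app is reachable only through the platform's reverse proxy.

```javascript
// Added example, not the post's listing. Plain Node.js, no Express.
// Assumption: the app is reachable only through the platform's reverse proxy,
// which sets X-Forwarded-Proto; a client that can reach the app directly
// could forge the header.

// Hypothetical allowlist of hostnames this app answers for (constructed values).
const ALLOWED_HOSTS = new Set(['myapp.example.com', 'www.example.com']);

// Protocol the client used to reach the proxy, or null if the header is absent.
function forwardedProto(headers) {
  const raw = headers['x-forwarded-proto'];
  if (typeof raw !== 'string') return null;
  // Chained proxies can produce "https, http"; take the first entry.
  return raw.split(',')[0].trim().toLowerCase();
}

// Decide what to do with a request: pass it on, redirect it, or reject it.
function decide(headers, url, allowedHosts) {
  if (forwardedProto(headers) === 'https') return { action: 'pass' };
  const host = String(headers.host || '').toLowerCase();
  // The Host header is client-controlled: never reflect an unknown value
  // into the Location header.
  if (!allowedHosts.has(host)) return { action: 'reject' };
  // Only origin-form paths are appended; anything else falls back to "/".
  const path = typeof url === 'string' && url.startsWith('/') ? url : '/';
  return { action: 'redirect', location: 'https://' + host + path };
}

// Request listener with the (req, res) shape that http.createServer() expects.
function handler(req, res) {
  const d = decide(req.headers, req.url, ALLOWED_HOSTS);
  if (d.action === 'redirect') {
    res.writeHead(301, { Location: d.location });
    return res.end();
  }
  if (d.action === 'reject') {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('Unrecognized Host header\n');
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('Hello over HTTPS\n');
}

// Constructed sample requests as they would look after passing the proxy.
for (const [proto, host] of [['http', 'myapp.example.com'], ['https', 'myapp.example.com'], ['http', 'evil.test']]) {
  const d = decide({ 'x-forwarded-proto': proto, host }, '/login?next=%2F', ALLOWED_HOSTS);
  console.log(proto, host, '->', d.action, d.location || '');
}
```

To serve real traffic, pass handler to http.createServer() and listen on the port the platform assigns.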

What About Custom Domains?

To this point, I’ve only been talking about URLs using the default mybluemix.net domain. The reason is that if you use a custom domain, things don’t come together quite as smoothly. You still technically get https for free, but the browser will complain about a domain mismatch after inspecting the certificate.

To allow you to easily see this for yourself, I’ve added a route to the https-redirect-demo app which uses the tonyerwin.com domain:

If you follow that link, the redirect from http to https still occurs. But, your browser is going to tell you that you can’t trust the identity of the site. For example, here’s what I see in Chrome:

Security Warning in Chrome With Custom Domain

Basically, the same certificate that was present for the *.mybluemix.net domain is still being served, but its domain info doesn’t match my tonyerwin.com custom domain. So, Chrome tells me I should probably stay clear and not continue.

Clearly, you wouldn’t want this kind of message appearing for your production apps. The only way to solve this problem is to upload an SSL certificate which matches *.tonyerwin.com. You can learn all about using your own SSL certificates in my post called Bluemix UI: SSL Certificates and Custom Domains.

Conclusion

In this post, you saw how both http and https are enabled for Bluemix apps using the default mybluemix.net domain. Then, you saw how a few lines of code in a Node.js app allow you to redirect all http requests to https (which then ensures data shared between your app and the user’s browser is trusted and encrypted). Finally, you learned that more work is needed to avoid SSL certificate errors when using https with a custom domain. The additional work to upload your own SSL certificates will be the subject of a follow-up post in the near future.

Updated, Sept. 15, 2014 to include link to my new post entitled “Bluemix UI: SSL Certificates and Custom Domains.”

The Bluemix UI updates for August are now live in 85 countries! The team kept busy this month and put together a lot of awesome new features since our July refresh. We think you’ll enjoy these enhancements, which include:

  • Better Allowances for Runtime Usage
  • Cost Estimator — estimate costs for your apps and services based on configurations you specify
  • Redesigned App Details — featuring a cleaner look, brand new function, and responsiveness for mobile devices
  • SSL Certificates for Custom Domains — upload SSL certificates to secure your custom domains
  • Apple iOS Solutions Page — learn about the power of the Bluemix and iOS combo
  • Multimedia for Catalog Offerings — enhanced media (in the form of images and videos) for numerous items in the catalog
  • Java Cloudant Web Starter — get started quickly with Java and Cloudant NoSQL DB
  • Documentation Updates — navigation improvements and updated styling
  • Many bug fixes and usability improvements

Bluemix UI Updates: August 2014

About this time a week ago, I was in the middle of the opening night meet-and-greet at That Conference 2014 held at the Kalahari Resort in Wisconsin Dells, WI. While the “Dells” (as we in the region refer to it) is the self-proclaimed “Water Park Capital of the World”, That Conference is a major tech event with 1000+ software developers, designers, and IT professionals getting together to share information about happenings in mobile, web, and cloud. I was there to represent IBM (the Principal Sponsor of the conference) with the goal of sharing IBM Bluemix with a new group of developers.

For those readers who may not know, Bluemix is IBM’s new Platform-as-a-Service (PaaS) offering intended to facilitate rapid development of applications in the cloud. It offers more than 50 services to use in your apps and flexible, pay-as-you-go pricing (after a 30-day free trial).

Working the Bluemix Booth

IBM Bluemix: T-shirts

I drove over from MN and met up with colleagues Mark VanderWiele and Carl Osipov. We spent most of our time from Sunday night through Wednesday at the IBM booth talking Bluemix with attendees. There was regular traffic and we ended up running out of the very popular t-shirts we were handing out as SWAG. :)

The vast majority of visitors to the booth (like 99%) had never heard of Bluemix. This wasn’t terribly surprising since we just GA’ed at the end of June, so it offered us a great opportunity to spread the word. Folks who stayed at the booth long enough to see demos of the Bluemix UI and/or sample apps seemed to leave with a favorable impression. For example, I tweeted the following after Farah Prasla got her introduction to Bluemix:

Bluemix Break-out Sessions

IBM Bluemix: Carl Osipov Presenting

The team also held two Bluemix breakout sessions on Tuesday afternoon. These sessions were intended to take people through a deeper dive to see how easy it was to construct the sample apps shown at the booth:

Positive Feedback on Twitter

By the end of the week, we had accumulated a lot of positive feedback on Bluemix (even though most people started the week unaware of the platform). Below are some of my favorite tweets from conference participants showing the inroads we made in this community:

Picture Albums

What’s a conference summary without some pictures? From keynotes to pig roasts to “bacon bars,” below are links to some of my picture highlights over the four days of the conference:

Final Thoughts

In short, we had a great time last week at That Conference 2014. The conference was well-organized, and everyone was friendly and eager to talk about technology. The staff was awesome to work with and regularly checked in to see if we needed anything. So, thanks That Conference! :)

Most importantly, we were able to connect with a lot of people who had never heard of Bluemix. For those people, please let us know if you have any post-conference questions or other feedback. And, if you haven’t already, be sure to go out to Bluemix.net and sign-up for a free 30-day trial. Also, check out the Bluemix Dev-to-Dev Community and follow @IBMBluemix on Twitter.

IBM Bluemix and That Conference 2014

It’s been just one month since IBM Bluemix reached general availability, but we already have another round of Bluemix UI updates! The new features include enhancements to collaboration, catalog, solutions pages, and responsiveness. You’ll also notice updates to Bluemix Documentation with improved search, filtering, and mobile rendering. And, finally, there was a healthy dose of general bug squashing and usability tweaks.

Check out my write-up on the Bluemix Developers Community for the details.

Bluemix UI Updates: July 2014

I’ve recently jumped on the Paper.li bandwagon and created Tony’s #Bluemix Journal. Hopefully, it will contain interesting articles related to IBM Bluemix, cloud, and related technologies. So, please check it out!

Tony's #Bluemix Journal