Bug 1138137

Summary: Undefined req.headers.host when using SSL on node.js application
Product: OpenShift Online
Reporter: JVerstry <tshikatshikaaa>
Component: Security
Assignee: Dan McPherson <dmcphers>
Status: CLOSED NOTABUG
QA Contact: Xiaoli Tian <xtian>
Severity: high
Priority: unspecified
Version: 1.x
CC: jialiu, jokerman, lmeyer, mmccomas, tshikatshikaaa
Last Closed: 2014-09-11 14:32:20 UTC
Type: Bug

Description JVerstry 2014-09-04 07:09:46 UTC
Description of problem:

In a node.js Express 4.0 application using https, including forwarding from http to https, the received requests are not populated correctly. Some are not received at all.

I have opened a SO question with details: http://stackoverflow.com/questions/25654796/creating-an-express-js-4-0-application-with-https-on-openshift-including-http-r/

Some OpenShift documentation (https://help.openshift.com/hc/en-us/articles/202398810-How-to-redirect-traffic-to-HTTPS-) recommends using:

    function redirectSec(req, res, next) {
        if (req.headers['x-forwarded-proto'] == 'http') { 
            res.redirect('https://' + req.headers.host + req.path);
        } else {
            return next();
        }
    }

for redirect, but this code does not work. In my tests (see SO question, ligatures.net), some requests slip through unpopulated (req.headers.host is undefined for example).
 
Moreover, it uses req.path which will ignore query parameters.

I have noticed that node.js applications created from OpenShift use an old version of Express (~3.4.4). Today, Express 4.0 has been completely 'refurbished'.

It would be great if OpenShift was up to date with Express and if secured communications were tested properly (SSL & HTTPS). An operational and tested https code example would be fantastic. It is much needed.

Version-Release number of selected component (if applicable):

Unknown

How reproducible:

Creating a simple Express 4.0 node.js application with http -> https redirection and loading the certificates in the console. 

Actual results:

Improperly populated user requests.

Expected results:

Properly populated user requests.

Comment 1 JVerstry 2014-09-04 13:09:58 UTC
Something I forgot to mention: I am using Cloudflare too. This may have an impact on this issue.
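
A hardened variant of the `redirectSec` function quoted in the description, added here as an example; it is not code from the reporter or from OpenShift. It tolerates a missing `Host` header, keeps the query string, and never echoes the client-controlled `Host` value into the `Location` header unchecked. `ALLOWED_HOSTS`, `FALLBACK_HOST`, `pickHost` and `simulate` are hypothetical names with constructed values, and taking the first `X-Forwarded-Proto` entry is an assumption about the proxy chain.

```javascript
// Added example: hardened variant of the redirectSec middleware quoted above.
// ALLOWED_HOSTS and FALLBACK_HOST are constructed values (assumptions).
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']);
const FALLBACK_HOST = 'www.example.com';

// Host is client-controlled and may be missing, so never echo it
// back unchecked into a Location header.
function pickHost(rawHost) {
  if (typeof rawHost !== 'string') return FALLBACK_HOST;
  const host = rawHost.trim().toLowerCase().replace(/:\d+$/, '');
  return ALLOWED_HOSTS.has(host) ? host : FALLBACK_HOST;
}

function redirectSec(req, res, next) {
  // Chained proxies may send a comma-separated list; this example
  // takes the first entry (assumption about the proxy chain).
  const proto = String(req.headers['x-forwarded-proto'] || '')
    .split(',')[0].trim().toLowerCase();
  if (proto !== 'http') return next();

  // originalUrl (Express) / url (plain http) keep the query string,
  // unlike req.path.
  let target = req.originalUrl || req.url || '/';
  if (!target.startsWith('/')) target = '/'; // drop absolute-form targets
  res.redirect(301, 'https://' + pickHost(req.headers.host) + target);
}

// Drive the middleware with mock req/res objects (no Express needed).
function simulate(headers, url) {
  const out = { location: null, status: null, passedOn: false };
  const res = { redirect(status, loc) { out.status = status; out.location = loc; } };
  redirectSec({ headers, originalUrl: url }, res, () => { out.passedOn = true; });
  return out;
}

// Constructed sample requests.
console.log(simulate({ 'x-forwarded-proto': 'http', host: 'example.com' }, '/a?b=1'));
console.log(simulate({ 'x-forwarded-proto': 'http' }, '/health'));
console.log(simulate({ 'x-forwarded-proto': 'https', host: 'example.com' }, '/a'));
```

`X-Forwarded-Proto` is only meaningful when the platform's proxy sets it; if the application is reachable directly, a client can supply the header itself.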