Comments (17)

morsssss avatar morsssss commented on July 30, 2024

I'd call this a P1! Do you have time to look into how to set SSL up on GCP?

https://cloud.google.com/sql/docs/mysql/configure-ssl-instance

@pbakaus does anything else need to be done to redirect to HTTPS?

from samples.

demianrenzulli avatar demianrenzulli commented on July 30, 2024

@morsssss will await @pbakaus comments and then start working on this. Will reach out to you to ask for access to the backend.

pbakaus avatar pbakaus commented on July 30, 2024

nothing else AFAIK, I just don't know how to properly set it up on GCP.

demianrenzulli avatar demianrenzulli commented on July 30, 2024

Hi guys,

I'm not seeing any reference to the domain "amp.cards" in the code itself, or any configuration file, outside the data-iframe-src attribute of the amp-install-serviceworker component.
With that said, I think that all the configuration should be done on GCP console.

This seems to be the guide to migrate to a Node Application to SSL when using custom domains.

If we can take a look at the GCP console, maybe we can check if all the required steps are correct.

pbakaus avatar pbakaus commented on July 30, 2024

I just looked into this for a little bit, and don't think there's anything to be done in GCP. Rather, it's HSTS (Strict Transport Security) headers that are missing, and I figured the obvious way to add them would be in the actual server: https://github.com/ampproject/amp-publisher-sample/blob/master/amp-pwa-reader/src/server/server.js

However, I'm at a loss why all of this even works on HTTPS today anyway, as the express server spun up in that file doesn't configure HTTPS...I wonder if GCP does wicked magic?

demianrenzulli avatar demianrenzulli commented on July 30, 2024

Thanks Paul, would you recommend to add the header directly on the code on server.js, or using something like helmet, that would encapsulate many security features (including HSTS)?

If the latter, the work would consist on adding one entry to package.json, and two lines of code to server.js.

andreban avatar andreban commented on July 30, 2024

Hey everyone. We use this config in PWA Directory, to make all URLs be served from a secure URL: https://github.com/GoogleChromeLabs/gulliver/blob/master/app.yaml#L18-L21, along with this bit: https://github.com/GoogleChromeLabs/gulliver/blob/master/app.js#L41-L49 Does this help?

pbakaus avatar pbakaus commented on July 30, 2024

oooh this looks good. Andre or Demian, are you cool providing a PR with this change?

demianrenzulli avatar demianrenzulli commented on July 30, 2024

This is what I tried adding locally to add helmet, but haven't tested in a live environment yet, to see if it actually works:

npm install helmet --save (will add helmet dependency to gulpfile).

On server.js:

const express = require('express');
const helmet = require('helmet'); // sets HSTS and other security headers
const app = express();
app.use(helmet());

Before moving forward with this option, do you guys think that using helmet is the way to go, or it's better to stick to Andre's solution (which seems to solve the particular SSL need, without adding anything else that might potentially be unnecessary)?

demianrenzulli avatar demianrenzulli commented on July 30, 2024

BTW: helmet is recommended as best practice on ExpressJS site, but I don't have any other experience with it.

pbakaus avatar pbakaus commented on July 30, 2024

So the files Andre pointed out, the change in app.yaml is probably the most important as it relates to GCP.

The thing that I'm wondering about: Why does HTTPS even work today (as there is no code at all suggesting express is configured for it)? So anyway, I'm all for trying out helmet and doing the app.yaml change and see how it goes.

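An added example (not code from this thread or from the amp-publisher-sample project) of the two pieces discussed above: the HTTP-to-HTTPS redirect Andre linked and the Strict-Transport-Security header that helmet would add. It assumes the app runs behind a TLS-terminating proxy such as the App Engine front end, which is why the Express server in server.js never configures HTTPS itself and only sees the original scheme in X-Forwarded-Proto; the helper names and the constructed req/res stand-ins are mine.

```javascript
// Assumed helper: true when the request arrived over HTTPS, either directly
// (req.secure) or via a TLS-terminating proxy that sets X-Forwarded-Proto.
// Only trust that header when the app really is deployed behind such a proxy.
function isSecureRequest(req, trustProxy) {
  if (req.secure) return true;
  if (!trustProxy) return false;
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return proto.toLowerCase() === 'https';
}

// Middleware: permanently redirect any plain-HTTP request to the same URL on HTTPS.
function forceHttps(trustProxy) {
  return function (req, res, next) {
    if (isSecureRequest(req, trustProxy)) return next();
    res.redirect(301, 'https://' + req.headers.host + req.originalUrl);
  };
}

// Middleware: emit HSTS (max-age in seconds, subdomains included) on HTTPS
// responses only; browsers ignore the header over plain HTTP anyway.
function hsts(maxAgeSeconds) {
  return function (req, res, next) {
    if (isSecureRequest(req, true)) {
      res.setHeader('Strict-Transport-Security',
        'max-age=' + maxAgeSeconds + '; includeSubDomains');
    }
    next();
  };
}

// Constructed stand-ins for Express req/res so the middleware runs offline.
function runMiddleware(mw, req) {
  const res = {
    status: null, location: null, headers: {}, nextCalled: false,
    redirect(code, url) { this.status = code; this.location = url; },
    setHeader(name, value) { this.headers[name] = value; },
  };
  mw(req, res, () => { res.nextCalled = true; });
  return res;
}

// In a real server.js the wiring would be:
//   app.use(forceHttps(true));
//   app.use(hsts(31536000));
```
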
demianrenzulli avatar demianrenzulli commented on July 30, 2024

@pbakaus @morsssss @andreban created PR #119 and uploaded a version on GCP at: steel-topic-208022.appspot.com.

morsssss avatar morsssss commented on July 30, 2024

Deployed! All looks good 👍

demianrenzulli avatar demianrenzulli commented on July 30, 2024

@morsssss thank you Ben,

I've just tested amp.cards, but I don't see it's redirecting to HTTPS by default.
Please, let me know if you need my help to do some extra tests (in case the latest version is not in prod yet).

demianrenzulli avatar demianrenzulli commented on July 30, 2024

BTW, just cloned the latest version and uploaded it here: nodejs-tests-210101.appspot.com.
On my tests it is always redirecting to HTTPS, regardless of the protocol on the URL.

morsssss avatar morsssss commented on July 30, 2024

demianrenzulli avatar demianrenzulli commented on July 30, 2024

Hi Ben! In case you test the url I sent before: I turned off nodejs-tests-210101.appspot.com, because I found I was starting to get charged again.
I can't explain the reasons since that version should be receiving no traffic (or minimal). Maybe there's some special configuration requirement on this project reserving resources.
Don't worry about checking the code, maybe we can take a look on Thursday at the production server to understand why it's not redirecting by default, or any other day.
