search

GitbookIO / nuts

:chestnut: Releases/downloads server with auto-updater and GitHub as a backend
http://nuts.gitbook.com
Apache License 2.0
1.25k stars 299 forks source link

I have an HTTPS feed but my RELEASE files are returned with HTTP urls for downloads #131

Open baconbrad opened 7 years ago

baconbrad commented 7 years ago

Squirrel goes to download my RELEASES file from https://myurl.com:3000/update/win32_x64/0.1.13/RELEASES?id=MyApp&localVersion=0.1.13&arch=amd64.

But it tries to download an update from http://myurl.com:3000/download/0.1.14/MyApp-0.1.14-delta.nupkg. As a result it fails to download since we don't allow Nuts to run over HTTP nor do we want updates served over HTTP.

Going to https://myurl.com:3000/download/0.1.14/MyApp-0.1.14-delta.nupkg I get the file as expected.

Looking at https://myurl.com:3000/update/win32_x64/0.1.13/RELEASES?id=MyApp&localVersion=0.1.13&arch=amd64 in an editor I can see that Nuts is telling Squirrel to download from these HTTP links instead of the proper HTTPS links.

baconbrad commented 7 years ago

Works fine in development when ran directly from node. It appears the issue is when ran on IIS with IIS-node.

dguettler commented 6 years ago

@baconbrad I see this issue when running Nuts within OpenShift. The https request is terminated at the load balancer and nuts is then called via http. Since getFullUrl(req) uses the same protocol as the incoming request you end up with an http instead of https url in the response.

baconbrad commented 6 years ago

I also narrowed down the problem to getFullUrl(req). I ended up having to jimmy rig this with a hardcoded fix in nuts.js. I was unable to figure out what in our setup was causing this and we had to get the updater working in production ASAP. Seems to have worked for over a year without issue since.

function getFullUrl(req) {
    return req.protocol + '://' + req.get('host') + req.originalUrl;
}

Was changed to:

function getFullUrl(req) {
    return 'https://' + req.get('host') + req.originalUrl;
}
baconbrad commented 6 years ago

@dguettler That does clarify things for me though now that I think about it. Node.js applications running on IISNode are actually HTTP servers tunneled through HTTPS. The binding for HTTPS is done through IIS 8.5 and not in the script itself. This must be what is throwing Nuts off.

dguettler commented 6 years ago

@baconbrad yes, forked the project and did exactly the same change. It may make sense to be able to set this via an environment variable.