sammachin / node-red-contrib-ngrok

ngrok node for node-red
MIT License

Default protocol should be HTTPS not HTTP #16

Closed TotallyInformation closed 3 years ago

TotallyInformation commented 3 years ago

It is very dangerous to have the default set to http and will lead people into thinking that they have a secure connection when they do not.

sammachin commented 3 years ago

Can you clarify where this default is set?

Steve-Mcl commented 3 years ago

In the connect options

https://www.npmjs.com/package/ngrok#options

sammachin commented 3 years ago

That option is for what ngrok exposes to the outside world. In the case of it being set to http, it means that ngrok accepts an http OR https connection based on the hostname and then forwards it to the client via an encrypted tunnel. The other option in there is TCP, which is if you want to use ngrok to forward a raw TCP connection to you, again via the secure tunnel. There is a TLS option in ngrok if you are providing your own TLS cert on the client end, but this isn't exposed through the node and I don't see any demand for it; there is also a significant amount of extra configuration in providing the certificates.

In the latest version you now have the option of binding, which allows you to force ngrok to serve the public url over http, https or both, the default being both, and then it is down to the client making the request to choose the secure url. By default, though, the url we output from the node is the https version where both are set.

sammachin commented 3 years ago

Gonna close this as 2.0.0 has had a fairly major overhaul, there's nothing that defaults to plain HTTP only.
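
The binding behaviour discussed in this thread can be checked from the running agent. The following is an added example, not code from node-red-contrib-ngrok or from any participant: it audits a tunnel listing and flags any local service that is also reachable over plain HTTP. It assumes the listing has the shape of the ngrok agent's local `GET /api/tunnels` response (`tunnels[].public_url`, `tunnels[].config.addr`); the hostnames, sample data and the function name `auditTunnels` are constructed for illustration.

```javascript
// Added example, not code from node-red-contrib-ngrok.
// Audits a tunnel listing shaped like the ngrok agent's local
// GET /api/tunnels response and reports plain-HTTP exposure per local address.

// Constructed sample: with the "both" binding the same service is exposed twice.
const SAMPLE_BOTH = {
  tunnels: [
    { name: 'node-red', public_url: 'https://example-1234.ngrok.io', proto: 'https',
      config: { addr: 'http://localhost:1880' } },
    { name: 'node-red (http)', public_url: 'http://example-1234.ngrok.io', proto: 'http',
      config: { addr: 'http://localhost:1880' } },
  ],
};

// Constructed sample: the same service bound to HTTPS only.
const SAMPLE_HTTPS_ONLY = { tunnels: [SAMPLE_BOTH.tunnels[0]] };

function auditTunnels(listing) {
  const services = new Map();
  for (const t of (listing && listing.tunnels) || []) {
    let scheme;
    try {
      // Trust the scheme of the public URL, not the free-text tunnel name.
      scheme = new URL(t.public_url).protocol.slice(0, -1);
    } catch (e) {
      scheme = 'invalid';
    }
    const addr = (t.config && t.config.addr) || 'unknown';
    if (!services.has(addr)) {
      services.set(addr, { addr, secureUrl: null, plaintextUrls: [], otherUrls: [] });
    }
    const s = services.get(addr);
    if (scheme === 'https') s.secureUrl = s.secureUrl || t.public_url;
    else if (scheme === 'http') s.plaintextUrls.push(t.public_url);
    else s.otherUrls.push(t.public_url); // tcp, tls or unparsable: review by hand
  }
  // A service passes only if it has an HTTPS URL and no plain-HTTP twin.
  return [...services.values()].map((s) => ({
    ...s,
    httpsOnly: s.secureUrl !== null && s.plaintextUrls.length === 0,
  }));
}

console.log(JSON.stringify(auditTunnels(SAMPLE_BOTH), null, 2));
```

With the "both" sample the service is reported with `httpsOnly: false` and the plain-HTTP URL listed, even though an HTTPS URL exists for the same local address.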