node.js - HTTPS + SSL on Heroku - Node + Express

Question

I've created a self-signed certificate, added it to Heroku, and provisioned an SSL endpoint on Heroku, and I log heroku certs:info it seems to be there.

I'm creating my server on Express like so:

var server = require('http').createServer(app);

And then redirecting to https like so:

app.use(function(req, res, next) {
    var reqType = req.headers["x-forwarded-proto"];
    reqType == 'https' ? next() : res.redirect("https://" + req.headers.host + req.url);
});

The server runs fine, however I came across this code snippet on S.O. to create an https server:

var keys_dir = './sslcert/';
var server_options = { 
  key  : fs.readFileSync(keys_dir + 'server.key'),
  ca   : fs.readFileSync(keys_dir + 'server.csr'), 
  cert : fs.readFileSync(keys_dir + 'server.crt') 
}

var server = require('https').createServer(server_options,app);

I don't point to the certs/keys like this example, and my site is running on https (although the lock is red since it's self-signed).

• So my question is, how does my server know about my keys/certs without me explicitly pointing to them like the code snippet with server_options? Is this taken care of by Heroku behind the scenes?

• How does the SSL Endpoint I setup on Heroku interact with the http server I created with var server = require('http').createServer(app);?

---

EDIT

I just so this answer on another question:

"SSL termination occurs at Heroku's load balancers; they send your app plain (non-SSL) traffic, so your app should create a non-HTTPS server."

• What does they send your app plain (non-SSL) traffic mean exactly? Does this mean that I don't have to redirect to https in my app?

Answer 1

SSL termination is done on Heroku servers/load-balancers before the traffic gets to your application. The "thing" you added your cert to was not your dyno, but rather a Heroku-controlled server.

So when SSL (https) traffic comes in, it is "stopped" (terminated) at the server. That server opens a new http connection to your dyno, and whatever is gets it sends back over https to the client.

So on your dyno you don't need to "mess" with certs etc, and you will be seeing only incoming http traffic: whether directly from http clients, or from Heroku servers who talk https to clients and http to you.

Redirecting to https is a different matter: if a client "comes" to your app with http, and you prefer they use https, by all means redirect. They will issue a new request, this time https, and go thru Heroku's SSL termination and then to your app. But now you know that the path between the client and Heroku is secure (due to the client using https), and the path between the Heroku SSL termination and your dyno is presumably secure (if you trust Heroku...)

HTH