如何通过node-http-proxy启用HSTS？

Question

在node.js 0.8下，我在“路由表”模式下使用node-http-proxy，配置如下：

var httpProxy = require("http-proxy");
var config = require("./config");

proxyServer = httpProxy.createServer({
    hostnameOnly: true,
    router: {
        "one.example.com": "localhost:9000",
        "two.example.com": "localhost:9001"
    },
    https: {
        key: config.key,
        cert: config.cert,
        // mitigate BEAST: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
        honorCipherOrder: true,
        ciphers: "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"
    }
})
proxyServer.listen(8000)

我想添加HSTS (超文本传输协议严格传输安全)，以便兼容的浏览器将被告知始终使用SSL。为此，我需要让http-proxy添加头：

Strict-Transport-Security: max-age=60000

(或其他最大年龄)。如何才能让node-http-proxy高效地追加这个头部？

Answer 1

对于你的例子，我不确定，因为这个老问题似乎使用了http-proxy@0.8。然而，下面是我对http-proxy@1.0.0所做的工作

var httpProxy = require('http-proxy');

// https server to decrypt TLS traffic and direct to a normal HTTP backend
var proxy = httpProxy.createProxyServer({
  target: {
    host: 'localhost',
    port: 9009 // or whatever port your local http proxy listens on
  },
  ssl: {
    key: fs.readFileSync('valid-ssl-key.pem', 'utf8'),
    cert: fs.readFileSync('valid-ssl-cert.pem', 'utf8')
  }
}).listen(443); // HTTPS listener for the real server

// http server that redirects all requests to their corresponding
// https urls, and allows standards-compliant HTTP clients to 
// prevent future insecure requests.
var server = http.createServer(function(req, res) {
  res.statusCode = 301;
  res.setHeader('Location', 'https://' + req.headers.host.split(':')[0] + req.url);
  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
  return res.end();
});

server.listen(80); // HTTP listener for the old HTTP clients