This guide explains how to run a Node.js service on both HTTP and HTTPS during a controlled transition, then tighten traffic toward HTTPS once behavior is verified. It is a migration and troubleshooting walkthrough based on production cutovers where certificate chain mistakes and redirect loops caused outages. We cover listener setup, certificate loading, redirect strategy, proxy headers, and test sequence, with follow-up depth in the SSL playbook.

Why dual-protocol windows still matter

In ideal systems, you flip to HTTPS-only instantly. In real systems, old clients, webhook providers, or stale integrations often need a short transition window. Serving both protocols buys control, as long as you enforce a clear timeline and monitor actively.

The Node.js HTTPS server API reference is in the official docs at nodejs.org.

Step 1: Load key, certificate, and chain safely

1
2
3
4
5
6
7
8
9
10
11
12
const fs = require('fs');
const https = require('https');
const http = require('http');
const restify = require('restify');

const app = restify.createServer();

const tls = {
  key: fs.readFileSync('/etc/ssl/private/service.key'),
  cert: fs.readFileSync('/etc/ssl/certs/service.crt'),
  ca: fs.readFileSync('/etc/ssl/certs/chain.crt')
};

Use absolute paths and restrictive file permissions.

Step 2: Run HTTPS app and HTTP redirect endpoint

1
2
3
4
5
6
7
https.createServer(tls, app).listen(443);

http.createServer((req, res) => {
  const host = req.headers.host ? req.headers.host.replace(/:\d+$/, '') : 'qugstart.com';
  res.writeHead(301, { Location: `https://${host}${req.url}` });
  res.end();
}).listen(80);

If you are behind a reverse proxy, ensure forwarded protocol headers are handled consistently.

Step 3: Verify locally and externally

  • Verify cert chain from command line.
  • Verify redirect status and location headers.
  • Verify application routes through both paths.
  • Verify no mixed-content links in rendered pages.

Redirect caveats that trigger loops

  • Proxy terminates TLS but app still thinks request is HTTP.
  • Redirect middleware runs on already secure requests.
  • Host header includes unexpected port and generates malformed location.

Operational checklist

  • Track request counts on HTTP after redirect policy starts.
  • Watch for handshake errors and unknown CA events.
  • Log redirect target URL during rollout to catch malformed rules early.

FAQ

Should HTTP stay enabled forever?

No. Keep it only for transition, then remove once all critical clients are confirmed.

Can I use one Restify server for both ports?

You can share handlers, but create distinct HTTP and HTTPS listeners for control.

What breaks most often?

Certificate chain order, proxy header assumptions, and broad redirect middleware.

Filed under