Add TLS/HTTPS support with auto-detection

- Server auto-detects cert/key in backend/certs/ and starts HTTPS - Falls back to plain HTTP if no certs found or TLS_ENABLED=false - Self-signed cert generated for dev (365-day, gitignored) - Added TLS env vars to .env.example - Frontend rebuilt with https:// API URLs for dev server
2026-06-19 14:44:04 -06:00
parent e9d6038636
commit 55795710d9
3 changed files with 38 additions and 5 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -80,3 +80,11 @@ GITLAB_PAT=
 # Generate with: openssl rand -hex 20
 GITLAB_WEBHOOK_SECRET=changeme_generate_a_random_secret

+
+# TLS / HTTPS Configuration
+# If cert and key files exist at the paths below, the server starts with HTTPS.
+# Set TLS_ENABLED=false to force plain HTTP even when certs are present.
+# Generate a self-signed cert: openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes -subj "/CN=cve-dashboard.local"
+TLS_ENABLED=true
+TLS_CERT=certs/cert.pem
+TLS_KEY=certs/key.pem
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -3,3 +3,6 @@
 backend/fix_multivendor_constraint.js
 backend/migrate_multivendor.js
 backend/add_vendor_to_documents.js
+
+# TLS certificates (self-signed or CA-issued)
+certs/
--- a/backend/server.js
+++ b/backend/server.js
@@ -1203,8 +1203,30 @@ if (fs.existsSync(frontendBuild)) {
    });
 }

-// Start server
-app.listen(PORT, () => {
-    console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
+// Start server — use HTTPS if TLS cert/key are available, otherwise plain HTTP
+const TLS_CERT = process.env.TLS_CERT || path.join(__dirname, 'certs', 'cert.pem');
+const TLS_KEY = process.env.TLS_KEY || path.join(__dirname, 'certs', 'key.pem');
+const TLS_ENABLED = process.env.TLS_ENABLED !== 'false' && fs.existsSync(TLS_CERT) && fs.existsSync(TLS_KEY);
+
+if (TLS_ENABLED) {
+    const https = require('https');
+    const httpsOptions = {
+        cert: fs.readFileSync(TLS_CERT),
+        key: fs.readFileSync(TLS_KEY),
+    };
+    https.createServer(httpsOptions, app).listen(PORT, () => {
+        console.log(`CVE API server running on https://${API_HOST}:${PORT}`);
+        console.log(`TLS: enabled (cert: ${TLS_CERT})`);
        console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
-});
+    });
+} else {
+    app.listen(PORT, () => {
+        console.log(`CVE API server running on http://${API_HOST}:${PORT}`);
+        if (!fs.existsSync(TLS_CERT) || !fs.existsSync(TLS_KEY)) {
+            console.log('TLS: disabled (no certs found in backend/certs/)');
+        } else {
+            console.log('TLS: disabled (TLS_ENABLED=false)');
+        }
+        console.log(`CORS origins: ${CORS_ORIGINS.join(', ')}`);
+    });
+}