HSTS: Should I force user to use HTTPS on load balance or web server?


My environment :

1.) 1 load balance server (nginx)

2.) 2 web servers (express.js running on node.js)

3.) 1 database server

Hello, I am trying to force my users to use https. I have looked through many tutorials on how to implement https in express.js.

However, as I looked through those tutorials, I found 2 ways to redirect users from http to https:

  1. redirecting user to https on nginx config ( on load balance server )
  2. redirecting user to https on express.js ( on web server )

My question is:

  • Which is the better way to implement HSTS for my web app (on the load balancer or on the web servers)?

  • Also, please kindly give a little information on the advantages and disadvantages of each option.

Thank you very much :)

1 answer

Answer by Simon:

You can reduce traffic by enforcing https upstream on the load balancer. If you are only serving content that needs to be encrypted, it might be best to restrict http traffic to the web servers from external sources.

Otherwise an http request will pass through the load balancer and be directed to web server 1, where it will respond with a 302 redirect to the https URL. This causes the user to have to make 2 requests to get to your website.
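As an added illustration of the approach the answer recommends (this is example configuration, not the asker's or answerer's own), here is an nginx load balancer that answers plain http with a redirect and sends the HSTS header only on https responses. Hostnames, certificate paths and the backend addresses are placeholders; the web servers are assumed to be express.js on port 3000 on a private network.

```nginx
# Added example config (not from the question or the answer).
# Backend pool: the two express.js web servers (placeholder addresses).
upstream web_backend {
    server 10.0.0.11:3000;
    server 10.0.0.12:3000;
}

# Port 80 serves nothing itself: every request gets a permanent
# redirect to the same path over https, so the web servers never
# receive plain-http traffic from outside.
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname
    ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder path

    # HSTS: once a browser has seen this over https it goes straight to
    # https for max-age seconds, which removes the second request the
    # answer describes on later visits. Browsers ignore the header on
    # plain-http responses, so it only belongs in this server block.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://web_backend;
        proxy_set_header Host $host;
        # Tell express.js the original request was https, so any scheme
        # checks in the app (with 'trust proxy' enabled) see the truth.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Start with a short max-age while testing, because a browser that has cached a long HSTS policy will refuse plain http to that host until it expires.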