[BUG FIX] NodeJS Template Missing SSL Configuration and HTTPS Redirection

Hello HestiaCP community,

I wanted to share a solution for an issue I encountered with the NodeJS templates when using the hestiacp-nodejs plugin (https://github.com/JLFdzDev/hestiacp-nodejs).

The Issue

When using NodeJS as a proxy template, I discovered two major problems:

  1. The automatic SSL renewal stopped working for NodeJS domains
  2. HTTP to HTTPS redirections stopped functioning properly

After investigating, I found that the NodeJS.tpl and NodeJS.stpl templates provided by the plugin were missing crucial configurations that exist in the default templates.

Technical Details

The core issue was that the NodeJS templates lacked:

  1. The nginx.forcessl.conf inclusion in the HTTP template
  2. SSL stapling configurations in the HTTPS template
  3. TLS anti-replay protection
  4. HSTS header inclusion
  5. Proper location blocks to handle secure files and directories
  6. Several standard includes that exist in the default HestiaCP templates

The Solution

I modified both the NodeJS.tpl and NodeJS.stpl files to include the missing configurations, bringing them in line with HestiaCP’s default templates.

Changes to NodeJS.tpl:

# Added forced SSL configuration
include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

# Added better security for dot files
location ~ /\.(?!well-known\/|file) {
    deny all;
    return 404;
}

# Added standard configuration includes
include %home%/%user%/conf/web/%domain%/nginx.conf_*;

Changes to NodeJS.stpl:

# Added SSL stapling
ssl_stapling on;
ssl_stapling_verify on;

# Added TLS 1.3 0-RTT anti-replay protection
if ($anti_replay = 307) { return 307 https://$host$request_uri; }
if ($anti_replay = 425) { return 425; }

# Added HSTS configuration
include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

# Added better security for dot files
location ~ /\.(?!well-known\/|file) {
    deny all;
    return 404;
}

# Added proxy header management
proxy_hide_header Upgrade;

# Added standard SSL configuration includes
include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;

How to Apply This Fix

If you’re using the hestiacp-nodejs plugin and experiencing similar issues, here’s how you can fix it:

  1. Edit the NodeJS.tpl and NodeJS.stpl files in /usr/local/hestia/data/templates/web/nginx/
  2. Apply the changes mentioned above to each file
  3. Run v-restart-web to restart the web server
  4. Rebuild the affected domains with v-rebuild-web-domain user domain.com

After applying these changes, SSL auto-renewal and HTTP to HTTPS redirections should work properly for NodeJS domains, just as they do for standard domains.

Future Updates

I recommend the plugin maintainers include these changes in future releases of the hestiacp-nodejs plugin to ensure proper SSL handling and security for all NodeJS domains.

I hope this helps anyone facing similar issues with NodeJS applications on HestiaCP. Let me know if you have any questions!

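Before rebuilding domains it is worth confirming that the templates on disk really contain the directives the post above lists as missing. The following check script is an added example, not part of the hestiacp-nodejs plugin or of HestiaCP: it greps NodeJS.tpl and NodeJS.stpl for the fixed strings from the post and reports anything absent. The TEMPLATE_DIR variable and the --run flag are assumptions of this example; the template path itself is the one given in the post.

```shell
#!/bin/bash
# Added example (not from the plugin or HestiaCP): verify that the NodeJS nginx
# templates carry the directives the post lists as missing.
set -u

# Directives expected in the HTTP template (NodeJS.tpl), as listed in the post.
TPL_REQUIRED='nginx.forcessl.conf*
location ~ /\.(?!well-known\/|file)
nginx.conf_*'

# Directives expected in the HTTPS template (NodeJS.stpl), as listed in the post.
STPL_REQUIRED='ssl_stapling on;
ssl_stapling_verify on;
$anti_replay = 307
$anti_replay = 425
nginx.hsts.conf*
location ~ /\.(?!well-known\/|file)
proxy_hide_header Upgrade;
nginx.ssl.conf_*'

# check_template FILE REQUIRED_LIST
# Prints one line per missing directive; returns 0 if all are present, 1 otherwise.
# Fixed-string grep is used on purpose: the location regex contains metacharacters.
check_template() {
    file=$1
    required=$2
    missing=0
    if [ ! -r "$file" ]; then
        printf 'UNREADABLE: %s\n' "$file"
        return 1
    fi
    while IFS= read -r needle; do
        [ -n "$needle" ] || continue
        if ! grep -qF -- "$needle" "$file"; then
            printf 'MISSING in %s: %s\n' "$file" "$needle"
            missing=1
        fi
    done <<EOF
$required
EOF
    return $missing
}

# Assumed default location (the directory named in the post); override with TEMPLATE_DIR.
TEMPLATE_DIR=${TEMPLATE_DIR:-/usr/local/hestia/data/templates/web/nginx}

# Usage: ./check-nodejs-templates.sh --run   (exit status 0 means both templates are complete)
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_template "$TEMPLATE_DIR/NodeJS.tpl" "$TPL_REQUIRED" || rc=1
    check_template "$TEMPLATE_DIR/NodeJS.stpl" "$STPL_REQUIRED" || rc=1
    exit $rc
fi
```

Run it once after editing the templates and again after a plugin upgrade, since an upgrade may overwrite the files and silently reintroduce the missing forcessl include.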

In /usr/local/hestia/data/templates/web/nginx/:

New NodeJS.tpl:

server {
        listen %ip%:%proxy_port%;
        server_name %domain_idn% %alias_idn%;
        error_log /var/log/%web_system%/domains/%domain%.error.log error;

        include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

        include %home%/%user%/hestiacp_nodejs_config/web/%domain%/nodejs-app.conf;

        location /error/ {
                alias %home%/%user%/web/%domain%/document_errors/;
        }

        include %home%/%user%/hestiacp_nodejs_config/web/%domain%/nodejs-app-fallback.conf;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }

        location ~ /\.ht {return 404;}
        location ~ /\.svn/ {return 404;}
        location ~ /\.git/ {return 404;}
        location ~ /\.hg/ {return 404;}
        location ~ /\.bzr/ {return 404;}

        include %home%/%user%/conf/web/%domain%/nginx.conf_*;
}

and new NodeJS.stpl:

server {
    listen %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    return 301 https://%domain_idn%$request_uri;
}

server {
    listen %ip%:%proxy_ssl_port% http2 ssl;
    server_name %domain_idn% %alias_idn%;
    ssl_certificate %ssl_pem%;
    ssl_certificate_key %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log /var/log/%web_system%/domains/%domain%.error.log error;
    
    # TLS 1.3 0-RTT anti-replay
    if ($anti_replay = 307) { return 307 https://$host$request_uri; }
    if ($anti_replay = 425) { return 425; }
    
    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;
    
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 32k;
    gzip_types image/svg+xml svg svgz text/plain application/x-javascript text/xml text/css;
    gzip_vary on;

    include %home%/%user%/hestiacp_nodejs_config/web/%domain%/nodejs-app.conf;

    location /error/ {
        alias %home%/%user%/web/%domain%/document_errors/;
    }

    include %home%/%user%/hestiacp_nodejs_config/web/%domain%/nodejs-app-fallback.conf;

    location ~ /\.(?!well-known\/|file) {
        deny all;
        return 404;
    }

    location ~ /\.ht {return 404;}
    location ~ /\.svn/ {return 404;}
    location ~ /\.git/ {return 404;}
    location ~ /\.hg/ {return 404;}
    location ~ /\.bzr/ {return 404;}
    
    proxy_hide_header Upgrade;
    
    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

> v-rebuild-web-domain user domain.com

If you do not want to do this one by one, you can rebuild all users and domains using this script:

rebuild-all-domains.sh:

#!/bin/bash
# Rebuild every web domain of every HestiaCP user so the updated templates take effect.
# List users (skip the two header lines of the v-list-users table).
users=$(/usr/local/hestia/bin/v-list-users | tail -n+3 | awk '{print $1}')

for user in $users; do
    echo "Processing user: $user"

    # List this user's web domains (again skipping the table header).
    domains=$(/usr/local/hestia/bin/v-list-web-domains "$user" | tail -n+3 | awk '{print $1}')

    for domain in $domains; do
        echo "Rebuilding domain: $domain for user: $user"
        /usr/local/hestia/bin/v-rebuild-web-domain "$user" "$domain" \
            || echo "Failed to rebuild $domain for $user" >&2
    done
done

echo "All domains have been rebuilt!"

Then you can start the process with v-restart-web and sudo ./rebuild-all-domains.sh


Hi @hadsizefendi

Thanks for sharing the fix :hugs:

Maybe you should create a pull request in their GitHub repo.


thank you bro :melting_face:
