
Running Node.js HTTPS server without providing SSL certificate?

We've got a setup, where SSL/HTTPS stuff is managed by Cloudflare.

What is the proper way to run Node.js HTTPS server in this case?

I've tried running it like this and it's working, but what are the downsides?

const express = require('express')
const https = require('https')

const app = express()
const httpsServer = https.createServer({}, app) // creating an HTTPS server with an empty SSL certificate object

httpsServer.listen(443)

> I've tried running it like this and it's working,

By this, I assume you're using Flexible mode? When in Flexible mode, it gives you the illusion of security, but in actuality the client-server connection is only half-secured.

  Cloudflare Universal SSL Certificate
              |
Client <----HTTPS-----> Cloudflare <------HTTP-----> Origin Server

Surely you've heard of MITM (man-in-the-middle) attacks or state-sponsored surveillance over an insecure channel (read: HTTP)? These are the downsides when your connection is not fully encrypted end-to-end.

For you to secure the connection end-to-end, you'll need to use Full/Full (Strict) mode, and for this to work you'll need to specify the certificate on the origin server. Opening port 443 and putting it in listening mode is not enough; HTTPS uses Public Key Infrastructure (PKI), and SSL certificates are a fundamental part of it. In other words, you simply can't use HTTPS without SSL certificates in place!

  Cloudflare Universal SSL Certificate      Origin Certificate
              |                              |
Client <----HTTPS-----> Cloudflare <------HTTPS-----> Origin Server

Provisioning a self-signed certificate on the origin server will suffice for Full mode, but Full (Strict) mode requires a valid certificate. The good news is that you don't need to purchase Extended Validation (EV) certificates from a retail Certificate Authority (CA), as nowadays there are free Domain Validation (DV) certificates such as Let's Encrypt/Certbot or the Cloudflare Origin CA certificate, which would work just as well.
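An added example, not part of the original question or answer: an origin server for Full/Full (Strict) mode that refuses to start unless a parseable, matching, currently valid key and certificate pair is configured, in place of `createServer({})`. The function names and the `ORIGIN_TLS_KEY` / `ORIGIN_TLS_CERT` environment variables are assumptions for illustration; an Express `app` can be passed where the inline handler is.

```javascript
// Added example (not from the original post): fail fast unless a usable
// origin certificate is configured, instead of calling createServer({}).
const fs = require('fs');
const https = require('https');
const crypto = require('crypto');

// Validate a PEM key/certificate pair and return options for https.createServer.
function originTlsOptions(keyPem, certPem, now = new Date()) {
  if (!keyPem || !certPem) {
    throw new Error('origin key and certificate are both required');
  }
  let key, cert;
  try {
    key = crypto.createPrivateKey(keyPem);
    cert = new crypto.X509Certificate(certPem);
  } catch (err) {
    throw new Error(`cannot parse origin key/certificate: ${err.message}`);
  }
  if (!cert.checkPrivateKey(key)) {
    throw new Error('private key does not match the certificate');
  }
  if (now < new Date(cert.validFrom) || now > new Date(cert.validTo)) {
    throw new Error(`certificate not valid at ${now.toISOString()}`);
  }
  return { key: keyPem, cert: certPem, minVersion: 'TLSv1.2' };
}

// Read the pair from disk; a missing file throws before any port is opened.
function loadOriginTls(keyPath, certPath) {
  return originTlsOptions(fs.readFileSync(keyPath), fs.readFileSync(certPath));
}

// ORIGIN_TLS_KEY / ORIGIN_TLS_CERT are assumed environment variable names
// holding the paths of the PEM files provisioned on the origin server.
if (process.env.ORIGIN_TLS_KEY && process.env.ORIGIN_TLS_CERT) {
  const options = loadOriginTls(process.env.ORIGIN_TLS_KEY, process.env.ORIGIN_TLS_CERT);
  https.createServer(options, (req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/plain' });
    res.end('served over TLS from the origin\n');
  }).listen(443);
}
```

The validity check only covers dates and key match; whether Cloudflare accepts the certificate in Full (Strict) mode still depends on who issued it.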
