some changes to make it at least _possible_ to run in dev without https

configs/nginx.example

@@ -6,14 +6,14 @@ server {
 
 	server_name domain.com www.domain.com;
 	server_tokens off;
-	error_page 404 = /home/tom/jschan/static/html/404.html;
+	error_page 404 = /path/to/jschan/static/html/404.html;
 
 	add_header Cache-Control "public";
-	add_header Content-Security-Policy "Content-Security-Policy: default-src 'none'; img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
-	add_header Referrer-Policy "same-origin";
-	add_header X-Frame-Options "sameorigin";
-	add_header X-Content-Type-Options "nosniff";
-	add_header X-XSS-Protection "1; mode=block";
+	add_header Content-Security-Policy "default-src 'self'; img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
+	add_header Referrer-Policy "same-origin" always;
+	add_header X-Frame-Options "sameorigin" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-XSS-Protection "1; mode=block" always;
 
 	if ($request_uri ~ ^/(?!captcha|randombanner|forms|logout|socket\.io)) {
 		rewrite ^([^.\?]*[^/])$ $1/ redirect;

configs/nginx_no_https.example

@@ -0,0 +1,122 @@
+upstream chan {
+	server localhost:7000;
+}
+
+server {
+
+	server_name domain.com www.domain.com;
+	server_tokens off;
+	error_page 404 = /path/to/jschan/static/html/404.html;
+
+	add_header Cache-Control "public";
+	add_header Content-Security-Policy "default-src 'self'; img-src 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
+	add_header Referrer-Policy "same-origin" always;
+	add_header X-Frame-Options "sameorigin" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+
+	if ($request_uri ~ ^/(?!captcha|randombanner|forms|logout|socket\.io)) {
+		rewrite ^([^.\?]*[^/])$ $1/ redirect;
+		rewrite ^(.+)/$ $1/index.html redirect;
+	}
+
+	location = /robots.txt {
+		access_log off;
+		add_header Content-Type text/plain;
+		return 200 "User-agent: *\nDisallow:\n";
+	}
+
+	location = /favicon.ico {
+		access_log off;
+		expires max;
+		root /path/to/jschan/static/img;
+		try_files $uri =404;
+	}
+
+	location = / {
+		return 302 http://$host/index.html;
+	}
+
+	location /captcha {
+		access_log off;
+		root /path/to/jschan/static/captcha;
+		if ($cookie_captchaid) {
+			return 302 http://$host/captcha/$cookie_captchaid.jpg;
+		}
+		try_files /$cookie_captchaid.jpg @backend;
+	}
+
+	location / {
+		proxy_buffering off;
+		proxy_pass http://chan$request_uri;
+		proxy_http_version 1.1;
+
+		#websocket
+		proxy_set_header Host $host;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection 'upgrade';
+		proxy_cache_bypass $http_upgrade;
+
+		proxy_set_header X-Forwarded-Proto http;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Country-Code $geoip_country_code;
+		proxy_set_header X-Country-Name $geoip_country_name;
+	}
+
+	location @backend {
+		proxy_buffering off;
+		proxy_pass http://chan$request_uri;
+		proxy_http_version 1.1;
+		proxy_set_header X-Forwarded-Proto http;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Country-Code $geoip_country_code;
+		proxy_set_header X-Country-Name $geoip_city_country_name;
+		proxy_set_header Connection '';
+		proxy_set_header Host $host;
+	}
+
+	# HTML
+	location ~* \.html$ {
+		expires 0;
+		root /path/to/jschan/static/html;
+		try_files $uri @backend;
+	}
+
+	# JSON
+	location ~* \.json$ {
+		expires 0;
+		root /path/to/jschan/static/json;
+		try_files $uri =404;
+		#json doesnt hit backend if it doesnt exist yet.
+	}
+
+	# CSS
+	location ~* \.css$ {
+		access_log off;
+		expires 1d;
+		root /path/to/jschan/static;
+		try_files $uri =404;
+	}
+
+	# Scripts
+	location ~* \.js$ {
+		expires 1d;
+		access_log off;
+		root /path/to/jschan/static;
+		try_files $uri =404;
+	}
+
+	# Images
+	location ~* \.(png|jpg|jpeg|gif|mp4|webm|mov|svg)$ {
+		access_log off;
+		expires max;
+		root /path/to/jschan/static;
+		try_files $uri =404;
+	}
+
+	listen 80;
+	listen [::]:80;
+
+}

models/pages/captcha.js

@@ -1,10 +1,15 @@
 'use strict';
 
 const { Captchas, Ratelimits } = require(__dirname+'/../../db/')
-	, generateCaptcha = require(__dirname+'/../../helpers/captcha/captchagenerate.js');
+	, generateCaptcha = require(__dirname+'/../../helpers/captcha/captchagenerate.js')
+	, production = process.env.NODE_ENV === 'production';
 
 module.exports = async (req, res, next) => {
 
+	if (!production && req.cookies['captchaid'] !== null) {
+		return res.redirect(`/captcha/${req.cookies['captchaid']}.jpg`);
+	}
+
 	let captchaId;
 	try {
 		const ratelimit = await Ratelimits.incrmentQuota(res.locals.ip.hash, 'captcha', 10);
@@ -21,7 +26,7 @@ module.exports = async (req, res, next) => {
 	return res
 		.cookie('captchaid', captchaId.toString(), {
 			'maxAge': 5*60*1000, //5 minute cookie
-			'secure': true,
+			'secure': production,
 			'sameSite': 'strict'
 		})
 		.redirect(`/captcha/${captchaId}.jpg`);

package.json

@@ -40,7 +40,8 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1",
     "setup": "npm i -g pm2 gulp && gulp",
-    "start": "pm2 start ecosystem.config.js --env production"
+    "start": "pm2 start ecosystem.config.js --env production",
+    "start-dev": "pm2 start ecosystem.config.js --env development"
   },
   "author": "",
   "license": "ISC"

server.js

@@ -22,7 +22,9 @@ const express = require('express')
 
 (async () => {
 
-	console.log('STARTING IN MODE:', process.env.NODE_ENV);
+	const env = process.env.NODE_ENV;
+	const production = env === 'production';
+	console.log('STARTING IN MODE:', env);
 
 	// connect to mongodb
 	console.log('CONNECTING TO MONGODB');
@@ -53,7 +55,7 @@ const express = require('express')
 		saveUninitialized: false,
 		cookie: {
 			httpOnly: true,
-			secure: true,
+			secure: production,
 			sameSite: 'strict',
 		}
 	}));