HTTPS required message is displayed even when using HTTPS if dashboard is deployed to Heroku. #48

Closed
chatpongs opened this issue Mar 5, 2016 · 8 comments
Labels
type:bug Impaired feature or lacking behavior that is likely assumed

Comments

@chatpongs

I basically cloned the repo and pushed it to Heroku. First, there was an error that the Node version wasn't specified. I added the Node version in package.json. Then there is this error:

remote: > @ preinstall /tmp/build_59a48c67353dd6c9057be7bd1698879f
remote: > git update-index --skip-worktree Parse-Dashboard/parse-dashboard-config.json
remote:
remote: fatal: Not a git repository (or any parent up to mount point /tmp)

Does it need to be deployed another way?

@drew-gross drew-gross added type:bug Impaired feature or lacking behavior that is likely assumed good-first-pr labels Mar 5, 2016
@drew-gross
Contributor

We've focused primarily on the localhost experience, so some issues when deploying to Heroku are expected. In this case, we added some git commands that prevent you from accidentally leaking your Master Key. We would gladly accept a PR to change this; you would just need to add the config file to .gitignore, then write a small node script that creates the file with some default data in it in the postinstall script. Alternatively, you could have the small express app that serves the dashboard create that file if it doesn't exist.

@chatpongs
Author

Thanks @drew-gross. Since it is just for testing, I am not worried about the Master Key.

I removed that preinstall script, created a Procfile to run "npm run dashboard" and changed the environment on Heroku to development with "heroku config:set NPM_CONFIG_PRODUCTION=false". Then I added my Parse Server info to parse-dashboard-config.json.

The server is now running at https://parse-dashboard-1.herokuapp.com/. But even though the web is running on HTTPS, it is still showing that the dashboard needs to be accessed via HTTPS.

@drew-gross
Contributor

The dashboard requires your connection to the server to be HTTPS. Heroku may be doing some early SSL termination, resulting in the connection to your dashboard not being HTTPS. You can allow insecure connections by digging into the source of Parse-Dashboard/index.js. Do note that your URL does seem to be accessible over HTTP as well.

I would also happily accept a PR that adds a config option to allow non HTTP requests for people who are doing early SSL termination.

@flovilmart
Contributor

It's most likely that Heroku is handling the SSL termination and the node express server is on HTTP.

client <---- HTTPS -----> heroku <--- HTTP ---> parse-dashboard.

The requests coming to parse-dashboard are likely to be HTTP requests from the Heroku proxy/load balancer/reverse proxy.

From there you have multiple options:

  • switch off the test for req.secure in the source (that I won't recommend)
  • inspect the request header, there may be an X-forwarded-proto, X-forwarded-for etc... propose a pull request

@kilabyte
Contributor

kilabyte commented Mar 5, 2016

You can for now comment out line 33 in the Parse-Dashboard/index.js. This will bypass that check and allow you to continue setting it up for now while you work out SSL.

@drew-gross drew-gross changed the title Cannot deploy on Heroku HTTPS required message is displayed even when using HTTPS if dashboard is deployed to Heroku. Mar 5, 2016
@chatpongs
Author

I figured it out. It seems Heroku doesn't terminate SSL but the app itself doesn't feel secure running behind the proxy. What I did is add this statement:

app.enable('trust proxy');

at line 13. And that's it. I can confirm this works for Heroku and Dokku.

@drew-gross
Contributor

Note that the 'trust proxy' line causes express to trust the request headers, which can be spoofed by an attacker. If you are doing this, make sure to have a username and password enabled for your dashboard, and make sure you are only entering the username and password over https. (The auth is HTTP Basic Auth, so if you enter your password over http, your password will be transmitted in clear-text.)
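
An added example (not code from this thread or from parse-dashboard) that models the check discussed above: with no proxy trust the proxied HTTPS request looks insecure, blanket trust accepts an X-Forwarded-Proto header set by any peer, and trusting only the proxy's address does not. The request shape, the `10.0.0.5` proxy address and the function names are assumptions made for the example.

```javascript
// Simplified model of deciding whether a request arrived over HTTPS when a
// TLS-terminating proxy sits in front of the app. Not Express's own code.

// trustedProxies: true = trust every peer (a blanket "trust proxy"),
// false = trust nobody, or an array of proxy addresses whose headers are believed.
function isTrustedPeer(remoteAddress, trustedProxies) {
  if (trustedProxies === true) return true;
  return Array.isArray(trustedProxies) && trustedProxies.includes(remoteAddress);
}

// req: { encrypted, remoteAddress, headers } (constructed shape for this example).
function effectiveProtocol(req, trustedProxies) {
  if (req.encrypted) return 'https'; // TLS terminated by the app itself
  if (!isTrustedPeer(req.remoteAddress, trustedProxies)) return 'http';
  const header = req.headers['x-forwarded-proto'];
  if (typeof header !== 'string' || header === '') return 'http';
  // Proxies may chain values with commas; this model reads the first one.
  return header.split(',')[0].trim().toLowerCase();
}

function isSecure(req, trustedProxies) {
  return effectiveProtocol(req, trustedProxies) === 'https';
}

// Constructed sample requests. 10.0.0.5 stands in for the platform's proxy.
const PROXY = '10.0.0.5';
const viaProxyHttps = { encrypted: false, remoteAddress: PROXY,
  headers: { 'x-forwarded-proto': 'https' } };
const viaProxyHttp = { encrypted: false, remoteAddress: PROXY,
  headers: { 'x-forwarded-proto': 'http' } };
// A peer that reaches the app directly over plain HTTP and sets the header itself.
const directSpoofed = { encrypted: false, remoteAddress: '203.0.113.9',
  headers: { 'x-forwarded-proto': 'https' } };

// One row per sample request, one column per trust policy.
function report() {
  const samples = { viaProxyHttps, viaProxyHttp, directSpoofed };
  return Object.entries(samples).map(([name, req]) => ({
    name,
    noTrust: isSecure(req, false),
    trustAll: isSecure(req, true),
    trustProxyOnly: isSecure(req, [PROXY]),
  }));
}

console.table(report());
```

Express's `trust proxy` setting also accepts specific addresses, subnets or a hop count instead of a blanket enable, which corresponds to the `trustProxyOnly` column.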

@drew-gross
Contributor

Replacing this issue with #54
