nxtedition/node-http2-proxy

Add "ca", "key", "cert" options and "rejectUnauthorized" options for TLS-based HTTP servers using self-signed certificates.

masx200 opened this issue · 10 comments

ronag commented

Add where? This library doesn't create the http server.

These options are the options that the TLS client can pass in when creating a TLS connection. You can see the Node.js documentation.

ronag commented

I still don't see where in the api for this library you would like this? Can you provide an example on how you would like to use it?

const tls = require('tls');
const fs = require('fs');

const options = {
  // Necessary only if the server requires client certificate authentication.
  key: fs.readFileSync('client-key.pem'),
  cert: fs.readFileSync('client-cert.pem'),

  // Necessary only if the server uses a self-signed certificate.
  ca: [ fs.readFileSync('server-cert.pem') ],
  rejectUnauthorized: false,
  // Necessary only if the server's cert isn't for "localhost".
  checkServerIdentity: () => { return null; },
};

const socket = tls.connect(8000, options, () => {});

ronag commented

@masx200: that example has no relation to this library in its current form

server.on('request', (req, res) => {
  proxy.web(req, res, {
    ca: [ fs.readFileSync('server-cert.pem') ],
    rejectUnauthorized: false,
    protocol: "https",
    hostname: 'localhost',
    port: 9000
  }, defaultWebHandler)
})

https://github.com/villadora/express-http-proxy#q-how-can-i-support-non-standard-certificate-chains

Q: How can I support non-standard certificate chains?
You can use the ability to decorate the proxy request prior to sending. See proxyReqOptDecorator for more details.

app.use('/', proxy('internalhost.example.com', {
  proxyReqOptDecorator: function(proxyReqOpts, originalReq) {
    proxyReqOpts.ca =  [caCert, intermediaryCert]
    return proxyReqOpts;
  }
}))

Q: How to ignore self-signed certificates?
You can set the rejectUnauthorized value in proxy request options prior to sending. See proxyReqOptDecorator for more details.

app.use('/', proxy('internalhost.example.com', {
  proxyReqOptDecorator: function(proxyReqOpts, originalReq) {
    proxyReqOpts.rejectUnauthorized = false
    return proxyReqOpts;
  }
}))


ronag commented

  proxy.web(req, res, {
    hostname: 'localhost',
    port: 9000,
    onReq: (req, options) => http.request(options)
  }, defaultWebHandler)

>   proxy.web(req, res, {
>     hostname: 'localhost',
>     port: 9000,
>     onReq: (req, options) => http.request(options)
>   }, defaultWebHandler)

Such use will make the novice very confused. Novices can’t find how to set options to support servers that use self-signed certificates.

ronag commented

> Such use will make the novice very confused. Novices can’t find how to set options to support servers that use self-signed certificates.

Sure, PR is welcome.
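
Added example, not code from this thread or from http2-proxy: one way to use the `onReq` hook shown above to trust a self-signed upstream by passing its certificate as `ca` while leaving verification on, instead of setting `rejectUnauthorized: false`. `upstreamRequestOptions`, `trustedOnReq`, `ALLOWED_TLS_KEYS` and the `internal.example` name are hypothetical, and the PEM string is a constructed placeholder.

```javascript
const https = require('https');

// TLS settings a caller may supply to trust a private or self-signed upstream.
const ALLOWED_TLS_KEYS = ['ca', 'cert', 'key', 'servername'];

// Merge the proxy's request options with the caller's TLS settings.
// Verification stays on: anything that would switch it off is refused.
function upstreamRequestOptions(proxyOptions, tls) {
  for (const key of Object.keys(tls)) {
    if (!ALLOWED_TLS_KEYS.includes(key)) {
      throw new Error(`TLS option "${key}" is not accepted here`);
    }
  }
  const ca = [].concat(tls.ca || []);
  if (ca.length === 0) {
    throw new Error('"ca" must hold the upstream certificate or its issuing CA');
  }
  // Spread order matters: rejectUnauthorized is written last so neither
  // input can override it.
  return { ...proxyOptions, ...tls, ca, rejectUnauthorized: true };
}

// Returns a handler with the (req, options) shape of the onReq hook shown above.
function trustedOnReq(tls) {
  return (req, options) => https.request(upstreamRequestOptions(options, tls));
}

// Constructed placeholder; in real use: fs.readFileSync('server-cert.pem').
const SAMPLE_CA = '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n';

// servername sets the name the certificate is checked against, which covers
// the "cert isn't for localhost" case without a no-op checkServerIdentity.
const sampleOptions = upstreamRequestOptions(
  { hostname: 'localhost', port: 9000, protocol: 'https:' },
  { ca: SAMPLE_CA, servername: 'internal.example' }
);
```

Passing `onReq: trustedOnReq({ ca: fs.readFileSync('server-cert.pem') })` in the `proxy.web` options is the intended use.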