virtkick/http-master

Info request: SNI

Closed this issue · 14 comments

I'm attempting to use http-master to proxy SSL with SNI, but I'm having trouble getting it configured. I've read the info from #48, and have what I believe is a usable configuration, but receive:

[3] Error while starting entry port 443 : Error: Missing PFX or certificate + private key.
...
[2] Entry port 443 is unusable

My config.yml:


---
watchConfig: true
logging: true
ports:
  80:
    proxy:
      'my.host.server': 172.17.0.162:80
  443:
    proxy:
      'my.host.server': 172.17.0.162:443
      "*": "127.0.0.1:4443"
    ssl:
      certDir: "/etc/http-master/certificates"
      primaryDomain: "my.host.server"

Any help you can provide is appreciated!

@clcollins Thanks for trying out http-master. That could indicate our auto-configurator wasn't able to do the job. Can you please try the old way, as described in #48 (comment)?

And to isolate the problem, can you first try to get non-SNI working, and then proceed to adding SNI? Thanks.

Rush commented

Also what node version are you using? Some versions had a problem with compiling dependencies required for automatic certificate scanner to work.

Rush commented

To further debug the issue, you can call upon bin/cert-scan program in your node_modules/http-master. Run this program with your certificate directory and it will report what http-master is seeing.

Thanks @Nowaker! Http-master looks like it has a ton of promise, especially for a large project I'm working on.

Regarding your questions:

Nodejs version from Ubuntu 14.04 repo

root@3764239a5d28:/# nodejs --version
v0.10.32

Results of cert-scan

root@3764239a5d28:/# /usr/lib/node_modules/http-master/bin/cert-scan /etc/http-master/certificates/
{}

Contents of /etc/http-master/certificates/

I originally tried a crt and key file, and then attempted the pem file just to see if it would work. All are readable by root. Http-master is started by root.

root@3764239a5d28:/# ls -l /etc/http-master/certificates/
total 16
-rw-rw-r-- 1 root 1000 1452 Oct 14 13:31 my.host.server.crt
-r-------- 1 root 1000 1679 Oct 14 13:31 my.host.server.key
-rw-rw-r-- 1 root 1000 4583 Oct 14 13:54 my.host.server.pem

(Other requests cont. below, for readability)

Try without SNI using the old method

Http-master reloads with no errors using this config:

---
watchConfig: true
logging: true
ports:
  80:
    proxy:
      'my.host.server': 172.17.0.162:80
  443:
    proxy:
      'my.host.server': 172.17.0.162:443
      "*": "127.0.0.1:4443"
    ssl:
      key: "/etc/http-master/certificates/my.host.server.key"
      cert: "/etc/http-master/certificates/my.host.server.crt"

When I try to navigate to it in a browser, the browser spins. Http-master writes to its logs:

[4] Get session data EMTPfrbIo4QZiZj0MfRfN06LtcnNamJ20F2gxjzsI0M=
[4] Got session data 
[2] Get session data EMTPfrbIo4QZiZj0MfRfN06LtcnNamJ20F2gxjzsI0M=
[2] Got session data 

And the host server writes to its Apache logs:

[14/Oct/2014:16:31:03 +0100] 172.17.0.163 - - "GET /" 456

I have not seen a 456 status code before, and I don't see much info about it on Google. This appears to be terminating SSL at http-master (which makes sense). If I change the 443 proxy to use port 80 on the backend, the page loads, but any included http resources are broken (yay proxy fun!).

Try Old Way With SNI

Http-master reloads fine again using this config below (proxy SSL to backend on port 80), but has the same broken included http resources. This makes sense.

---
watchConfig: true
logging: true
ports:
  80:
    proxy:
      'my.host.server': 172.17.0.162:80
  443:
    proxy:
      'my.host.server': 172.17.0.162:80
      "*": "127.0.0.1:4443"
    ssl:
      key: "/etc/http-master/certificates/my.other.server.key"
      cert: "/etc/http-master/certificates/my.other.server.crt"
      SNI:
        'my.host.server':
          key: "/etc/http-master/certificates/my.host.server.key"
          cert: "/etc/http-master/certificates/my.host.server.crt"

Changing the SSL to proxy to the backend on 443 results in the spinning browser and the error:

[14/Oct/2014:16:42:11 +0100] 172.17.0.163 - - "GET /" 456

Is this terminating SSL at http-master with this setup? Is this the intended behavior? Would it be possible to read the host header provided by SNI, and just pass the request back to the backend still encrypted?

Otherwise, passing back to port 80 on the backend would be OK, but I'm guessing some X-Forwarded-Proto https header is either not being set, or not being read. I don't have quite as much experience with that side of things. Any suggestions?

Thanks again for all your help!
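For anyone reading the SNI question above: the server name is the one piece of routing information a client sends before any key exchange, as a cleartext extension in the TLS ClientHello, so a passthrough proxy would have to parse it from the raw bytes before handing the socket to the TLS stack. The following is an added example, not http-master code: `buildClientHello` constructs a minimal ClientHello carrying a server_name extension (the hostname, cipher suite and random are made up), and `parseSni` extracts the name with bounds checks so that truncated or non-handshake input yields `null` instead of a crash.

```javascript
// Added example: read the server_name (SNI) from a raw TLS ClientHello.
// Not part of http-master; the ClientHello bytes are constructed below.

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Build a minimal TLS 1.2 ClientHello with one server_name extension.
function buildClientHello(hostname) {
  const name = Buffer.from(hostname, 'ascii');
  // server_name body: list_len(2) name_type(1)=host_name name_len(2) name
  const sniBody = Buffer.concat([u16(name.length + 3), Buffer.from([0x00]), u16(name.length), name]);
  const ext = Buffer.concat([u16(0x0000), u16(sniBody.length), sniBody]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // client_version TLS 1.2
    Buffer.alloc(32, 0x41),             // random (constant for the example)
    Buffer.from([0x00]),                // session_id length 0
    u16(2), Buffer.from([0x13, 0x01]),  // one cipher suite
    Buffer.from([0x01, 0x00]),          // one compression method: null
    u16(ext.length), ext,               // extensions block
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Return the SNI hostname, or null if the record is not a well-formed
// ClientHello that carries one. Every read is bounds-checked.
function parseSni(buf) {
  let pos = 0;
  const need = (n) => { if (pos + n > buf.length) throw new RangeError('truncated'); };
  try {
    need(5);
    if (buf[0] !== 0x16) return null;                 // not a handshake record
    const recLen = buf.readUInt16BE(3);
    pos = 5;
    need(recLen);
    const end = pos + recLen;
    need(4);
    if (buf[pos] !== 0x01) return null;               // not a ClientHello
    const hsLen = buf.readUIntBE(pos + 1, 3);
    pos += 4;
    if (pos + hsLen > end) return null;
    pos += 2 + 32;                                    // client_version + random
    need(1);
    pos += 1 + buf[pos];                              // session_id
    need(2);
    pos += 2 + buf.readUInt16BE(pos);                 // cipher_suites
    need(1);
    pos += 1 + buf[pos];                              // compression_methods
    if (pos === end) return null;                     // no extensions at all
    need(2);
    const extEnd = pos + 2 + buf.readUInt16BE(pos);
    pos += 2;
    if (extEnd > end) return null;
    while (pos + 4 <= extEnd) {
      const type = buf.readUInt16BE(pos);
      const len = buf.readUInt16BE(pos + 2);
      pos += 4;
      if (pos + len > extEnd) return null;
      if (type === 0x0000) {                          // server_name
        if (len < 5) return null;
        const nameType = buf[pos + 2];
        const nameLen = buf.readUInt16BE(pos + 3);
        if (nameType !== 0x00 || 5 + nameLen > len) return null;
        return buf.toString('ascii', pos + 5, pos + 5 + nameLen);
      }
      pos += len;                                     // skip other extensions
    }
    return null;
  } catch (e) {
    if (e instanceof RangeError) return null;         // truncated input
    throw e;
  }
}

const hello = buildClientHello('my.host.server');
console.log(parseSni(hello));                   // my.host.server
console.log(parseSni(hello.subarray(0, 20)));   // null (truncated)
```

A proxy that routes on this value should treat `null` as "no route" and also keep the bytes it peeked, since they must be forwarded unchanged to whichever backend completes the handshake.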

Rush commented

I have not seen such status code either. It is not intended behavior. Can you try the below changes?

443:
    proxy:
      'my.host.server': "https://172.17.0.162:443"
      "*": "https://127.0.0.1:4443"

Please note that proxying to an HTTPS server is not very good performance-wise. I would use such a setup only for testing because you are paying the encryption cost three times.

  • Encrypting at destination server
  • Decrypting at proxy
  • Encrypting at proxy to the client

Rush commented

Passing SSL stream after SNI seems like a clever idea but most likely it wouldn't work due to the encryption state of the underlying openssl library.

Rush commented

In a few days we will try to polish the new branch for 0.8.0 version and it will allow adding arbitrary headers.

Rush commented

If you can, you could also try running with node 0.11.14. :) It's quite a good release.

nvm install 0.11
nvm use 0.11

Adding "https://172.17.0.162:443" results in no request seen by the host server, but http-master writes into its logs:

[4] Get session data MNQrnY9Xv/wMmiXNlQs/t/EhSOk+jur1ueLJUMwE4pI=
[4] Got session data 

I'm not sure a session was ever started though. Certainly the webserver on the backend hasn't seen one.

Passing SSL stream after SNI seems like a clever idea but most likely it wouldn't work due to the encryption state of the underlying openssl library.

Noted, thanks!

In a few days we will try to polish the new branch for 0.8.0 version and it will allow adding arbitrary headers.

Cool, that sounds very useful!

I'll try the newer node version this afternoon, too. Thanks @RushPL!

Just an update - the same behavior with the v0.11 version of node.

Thanks!

Rush commented

Released http-master 1.0, please see README for Add header https://github.com/CodeCharmLtd/http-master#addheader

Rush commented

@clcollins: actually Apache should be getting the x-forwarded-for headers by default, so when you disable SSL on your Apache and require the x-forwarded-for https header it should basically work.
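The "broken included http resources" problem earlier in the thread is the backend generating links with the scheme of the socket it sees (plain HTTP from the proxy) rather than the scheme the client used. The following is an added example, not http-master or Apache code, showing how a Node backend can rebuild the client-facing scheme from `X-Forwarded-Proto` while trusting the header only when the TCP peer is the proxy itself; otherwise any client on the network could claim `https` and bypass HTTPS-only logic. The proxy address `172.17.0.163` is taken from the Apache log line quoted above, and the request objects, `TRUSTED_PROXIES`, `effectiveScheme` and `originalUrl` are constructed for this example.

```javascript
// Added example (not http-master or Apache code): a backend behind a
// TLS-terminating proxy reconstructs the client-facing scheme from
// X-Forwarded-Proto, but only when the request really came from the proxy.

// Assumption: the proxy reaches the backend from this address (the source
// address shown in the thread's Apache log line).
const TRUSTED_PROXIES = new Set(['172.17.0.163']);

// req is a minimal stand-in for http.IncomingMessage: headers are lower-cased
// as Node delivers them, remoteAddress is the TCP peer, encrypted says
// whether the backend's own socket was TLS.
function effectiveScheme(req) {
  const fromProxy = TRUSTED_PROXIES.has(req.remoteAddress);
  const forwarded = req.headers['x-forwarded-proto'];
  if (fromProxy && typeof forwarded === 'string') {
    // Several hops may append values; the first one is the client-facing hop.
    const first = forwarded.split(',')[0].trim().toLowerCase();
    if (first === 'https' || first === 'http') return first;
  }
  // Header absent, malformed, or sent by an untrusted peer: fall back to what
  // this socket actually is, so a client cannot forge its way to "https".
  return req.encrypted ? 'https' : 'http';
}

// Absolute URL as the client requested it, so redirects and asset links
// come out as https:// when the proxy terminated TLS.
function originalUrl(req) {
  const host = req.headers['host'] || 'localhost';
  return `${effectiveScheme(req)}://${host}${req.url}`;
}

// Constructed sample requests.
const viaProxy = {
  remoteAddress: '172.17.0.163',
  encrypted: false,
  url: '/',
  headers: { host: 'my.host.server', 'x-forwarded-proto': 'https' },
};
const spoofed = {
  remoteAddress: '203.0.113.9',   // documentation address, not the proxy
  encrypted: false,
  url: '/admin',
  headers: { host: 'my.host.server', 'x-forwarded-proto': 'https' },
};

console.log(originalUrl(viaProxy));  // https://my.host.server/
console.log(originalUrl(spoofed));   // http://my.host.server/admin
```

The same rule applies to Apache's `X-Forwarded-For`: only the hop that actually terminated the client connection should be believed about what the client sent, which is why the trusted-proxy check sits in front of any use of the header.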