search

chimurai / http-proxy-middleware

:zap: The one-liner node.js http-proxy middleware for connect, express, next.js and more
MIT License
10.8k stars 853 forks source link

http-proxy-middleware + express + node.js - unable to redirect to end-point with client side certificate authentication enabled #388

Open neerajshah179 opened 4 years ago

neerajshah179 commented 4 years ago

I am using the http-proxy-middleware (https://www.npmjs.com/package/http-proxy-middleware) to implement a proxy to another REST API that has client-side certificate based authentication enabled (requestCert: true, rejectUnauthorized: true).

Client calls to the Proxy API ( https://localhost:3000/auth ) where http-proxy-middleware is configured and is supposed to proxy it to another REST API ( https://localhost:3002/auth ) that has client-side certificate based authentication enabled (requestCert: true, rejectUnauthorized: true).

I don't want any specific authentication to happen at the proxy. When I invoke the proxy with a path that will route to this target end-point with client-side certs based authentication, it is failing with error message:

Error received in proxy server:

[HPM] Rewriting path from "/auth" to ""
[HPM] GET /auth ~> https://localhost:3002/auth

RAW REQUEST from the target {
  "host": "localhost:3000",
  "connection": "close"
}
redirecting to auth
[HPM] Error occurred while trying to proxy request  from localhost:3000 to https://localhost:3002/auth (EPROTO) (https://nodejs.org/api/errors.html#errors_common_system_errors)

Error received in client side:

Proxy error: Error: write EPROTO 28628:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1536:SSL alert number 40

I don't need the proxy to validate/act on client-side certs coming with the incoming request in any way (I have set secure: false for this), but rather just forward it to the target end point. We are seeing the the certs received from the client are not being passed/proxied/forwarded to the target end-point and hence cert based auth fails on the target end-point.

The client request when sent to the target end-point directly is working, but NOT when sent via http-proxy-middleware proxy.

My test server, client code is given below for reference.

Is there some way to configure the http-proxy-middleware so that it forwards/proxies the client-side certs received from the client to the target end-point so that the client-side certs sent by the client are available for cert based validation on the target REST end-point?

Could you please guide me on how to do this with http-proxy-middleware package or any other suitable way? Thanks in advance.

Steps to reproduce

Server code

// Certificate based HTTPS Server

var authOptions = {
    key: fs.readFileSync('./certs/server-key.pem'),
    cert: fs.readFileSync('./certs/server-crt.pem'),
    ca: fs.readFileSync('./certs/ca-crt.pem'),
    requestCert: true,
    rejectUnauthorized: true
};  

var authApp = express();
authApp.get('/auth', function (req, res) {
    res.send("data from auth");
});

var authServer = https.createServer(authOptions, authApp);
authServer.listen(3002);

// HTTP Proxy Middleware

var authProxyConfig = proxy({
    target: 'https://localhost:3002/auth',
    pathRewrite: {
        '^/auth': '' // rewrite path
    },
    changeOrigin: true,
    logLevel: 'debug',
    secure: false,
    onProxyReq: (proxyReq, req, res) => {
        // Incoming request ( req ) : Not able to see the certificate that was passed by client.
        // Refer the following client code for the same
    },
    onError: (err, req, res) => {
         res.end(`Proxy error: ${err}.`);
    }
});

proxyApp.use('/auth', authProxyConfig);

var unAuthOptions = {
    key: fs.readFileSync('./certs/server-key.pem'),
    cert: fs.readFileSync('./certs/server-crt.pem'),
    ca: fs.readFileSync('./certs/ca-crt.pem'),
    requestCert: false,
    rejectUnauthorized: false
};

var proxyServer = https.createServer(unAuthOptions, proxyApp);
proxyServer.listen(3000);

Client Code

var fs = require('fs');
var https = require('https');

process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var options = {
    hostname: 'localhost',
    port: 3000,
    path: '/auth',
    method: 'GET',
    key: fs.readFileSync('./certs/client1-key.pem'),
    cert: fs.readFileSync('./certs/client1-crt.pem'),
    ca: fs.readFileSync('./certs/ca-crt.pem')
};

var req = https.request(options, function (res) {
    res.on('data', function (data) {
        process.stdout.write(data);
    });
});
req.end();

Expected behavior

Is there some way to configure the http-proxy-middleware so that it forwards/proxies the client-side certs received from the client to the target end-point so that the client-side certs sent by the client are available for cert based validation on the target REST end-point?

Could you please guide me on how to do this with http-proxy-middleware package or any other suitable way? Thanks in advance.

Actual behavior

I don't need the proxy to validate/act on client-side certs coming with the incoming request in any way (I have set secure: false for this), but rather just forward it to the target end point. We are seeing the the certs received from the client are not being passed/proxied/forwarded to the target end-point and hence cert based auth fails on the target end-point.

The client request when sent to the target end-point directly is working, but NOT when sent via http-proxy-middleware proxy.

Setup

julianeden commented 4 years ago

I also have this problem

jinliming2 commented 4 years ago

I've got the same problem, but I found a solution that not documented: Library http-proxy required target to be a string, but actually, you can pass an object to it. It does check it if target is a string, and transform it using url.parse: https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/index.js#L63-L66 finally, some properties on target will be passed to https.request. https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/common.js#L33-L40

So, we can just pass a parsed URL to the target, including necessary options:

target: {
  protocol: 'https:',  // this is required
  host: 'test.example.com',
  hostname: 'test.example.com',  // this.is optional
  path: '/',
  cert: fs.readFileSync('/path/to/cert.pem', 'utf8'),
  key: fs.readFileSync('/path/to/key.pem', 'utf8'),
}

This works for me to configure proxy of webpack-dev-server.