medic / cht-core

The CHT Core Framework makes it faster to build responsive, offline-first digital health apps that equip health workers to provide better care in their communities. It is a central resource of the Community Health Toolkit.
https://communityhealthtoolkit.org
GNU Affero General Public License v3.0

Add SNI details for use in e2e HTTPS environment with TLS termination external to server (eg, kubernetes pod) #8591

Closed fardarter closed 6 months ago

fardarter commented 1 year ago

When proxying to HTTPS from HTTP (for example where an ingress does TLS termination), not including a 'servername' for a request to the HTTPS server (eg, def.org) produces the following error (where abc.com is the calling server):

'ERR_TLS_CERT_ALTNAME_INVALID'
"RequestError: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames:
Host: abc.com. is not in the cert's altnames: DNS:def.org"
The addition of servername as an option passed to the HTTP agent resolves this error.

See docs for tls.connect(options[, callback]) (https://nodejs.org/api/tls.html): "Server name for the SNI (Server Name Indication) TLS extension. It is the name of the host being connected to, and must be a host name, and not an IP address."

This pull request represents the current state of the work: https://github.com/medic/cht-core/pull/8579

As of writing, I need to figure out why the e2e tests are failing.

Note: Have not changed the use of request-promise-native outside of calls to Couch.

For us this resolves the breakdown between node and haproxy. The Azure equivalent of ELB which medic uses is not an option for termination for a few reasons:

garethbowen commented 6 months ago

The cht-core change is merged. Needs documentation before closing this issue.

garethbowen commented 6 months ago

Feature and documentation merged.

garethbowen commented 6 months ago

Thanks again @fardarter !