ncr / rack-proxy

A request/response rewriting HTTP proxy. A Rack app.
MIT License

SSL Verify Mode #16

Closed ghost closed 11 years ago

ghost commented 11 years ago

Thanks for the great library. In our test environment we have our test API server using SSL but with a certificate that doesn't pass the OpenSSL verification and kills the proxy request with an OpenSSL 'certificate verify failed' error (which kills our pages).

For early QA, we shouldn't need to invest in an official cert, but should still be able to test making requests over SSL (especially with JavaScript XHR and such). Perhaps have a flag to disable cert verification in QA?

Our workaround has been to add the following code after line 60 of http_streaming_response.rb:

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

This is not a good solution and the verify mode should never be hardcoded to this -- especially in production. Can there be a flag added to optionally support this? For example, it might look something like this in the proxy setup:

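class APIServers < Rack::Proxy
  def rewrite_env(env)
    # Proposed per-request flag: skip certificate verification (QA only)
    env['rack.ssl_verify_none'] = true
    # ...
    env # rewrite_env must return the env hash
  end
  # ...
end
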
ncr commented 11 years ago

Hi Jeremy, any chance you can prepare a pull request? I would merge it right away.

ghost commented 11 years ago

Great to hear. I haven't had a chance to actually build the solution but when I do, I'll let you know. Thanks.

ncr commented 11 years ago

Closing this, until the PR materializes :)

pvdb commented 11 years ago

@ncr wrote:

Closing this, until the PR materializes :)

The PR will materialize in the next half-hour or so... we had the same issue/requirement, and have implemented the above suggestion; I'm just updating the README file with an example, and the PR will be submitted! :smile:

ncr commented 11 years ago

Great! I'll merge it after I return from RuPy :)

pvdb commented 11 years ago

@jngillick / @ncr - note that in our pull request (#28) we have implemented the env-based mechanism that @jngillick suggested, but have also implemented a way to do it via the initializer of the Rack::Proxy instance, that way you only have to do it once (instead of having to set it in the env of each and every Rack request that goes through the proxy) ... this has the additional benefit that you don't have to subclass Rack::Proxy, as illustrated in the Readme file... cheers!

ghost commented 11 years ago

This is great news! Thank you!
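
The opening post asks for an opt-out flag and warns that `VERIFY_NONE` should never be hardcoded, especially in production. The sketch below is an added example, not code from this thread or from rack-proxy: it keeps `VERIFY_PEER` as the default, refuses the opt-out in production, and goes one step beyond the thread by showing how a QA certificate can be trusted explicitly so verification stays on. `BackendTLS`, its option names, the `RACK_ENV` check and the host names are assumptions made for the illustration.

```ruby
require 'net/http'
require 'openssl'
require 'tempfile'

# Added illustration: BackendTLS and its option names are hypothetical,
# not rack-proxy's API.
module BackendTLS
  class InsecureConfig < StandardError; end

  # Verification stays on by default. :ssl_verify_none (the opt-out proposed
  # in the issue) is refused when app_env is 'production' (assumed RACK_ENV).
  def self.build(host, port, opts = {}, app_env = ENV.fetch('RACK_ENV', 'production'))
    http = Net::HTTP.new(host, port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    if opts[:ca_file]
      # Alternative for QA: keep verifying, trust only the test server's cert.
      store = OpenSSL::X509::Store.new
      store.add_file(opts[:ca_file])
      http.cert_store = store
    elsif opts[:ssl_verify_none]
      raise InsecureConfig, "ssl_verify_none refused in #{app_env}" if app_env == 'production'
      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    end
    http
  end

  # Constructed sample: throwaway self-signed cert standing in for the QA server's.
  def self.sample_cert(cn)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
  end
end

qa_cert = BackendTLS.sample_cert('qa-api.example.test')
Tempfile.create(['qa-ca', '.pem']) do |f|
  f.write(qa_cert.to_pem)
  f.flush
  http = BackendTLS.build('qa-api.example.test', 443, ca_file: f.path)
  puts "QA cert trusted: #{http.cert_store.verify(qa_cert)}"
  puts "unrelated cert trusted: #{http.cert_store.verify(BackendTLS.sample_cert('other.example.test'))}"
end
```

No connection is opened here; `Net::HTTP.new` only configures the client, so the script runs offline.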