http代理中间件&x2B;express+;node.js-无法重定向到启用客户端证书身份验证的端点
我正在使用http代理中间件()实现另一个RESTAPI的代理,该RESTAPI启用了客户端基于证书的身份验证(requestCert:true,rejectUnauthorized:true) 客户端调用代理API(),其中配置了http代理中间件,并应将其代理给另一个启用了客户端基于证书的身份验证的REST API()(requestCert:true,rejectUnauthorized:true) 我不希望在代理上发生任何特定的身份验证。当我使用基于客户端证书的身份验证路由到此目标端点的路径调用代理时,代理失败,并显示错误消息: 代理服务器中收到错误:http代理中间件&x2B;express+;node.js-无法重定向到启用客户端证书身份验证的端点,node.js,ssl,x509,client-certificates,http-proxy-middleware,Node.js,Ssl,X509,Client Certificates,Http Proxy Middleware,我正在使用http代理中间件()实现另一个RESTAPI的代理,该RESTAPI启用了客户端基于证书的身份验证(requestCert:true,rejectUnauthorized:true) 客户端调用代理API(),其中配置了http代理中间件,并应将其代理给另一个启用了客户端基于证书的身份验证的REST API()(requestCert:true,rejectUnauthorized:true) 我不希望在代理上发生任何特定的身份验证。当我使用基于客户端证书的身份验证路由到此目标端点的
[HPM] Rewriting path from "/auth" to ""
[HPM] GET /auth ~> https://localhost:3002/auth
RAW REQUEST from the target {
"host": "localhost:3000",
"connection": "close"
}
redirecting to auth
[HPM] Error occurred while trying to proxy request from localhost:3000 to https://localhost:3002/auth (EPROTO) (https://nodejs.org/api/errors.html#errors_common_system_errors)
Proxy error: Error: write EPROTO 28628:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1536:SSL alert number 40
客户端收到错误:
[HPM] Rewriting path from "/auth" to ""
[HPM] GET /auth ~> https://localhost:3002/auth
RAW REQUEST from the target {
"host": "localhost:3000",
"connection": "close"
}
redirecting to auth
[HPM] Error occurred while trying to proxy request from localhost:3000 to https://localhost:3002/auth (EPROTO) (https://nodejs.org/api/errors.html#errors_common_system_errors)
Proxy error: Error: write EPROTO 28628:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1536:SSL alert number 40
我不需要代理以任何方式对传入请求附带的客户端证书进行验证/操作(我为此设置了secure:false),而是将其转发到目标端点。我们看到,从客户端接收到的证书没有被传递/代理/转发到目标端点,因此基于证书的身份验证在目标端点失败
当直接发送到目标端点时,客户端请求正在工作,但当通过http代理中间件代理发送时,客户端请求不工作
我的测试服务器、客户端代码如下所示,以供参考
是否有某种方法可以配置http代理中间件,以便它将从客户端接收的客户端证书转发/代理到目标端点,以便客户端发送的客户端证书可用于目标REST端点上基于证书的验证
请您指导我如何使用http代理中间件包或任何其他合适的方法来实现这一点好吗?提前谢谢
服务器代码
// Certificate based HTTPS Server
var authOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: true,
rejectUnauthorized: true
};
var authApp = express();
authApp.get('/auth', function (req, res) {
res.send("data from auth");
});
var authServer = https.createServer(authOptions, authApp);
authServer.listen(3002);
// HTTP Proxy Middleware
var authProxyConfig = proxy({
target: 'https://localhost:3002/auth',
pathRewrite: {
'^/auth': '' // rewrite path
},
changeOrigin: true,
logLevel: 'debug',
secure: false,
onProxyReq: (proxyReq, req, res) => {
// Incoming request ( req ) : Not able to see the certificate that was passed by client.
// Refer the following client code for the same
},
onError: (err, req, res) => {
res.end(`Proxy error: ${err}.`);
}
});
proxyApp.use('/auth', authProxyConfig);
var unAuthOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: false,
rejectUnauthorized: false
};
var proxyServer = https.createServer(unAuthOptions, proxyApp);
proxyServer.listen(3000);
var fs = require('fs');
var https = require('https');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var options = {
hostname: 'localhost',
port: 3000,
path: '/auth',
method: 'GET',
key: fs.readFileSync('./certs/client1-key.pem'),
cert: fs.readFileSync('./certs/client1-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem')
};
var req = https.request(options, function (res) {
res.on('data', function (data) {
process.stdout.write(data);
});
});
req.end();
客户端代码
// Certificate based HTTPS Server
var authOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: true,
rejectUnauthorized: true
};
var authApp = express();
authApp.get('/auth', function (req, res) {
res.send("data from auth");
});
var authServer = https.createServer(authOptions, authApp);
authServer.listen(3002);
// HTTP Proxy Middleware
var authProxyConfig = proxy({
target: 'https://localhost:3002/auth',
pathRewrite: {
'^/auth': '' // rewrite path
},
changeOrigin: true,
logLevel: 'debug',
secure: false,
onProxyReq: (proxyReq, req, res) => {
// Incoming request ( req ) : Not able to see the certificate that was passed by client.
// Refer the following client code for the same
},
onError: (err, req, res) => {
res.end(`Proxy error: ${err}.`);
}
});
proxyApp.use('/auth', authProxyConfig);
var unAuthOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: false,
rejectUnauthorized: false
};
var proxyServer = https.createServer(unAuthOptions, proxyApp);
proxyServer.listen(3000);
var fs = require('fs');
var https = require('https');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var options = {
hostname: 'localhost',
port: 3000,
path: '/auth',
method: 'GET',
key: fs.readFileSync('./certs/client1-key.pem'),
cert: fs.readFileSync('./certs/client1-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem')
};
var req = https.request(options, function (res) {
res.on('data', function (data) {
process.stdout.write(data);
});
});
req.end();
您明确地说,
//传入请求(req):无法看到客户端传递的证书。
,因此您可能已经查看了getPeerCertificate
,并发现连接已关闭
也就是说,在onProxyReq
处理程序中,您可以尝试使用getPeerCertificate
方法()从req
向proxyReq
添加证书
这显示了如何获取并转换为有效证书
const parseReqCert = (req) => {
const { socket } = req;
const prefix = '-----BEGIN CERTIFICATE-----';
const postfix = '-----END CERTIFICATE-----';
const pemText = socket.getPeerCertificate(true).raw.toString('base64').match(/.{0,64}/g);
return [prefix, pemText, postfix].join("\n");
}
const addClientCert = (proxyReq, req) => {
proxyReq.cert = parseReqCert(req);
return proxyReq;
}
const authProxyConfig = proxy({
...
onProxyReq: (proxyReq, req, res) => {
addClientCert(proxyReq, req);
},
...
})
您是否尝试通过httpagent从客户端传递证书?这有用吗?谢谢分享提示。是的,我已尝试通过HTTP代理传递证书,但它不起作用,客户端收到与发布的错误相同的错误。@Neeraj您是否找到解决问题的方法?我也遇到了同样的问题。子孙后代请注意:我在没有时间独立验证它是否有效的情况下,就将赏金授予了这个答案。到那时,我已经不再讨论这个问题了。但nrako付出了努力,答案似乎是信息性的,所以因为他是唯一一个这样做的人,所以默认情况下,赏金归他所有。