3

I currently have a HTTPS web server listening on port 443 on my host machine.

My goal is to set up another HTTPS web server on the same host machine, change ports on both web servers, and then set up a proxy server using node-http-proxy listening on port 443 instead. The proxy server then delegates requests based on custom logic to the servers on other ports.

Below is the proxy server I adapted from one I successfully use when proxying plain HTTP requests on port 80. However, when I try to run this code the browser displays the message 'Secure Proxy Server unable to handle your request at this time.' and console logs '[Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE]' It does make it to the point where it tries to proxy the request to the server listening on a different port.

var sugar = require('sugar')
var url = require('url')
var https = require('https')
var httpProxy = require('http-proxy')
var fs = require('fs')

//configure proxy
var ssl proxy = httpProxy.createProxyServer({
  ssl: {
    key: fs.readFileSync('/cert/server.key', 'utf-8'),
    cert: fs.readFileSync('/cert/mydomain.crt', 'utf-8')
  }
})
sslproxy.on(
  'error',
  function(err, req, res) {
    console.log(err)
    res.end('Secure Proxy Server unable to handle your request at this time.')
  }
)

//configure and start server that uses proxy
var credentials = {
  key: fs.readFileSync('/cert/server.key','utf-8'),
  cert: fs.readFileSync('/cert/mydomain.crt', 'utf-8')
}
var sslserver = https.createServer(
  credentials,
  function(req, res) {
    console.log("Received request on secure proxy server")
    var target = url.parse(req.url)
    if(target.pathname.startsWith('/version1')) {
      console.log("Forwarding request to port 444")
      sslproxy.web(req, res, {target: 'https://localhost:444'})
    } else {
      console.log("Forwarding request to 445")
      sslproxy.web(req, res, {target: 'https://localhost:445'})
    }
  }
)
sslserver.listen(443)

Couple thoughts:

  1. I tried using node-ssl-root-cas as indicated in the answer to another question, but nothing appeared to change. My SSL certificate is from Network Solutions.
  2. The targets for my proxy are localhost:444 and localhost:445 because those ports are not open externally and cannot be. Not sure if the localhost in the host name is affecting the https proxy.
Community
  • 1
  • 1
Ryan Jarvis
  • 375
  • 3
  • 13

1 Answers1

1

Try this: process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0';

And look at this:

// AUTHENTICATION MODES
//
// There are several levels of authentication that TLS/SSL supports.
// Read more about this in "man SSL_set_verify".
//
// 1. The server sends a certificate to the client but does not request a
// cert from the client. This is common for most HTTPS servers. The browser
// can verify the identity of the server, but the server does not know who
// the client is. Authenticating the client is usually done over HTTP using
// login boxes and cookies and stuff.
//
// 2. The server sends a cert to the client and requests that the client
// also send it a cert. The client knows who the server is and the server is
// requesting the client also identify themselves. There are several
// outcomes:
//
//   A) verifyError returns null meaning the client's certificate is signed
//   by one of the server's CAs. The server know's the client idenity now
//   and the client is authorized.
//
//   B) For some reason the client's certificate is not acceptable -
//   verifyError returns a string indicating the problem. The server can
//   either (i) reject the client or (ii) allow the client to connect as an
//   unauthorized connection.
//
// The mode is controlled by two boolean variables.
//
// requestCert
//   If true the server requests a certificate from client connections. For
//   the common HTTPS case, users will want this to be false, which is what
//   it defaults to.
//
// rejectUnauthorized
//   If true clients whose certificates are invalid for any reason will not
//   be allowed to make connections. If false, they will simply be marked as
//   unauthorized but secure communication will continue. By default this is
//   false.
//

Both, solution and additional infos, are from here: Node.js HTTPS 400 Error - 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'

Community
  • 1
  • 1
Yannick Gottschalk
  • 93
  • 9
  • I figured out the answer, I was using ipaddress and the server was rejecting it, when I used localhost it worked. I added virtual host for ipaddress and it worked great..One thing not sure is how to send cert if sef-signed – madhured Oct 28 '14 at 19:28