chimurai
http-proxy-middleware + express + node.js - unable to redirect to end-point with client side certificate authentication enabled
I am using the http-proxy-middleware (https://www.npmjs.com/package/http-proxy-middleware) to implement a proxy to another REST API that has client-side certificate based authentication enabled (requestCert: true, rejectUnauthorized: true).
Client calls to the Proxy API ( https://localhost:3000/auth ) where http-proxy-middleware is configured and is supposed to proxy it to another REST API ( https://localhost:3002/auth ) that has client-side certificate based authentication enabled (requestCert: true, rejectUnauthorized: true).
I don't want any specific authentication to happen at the proxy. When I invoke the proxy with a path that will route to this target end-point with client-side certs based authentication, it is failing with error message:
Error received in proxy server:
[HPM] Rewriting path from "/auth" to ""
[HPM] GET /auth ~> https://localhost:3002/auth
RAW REQUEST from the target {
"host": "localhost:3000",
"connection": "close"
}
redirecting to auth
[HPM] Error occurred while trying to proxy request from localhost:3000 to https://localhost:3002/auth (EPROTO) (https://nodejs.org/api/errors.html#errors_common_system_errors)
Error received in client side:
Proxy error: Error: write EPROTO 28628:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1536:SSL alert number 40
I don't need the proxy to validate/act on client-side certs coming with the incoming request in any way (I have set secure: false for this), but rather just forward it to the target end point. We are seeing the the certs received from the client are not being passed/proxied/forwarded to the target end-point and hence cert based auth fails on the target end-point.
The client request when sent to the target end-point directly is working, but NOT when sent via http-proxy-middleware proxy.
My test server, client code is given below for reference.
Is there some way to configure the http-proxy-middleware so that it forwards/proxies the client-side certs received from the client to the target end-point so that the client-side certs sent by the client are available for cert based validation on the target REST end-point?
Could you please guide me on how to do this with http-proxy-middleware package or any other suitable way? Thanks in advance.
Steps to reproduce
Server code
// Certificate based HTTPS Server
var authOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: true,
rejectUnauthorized: true
};
var authApp = express();
authApp.get('/auth', function (req, res) {
res.send("data from auth");
});
var authServer = https.createServer(authOptions, authApp);
authServer.listen(3002);
// HTTP Proxy Middleware
var authProxyConfig = proxy({
target: 'https://localhost:3002/auth',
pathRewrite: {
'^/auth': '' // rewrite path
},
changeOrigin: true,
logLevel: 'debug',
secure: false,
onProxyReq: (proxyReq, req, res) => {
// Incoming request ( req ) : Not able to see the certificate that was passed by client.
// Refer the following client code for the same
},
onError: (err, req, res) => {
res.end(`Proxy error: ${err}.`);
}
});
proxyApp.use('/auth', authProxyConfig);
var unAuthOptions = {
key: fs.readFileSync('./certs/server-key.pem'),
cert: fs.readFileSync('./certs/server-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem'),
requestCert: false,
rejectUnauthorized: false
};
var proxyServer = https.createServer(unAuthOptions, proxyApp);
proxyServer.listen(3000);
Client Code
var fs = require('fs');
var https = require('https');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
var options = {
hostname: 'localhost',
port: 3000,
path: '/auth',
method: 'GET',
key: fs.readFileSync('./certs/client1-key.pem'),
cert: fs.readFileSync('./certs/client1-crt.pem'),
ca: fs.readFileSync('./certs/ca-crt.pem')
};
var req = https.request(options, function (res) {
res.on('data', function (data) {
process.stdout.write(data);
});
});
req.end();
Expected behavior
Is there some way to configure the http-proxy-middleware so that it forwards/proxies the client-side certs received from the client to the target end-point so that the client-side certs sent by the client are available for cert based validation on the target REST end-point?
Could you please guide me on how to do this with http-proxy-middleware package or any other suitable way? Thanks in advance.
Actual behavior
I don't need the proxy to validate/act on client-side certs coming with the incoming request in any way (I have set secure: false for this), but rather just forward it to the target end point. We are seeing the the certs received from the client are not being passed/proxied/forwarded to the target end-point and hence cert based auth fails on the target end-point.
The client request when sent to the target end-point directly is working, but NOT when sent via http-proxy-middleware proxy.
Setup
- http-proxy-middleware: 0.20.0
- express: 4.16.4
- node.js: 10.16.0
- OS: windows 10 x64
I've got the same problem, but I found a solution that not documented:
Library http-proxy required target to be a string, but actually, you can pass an object to it. It does check it if target is a string, and transform it using url.parse:
https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/index.js#L63-L66
finally, some properties on target will be passed to https.request.
https://github.com/http-party/node-http-proxy/blob/master/lib/http-proxy/common.js#L33-L40
So, we can just pass a parsed URL to the target, including necessary options:
target: {
protocol: 'https:', // this is required
host: 'test.example.com',
hostname: 'test.example.com', // this.is optional
path: '/',
cert: fs.readFileSync('/path/to/cert.pem', 'utf8'),
key: fs.readFileSync('/path/to/key.pem', 'utf8'),
}
This works for me to configure proxy of webpack-dev-server.
