
Looking for a Linux HTTP-listening app which would relay incoming requests as-is to a remote HTTPS server and relay the (decrypted) responses back.

Basically we have a blackbox HTTPS VM for which access is lost and whose certs have expired. While devs are working on implementing a replacement (by end-of-year) we need our numerous other apps to keep talking to it. It would take significant time to re-code those apps to allow ignoring expired certs, but it would be easy to reconfigure those apps to talk to another (HTTP) URL, which would do the talking-to-expired-HTTPS behind the scenes.


Examples:

Cert expired:

$ curl https://blackbox:3333/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
curl: (60) Peer's Certificate has expired.
...

Ignoring the cert works for curl:

$ curl -k https://blackbox:3333/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
{"request_id":"b6e832", "backdoor.token.encryption.password":"****", "oauth.keys":"****|****",
...

Need something HTTP-listening on localhost:80 and talking to https://blackbox:3333 behind the scenes:

$ curl http://localhost:80/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
{"request_id":"b6e832", "backdoor.token.encryption.password":"****", "oauth.keys":"****|****",
...

I'm told nginx should be capable of doing this, but I found no examples for easily setting this up while ignoring the expired certs (and it feels like nginx requires hefty background knowledge of its configuration before you even start).


Update:

My question is about an HTTP -> expired-cert-HTTPS relay.

@GeraldSchneider,

  • there are topics solving the opposite relaying (HTTPS -> HTTP):

How can I forward requests from my web server?

  • there are topics solving similar relaying (HTTP -> valid-cert-HTTPS):

https://stackoverflow.com/questions/8017508/solutions-to-convert-http-traffic-to-https-proxy-relay

If any of those mentioned how to configure apacheHttpd/nginx/etc. to ignore expired/invalid/self-signed certificates, that would be the answer I was looking for.

Vlad
  • @GeraldSchneider - nope, I had seen this one and many other HTTPS->HTTP examples (opposite of what I'm asking). Some of those could be easily reworked into HTTP->HTTPS but I found none capable of ignoring the expired cert yet :( – Vlad Feb 01 '23 at 09:15
  • Every server capable of acting as a reverse proxy has options to disable ssl verification to the backend. – Gerald Schneider Feb 01 '23 at 09:17
  • Apart from that, requests for software or services are off topic. – Gerald Schneider Feb 01 '23 at 09:20
  • @GeraldSchneider - "has options" is good to know, and if someone actually finds one working example - that would answer my question :) The where-to-publish guide suggested serverFault is the preferred choice for my question, if it guided me wrong - could you share a better guide so I could choose better in the future? – Vlad Feb 01 '23 at 09:58
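One working example of the nginx configuration the question asks for, added here as an illustration (it is not from the question, the comments or the answer). nginx does not verify the upstream certificate unless proxy_ssl_verify is switched on, so the expired cert on blackbox:3333 (the upstream name taken from the question) is accepted; because that hop is then unauthenticated, the listener is bound to 127.0.0.1 so only local apps can reach the relay.

```nginx
server {
    # Only local apps may use the relay: the hop to blackbox is not authenticated.
    listen 127.0.0.1:80;

    location / {
        # Forward every request path as-is to the expired-cert HTTPS upstream.
        proxy_pass https://blackbox:3333;
        # "off" is already the default; stated explicitly so the intent is visible in review.
        proxy_ssl_verify off;
        # Send SNI so a name-based upstream presents the expected certificate.
        proxy_ssl_server_name on;
        # Upstream sees its own name, as it would from a direct client.
        proxy_set_header Host blackbox:3333;
        # Client headers such as X-Vault-Token pass through unchanged (default behaviour).
        proxy_pass_request_headers on;
        # Hand 3xx Location headers back unchanged instead of rewriting them.
        proxy_redirect off;
        proxy_http_version 1.1;
    }
}
```

The server block belongs inside the http context (for example as a file under /etc/nginx/conf.d/); check it with `nginx -t` before reloading, then repeat the `curl http://localhost:80/...` request from the question.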

1 Answer

In the meantime I wrote a sample HTTP->HTTPS relay using java spring-boot, but it lacks completeness (not handling "circular" redirects, only GET method, lots of manual fiddling with headers/retCodes/queryStrings/closables/streams/buffers, likely having some bugs in the code, etc). It might work for our short-term needs, but I would prefer a standard/robust/easier HTTP->HTTPS relay-tool instead (if any exists).

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.io.IOUtils;
import org.apache.http.Header;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicHeader;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class Controller {
    // Upstream the relay talks to; every incoming GET is forwarded there unchanged.
    private static final String HOST = "blackbox:3333";

    @GetMapping("/**")
    void relay(HttpServletRequest servletReq, HttpServletResponse servletResp) {
        // TrustAllStrategy + NoopHostnameVerifier accept the expired cert (and any other cert),
        // so the relay itself must only be reachable by trusted clients.
        try (CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLContext(new SSLContextBuilder().loadTrustMaterial(null, TrustAllStrategy.INSTANCE).build())
                .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                .build()) {
            // Only append "?" when the client actually sent a query string (avoids "?null").
            String query = servletReq.getQueryString() == null ? "" : "?" + servletReq.getQueryString();
            HttpGet httpReq = new HttpGet("https://" + HOST + servletReq.getRequestURI() + query);
            Enumeration<String> he = servletReq.getHeaderNames();
            if (null != he)
                while (he.hasMoreElements()) {
                    String n = he.nextElement();
                    // Header names are case-insensitive; rewrite Host to the upstream name.
                    String v = "host".equalsIgnoreCase(n) ? HOST : servletReq.getHeader(n);
                    httpReq.setHeader(new BasicHeader(n, v));
                }
            try (CloseableHttpResponse httpResp = httpClient.execute(httpReq)) {
                servletResp.setStatus(httpResp.getStatusLine().getStatusCode());
                for (Header h : httpResp.getAllHeaders()) {
                    // Transfer-Encoding is hop-by-hop; the servlet container chooses its own framing.
                    if ("transfer-encoding".equalsIgnoreCase(h.getName())) continue;
                    servletResp.addHeader(h.getName(), h.getValue());
                }
                // Responses such as 204/304 carry no entity.
                if (httpResp.getEntity() != null) {
                    IOUtils.copy(httpResp.getEntity().getContent(), servletResp.getOutputStream());
                }
                servletResp.flushBuffer();
            }
        } catch (Throwable t) {
            t.printStackTrace();
        }
    }
}
Vlad