0

I am trying to get a Node https server accessed through a node proxy.

I bought certificates and got a standalone https server working fine. Initially there were some hiccups because of multiple certs in one file but this post helped:

 http://stackoverflow.com/questions/16224064/running-ssl-node-js-server-with-godaddy-gd-bundle-crt.

Earlier I had all connections going through a node-based reverse proxy, nodejitsu's http-proxy module, which effectively proxied http -> http.

Now, as expected, after getting the target server changed to https, the proxy does not work as it is basically:

 client -> http-proxy(public IP) -> https connection(local IP)

which is effectively the man-in-the-middle scenario which is what https seeks to eliminate.

Additionally, I got the following error from the https server:

 Error: Hostname/IP doesn't match certificate's altnames

The certificates are just fine because https works well without the proxy in the middle. From reading some of the posts, I realized that the following should work:

 client -> https-proxy (Public IP) -> http connection (local IP)

Where the actual local server is running http and the public https. This is based on the explanation in http-proxy documentation:

 https://github.com/nodejitsu/node-http-proxy

and in this post:

 https://nadeesha.silvrback.com/creating-a-https-proxy-in-node-js

In the http-proxy module documentation, there appears to be an explanation for a client -> https (proxy on public IP) -> https (proxy on local IP). If so, what certs do I need to set up on the target https server?

Before I try any of these possibilities, I would like to know: What are standard best-practices to handle this requirement and how to implement it/them under node. I do not want to introduce Nginx or Apache just for handling this. Am I totally off-track here?

Sunny
  • Not enough data on what the requirements actually are. Why would you want to have https between your front-end proxy and back-end server? There are some valid reasons for doing this (two different public servers for example where the back-end can be reached over the public network), but it's not clear in your post what your setup is. – ETL Sep 20 '15 at 13:46

1 Answer

1

client -> https-proxy (Public IP) -> http connection (local IP)

This is a perfectly valid installation, provided that https-proxy (Public IP) -> http connection (local IP) is over a secure network - i.e. your backend server isn't exposed to a public network.

client -> https-proxy (Public IP) -> httpS connection (local IP)

This is unnecessary if you are within a private network and just "overworks" your back-end server and front-end proxy by having to do encryption/decryption steps. However, it may be required in some scenarios and also, modern computers don't choke as much doing encryption/decryption as they used to. But again, whether you're going to feel it or not depends on the volume of traffic.

ETL
  • The docs in node-proxy got me wondering about https->https proxying. I do not have the back-end server accessible through another public network/server. My proxy has two interfaces. One has multiple public IP addresses and domain DNS A records of a larger set of domains pointing to them. The other interface is for local servers to which the requests are targeted. I am also thinking of port DNATing using Iptables so that the proxy itself is not running on 80 or 443. I will wait for a day to see what other opinions come in before marking your answer as accepted. Certainly helpful. – Sunny Sep 20 '15 at 14:14
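
For the https -> https case raised in the question, the altnames error comes from the proxy dialing the backend by its local IP while the certificate only names the public domain. The following is an added example, not code from either poster or from http-proxy: it uses Node's built-in `tls.checkServerIdentity` to show the mismatch and two ways to keep verification enabled. The certificate objects, `www.example.com`, `10.0.0.5`, port 8443 and the helper names are constructed for illustration.

```javascript
'use strict';
const tls = require('tls');

// Constructed stand-ins for parsed peer certificates (not real certs).
const PUBLIC_NAME_CERT = {          // CA-issued cert for the public domain
  subject: { CN: 'www.example.com' },
  subjectaltname: 'DNS:www.example.com, DNS:example.com',
};
const INTERNAL_IP_CERT = {          // cert from a private CA with an IP SAN
  subject: { CN: 'backend' },
  subjectaltname: 'IP Address:10.0.0.5',
};

// Run Node's own identity check; return 'ok' or the error code.
function verify(host, cert) {
  const err = tls.checkServerIdentity(host, cert);
  return err ? err.code : 'ok';
}

// Options for the proxy's outbound https.request()/tls.connect():
// dial the private IP, but verify the certificate against certName.
function backendTlsOptions(localIp, port, certName) {
  return {
    host: localIp,
    port,
    servername: certName,           // SNI must be a hostname, not an IP
    rejectUnauthorized: true,       // keep chain validation on
    checkServerIdentity: (_dialedHost, cert) =>
      tls.checkServerIdentity(certName, cert),
  };
}

function demo() {
  const opts = backendTlsOptions('10.0.0.5', 8443, 'www.example.com');
  return {
    // Proxy dials the IP, cert names only the domain: the reported error.
    dialIpWithPublicCert: verify('10.0.0.5', PUBLIC_NAME_CERT),
    // Same connection, identity checked against the expected name.
    pinnedName: opts.checkServerIdentity('10.0.0.5', PUBLIC_NAME_CERT)
      ? 'rejected' : 'ok',
    // Alternative: backend cert that lists the local IP as a SAN.
    dialIpWithIpSanCert: verify('10.0.0.5', INTERNAL_IP_CERT),
  };
}

console.log(demo());
```

If the backend uses a certificate from a private CA, that CA's certificate also has to be passed in the `ca` option so chain validation succeeds.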