Last active
January 23, 2022 12:39
-
-
Save toolness/10485006 to your computer and use it in GitHub Desktop.
HTTPS proxy server with SNI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var fs = require('fs'); | |
var crypto = require('crypto'); | |
var http = require('http'); | |
var https = require('https'); | |
var async = require('async'); | |
var httpProxy = require('http-proxy'); | |
var _ = require('underscore'); | |
var UID = 1000; | |
var PASSPHRASE = process.env.PASSPHRASE || null; | |
var PROXIES = require('./proxies.json'); | |
var DEFAULT_HOSTNAME = Object.keys(PROXIES)[0]; | |
var credentials = {}; | |
function securityOptions(hostname) { | |
var basePath = __dirname + '/certs/' + hostname; | |
var options = { | |
key: fs.readFileSync(basePath + '/key.pem'), | |
cert: fs.readFileSync(basePath + '/cert.pem'), | |
passphrase: PASSPHRASE | |
}; | |
var caPath = basePath + '/ca.pem'; | |
if (fs.existsSync(caPath)) | |
options.ca = [fs.readFileSync(caPath)]; | |
return options; | |
} | |
Object.keys(PROXIES).forEach(function(hostname) { | |
console.log('loading credentials for ' + hostname); | |
credentials[hostname] = crypto.createCredentials(securityOptions(hostname)); | |
}); | |
var proxy = httpProxy.createProxy(); | |
console.log('loading credentials for default hostname ' + DEFAULT_HOSTNAME); | |
var server = https.createServer(_.extend(securityOptions(DEFAULT_HOSTNAME), { | |
SNICallback: function(servername) { | |
if (!(servername in credentials)) | |
servername = DEFAULT_HOSTNAME; | |
return credentials[servername].context; | |
} | |
}), function(req, res) { | |
var host = req.headers['host']; | |
if (!(host in PROXIES)) | |
host = DEFAULT_HOSTNAME; | |
return proxy.web(req, res, {target: PROXIES[host]}, function(e) { | |
try { | |
res.writeHead(502, {'Content-Type': 'text/plain'}); | |
res.end('Error proxying request.'); | |
} catch (e) { | |
res.end(); | |
} | |
}); | |
}); | |
var redirectServer = http.createServer(function(req, res) { | |
res.writeHead(301, { | |
'Location': 'https://' + req.headers['host'] + req.url | |
}); | |
res.end(); | |
}); | |
async.parallel([ | |
server.listen.bind(server, 443), | |
redirectServer.listen.bind(redirectServer, 80) | |
], function(err) { | |
if (err) throw err; | |
process.setuid(UID); | |
console.log('listening on ports 80 and 443 as uid ' + UID); | |
}); |
Note that this should be used with at least node v0.10.21, or else the proxy may close connections before sending all data.
(node:20745) [DEP0010] DeprecationWarning: crypto.createCredentials is deprecated. Use tls.createSecureContext instead.
events.js:183
throw er; // Unhandled 'error' event
^
Error: listen EACCES 0.0.0.0:443
at Object._errnoException (util.js:1022:11)
at _exceptionWithHostPort (util.js:1044:20)
at Server.setupListenHandle [as _listen2] (net.js:1350:19)
at listenInCluster (net.js:1408:12)
at Server.listen (net.js:1492:7)
at /usr/lib/nodejs/async.js:570:21
at /usr/lib/nodejs/async.js:249:17
at /usr/lib/nodejs/async.js:125:13
at Array.forEach ()
at _each (/usr/lib/nodejs/async.js:46:24)
~/proxy $ node -v
v8.11.1
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This uses http-proxy with Node's built-in support for Server Name Identification to make it easy to serve HTTPS on custom domains without using Heroku's relatively expensive ($20/month) SSL Add-on. It also sets up a HTTP server on port 80 that redirects all traffic to HTTPS.
You'll still need to use
heroku domain:add
(or the management website) to tell Heroku that you're serving your site from a custom domain.To map custom domains:
proxies.json
in the same directory as this script. It should be a mapping from domain names to HTTPS URL proxy targets, e.g.{"foo.com": "https://foo.herokuapp.com"}
.certs/domain name/key.pem
- The private key for the server.certs/domain name/cert.pem
- The certificate for the server.certs/domain name/ca.pem
- The intermediate CA certificate (optional).You'll also need to run this script as root, so it can bind to ports 443 and 80. Modify the
UID
variable in this script to change the User ID that the server switches to once it starts up.If your certs/keys have passphrases, you will be prompted for them. If they all have the same passphrase, you can alternatively set the
PASSPHRASE
environment variable to its value.