简体繁体 English

在NodeJS中创建可以处理多个安全域的反向代理

[英]Create a Reverse Proxy in NodeJS that can handle multiple secure domains

原文 2014-04-06 02:47:48 2 6 node.js/ ssl/ proxy/ reverse-proxy

I'm trying to create a reverse proxy in NodeJS. 我正在尝试在NodeJS中创建反向代理。 But I keep running the issue that in that I can only serve one one set of cert/key pair on the same port(443), even though I want to serve multiple domains. 但是我一直在运行这个问题，因为我只能在同一个端口（443）上提供一组证书/密钥对，即使我想服务多个域。 I have done the research and keep running into teh same road block: 我已完成研究并继续遇到同样的路障：

A node script that can serve multiple domains secure domain from non-secure local source (http local accessed and served https public) 可以从非安全本地源（http本地访问和服务的https public）为多个域安全域提供服务的节点脚本
Let me dynamically server SSL certificates via domain header 让我通过域头动态地为SSL证书服务
Example: 例：
- https ://www.someplace.com:443 will pull from http ://thisipaddress:8000 and use the cert and key files for www.someplace.com https：//www.someplace.com:443将从http：// thisipaddress：8000中提取并使用www.someplace.com的证书和密钥文件
- https ://www.anotherplace.com:443 will pull from http ://thisipaddress:8080 and use the cert and key files for www.anotherplace.com https://www.anotherplace.com:443将从http：// thisipaddress：8080中提取并使用www.anotherplace.com的证书和密钥文件
- ect. 等。
I have looked at using NodeJS's https.createServer(options, [requestListener]) 我看过使用NodeJS的https.createServer（options，[requestListener]）
- But this method supports just one cert/key pair per port 但是这种方法每个端口只支持一个证书/密钥对
- I can't find a way to dynamically switch certs based on domain header 我找不到基于域头动态切换证书的方法
- I can't ask my people to use custom https ports 我不能要求我的员工使用自定义https端口
- And I'll run into browse SSL certificate error if I serve the same SSL certificate for multiple domain names, even if it is secure 如果我为多个域名提供相同的SSL证书，即使它是安全的，我也会遇到浏览SSL证书错误
I looked at node-http-proxy but as far as I can see it has the same limitations 我查看了node-http-proxy，但据我所知它有相同的限制
I looked into Apache mod-proxy and nginx but I would rather have something I have more direct control of 我查看了Apache mod-proxy和nginx，但我宁愿拥有一些我可以更直接控制的东西

If anyone can show me an example of serving multiple secure domains each with their own certificate from the same port number (443) using NodeJS and either https.createServer or node-http-proxy I would be indebted to you. 如果有人能够向我展示一个服务多个安全域的示例，每个安全域都使用自己的证书来自相同的端口号（443），使用NodeJS和https.createServer或node-http-proxy，我将感激不尽。

6 个解决方案

Redbird actually does this very gracefully and not too hard to configure either. Redbird实际上非常优雅，也不太难配置。

https://github.com/OptimalBits/redbird https://github.com/OptimalBits/redbird

Let me dynamically server SSL certificates via domain header 让我通过域头动态地为SSL证书服务

There is no domain header so I guess you mean the Host header in the HTTP request. 没有域头，所以我猜你的意思是HTTP请求中的Host头。 But, this will not work because 但是，这不起作用，因为

HTTPS is HTTP encapsulated inside SSL HTTPS是在SSL内部封装的HTTP
therefore you first have to do your SSL layer (eg SSL handshake, which requires the certificates), then comes the HTTP layer 因此，您首先必须执行SSL层（例如SSL握手，需要证书），然后是HTTP层
but the Host header is inside the HTTP layer :( 但主机头是在HTTP层内:(

In former times you would need to have a single IP address for each SSL certificate. 以前，您需要为每个SSL证书提供一个IP地址。 Current browsers do support SNI (server name indication), which sends the expected target host already inside the SSL layer. 当前的浏览器确实支持SNI（服务器名称指示），它发送已经在SSL层内的预期目标主机。 It looks like node.js does support this, look for SNICallback . 看起来node.js支持这一点，寻找SNICallback 。 But, beware that there are still enough libraries out there, which either don't support SNI on the client side at all or where one needs to use it explicitly. 但是，要注意那里仍然有足够的库，要么根本不支持客户端的SNI，要么显然需要使用它。 But, as long you only want to support browsers this should be ok. 但是，只要您只想支持浏览器，这应该没问题。

Bouncy is a good library to do this and has an example of what you are needing. Bouncy是一个很好的图书馆，并且有一个你需要的例子。

As Steffen Ullrich says it will depend on the browser support for it 正如Steffen Ullrich所说，它将取决于浏览器对它的支持

Here is the solution you might be looking at, I found it very useful for my implementation though you will need to do huge customization to handle domains 这是您可能正在查看的解决方案，我发现它对我的实现非常有用，但您需要进行大量自定义来处理域

node-http-rev proxy: https://github.com/nodejitsu/node-http-proxy node-http-rev代理： https ： //github.com/nodejitsu/node-http-proxy

如何在不同的端口上创建SSL服务器，并使用node-http-proxy作为443上的服务器来根据域中继请求。

You stated you don't want to use nginx for that, and I don't understand why. 你声明你不想使用nginx，我不明白为什么。 You can just setup multiple locations for your nginx. 您可以为nginx设置多个位置。 Have each of them listen to different hostnames and all on port 443. Give all of them a proxypass to your nodejs server. 让他们每个人都在端口443上监听不同的主机名和所有主机名。将所有这些主机名都传递给您的nodejs服务器。 To my understanding, that serves all of your requirements and is state of the art. 根据我的理解，这符合您的所有要求，并且是最先进的。