How to create a TLS tunnel in Node.js

I'm trying to tunnel traffic received by my node.js server to a TLS connection. I have some code like this:
```javascript
var tls = require('tls');
var net = require('net');

function tunnel() {
    var c = tls.connect(443, 'myhost', {rejectUnauthorized: false});
    var server = net.createServer(function (socket) {
        socket.addListener("connect", function () {
            console.log("Connection from " + socket.remoteAddress);
            //sync the file descriptors, so that the socket data structures are the same
            c.fd = socket.fd;
            //pipe the incoming data from the client directly onto the server
            c.pipe(socket);
            //and the response from the server back to the client
            socket.pipe(c);
        });
        socket.addListener("data", function (data) {
            console.log("Data received from client");
        });
        socket.addListener("close", function () {
            server.close();
        });
    });
    server.listen(7000);
}
```
When I run it and test it, I see this in my terminal:

```
$ curl --insecure https://myhost:443
hello world
$ curl --insecure https://localhost:7000
# nothing... just hangs
```

In the server console, I see `Data received from client`, but never the `connect` callback.

Am I on the right track?
Sockets passed to a server's `connection` event handler (the callback you pass to `createServer()`) are already connected, so there will never be a `connect` event (that is for client sockets created with `net.connect()` / `tls.connect()`).

Here is what a proxy would look like that only accepts one connection:
```javascript
var net = require('net');
var tls = require('tls');

var server = net.createServer(function(socket) {
    server.close(); // Stop listening for additional connections
    var upstream = tls.connect(443, 'myhost', {rejectUnauthorized: false});
    socket.pipe(upstream).pipe(socket);
});
server.listen(7000);
```
I should also point out that using `rejectUnauthorized: false` is not secure. If you are using that because the upstream server is using a self-signed certificate, then you should instead set the `ca` option to the self-signed CA. This will allow certificates signed by the CA and prevent MITM attacks.