
How to create a TLS tunnel in Node.js

I'm trying to tunnel traffic received by my node.js server to a TLS connection. I have some code like this:

var tls = require('tls');
var net = require('net');

function tunnel() {
  // one upstream TLS connection, opened before any client arrives
  var c = tls.connect(443, 'myhost', {rejectUnauthorized: false});

  var server = net.createServer(function (socket) {
    // this listener is the part that never runs (see the answer below)
    socket.addListener("connect", function () {
      console.log("Connection from " + socket.remoteAddress);
      //sync the file descriptors, so that the socket data structures are the same
      c.fd = socket.fd;
      //pipe the incoming data from the client directly onto the server
      c.pipe(socket);
      //and the response from the server back to the client
      socket.pipe(c);
    });

    socket.addListener("data", function (data) {
      console.log("Data received from client");
    });

    socket.addListener("close", function () {
      server.close();
    });
  });

  server.listen(7000);
}

When I run it and test it, I see this in my terminal:

$ curl --insecure https://myhost:443
hello world

$ curl --insecure https://localhost:7000
# nothing... just hangs

In the server console, I see Data received from client, but never the connect callback.

Am I on the right track?

Sockets passed to a server's connection event handler (the callback you pass to createServer()) are already connected, so there will never be a connect event (that is for client sockets created with net.connect() / tls.connect()).

Here is what a proxy would look like that only accepts one connection:

var net = require('net');
var tls = require('tls');

var server = net.createServer(function(socket) {
  server.close(); // Stop listening for additional connections
  var upstream = tls.connect(443, 'myhost', {rejectUnauthorized: false});
  // client bytes go to the upstream, the upstream's reply comes back
  socket.pipe(upstream).pipe(socket);
});
server.listen(7000);

I should also point out that using rejectUnauthorized: false is not secure. If you are using that because the upstream server is using a self-signed certificate, then you should instead set the ca option to the self-signed CA. This will allow certificates signed by the CA and prevent MITM attacks.
