Add support for using SSL client certificates when making target HTTP requests. #9
Comments
|
An early Pull Request is ready for testing here: #11. |
|
These changes have been pushed to [email protected]. @srinandan has been testing it out and will report issues here. To install: |
|
installed this and am working with it now. attempting to hit a node service running on another machine on the network, getting the following error response. {"message":"write EPROTO","code":"EPROTO","errno":"EPROTO","syscall":"write"}. I can send you my configuration file if you'd like but I'm wondering if this has to do with using a self signed certificate or not? |
|
I think it might be something else. Self-signed certs should work. You should set the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0 if you're using self-signed certs. Please do send us the configuration file. |
|
@zcmack It definitely seems TLS related. I just had a thrilling read through this very long thread: nodejs/node#3692 |
|
Usually I get this (misleading) error from EMG when it unsuccessfully tries to directly reach an SSL site while it should use a proxy... |
|
so i created a different express service on my local machine and secured via https. loaded in my certs and am now receiving {"message":"self signed certificate","code":"DEPTH_ZERO_SELF_SIGNED_CERT"} i included |
|
Please set environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0 |
|
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; is the first line in my On Wed, Sep 21, 2016 at 4:52 PM, Srinandan Sridhar <[email protected]
|
|
Try setting it as an environment variable (outside of node.js). |
|
tried it as an environmental var with no luck. i added rejectUnauthorized=false to my config file and my service and specified the ca in both places as well. My error message changed to
Any other ideas? |
|
ok so i was able to get this working by setting the environment variable on the EMG rather than the server, my bad. I am curious how we can configure this to use bi-directional SSL. How can I configure a truststore on the EMG? |
|
@zcmack You can point to a file for the CA. targets:
- host: 'example.com'
ssl:
client:
key: '/location/of/key'
cert: '/location/of/cert'
ca: '/location/of/ca' |
|
@zcmack It might be worth keeping an eye on this Node PR, as well: "crypto: use system CAs instead of bundled ones" (nodejs/node#8334). It hasn't been merged yet. |
When i tried to configure 1 way ssl, i encountered this error. {"message":"self signed certificate","code":"DEPTH_ZERO_SELF_SIGNED_CERT"} below is my configuration edgemicro:
Hope you have an idea on this error. |
|
@gealogojoemarg You should make sure your edge_config:
...some configs...
targets:
- ssl:
client:
ca: '/path/to/your/self/signed/certificate.pem'
edgemicro:
request_timeout: 7
port: 8888 #or 8080 #NOTE: never use one of these ports for your backends!!!
max_connections: 1000
max_connections_hard: 5000
config_change_poll_interval: 600 #seconds
... others configs...If you write it under and maybe the documents should be updated, it confused me several hours: https://docs.apigee.com/api-platform/microgateway/2.5.x/operation-and-configuration-reference-edge-microgateway#usingclientssltlsoptions |
|
@dawncold Thanks for the post. I spent some time on the same issue but didn't get a chance to request the doc update. I have just filed the ticket. |
This should be a fairly straightforward change. We'll have to add configuration options for key and cert files per host. Then we can update the HTTP agent to use these based on the hostname for the backend request.
The text was updated successfully, but these errors were encountered: