#538 skip rev-proxy for ssl config endpoints

senzing-garage · Apr 10, 2024 · 625f3c2 · 625f3c2
1 parent 53de52a
commit 625f3c2
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 39 deletions.
diff --git a/run/health/index.js b/run/health/index.js
@@ -41,6 +41,8 @@ class HealthCheckerUtility extends EventEmitter {
                 protocol = url_parts[0];
             }
         }
+        console.log('---------------------------- checkIfWebServerAlive: url: '+reqUrl);
+        console.log('---------------------------- checkIfWebServerAlive: protocol: '+protocol);
         if(protocol === 'https') {
             // use ssl
             let req = https.get(reqUrl, (res => {

diff --git a/run/runtime.datastore.config.js b/run/runtime.datastore.config.js
@@ -529,6 +529,9 @@ function getWebServerOptionsFromInput() {
     if(env.SENZING_WEB_SERVER_BASIC_AUTH_JSON) {
       retOpts.authBasicJson       = env.SENZING_WEB_SERVER_BASIC_AUTH_JSON;
     }
+    if(retOpts.url && !env.SENZING_WEB_SERVER_PROTOCOL) {
+      retOpts.protocol            = getProtocolFromUrl(retOpts.url); // set protocol from url
+    }
   }
 
   // now get cmdline options and override any defaults or ENV options
@@ -608,7 +611,7 @@ function getProxyServerOptionsFromInput() {
     ssoPathRewrite: "/sso",
     adminJwtPathRewrite: "/jwt/admin",
     adminSsoPathRewrite: "/sso/admin",
-    writeToFile: false,
+    writeToFile: false
   };
 
   // update defaults with ENV options(if present)
@@ -640,10 +643,28 @@ function getProxyServerOptionsFromInput() {
       retOpts.apiServerUrl = env.SENZING_API_SERVER_URL;
     }
     if(env.SENZING_WEB_SERVER_URL) {
-      retOpts.configPath = env.SENZING_WEB_SERVER_URL;
+      retOpts.configPath    = env.SENZING_WEB_SERVER_URL;
+      if(!env.SENZING_WEB_SERVER_PROTOCOL) {
+        retOpts.confServerProtocol  = getProtocolFromUrl(retOpts.configPath); // grab protocol from url
+      }
+      if(!env.SENZING_WEB_SERVER_ADMIN_AUTH_PATH) {
+        retOpts.adminAuthPath       = retOpts.configPath;
+      }
+      if(!env.SENZING_AUTH_SERVER_PROTOCOL) {
+        retOpts.authServerProtocol  = getProtocolFromUrl(retOpts.adminAuthPath); // grab protocol from url
+      }
     }
     if(env.SENZING_WEB_SERVER_INTERNAL_URL) {
       retOpts.configPath = env.SENZING_WEB_SERVER_INTERNAL_URL;
+      if(!env.SENZING_WEB_SERVER_PROTOCOL) {
+        retOpts.confServerProtocol  = getProtocolFromUrl(retOpts.configPath); // grab protocol from url
+      }
+      if(!env.SENZING_WEB_SERVER_ADMIN_AUTH_PATH) {
+        retOpts.adminAuthPath       = retOpts.configPath;
+      }
+      if(!env.SENZING_AUTH_SERVER_PROTOCOL) {
+        retOpts.authServerProtocol  = getProtocolFromUrl(retOpts.adminAuthPath); // grab protocol from url
+      }
     }
 
     if(retOpts.confServerProtocol && retOpts.configPath) {
@@ -861,7 +882,12 @@ function createProxyConfigFromInput() {
       }
     }
   });
-  retConfig = Object.assign(retConfig, mergeObj);
+  // if we are using SSL on our conf server we don't want to introduce
+  // a reverse proxy due to TLS needing to verify with the CA which 
+  // looks suspiciously like a MITM. just skip it to KISS
+  if(proxyOpts && proxyOpts.confServerProtocol !== 'https') {
+    retConfig = Object.assign(retConfig, mergeObj);
+  }
 
   if(env.SENZING_WEB_SERVER_ADMIN_AUTH_PATH) {
     retConfig = retConfig !== undefined ? retConfig : {};
@@ -916,7 +942,11 @@ function createProxyConfigFromInput() {
         }
       }
     });
-    retConfig = Object.assign(retConfig, mergeObj);
+    // if we are using SSL on our auth server we don't want to introduce
+    // a reverse proxy due to TLS needing to verify with the CA
+    if(proxyOpts && proxyOpts.authServerProtocol !== 'https') {
+      retConfig = Object.assign(retConfig, mergeObj);
+    }
   }
   // -------------------- start CMD LINE ARGS import -----------
     // now check our imported cmdline args
@@ -973,7 +1003,11 @@ function createProxyConfigFromInput() {
           }
         }
       });
-      retConfig = Object.assign(retConfig, mergeObj);
+      // if we are using SSL on our auth server we don't want to introduce
+      // a reverse proxy due to TLS needing to verify with the CA
+      if(proxyOpts && proxyOpts.authServerProtocol !== 'https') {
+        retConfig = Object.assign(retConfig, mergeObj);
+      }
     }
   // -------------------- end CMD LINE ARGS import -----------
 

diff --git a/run/webserver/index.js b/run/webserver/index.js
@@ -198,43 +198,54 @@ const authRes = (req, res, next) => {
 };
 
 // ----------------- start config endpoints -----------------
-  let _confBasePath = '';
+  let _confBaseRoot     = '';
+  let _confWildcardRoot = '*/conf';
+
   if(runtimeOptions.config && 
     runtimeOptions.config.web && 
     runtimeOptions.config.web.path && runtimeOptions.config.web.path !== '/') {
-      _confBasePath = runtimeOptions.config.web.path;
+      _confBaseRoot = runtimeOptions.config.web.path;
+  }
+  // add '/conf' to basepath
+  let _confBasePath = _confBaseRoot + '/conf';
+  // if we are using SSL we want to skip reverse proxy altogether
+  // otherwise we'll have to add CA to every rewrite rule and thats .. unpleasant.
+  if(serverOptions.ssl.enabled && proxyOptions.confServerProtocol === 'https') {
+    // switch from "/conf" to "/config"
+    _confBasePath     = _confBaseRoot+'/config'
+    _confWildcardRoot = '*/config';
   }
-  app.get(_confBasePath+'/conf/auth', (req, res, next) => {
+  app.get(_confBasePath+'/auth', (req, res, next) => {
     res.status(200).json( authOptions );
   });
-  app.get(_confBasePath+'/conf/auth/admin', (req, res, next) => {
+  app.get(_confBasePath+'/auth/admin', (req, res, next) => {
     res.status(200).json( authOptions.admin );
   });
-  app.get(_confBasePath+'/conf/auth/operator', (req, res, next) => {
+  app.get(_confBasePath+'/auth/operator', (req, res, next) => {
     res.status(200).json( authOptions.operator );
   });
-  app.get(_confBasePath+'/conf/console', (req, res, next) => {
+  app.get(_confBasePath+'/console', (req, res, next) => {
     res.status(200).json( consoleOptions );
   });
-  app.get(_confBasePath+'/conf/cors', (req, res, next) => {
+  app.get(_confBasePath+'/cors', (req, res, next) => {
       res.status(200).json( corsOptions );
   });
 
-  app.get(_confBasePath+'/conf/csp', (req, res, next) => {
+  app.get(_confBasePath+'/csp', (req, res, next) => {
       res.status(200).json( cspOptions );
   });
-  app.get(_confBasePath+'/conf/package', (req, res, next) => {
+  app.get(_confBasePath+'/package', (req, res, next) => {
     res.status(200).json( packageInfo );
   });
-  app.get(_confBasePath+'/conf/streams', (req, res, next) => {
+  app.get(_confBasePath+'/streams', (req, res, next) => {
       if(streamOptions && streamOptions !== undefined) {
         res.status(200).json( streamOptions );
       } else {
         console.log('stream config: ',streamOptions);
         res.status(503).json();
       }
   });
-  app.get(_confBasePath+'/health', (req, res, next) => {
+  app.get(_confBaseRoot+'/health', (req, res, next) => {
     let currentStatus = healthChecker.status;
     let retCode = 500;
     if(currentStatus && Object.values(currentStatus)){
@@ -243,30 +254,31 @@ const authRes = (req, res, next) => {
     }
     res.status(retCode).json( currentStatus );
   });
-  app.get(_confBasePath+'/status/proxy', (req, res, next) => {
+  app.get(_confBaseRoot+'/status/proxy', (req, res, next) => {
     res.status(200).json({});
   });
 
   // ----------------- wildcards -----------------
   // we need a wildcarded version due to 
   // queries from virtual directory hosted apps
   // and any number of SPA routes on top of that
-  app.get('*/conf/auth', (req, res, next) => {
+
+  app.get(_confWildcardRoot+'/auth', (req, res, next) => {
     res.status(200).json( authOptions );
   });
-  app.get('*/conf/console', (req, res, next) => {
+  app.get(_confWildcardRoot+'/console', (req, res, next) => {
     res.status(200).json( consoleOptions );
   });
-  app.get('*/conf/cors', (req, res, next) => {
+  app.get(_confWildcardRoot+'/cors', (req, res, next) => {
     res.status(200).json( corsOptions );
   });
-  app.get('*/conf/csp', (req, res, next) => {
+  app.get(_confWildcardRoot+'/csp', (req, res, next) => {
       res.status(200).json( cspOptions );
   });
-  app.get('*/conf/package', (req, res, next) => {
+  app.get(_confWildcardRoot+'/package', (req, res, next) => {
     res.status(200).json( packageInfo );
   });
-  app.get('*/conf/streams', (req, res, next) => {
+  app.get(_confWildcardRoot+'/streams', (req, res, next) => {
       if(streamOptions && streamOptions !== undefined) {
         res.status(200).json( streamOptions );
       } else {
@@ -290,12 +302,18 @@ const authRes = (req, res, next) => {
 // ----------------- end config endpoints -----------------
 
 if(authOptions && authOptions !== undefined) {
-  let _authBasePath = '';
+  let _authBasePath   = '';
+  let _authPathIsSSL  = false;
   if(runtimeOptions.config && 
     runtimeOptions.config.web && 
     runtimeOptions.config.web.path && runtimeOptions.config.web.path !== '/') {
       _authBasePath = runtimeOptions.config.web.path;
   }
+  // if we are using SSL we want to skip reverse proxy altogether
+  // otherwise we'll have to add CA to every rewrite rule and thats .. unpleasant.
+  if(serverOptions.ssl.enabled && proxyOptions.authServerProtocol === 'https') {
+    _authPathIsSSL     = true;
+  }
   if(authOptions.admin && authOptions.admin.mode === 'SSO' || authOptions.admin && authOptions.admin.mode === 'EXTERNAL') {
     const ssoResForceTrue = (req, res, next) => {
       res.status(200).json({
@@ -309,8 +327,8 @@ if(authOptions && authOptions !== undefined) {
     };
     // dunno if this should be a reverse proxy req or not
     // especially if the SSO uses cookies etc
-    app.get(_authBasePath+'/sso/admin/status', ssoResForceTrue);
-    app.get(_authBasePath+'/sso/admin/login', (req, res, next) => {
+    app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/sso/admin/status', ssoResForceTrue);
+    app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/sso/admin/login', (req, res, next) => {
       res.sendFile(path.resolve(path.join(__dirname,'../../', '/auth/sso-login.html')));
     });
     //STARTUP_MSG = STARTUP_MSG + '\n'+'';
@@ -347,24 +365,24 @@ if(authOptions && authOptions !== undefined) {
     app.get('/jwt/admin/login', jwtResForceTrue);
     */
 
-    app.post(_authBasePath+'/jwt/admin/status', auth.auth.bind(auth), jwtRes);
-    app.post(_authBasePath+'/jwt/admin/login', auth.login.bind(auth));
-    app.get(_authBasePath+'/jwt/admin/status', auth.auth.bind(auth), jwtRes);
-    app.get(_authBasePath+'/jwt/admin/login', auth.auth.bind(auth), jwtRes);
+    app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/admin/status', auth.auth.bind(auth), jwtRes);
+    app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/admin/login', auth.login.bind(auth));
+    app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/admin/status', auth.auth.bind(auth), jwtRes);
+    app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/admin/login', auth.auth.bind(auth), jwtRes);
 
     /** operator endpoints */
     if(authOptions.operator && authOptions.operator.mode === 'JWT') {
       // token auth for operators
-      app.post(_authBasePath+'/jwt/status', auth.auth.bind(adminAuth), jwtRes);
-      app.post(_authBasePath+'/jwt/login', auth.login.bind(adminAuth));
-      app.get(_authBasePath+'/jwt/status', auth.auth.bind(adminAuth), jwtRes);
-      app.get(_authBasePath+'/jwt/login', auth.auth.bind(adminAuth), jwtRes);
+      app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/status', auth.auth.bind(adminAuth), jwtRes);
+      app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/login', auth.login.bind(adminAuth));
+      app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/status', auth.auth.bind(adminAuth), jwtRes);
+      app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/login', auth.auth.bind(adminAuth), jwtRes);
     } else {
       // always return true for operators
-      app.post(_authBasePath+'/jwt/status', jwtResForceTrue);
-      app.post(_authBasePath+'/jwt/login', jwtResForceTrue);
-      app.get(_authBasePath+'/jwt/status', jwtResForceTrue);
-      app.get(_authBasePath+'/jwt/login', jwtResForceTrue);
+      app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/status', jwtResForceTrue);
+      app.post(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/login', jwtResForceTrue);
+      app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/status', jwtResForceTrue);
+      app.get(_authBasePath+(_authPathIsSSL ? '/auth' : '')+'/jwt/login', jwtResForceTrue);
     }
 
     STARTUP_MSG = STARTUP_MSG + '\n'+'';
@@ -487,7 +505,7 @@ if( serverOptions && serverOptions.ssl && serverOptions.ssl.enabled ){
     cert: fs.readFileSync(serverOptions.ssl.certPath)
   }
   ExpressSrvInstance = https.createServer(ssl_opts, app).listen(serverOptions.port)
-  STARTUP_MSG_POST = '\n'+'SSL Express Server started on port '+ serverOptions.port;
+  STARTUP_MSG_POST = '\n'+'SSL Express Server '+ serverOptions.url +' started on port '+ serverOptions.port;
   STARTUP_MSG_POST = STARTUP_MSG_POST +'\nSSL Opts: '+ JSON.stringify(serverOptions.ssl, undefined, 2)
   if(serverOptions.ssl && serverOptions.ssl.keyPath) {
     STARTUP_MSG_POST = STARTUP_MSG_POST + '\n'+'\t\t- KEY Path: '+ serverOptions.ssl.keyPath;