I use SSL mutual authentication for my client and server. Now I would like to add a Reverse Proxy. As far as I understand a Reverse Proxy can't forward a client certificate to the backend web-server. Can I work around this shortcoming? E.g. can my Reverse Proxy send client-information to my backend web-server in order to let my server know what certificate the client is using?
I use IIS 7.5.
Related
I am running IIS and Node in parallel on a Windows Server. Is it possible to allow IIS to intercept HTTPS requests, authenticate them using Windows Authentication (Negotiate/NTLM), then proxy the requests on to Node as HTTP requests with the username and security groups in the header for Node to process?
As far as I know, it is possible to use Windows authentication before proxying the request. Windows authentication authenticates people through the local Windows network. There is no proxy server or even a proxy server. The protocol does not authenticate HTTP sessions, but authenticates the underlying TCP connection.
IIS can also proxy the request to Node, as long as the request is rewritten using ARR and URL rewrite.
However, IIS itself cannot obtain the user name and security group information, and requires the help of ASP.NET applications.
We've got a setup, where SSL/HTTPS stuff is managed by Cloudflare.
What is the proper way to run Node.js HTTPS server in this case?
I've tried running it like this and it's working, but what are the downsides?
const express = require('express')
const https = require('https')

const app = express()
const httpsServer = https.createServer({}, app) // creating https server with an empty ssl certificate object
httpsServer.listen(443)
I've tried running it like this and it's working,
By this, I assume you're using Flexible mode?
When in Flexible mode, it gives you the illusion of security, but in actuality the client-server connection is only half-secured.
Cloudflare Universal SSL Certificate
              |
Client <----HTTPS-----> Cloudflare <------HTTP-----> Origin Server
Surely you've heard of MITM (man-in-the-middle) attacks or state-sponsored surveillance over an insecure channel (read: HTTP)? These are the downsides when your connection is not fully encrypted end-to-end.
For you to secure the connection end-to-end, you'll need to use Full/Full (Strict) mode, and for this to work you'll need to specify the certificate on the origin server. Opening port 443 and putting it in listening mode is not enough: HTTPS uses Public Key Infrastructure (PKI), and SSL certificates are a fundamental part of it. In other words, you simply can't use HTTPS without SSL certificates in place!
Cloudflare Universal SSL Certificate  Origin Certificate
              |                             |
Client <----HTTPS-----> Cloudflare <------HTTPS-----> Origin Server
Provisioning a self-signed certificate on the origin server will suffice for Full mode, but Full (Strict) mode requires a valid certificate. The good news is that you don't need to purchase Extended Validation (EV) certificates from a retail Certificate Authority (CA), as nowadays there are free Domain Validation (DV) certificates such as Let's Encrypt/Certbot or the Cloudflare Origin CA certificate which would work just as well.
I have a website running on a nodejs server. The website contacts an API which is present on another server. Now, I want to make the connection secure by using SSL. So, I have a self-signed certificate on the API server. My question is: how do I make the nodejs server trust the self-signed certificate and accept a connection to it?
We want to establish a TLS encrypted connection between a node.js client behind our company proxy and a node.js server in the internet (which we control, too).
I am confused by this issue, how can we keep our certificate based security approach with TLS through a proxy?
A TLS proxy is transparent. The client sends a CONNECT request, which has the target host name and port; the proxy then creates a new TCP connection to that host, and after that does nothing other than move packets between the client and the server connection.
So from the client's point of view, the certificate the client retrieves from the proxy will be exactly the bytes the server sent.
On the server side, the IP you'll be seeing is that of the proxy, not that of the client. So you shouldn't use a server certificate in the client, as the CN from the certificate and the IP / reverse-looked-up host name won't match. But if you use a client certificate, the proxy will again pass it to the server without modifying anything, so if you do some "was this client certificate signed by a CA I trust" checking on the server, everything will work fine.
In IIS 7, I've created an https binding for a site, and I'd like to require client certificates for https and still keep my http endpoint.
That is to say, I'd like to require client certificates for my https endpoint without requiring SSL across the board and disallowing access to my http endpoint (via "require SSL" in SSL Settings). Is this possible?
Client certs are usually used for 2-way SSL, so not just the server but the client is also encrypting the traffic with its private key.
If you don't want to enforce HTTPS across the board, then the one thing you can try is to accept the client cert (see SSL settings), then implement the cert validation in your application.
See Request.ClientCertificate on MSDN for more details
if (HttpContext.Current.Request.IsSecureConnection)
{
    // it's SSL, so check the client cert (HttpClientCertificate from System.Web)
    bool authorized = IsClientCertAuthorized(HttpContext.Current.Request.ClientCertificate);
}
Then implement that method as needed.
Note: I haven't tested this, so please comment if you've tried.