Score:-1

Solutions to relay (not redirect) incoming HTTP requests to existing HTTPS server?


Looking for a Linux HTTP-listening-app which would relay incoming requests as-is to a remote HTTPS server and relay the (decrypted) responses back.

Basically we have a blackbox https VM for which the access is lost and its certs have expired. While devs are working on implementing a replacement (by end-of-year) we need our numerous other apps to keep talking to it. It would take significant time to re-code those apps to allow ignoring of expired certs, but it would be easy to reconfigure those apps to talk to another (HTTP) url, which would do the talking-to-expired-HTTPS behind the scenes.


Examples:

cert expired

$ curl https://blackbox:3333/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
curl: (60) Peer's Certificate has expired.
...

ignoring-the-cert works for curl

$ curl -k https://blackbox:3333/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
{"request_id":"b6e832", "backdoor.token.encryption.password":"****", "oauth.keys":"****|****",
...

need something HTTP-listening on localhost:80 and talking to HTTPS://blackbox:3333 behind the scenes

$ curl http://localhost:80/v1/configserver/6c15dd4a -H 'X-Vault-Token: ****'
{"request_id":"b6e832", "backdoor.token.encryption.password":"****", "oauth.keys":"****|****",
...

I'm told nginx should be capable of doing this, but I found no examples to easily set this up while ignoring the expired certs (and it feels nginx requires hefty background knowledge in configuring it before-you-even-start).


Update:

my question is for an HTTP -> expired-cert-HTTPS relay

@GeraldSchneider,

  • there are topics solving the opposite relaying (HTTPS -> HTTP):

How can I forward requests from my web server?

  • there are topics solving the alike relaying (HTTP -> good-valid-cert-HTTPS):

https://stackoverflow.com/questions/8017508/solutions-to-convert-http-traffic-to-https-proxy-relay

if any of those would mention how to configure the apacheHttpd/nginx/etc to ignore the expired/invalid/selfSigned certificates - that would be the answer I was looking for

Vlad:
@GeraldSchneider - nope, I had seen this one and many other HTTPS->HTTP examples (opposite of what I'm asking). Some of those could be easily reworked into HTTP->HTTPS but I found none capable of ignoring the expired cert yet :(
in flag
Every server capable of acting as a reverse proxy has options to disable ssl verification to the backend.
in flag
Apart from that, requests for software or services are off topic.
Vlad:
@GeraldSchneider - "has options" is good to know, and if someone actually finds one working example - that would answer my question :) The where-to-publish guide suggested serverFault is the preferred choice for my question, if it guided me wrong - could you share a better guide so I could choose better in the future?
Score:-1

In the meantime I wrote a sample HTTP->HTTPS relay using java spring-boot, but it lacks the completeness (not handling "circular" redirects, only GET method, lots of manual fiddling with headers/retCodes/queryStrings/closables/streams/buffers, likely having some bugs in the code, etc). It might work for our short-term needs, but I would prefer a standard/robust/easier HTTP->HTTPS relay-tool instead (if any exists).

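// Imports assume Apache HttpClient 4.5.x, commons-io and the javax.servlet API
// (Spring Boot 2.x; on Spring Boot 3.x the servlet package is jakarta.servlet).
import java.util.Enumeration;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicHeader;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController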
class Controller {
    @GetMapping("/**")
    void relay(HttpServletRequest servletReq, HttpServletResponse servletResp) {
        HttpClient httpClient = null;
        HttpResponse httpResp = null;
        try {
            httpClient = HttpClients.custom()
                    .setSSLContext(new SSLContextBuilder().loadTrustMaterial(null, TrustAllStrategy.INSTANCE).build())
                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build();
            String host = "blackbox:3333";
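            // getQueryString() returns null when the request has no query string.
            String qs = servletReq.getQueryString();
            HttpUriRequest httpReq = new HttpGet("https://" + host + servletReq.getRequestURI() + (null == qs ? "" : "?" + qs));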
            Enumeration<String> he = servletReq.getHeaderNames();
            if (null != he)
                while (he.hasMoreElements()) {
                    // Header names are case-insensitive; rewrite Host so the backend sees its own name.
                    String n = he.nextElement(), v = ("host".equalsIgnoreCase(n)) ? host : servletReq.getHeader(n);
                    httpReq.setHeader(new BasicHeader(n, v));
                }
            httpResp = httpClient.execute(httpReq);
            for (Header h : httpResp.getAllHeaders()) {
                servletResp.addHeader(h.getName(), h.getValue());
            }
            servletResp.setStatus(httpResp.getStatusLine().getStatusCode());
            IOUtils.copy(httpResp.getEntity().getContent(), servletResp.getOutputStream());
            servletResp.flushBuffer();
            servletResp.getOutputStream().close();
        } catch (Throwable t) {
            t.printStackTrace();
        } finally {
            if (null != httpResp && httpResp instanceof CloseableHttpResponse) {
                try {
                    ((CloseableHttpResponse) httpResp).close();
                } catch (Throwable t) {
                    t.printStackTrace();
                }
            }
            if (null != httpClient && httpClient instanceof CloseableHttpClient) {
                try {
                    ((CloseableHttpClient) httpClient).close();
                } catch (Throwable t) {
                    t.printStackTrace();
                }
            }
        }
    }
}
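
Added example, not part of the original post or its Spring code: a minimal Python relay for the HTTP -> expired-cert-HTTPS case. Instead of trusting every certificate, as `curl -k` and `TrustAllStrategy` do, it skips expiry and chain validation but accepts only the backend certificate whose SHA-256 fingerprint is pinned. `PINNED_SHA256` is a placeholder, and the listening port 8080 and all function names are assumptions of this example.

```python
import hashlib, hmac, http.client, http.server, ssl

BACKEND = ("blackbox", 3333)      # host and port taken from the question
PINNED_SHA256 = "00" * 32         # placeholder: SHA-256 of the backend's DER certificate
# Headers that describe a single connection and must not be copied across the relay.
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer", "transfer-encoding", "upgrade",
              "proxy-authenticate", "proxy-authorization", "host", "content-length"}

def fingerprint_matches(der_cert, pinned_hex):
    """True if SHA-256(der_cert) equals the pin (colons and case ignored)."""
    pin = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(hashlib.sha256(der_cert or b"").hexdigest(), pin)

def forwardable(headers):
    """Drop hop-by-hop headers from an iterable of (name, value) pairs."""
    return [(k, v) for k, v in headers if k.lower() not in HOP_BY_HOP]

def open_pinned(host, port, pinned_hex):
    """Connect without chain/expiry validation, then require the pinned certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # expiry is ignored; the pin authenticates
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()
    if not fingerprint_matches(conn.sock.getpeercert(binary_form=True), pinned_hex):
        conn.close()
        raise ssl.SSLError("backend certificate does not match the pinned fingerprint")
    return conn

class Relay(http.server.BaseHTTPRequestHandler):
    def do_GET(self):                      # GET only, like the Spring sample above
        try:
            conn = open_pinned(*BACKEND, PINNED_SHA256)
            conn.request("GET", self.path, headers=dict(forwardable(self.headers.items())))
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
        except (OSError, http.client.HTTPException):
            self.send_error(502, "backend unavailable or untrusted")
            return
        self.send_response_only(resp.status, resp.reason)
        for name, value in forwardable(resp.getheaders()):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Loopback only: the relay returns the backend's secrets over plain HTTP.
    http.server.ThreadingHTTPServer(("127.0.0.1", 8080), Relay).serve_forever()
```

Listening on port 80, as in the question, needs root or CAP_NET_BIND_SERVICE; the pin has to be replaced whenever the backend certificate changes.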