Let's do regular https and mtls on the same port

mendhak · mendhak · commit 38c6b896eb87 · 2022-10-30T14:45:59.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -20,7 +20,7 @@ RUN set -ex \
 FROM node:16-alpine AS final
 WORKDIR /app
 COPY --from=build /app /app
-ENV HTTP_PORT=8080 HTTPS_PORT=8443 HTTPS_MTLS_PORT=8444
-EXPOSE $HTTP_PORT $HTTPS_PORT $HTTPS_MTLS_PORT
+ENV HTTP_PORT=8080 HTTPS_PORT=8443
+EXPOSE $HTTP_PORT $HTTPS_PORT
 USER 1000
 CMD ["node", "./index.js"]
diff --git a/README.md b/README.md
@@ -203,27 +203,17 @@ The output will be 'cauliflower'.
 
 ## Client certificate details (mTLS)
 
-There's also an HTTPS server that requests client certificates (also known as mTLS), listening on port 8444 by default. 
+If you pass a client certificate, then the details about that certificate can be echoed back in the response body. 
 
-```bash
-docker run -p 8444:8444 --rm -t mendhak/http-https-echo:25
-```
-
-You can then call it with curl passing a certificate and key.  The client certificate will not be validated.  
+For example, invoke using curl, passing a certificate and key.  The client certificate will not be validated.  
 
 ```bash
-curl -k --cert cert.pem --key privkey.pem  https://localhost:8444/
+curl -k --cert cert.pem --key privkey.pem  https://localhost:8443/
 ```
 
 The response body will contain details about the client certificate passed in.  
 
-You can change the port by using the `HTTPS_MTLS_PORT` environment variable. 
-
-```bash
-docker run -e HTTPS_MTLS_PORT=3333 -p 3333:3333 --rm -t mendhak/http-https-echo:25
-```
-
-If you browse to https://localhost:8444/ in Firefox, you should get prompted to supply a client certificate as long as you have [an imported certificate by the same issuer as the server](https://superuser.com/questions/1043415/firefox-doesnt-ask-me-for-a-certificate-when-visiting-a-site-that-needs-one).  If you need browser prompting to work,  you'll need to follow the 'use your own certificates' section.  
+If you browse to https://localhost:8443/ in Firefox, you won't get prompted to supply a client certificate unless you have [an imported certificate by the same issuer as the server](https://superuser.com/questions/1043415/firefox-doesnt-ask-me-for-a-certificate-when-visiting-a-site-that-needs-one). If you need browser prompting to work,  you'll need to follow the 'use your own certificates' section.  
 
 
 ## Output
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -6,11 +6,9 @@ services:
         environment: 
             - HTTP_PORT=8888
             - HTTPS_PORT=9999
-            - HTTPS_MTLS_PORT=10101
         ports:
             - "8080:8888"
             - "8443:9999"
-            - "8444:10101"
         # volumes:
         #     - /etc/ssl/certs/ssl-cert-snakeoil.pem:/app/fullchain.pem
         #     - /etc/ssl/private/ssl-cert-snakeoil.key:/app/privkey.pem
diff --git a/index.js b/index.js
@@ -105,12 +105,13 @@ app.all('*', (req, res) => {
 const sslOpts = {
   key: require('fs').readFileSync('privkey.pem'),
   cert: require('fs').readFileSync('fullchain.pem'),
+  requestCert: true, 
+  rejectUnauthorized: false
 };
 
 var httpServer = http.createServer(app).listen(process.env.HTTP_PORT || 8080);
 var httpsServer = https.createServer(sslOpts,app).listen(process.env.HTTPS_PORT || 8443);
-var httpsMTlsServer = https.createServer( { requestCert: true, rejectUnauthorized: false, ...sslOpts }, app).listen(process.env.HTTPS_MTLS_PORT || 8444);
-console.log(`Listening on ports ${process.env.HTTP_PORT || 8080} for http, and ${process.env.HTTPS_PORT || 8443} for https, and ${process.env.HTTPS_MTLS_PORT || 8444} for https_mtls`);
+console.log(`Listening on ports ${process.env.HTTP_PORT || 8080} for http, and ${process.env.HTTPS_PORT || 8443} for https.`);
 
 let calledClose = false;
 
@@ -130,10 +131,8 @@ function shutDown(){
   calledClose = true;
   httpServer.close(function() {
     httpsServer.close(function() {
-      httpsMTlsServer.close(function(){
-        console.log("HTTP and HTTPS servers closed. Asking process to exit.");
-        process.exit()
-      })
+      console.log("HTTP and HTTPS servers closed. Asking process to exit.");
+      process.exit()
     });
   });
 }
diff --git a/tests.sh b/tests.sh
@@ -328,9 +328,9 @@ message " Check that mTLS server responds with client certificate details"
 # Might as well just reuse any cert
 cp ../generate-cert.sh .
 bash generate-cert.sh
-docker run -d --rm --name http-echo-tests -p 8080:8080 -p 8443:8443 -p 8444:8444 -t mendhak/http-https-echo
+docker run -d --rm --name http-echo-tests -p 8080:8080 -p 8443:8443 -t mendhak/http-https-echo
 sleep 5
-COMMON_NAME="$(curl -sk --cert cert.pem --key privkey.pem  https://localhost:8444/ | jq -r  '.clientCertificate.subject.CN')"
+COMMON_NAME="$(curl -sk --cert cert.pem --key privkey.pem  https://localhost:8443/ | jq -r  '.clientCertificate.subject.CN')"
 if [ "$COMMON_NAME" == "my.example.com" ]
 then
     passed "Client certificate details are present in the output"
@@ -339,11 +339,11 @@ else
     exit 1
 fi
 
-message " Check that HTTPS server (non-MTLS) does not have any client certificate details"
-CLIENT_CERT="$(curl -sk --cert cert.pem --key privkey.pem  https://localhost:8443/ | jq -r  '.clientCertificate')"
+message " Check if certificate is not passed, then client certificate details are empty"
+CLIENT_CERT="$(curl -sk https://localhost:8443/ | jq -r  '.clientCertificate')"
 if [ "$CLIENT_CERT" == "{}" ]
 then
-    passed "Client certificate details are not present in regular HTTPS server"
+    passed "Client certificate details are not present in the response"
 else
     failed "Client certificate details found in output? ${CLIENT_CERT}"
     exit 1
