feat: implement https server support #602
Conversation
- Fix a datarace for error handler - Add a regression test that verify datarace fix - Add TLS defaults for better security
github-actions
bot
added
t-core-services
bliuchak
added
the
t-unblocking
Could you please point me to the changes that are related to the fixes? Thanks. Also, what was wrong with the statistics? |
Don't remember right now for 100%, but few tests failed for |
Aslo revert changes in eslint and tsconfig
|
@jirimoravcik @lewis-wow Guys, I've added main logic for TLS overhead bytes. Please take a look 🙏 Gonna polish tests in meantime and push 'em ASAP. |
|
|
||
| // Check once per connection for socket._parent availability. | ||
| if (this.serverType === 'https') { | ||
| const rawSocket = socket._parent; |
There was a problem hiding this comment.
It may be worth asking in https://github.com/nodejs/node about the safety of using this private property.
There was a problem hiding this comment.
I guess I know the answer :) as long as unit tests cover the eventuality this will get removed, I think we're good
There was a problem hiding this comment.
It’s not just about the presence of the _parent property, but about the overall usability for stats tracking. I mean, if you consider yourself an expert on the TLS implementation in Node.js, that’s great. :)
There was a problem hiding this comment.
fyi: nodejs/help#5111 🤞
| if (options.serverType === 'https') { | ||
| if (!options.httpsOptions) { | ||
| throw new Error('httpsOptions is required when serverType is "https"'); | ||
| } | ||
|
|
||
| // Apply secure TLS defaults (user options can override) | ||
| // This prevents users from accidentally configuring insecure TLS settings | ||
| const secureDefaults: https.ServerOptions = { | ||
| ...HTTPS_DEFAULTS, | ||
| honorCipherOrder: true, // Server chooses cipher (prevents downgrade attacks) | ||
| ...options.httpsOptions, // User options override defaults | ||
| }; | ||
|
|
||
| this.server = https.createServer(secureDefaults); | ||
| this.serverType = 'https'; | ||
| } else { | ||
| this.server = http.createServer(); | ||
| this.serverType = 'http'; | ||
| } |
There was a problem hiding this comment.
Maybe validate if options.serverType is one of http, https? It would make it consistent with the type. I'd also set it to http by default in the constructor parameter. That way you could just do this.serverType = options.serverType
There was a problem hiding this comment.
Good point. Gonna add this.
| socket.proxyChainErrorHandled = true; | ||
|
|
||
| // Log errors only if there are no user-provided error handlers | ||
| if (this.listenerCount('error') === 0) { |
There was a problem hiding this comment.
There was === 1 before, why is it === 0 now?
There was a problem hiding this comment.
If I understand it correctly for previous condition this.listenerCount('error') === 1 (which count server-listeners, not socket) app log error only when there is one server handler. Right?
If I'm correct, then in this case the error will be handled by that one server-handler. For us it might be useful to log here when there are no other server-handlers this.listenerCount('error') === 0.
What do you think?
| // Socket contains application bytes only. | ||
| let srcTxBytes = socket.bytesWritten ?? 0; | ||
| let srcRxBytes = socket.bytesRead ?? 0; | ||
|
|
||
| if (this.serverType === 'https' && socket.tlsOverheadAvailable) { | ||
| /* eslint no-underscore-dangle: ["error", { "allow": ["_parent"] }] */ | ||
| // Access underlying raw socket to get total bytes (app + TLS overhead). | ||
| const rawSocket = socket._parent; | ||
| if (rawSocket && typeof rawSocket.bytesWritten === 'number' && typeof rawSocket.bytesRead === 'number') { | ||
| if (rawSocket.bytesWritten >= socket.bytesWritten && rawSocket.bytesRead >= socket.bytesRead) { | ||
| srcTxBytes = rawSocket.bytesWritten; | ||
| srcRxBytes = rawSocket.bytesRead; | ||
| } else { | ||
| // This should never happen, log for debugging. | ||
| this.log(connectionId, `Warning: TLS overhead count error.`); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| const targetStats = getTargetStats(socket); | ||
|
|
||
| const result = { | ||
| srcTxBytes: socket.bytesWritten, | ||
| srcRxBytes: socket.bytesRead, | ||
| trgTxBytes: targetStats.bytesWritten, | ||
| trgRxBytes: targetStats.bytesRead, | ||
| return { | ||
| srcTxBytes, // HTTP: app only, HTTPS: total (app + TLS overhead) | ||
| srcRxBytes, // HTTP: app only, HTTPS: total (app + TLS overhead) | ||
| trgTxBytes: targetStats?.bytesWritten, | ||
| trgRxBytes: targetStats?.bytesRead, | ||
| }; |
There was a problem hiding this comment.
Just an idea. Why don't we store the _parent socket in this.connections? Looking at the logic here in getConnectionsStats, you just fall back to the original socket for stats. That makes me question why would we ever want to use the TLS socket for connection tracking?
That gives me another idea, if you do this.server.on('connection') for HTTPS you should be able to reach the original Socket without using _parent, right?
There was a problem hiding this comment.
Just an idea. Why don't we store the _parent socket in this.connections? Looking at the logic here in getConnectionsStats, you just fall back to the original socket for stats. That makes me question why would we ever want to use the TLS socket for connection tracking?
tl;dr: It's possible, however it creates more isusues than it solves.
HTTPS servers create two separate JavaScript objects:
- Raw socket (TCP layer) - created first
- TLS socket (wraps raw) - created after handshake
Nodejs HTTP events (request, connect) always give us the TLS socket (for HTTPS server). This is the same object handlers receive and attach metadata to (proxyChainId, Symbols).
If we stored raw socket in connections:
- Different object identity (raw vs TLS socket) results in all metadata lookups failing (proxyChainId undefined, Symbol not found)
- Need to maintain raw to TLS mapping because of Symbol lookup in
getConnectionStats()(this func will get raw socket fromthis.connections, but stats are tracked for TLS socket in handlers) - Event handlers are attached to raw socket in
registerConnection()(close, timeout) andonConnection()(error). However nodejs for https will emit these events on TLS socket.
We store the socket that HTTP handlers actually use. Accessing _parent once for stats is simpler than complex socket bridging everywhere else.
That gives me another idea, if you do this.server.on('connection') for HTTPS you should be able to reach the original Socket without using _parent, right?
Yes, we can obtain raw socket directly via connection event, but we still need both sockets since TLS socket is used in handlers. In this case, instead of accessing tlsSocket._parent once for stats, we'll need to create and maintain bidirectional mapping between raw and TLS sockets.
4 participants
This PR implements HTTPS server support to proxy-chain.
Also fixed:
errorevent when we might log same eventsOtherwise my changes should be fully compatible with HTTP server and all the handlers.
Readiness checklist:
Verify TLS overhead tracked correctly for these casesForward via HTTPS upstreamChain via HTTPS upstream_parent, include overhead bytes intosrcXxBytes