Add client implementation of hello-mTLS using nodejs
Fixes smallstep/ca-component#138
parent
8022ed80bc
commit
14fcf58903
5 changed files with 80 additions and 6 deletions
|
@ -68,9 +68,9 @@ languages are appreciated!
|
||||||
- [X] Restrict to safe ciphersuites and TLS versions
|
- [X] Restrict to safe ciphersuites and TLS versions
|
||||||
- [ ] TLS stack configuration loaded from `step-ca`
|
- [ ] TLS stack configuration loaded from `step-ca`
|
||||||
- [ ] Root certificate rotation
|
- [ ] Root certificate rotation
|
||||||
- [ ] Client using autocert root certificate
|
- [X] Client using autocert root certificate
|
||||||
- [ ] mTLS (send client certificate if server asks for it)
|
- [X] mTLS (send client certificate if server asks for it)
|
||||||
- [ ] Automatic certificate rotation
|
- [X] Automatic certificate rotation
|
||||||
- [ ] Restrict to safe ciphersuites and TLS versions
|
- [X] Restrict to safe ciphersuites and TLS versions
|
||||||
- [ ] TLS stack configuration loaded from `step-ca`
|
- [ ] TLS stack configuration loaded from `step-ca`
|
||||||
- [ ] Root certificate rotation
|
- [ ] Root certificate rotation
|
||||||
|
|
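--- /dev/null
+++ b/autocert/examples/hello-mtls/node/Dockerfile.client
@@ -0,0 +1,6 @@
+FROM node:lts-alpine
+
+RUN mkdir /src
+ADD client.js /src
+
+CMD ["node", "/src/client.js"]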
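Review bot: `ADD client.js /src` brings in a plain local file, for which `COPY client.js /src/` is the conventional instruction: `ADD` also auto-extracts archives and fetches URLs, neither of which this image needs, and `COPY` creates the target directory itself so `RUN mkdir /src` can be dropped. The image never drops privileges, so the client process runs as root; the official `node` images ship an unprivileged `node` user, and a `USER node` line before `CMD` would run it without root. Whether the key mounted under /var/run/autocert.step.sm is readable by that user is not visible from this commit and would need checking before making that change.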
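--- /dev/null
+++ b/autocert/examples/hello-mtls/node/client.js
@@ -0,0 +1,44 @@
+const fs = require('fs');
+const https = require('https');
+
+const config = {
+ca: '/var/run/autocert.step.sm/root.crt',
+key: '/var/run/autocert.step.sm/site.key',
+cert: '/var/run/autocert.step.sm/site.crt',
+url: process.env.HELLO_MTLS_URL,
+requestFrequency: 5000
+};
+
+var options = {
+ca: fs.readFileSync(config.ca),
+key: fs.readFileSync(config.key),
+cert: fs.readFileSync(config.cert),
+ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256',
+minVersion: 'TLSv1.2',
+maxVersion: 'TLSv1.2',
+// Not necessary as it defaults to true
+rejectUnauthorized: true
+};
+
+fs.watch(config.cert, (event, filename) => {
+if (event == 'change') {
+options.cert = fs.readFileSync(config.cert);
+}
+});
+
+function loop() {
+var req = https.request(config.url, options, function(res) {
+res.on('data', (data) => {
+process.stdout.write(options.cert)
+process.stdout.write(data)
+setTimeout(loop, config.requestFrequency);
+});
+});
+req.on('error', (e) => {
+process.stderr.write('error: ' + e.message + '\n');
+setTimeout(loop, config.requestFrequency);
+})
+req.end();
+}
+
+loop();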
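Review bot: In `loop()` the `setTimeout(loop, config.requestFrequency)` reschedule sits inside the `'data'` handler, so a response body that arrives in more than one chunk starts one new loop per chunk (each spawning more), while a response with an empty body never reschedules at all; move it to an end handler, `res.on('end', () => setTimeout(loop, config.requestFrequency));`, and keep only the two writes in `'data'`. The `fs.watch` callback reloads `options.cert` but not `options.key`, so if the renewer ever issues the new certificate with a fresh key the client keeps presenting a cert/key pair that no longer match until it is restarted; adding `options.key = fs.readFileSync(config.key);` beside the cert reload costs nothing, though whether autocert rotates the key on renewal is not visible from this commit. That reload also runs synchronously on every `'change'` event, so it may read a partially written file mid-rotation and throw out of the watcher callback; a try/catch that logs and keeps the previous material would keep the client alive. Style: `event == 'change'` should be `event === 'change'` since both sides are strings.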
22
autocert/examples/hello-mtls/node/hello-mtls.client.yaml
|
@ -0,0 +1,22 @@
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: hello-mtls-client
|
||||||
|
labels: {app: hello-mtls-client}
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector: {matchLabels: {app: hello-mtls-client}}
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
autocert.step.sm/name: hello-mtls-client.default.pod.cluster.local
|
||||||
|
labels: {app: hello-mtls-client}
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: hello-mtls-client
|
||||||
|
image: hello-mtls-client-node:latest
|
||||||
|
imagePullPolicy: Never
|
||||||
|
resources: {requests: {cpu: 10m, memory: 20Mi}}
|
||||||
|
env:
|
||||||
|
- name: HELLO_MTLS_URL
|
||||||
|
value: https://hello-mtls.default.svc.cluster.local
|
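Review bot: The container spec sets resource `requests` but no `securityContext` and no `limits`, so the client runs as whatever user the image defaults to (root, as far as the Dockerfile in this commit shows) and with no memory cap. For an example whose point is handling a private key over mTLS, a `securityContext: {runAsNonRoot: true}` entry on the container (once the image declares a non-root user) and a `limits` block next to `requests` would be worth demonstrating. Whether the volume autocert injects is readable by a non-root user is not visible from this change and would need confirming first.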
|
@ -9,7 +9,7 @@ var config = {
|
||||||
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256',
|
ciphers: 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256',
|
||||||
minVersion: 'TLSv1.2',
|
minVersion: 'TLSv1.2',
|
||||||
maxVersion: 'TLSv1.2'
|
maxVersion: 'TLSv1.2'
|
||||||
}
|
};
|
||||||
|
|
||||||
function createSecureContext() {
|
function createSecureContext() {
|
||||||
return tls.createSecureContext({
|
return tls.createSecureContext({
|
||||||
|
@ -24,7 +24,7 @@ var ctx = createSecureContext()
|
||||||
|
|
||||||
fs.watch(config.cert, (event, filename) => {
|
fs.watch(config.cert, (event, filename) => {
|
||||||
if (event == 'change') {
|
if (event == 'change') {
|
||||||
ctx = createSecureContext()
|
ctx = createSecureContext();
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
@ -38,3 +38,5 @@ https.createServer({
|
||||||
res.writeHead(200);
|
res.writeHead(200);
|
||||||
res.end('hello nodejs\n');
|
res.end('hello nodejs\n');
|
||||||
}).listen(443);
|
}).listen(443);
|
||||||
|
|
||||||
|
console.log("Listening on :443 ...");
|