是否可以在NodeJS中动态返回SSL证书? [英] Is it Possible to Dynamically Return an SSL Certificate in NodeJS?

问题描述

我想在NodeJS应用程序中动态返回ssl证书信息.我有两个链接到同一节点应用程序的域名.我只看到在创建服务器时可以指定ssl设置.是否可以根据所请求的URL动态返回ssl证书?

I want to dynamically return an ssl certificate info in my NodeJS application. I have two domain names linked to the same node application. I only see that the ssl settings can be specified when the server is created. Is it possible to dynamically return ssl certificates based on the requested url?

否则，如果我必须在另一个端口上创建第二个服务器实例，是否可以将每个请求透明地传递到原始端口?我可以让它看起来好像不在第二个端口上运行吗?

Otherwise, if I must instead create a second sever instance on another port, will I be able to transparently pipe each request to the original port? Can I make it appear like it's not running on a second port?

谢谢， 杰夫

推荐答案

是的，可以在一台服务器上完成.但是需要注意的是，它可以在支持 SNI 的客户端上运行-这是大多数现代浏览器.

Yes, it is possible to do it with one server. But the caveat is that it works on clients that support SNI - which is most modern browsers.

这是您的操作方式:

//function to pick out the key + certs dynamically based on the domain name
function getSecureContext (domain) {
    return crypto.createCredentials({
        key:  fs.readFileSync('/path/to/domain.key'),
        cert: fs.readFileSync('/path/to/domain.crt'),
        ca: [fs.readFileSync('/path/to/CA_cert_1.crt'), fs.readFileSync('/path/to/CA_cert_2.crt'), <include all CA certs that you have to> ... ]
      }).context;
}

//read them into memory
var secureContext = {
    'domain1': getSecureContext('domain1'),
    'domain2': getSecureContext('domain2'),
    .
    .
}

//provide a SNICallback when you create the options for the https server
var options = {
    SNICallback: function (domain) {
        return secureContext[domain];
    }, //SNICallback is passed the domain name, see NodeJS docs on TLS
    cert: fs.readFileSync('/path/to/server.crt'),
    key: fs.readFileSync('/path/to/server.key'),                
    }
}

//create your https server
var server = require('https').createServer(options, [requestListener]);
//using Express
var server = require('https').createServer(options, require('express')());
server.listen(<someport>);

之所以可行，是因为 https的选项与tls.createServer()类似.确保在crypto.createCredentials调用中包括所有必需的CA中间证书和根证书.另外，如果您有CA捆绑软件，则将它们拆分为多个单个crt文件，然后再将其用作"ca"即可接受证书阵列.

This works because the options for https is similar to tls.createServer(). Make sure you include all required CA intermediate and root certificates in the crypto.createCredentials call. Also if you have a CA bundle, split them up into multiple single crt files before using them as 'ca' accepts an array of certificates.

这篇关于是否可以在NodeJS中动态返回SSL证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！