Support NODE_TLS_REJECT_UNAUTHORIZED=0 to ignore client errors #341

Apparently `NODE_TLS_REJECT_UNAUTHORIZED` is only effective if `rejectUnauthorized` was not overridden by the code: 85e6089c4d/lib/_tls_wrap.js (L1583-L1591) But the underlying library does override it: https://github.com/http-party/node-http-proxy/blob/v1.11.1/lib/http-proxy/common.js#L53-L55 Fix this by overriding the option via the library's "secure" option.
2026-05-13 23:16:51 +00:00 · 2021-03-21 23:38:32 +01:00
parent d10efb1b46
commit 3c87a51664
2 changed files with 77 additions and 0 deletions
--- a/test/test.js
+++ b/test/test.js
@@ -5,6 +5,7 @@ var createServer = require('../').createServer;
 var request = require('supertest');
 var path = require('path');
 var http = require('http');
+var https = require('https');
 var fs = require('fs');
 var assert = require('assert');

@@ -554,6 +555,81 @@ describe('server on https', function() {
  });
 });

+describe('NODE_TLS_REJECT_UNAUTHORIZED', function() {
+  var NODE_TLS_REJECT_UNAUTHORIZED;
+  var bad_https_server;
+  var bad_https_server_port;
+
+  before(function() {
+    cors_anywhere = createServer({});
+    cors_anywhere_port = cors_anywhere.listen(0).address().port;
+  });
+  after(function(done) {
+    stopServer(done);
+  });
+
+  before(function() {
+    bad_https_server = https.createServer({
+      // rejectUnauthorized: false,
+      key: fs.readFileSync(path.join(__dirname, 'key.pem')),
+      cert: fs.readFileSync(path.join(__dirname, 'cert.pem')),
+    }, function(req, res) {
+      res.end('Response from server with expired cert');
+    });
+    bad_https_server_port = bad_https_server.listen(0).address().port;
+
+    NODE_TLS_REJECT_UNAUTHORIZED = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+  });
+  after(function(done) {
+    if (NODE_TLS_REJECT_UNAUTHORIZED === undefined) {
+      delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    } else {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = NODE_TLS_REJECT_UNAUTHORIZED;
+    }
+    bad_https_server.close(function() {
+      done();
+    });
+  });
+
+  it('respects certificate errors by default', function(done) {
+    // Test is expected to run without NODE_TLS_REJECT_UNAUTHORIZED=0
+    request(cors_anywhere)
+      .get('/https://127.0.0.1:' + bad_https_server_port)
+      .set('test-include-xfwd', '')
+      .expect('Access-Control-Allow-Origin', '*')
+      .expect('Not found because of proxy error: Error: certificate has expired', done);
+  });
+
+  it('ignore certificate errors via NODE_TLS_REJECT_UNAUTHORIZED=0', function(done) {
+    stopServer(function() {
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+      cors_anywhere = createServer({});
+      cors_anywhere_port = cors_anywhere.listen(0).address().port;
+      request(cors_anywhere)
+        .get('/https://127.0.0.1:' + bad_https_server_port)
+        .set('test-include-xfwd', '')
+        .expect('Access-Control-Allow-Origin', '*')
+        .expect('Response from server with expired cert', done);
+    });
+  });
+
+  it('respects certificate errors when httpProxyOptions.secure=true', function(done) {
+    stopServer(function() {
+      cors_anywhere = createServer({
+        httpProxyOptions: {
+          secure: true,
+        },
+      });
+      cors_anywhere_port = cors_anywhere.listen(0).address().port;
+      request(cors_anywhere)
+        .get('/https://127.0.0.1:' + bad_https_server_port)
+        .set('test-include-xfwd', '')
+        .expect('Access-Control-Allow-Origin', '*')
+        .expect('Not found because of proxy error: Error: certificate has expired', done);
+    });
+  });
+});
+
 describe('originBlacklist', function() {
  before(function() {
    cors_anywhere = createServer({