Allow reverseProxy to terminate SSL

Author: sisou

clients/nodejs/index.js

@@ -170,7 +170,7 @@ const $ = {};
 
     const clientConfigBuilder = Nimiq.Client.Configuration.builder();
     clientConfigBuilder.protocol(config.protocol, config.host, config.port, config.tls.key, config.tls.cert);
-    if (config.reverseProxy.enabled) clientConfigBuilder.reverseProxy(config.reverseProxy.port, config.reverseProxy.header, ...config.reverseProxy.addresses);
+    if (config.reverseProxy.enabled) clientConfigBuilder.reverseProxy(config.reverseProxy.port, config.reverseProxy.header, config.reverseProxy.terminatesSsl, ...config.reverseProxy.addresses);
     if (config.passive) clientConfigBuilder.feature(Nimiq.Client.Feature.PASSIVE);
     if (config.type === 'full' || config.type === 'light') clientConfigBuilder.feature(Nimiq.Client.Feature.MEMPOOL);
     const clientConfig = clientConfigBuilder.build();
@@ -200,7 +200,7 @@ const $ = {};
     $.mempool = $.consensus.mempool;
     $.network = $.consensus.network;
 
-    Nimiq.Log.i(TAG, `Peer address: ${networkConfig.peerAddress.toString()} - public key: ${networkConfig.keyPair.publicKey.toHex()}`);
+    Nimiq.Log.i(TAG, `Peer address: ${networkConfig.publicPeerAddress.toString()} - public key: ${networkConfig.keyPair.publicKey.toHex()}`);
 
     // TODO: Wallet key.
     $.walletStore = await new Nimiq.WalletStore();

clients/nodejs/modules/Config.js

@@ -22,7 +22,7 @@ const TAG = 'Config';
  * @property {{enabled: boolean, port: number}} uiServer
  * @property {{enabled: boolean, port: number, password: string}} metricsServer
  * @property {{seed: string, address: string}} wallet
- * @property {{enabled: boolean, port: number, address: string, addresses: Array.<string>, header: string}} reverseProxy
+ * @property {{enabled: boolean, port: number, address: string, addresses: Array.<string>, header: string, terminatesSsl: boolean}} reverseProxy
  * @property {{level: string, tags: object}} log
  * @property {Array.<{host: string, port: number, publicKey: string, protocol: string}>} seedPeers
  * @property {object} constantOverrides
@@ -83,7 +83,8 @@ const DEFAULT_CONFIG = /** @type {Config} */ {
         port: 8444,
         address: '::ffff:127.0.0.1', // deprecated
         addresses: [],
-        header: 'x-forwarded-for'
+        header: 'x-forwarded-for',
+        terminatesSsl: false
     },
     log: {
         level: 'info',
@@ -163,7 +164,8 @@ const CONFIG_TYPES = {
             port: 'number',
             address: 'string', // deprecated
             addresses: {type: 'array', inner: 'string'},
-            header: 'string'
+            header: 'string',
+            terminatesSsl: 'boolean'
         }
     },
     log: {

clients/nodejs/modules/MetricsServer.js

@@ -79,7 +79,7 @@ class MetricsServer {
 
     get _desc() {
         return {
-            peer: this._network._networkConfig.peerAddress.toString()
+            peer: this._network._networkConfig.internalPeerAddress.toString()
         };
     }
 

clients/nodejs/sample.conf

@@ -191,6 +191,10 @@
         // Possible values: any valid HTTP header name
         // Default: "x-forwarded-for"
         //header: "x-forwarded-for"
+
+        // Set termination of SSL on the reverse proxy.
+        // Default: false
+        //terminatesSsl: true,
     },
 
     // Configure log output. All output will go to STDOUT.

dist/types.d.ts

@@ -131,7 +131,7 @@ declare class ClientConfigurationBuilder {
     public volatile(volatile?: boolean): this;
     public blockConfirmations(confirmations: number): this;
     public feature(...feature: Client.Feature[]): this;
-    public reverseProxy(port: number, header: string, ...addresses: string[]): this;
+    public reverseProxy(port: number, header: string, terminatesSsl: boolean, ...addresses: string[]): this;
     public build(): Client.Configuration;
     public instantiateClient(): Client;
 }
@@ -4014,13 +4014,13 @@ export class NetworkConfig {
 export class WsNetworkConfig extends NetworkConfig {
     public protocol: number;
     public port: number;
-    public reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string };
+    public reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string, terminatesSsl: boolean };
     public peerAddress: WsPeerAddress | WssPeerAddress;
     public secure: boolean;
     constructor(
         host: string,
         port: number,
-        reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string },
+        reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string, terminatesSsl: boolean },
     );
 }
 
@@ -4031,7 +4031,7 @@ export class WssNetworkConfig extends WsNetworkConfig {
         port: number,
         key: string,
         cert: string,
-        reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string },
+        reverseProxy: { enabled: boolean, port: number, addresses: string[], header: string, terminatesSsl: boolean },
     );
 }
 

src/main/generic/api/Configuration.js

@@ -184,15 +184,17 @@ Client.ConfigurationBuilder = class ConfigurationBuilder {
     /**
      * @param {number} port
      * @param {string} header
+     * @param {boolean} terminatesSsl
      * @param {...string} addresses
      * @returns {Client.ConfigurationBuilder}
      */
-    reverseProxy(port, header, ...addresses) {
+    reverseProxy(port, header, terminatesSsl, ...addresses) {
         if (this._protocol !== 'ws' && this._protocol !== 'wss') throw new Error('Protocol must be ws or wss for reverse proxy.');
         this._reverseProxy = {
             enabled: true,
             port: this._requiredType(port, 'port', 'number'),
             header: this._requiredType(header, 'header', 'string'),
+            terminatesSsl,
             addresses: addresses
         };
         return this;

src/main/generic/api/NetworkClient.js

@@ -63,7 +63,7 @@ Client.Network = class Network {
      */
     async getOwnAddress() {
         const consensus = await this._client._consensus;
-        return new Client.BasicAddress(consensus.network.config.peerAddress);
+        return new Client.BasicAddress(consensus.network.config.publicPeerAddress);
     }
 
     /**

src/main/generic/network/NetworkConfig.js

@@ -128,7 +128,14 @@ class NetworkConfig {
     /**
      * @type {PeerAddress}
      */
-    get peerAddress() {
+    get internalPeerAddress() {
+        throw new Error('Not implemented');
+    }
+
+    /**
+     * @type {PeerAddress}
+     */
+    get publicPeerAddress() {
         throw new Error('Not implemented');
     }
 
@@ -157,7 +164,7 @@ class WsNetworkConfig extends NetworkConfig {
      * @constructor
      * @param {string} host
      * @param {number} port
-     * @param {{enabled: boolean, port: number, addresses: Array.<string>, header: string}} reverseProxy
+     * @param {{enabled: boolean, port: number, addresses: Array.<string>, header: string, terminatesSsl: boolean}} reverseProxy
      */
     constructor(host, port, reverseProxy) {
         super(Protocol.WS | Protocol.WSS);
@@ -182,7 +189,7 @@ class WsNetworkConfig extends NetworkConfig {
     }
 
     /**
-     * @type {{enabled: boolean, port: number, addresses: Array.<string>, header: string}}
+     * @type {{enabled: boolean, port: number, addresses: Array.<string>, header: string, terminatesSsl: boolean}}
      */
     get reverseProxy() {
         return this._reverseProxy;
@@ -192,13 +199,41 @@ class WsNetworkConfig extends NetworkConfig {
      * @type {WsPeerAddress|WssPeerAddress}
      * @override
      */
-    get peerAddress() {
+    get internalPeerAddress() {
         if (!this._services || !this._keyPair) {
             throw new Error('PeerAddress is not configured.');
         }
 
-        const port = this._reverseProxy.enabled ? this._reverseProxy.port : this._port;
         const peerAddress = new WsPeerAddress(
+            this._services.provided, Date.now(), NetAddress.UNSPECIFIED,
+            this.publicKey, /*distance*/ 0,
+            this._host, this._port);
+
+        if (!peerAddress.globallyReachable()) {
+            throw new Error('PeerAddress not globally reachable.');
+        }
+
+        peerAddress.signature = Signature.create(this._keyPair.privateKey, this.publicKey, peerAddress.serializeContent());
+        return peerAddress;
+    }
+
+    /**
+     * @type {WsPeerAddress|WssPeerAddress}
+     * @override
+     */
+    get publicPeerAddress() {
+        if (!this._services || !this._keyPair) {
+            throw new Error('PeerAddress is not configured.');
+        }
+
+        const port = this._reverseProxy.enabled ? this._reverseProxy.port : this._port;
+        let _PeerAddress;
+        if (this._reverseProxy.enabled && this._reverseProxy.terminatesSsl) {
+            _PeerAddress = WssPeerAddress;
+        } else {
+            _PeerAddress = WsPeerAddress;
+        }
+        const peerAddress = new _PeerAddress(
             this._services.provided, Date.now(), NetAddress.UNSPECIFIED,
             this.publicKey, /*distance*/ 0,
             this._host, port);
@@ -260,7 +295,29 @@ class WssNetworkConfig extends WsNetworkConfig {
      * @type {WsPeerAddress|WssPeerAddress}
      * @override
      */
-    get peerAddress() {
+    get internalPeerAddress() {
+        if (!this._services || !this._keyPair) {
+            throw new Error('PeerAddress is not configured.');
+        }
+
+        const peerAddress = new WssPeerAddress(
+            this._services.provided, Date.now(), NetAddress.UNSPECIFIED,
+            this.publicKey, /*distance*/ 0,
+            this._host, this._port);
+
+        if (!peerAddress.globallyReachable()) {
+            throw new Error('PeerAddress not globally reachable.');
+        }
+
+        peerAddress.signature = Signature.create(this._keyPair.privateKey, this.publicKey, peerAddress.serializeContent());
+        return peerAddress;
+    }
+
+    /**
+     * @type {WsPeerAddress|WssPeerAddress}
+     * @override
+     */
+    get publicPeerAddress() {
         if (!this._services || !this._keyPair) {
             throw new Error('PeerAddress is not configured.');
         }
@@ -321,7 +378,7 @@ class RtcNetworkConfig extends NetworkConfig {
      * @type {RtcPeerAddress}
      * @override
      */
-    get peerAddress() {
+    get internalPeerAddress() {
         if (!this._services || !this._keyPair) {
             throw new Error('PeerAddress is not configured.');
         }
@@ -332,6 +389,14 @@ class RtcNetworkConfig extends NetworkConfig {
         peerAddress.signature = Signature.create(this._keyPair.privateKey, this.publicKey, peerAddress.serializeContent());
         return peerAddress;
     }
+
+    /**
+     * @type {RtcPeerAddress}
+     * @override
+     */
+    get publicPeerAddress() {
+        return this.internalPeerAddress;
+    }
 }
 Class.register(RtcNetworkConfig);
 
@@ -356,7 +421,7 @@ class DumbNetworkConfig extends NetworkConfig {
      * @type {DumbPeerAddress}
      * @override
      */
-    get peerAddress() {
+    get internalPeerAddress() {
         if (!this._services || !this._keyPair) {
             throw new Error('PeerAddress is not configured.');
         }
@@ -367,5 +432,13 @@ class DumbNetworkConfig extends NetworkConfig {
         peerAddress.signature = Signature.create(this._keyPair.privateKey, this.publicKey, peerAddress.serializeContent());
         return peerAddress;
     }
+
+    /**
+     * @type {DumbPeerAddress}
+     * @override
+     */
+    get publicPeerAddress() {
+        return this.internalPeerAddress;
+    }
 }
 Class.register(DumbNetworkConfig);

src/main/generic/network/address/PeerAddressBook.js

@@ -303,7 +303,7 @@ class PeerAddressBook extends Observable {
      */
     _add(channel, peerAddress) {
         // Ignore our own address.
-        if (this._networkConfig.peerAddress.equals(peerAddress)) {
+        if (this._networkConfig.publicPeerAddress.equals(peerAddress)) {
             return false;
         }
 

src/main/generic/network/connection/ConnectionPool.js

@@ -546,7 +546,7 @@ class ConnectionPool extends Observable {
 
                     case PeerConnectionState.NEGOTIATING:
                         // The peer with the lower peerId accepts this connection and closes his stored connection.
-                        if (this._networkConfig.peerAddress.peerId.compare(peer.peerAddress.peerId) < 0) {
+                        if (this._networkConfig.publicPeerAddress.peerId.compare(peer.peerAddress.peerId) < 0) {
                             storedConnection.peerChannel.close(CloseType.SIMULTANEOUS_CONNECTION,
                                 'simultaneous connection (post handshake) - lower peerId');
                             Assert.that(!this.getConnectionByPeerAddress(peer.peerAddress), 'PeerConnection not removed');

src/main/generic/network/connection/NetworkAgent.js

@@ -130,7 +130,7 @@ class NetworkAgent extends Observable {
         // Kick off the handshake by telling the peer our version, network address & blockchain head hash.
         // Some browsers (Firefox, Safari) send the data-channel-open event too early, so sending the version message might fail.
         // Try again in this case.
-        if (!this._channel.version(this._networkConfig.peerAddress, this._blockchain.headHash, this._challengeNonce, this._networkConfig.appAgent)) {
+        if (!this._channel.version(this._networkConfig.publicPeerAddress, this._blockchain.headHash, this._challengeNonce, this._networkConfig.appAgent)) {
             this._versionAttempts++;
             if (this._versionAttempts >= NetworkAgent.VERSION_ATTEMPTS_MAX || this._channel.closed) {
                 this._channel.close(CloseType.SENDING_OF_VERSION_MESSAGE_FAILED, 'sending of version message failed');
@@ -303,7 +303,7 @@ class NetworkAgent extends Observable {
         }
 
         // Verify signature
-        const data = BufferUtils.concatTypedArrays(this._networkConfig.peerAddress.peerId.serialize(), this._challengeNonce);
+        const data = BufferUtils.concatTypedArrays(this._networkConfig.publicPeerAddress.peerId.serialize(), this._challengeNonce);
         if (!msg.signature.verify(msg.publicKey, data)) {
             this._channel.close(CloseType.INVALID_SIGNATURE_IN_VERACK_MESSAGE, 'Invalid signature in verack message');
             return;
@@ -330,7 +330,7 @@ class NetworkAgent extends Observable {
 
         // Regularly announce our address.
         this._timers.setInterval('announce-addr',
-            () => this._channel.addr([this._networkConfig.peerAddress]),
+            () => this._channel.addr([this._networkConfig.publicPeerAddress]),
             NetworkAgent.ANNOUNCE_ADDR_INTERVAL);
 
         // Tell listeners that the handshake with this peer succeeded.

src/main/generic/network/websocket/WebSocketConnector.js

@@ -12,11 +12,11 @@ class WebSocketConnector extends Observable {
         this._protocolPrefix = protocolPrefix;
         this._networkConfig = networkConfig;
 
-        if (networkConfig.peerAddress.protocol === this._protocol) {
+        if (networkConfig.internalPeerAddress.protocol === this._protocol) {
             this._wss = WebSocketFactory.newWebSocketServer(networkConfig);
             this._wss.on('connection', (ws, req) => this._onConnection(ws, req));
 
-            Log.d(WebSocketConnector, `${this._protocolPrefix.toUpperCase()}-Connector listening on port ${networkConfig.peerAddress.port}`);
+            Log.d(WebSocketConnector, `${this._protocolPrefix.toUpperCase()}-Connector listening on port ${networkConfig.internalPeerAddress.port}`);
         }
 
         /** @type {HashMap.<PeerAddress, WebSocket>} */

src/test/specs/generic/api/Client.spec.js

@@ -8,7 +8,7 @@ describe('Client', () => {
         const name = 'volatile' + consensus.charAt(0).toUpperCase() + consensus.slice(1);
         const promise = Consensus[name]();
         promise.then((c) => {
-            Log.d('Client.spec', `${consensus}-consensus uses ${c.network.config.peerAddress}`);
+            Log.d('Client.spec', `${consensus}-consensus uses ${c.network.config.publicPeerAddress}`);
         });
         return promise;
     }

src/test/specs/generic/network/ConnectionPool.spec.js

@@ -444,7 +444,7 @@ describe('ConnectionPool', () => {
             netConfig1._keyPair = KeyPair.generate();
 
             const sameIP1 = await Consensus.volatileFull(netConfig1);
-            sameIP1.network._connections.connectOutbound(netConfig.peerAddress);
+            sameIP1.network._connections.connectOutbound(netConfig.publicPeerAddress);
 
             const conn = await new Promise(resolve => consensus.network._connections.on('connection', (conn) => { resolve(conn); }));
             await new Promise(resolve => sameIP1.on('established', () => {
@@ -456,7 +456,7 @@ describe('ConnectionPool', () => {
             netConfig2._keyPair = KeyPair.generate();
 
             const sameIP2 = await Consensus.volatileFull(netConfig2);
-            sameIP2.network._connections.connectOutbound(netConfig.peerAddress);
+            sameIP2.network._connections.connectOutbound(netConfig.publicPeerAddress);
 
             const disconnected = new Promise(resolve => sameIP2.network.on('disconnected', resolve));
             sameIP2.on('established', done.fail);

src/test/specs/generic/network/MockNetwork.spec.js

@@ -421,14 +421,14 @@ class MockNetwork {
         MockNetwork._lossrate = lossrate;
 
         spyOn(WebSocketFactory, 'newWebSocketServer').and.callFake((netconfig) => {
-            const peerAddress = netconfig.peerAddress;
+            const peerAddress = netconfig.publicPeerAddress;
             const server = new MockWebSocketServer();
             MockNetwork._servers.set(`wss://${peerAddress.host}:${peerAddress.port}`, server);
             return server;
         });
 
         spyOn(WebSocketFactory, 'newWebSocket').and.callFake((url, options, netconfig) => {
-            const peerAddress = netconfig.peerAddress;
+            const peerAddress = netconfig.publicPeerAddress;
             const seed = peerAddress.protocol === Protocol.WSS ?
                 `wss://${peerAddress.host}:${peerAddress.port}` :
                 `reserved${MockNetwork._clientSerial++}.test`;