
HTTP Proxy (Node.js) Not Performing Proper SSL Verification

I need to create a proxy server that is able to handle SSL certificate verification. I have been working with Node.js's http-proxy library to handle SSL verification. My problem is that the proxy server does not do anything in regards to verifying if the client has the proper credentials.

I have a proxy server and I pass the server options that have the ssl certRequire = true and rejectUnauthorized = true. However, the client is able to connect to the server with no cert/key and I am not sure why.

Here is my code:

    var fs = require('fs');
    var http = require('http');
    var httpProxy = require('http-proxy');

    var options = {
        ssl: {
            key: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-key.pem'),
            cert: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-crt.pem'),
            requestCert: true,
            rejectUnauthorized: true
        }
    };

    var proxy = new httpProxy.createProxyServer(options);

    // Front-end server: forwards each request to the target after a 200 ms delay
    http.createServer(function (req, res) {
        setTimeout(function () {
            proxy.web(req, res, {
                target: {
                    host: 'localhost',
                    port: 9002
                }
            });
        }, 200);
    });

    // Target server
    http.createServer(function (request, response) {

        // Handles the response
        response.writeHead(200, {'Content-Type': 'text/plain'});
        response.write('request successfully proxied to server');

        response.on('data', function (data) {
        });

        response.on('end', function () {
        });

        response.on('error', function (err) {
        });
    });
Please let me know if you need any clarification!


Here is my code after I remove the ssl object.

    var options = {
        key: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-key.pem'),
        cert: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-crt.pem'),
        requestCert: true,
        rejectUnauthorized: false
    };


Even with this, I am still able to connect to the proxy without a certificate.


  •  var options = {
         ssl: {
             key: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-key.pem'),
             cert: fs.readFileSync('/Users/grantherman/Desktop/ssl_certificates/client1-crt.pem'),
             requestCert: true,
             rejectUnauthorized: true
         }
     };

    The problem is your nesting -- these options don't exist inside the ssl object, they are top-level items in options. Take out the interior ssl section and move those options to the top level.
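Added example (not code from the question, the answer, or the http-proxy project): client certificates are verified during the TLS handshake, so a listener created with `http.createServer` never checks one. The sketch below passes the options to Node's `https.createServer` and adds a fail-closed guard on `socket.authorized`. The function names and the `pems.ca` client-CA bundle are assumptions for illustration.

```javascript
'use strict';
const https = require('https');

// Listener that actually performs the handshake. `pems` = { key, cert, ca }
// as PEM buffers; `ca` (assumed, not on the page) is the CA that signs
// client certificates.
function createMtlsServer(pems, handler) {
  return https.createServer({
    key: pems.key,
    cert: pems.cert,
    ca: pems.ca,               // trust anchor used to verify client certs
    requestCert: true,         // ask the client for a certificate
    rejectUnauthorized: true   // abort the handshake if verification fails
  }, requireClientCert(handler));
}

// Fail-closed guard: `handler` runs only when the socket is a TLS socket
// whose client certificate verified. A plain http socket has no `authorized`.
function requireClientCert(handler) {
  return function (req, res) {
    const verdict = checkClientCert(req.socket);
    if (!verdict.ok) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      return res.end('client certificate required: ' + verdict.reason);
    }
    req.clientCertSubject = verdict.subject;
    return handler(req, res);
  };
}

function checkClientCert(socket) {
  if (!socket || socket.encrypted !== true) {
    return { ok: false, reason: 'not a TLS connection' };
  }
  if (socket.authorized !== true) {
    return { ok: false, reason: String(socket.authorizationError || 'unverified') };
  }
  const cert = socket.getPeerCertificate();
  if (!cert || !cert.subject) {
    return { ok: false, reason: 'no peer certificate' };
  }
  return { ok: true, subject: cert.subject.CN };
}
```

The guard matters most when `rejectUnauthorized` is `false`, as in the second snippet of the question: the handshake then succeeds without a valid certificate and the application has to check `authorized` itself.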