In this example, we discuss how to set up a production system using a reverse proxy with SSL offloading.

The purpose is to expose the website `http://kiki` or `http://kiki.jlg.local`, which is in fact served by `http://musette:3000`.
You need to have several hosts:

- reverse-proxy-host: a Windows Server OS running the following features:
  - AD DS (Active Directory Domain Services, acting as the domain controller)
  - DNS
  - IIS
- server-host: a Windows 10 OS running:
  - nodejs and npm
  - a server running node-expose-sspi
- client-host: a Windows 10 OS running Chrome, Firefox, or Edge
For this example, let's say the domain name is:

- jlg.local (NETBIOS: JLG)

Suppose we have two Windows domain accounts:

- marcel@jlg.local: a user account for the client.
- erp@jlg.local: a user account for the server.

Please create the above accounts on the domain controller (AD DS).
For this example, let's say the hosts are named as follows:

- reverse-proxy-host: jlgdc01 (192.168.1.216)
- server-host: musette
- client-host: chouchou

On the server-host (musette), connect with the erp@jlg.local user account and run:

```cmd
mkdir myserver
cd myserver
npm init -y
npm i node-expose-sspi express
```
Create a `server.js` file in the `myserver` directory:

```js
const express = require('express');
const { sso } = require('node-expose-sspi');

const app = express();

// sso.auth() negotiates Kerberos or NTLM with the browser via SSPI and
// populates req.sso for every authenticated request.
app.use(sso.auth());

app.use((req, res) => {
  res.json({
    method: req.sso.method, // "Kerberos" or "NTLM"
    displayName: req.sso.user.displayName,
  });
});

app.listen(3000, () => console.log('Server started on port 3000'));
```
You need to be connected as the Windows domain user erp@jlg.local.

Start the server:

```cmd
node server.js
```

Test the server locally:

```cmd
start chrome http://musette:3000
```

You should see something like this:

```json
{
  "method": "NTLM",
  "displayName": "<your-account-name>"
}
```
You need to configure the DNS via the DNS Manager app:

- under the domain zone, add a Host (A) record: kiki -> 192.168.1.216

This means that jlgdc01 and kiki name the same machine: the reverse-proxy-host.
You need to configure IIS as a reverse proxy via IIS Manager:

- look at the Microsoft documentation on this topic
- install URL Rewrite
- add a reverse proxy rule that forwards requests for http://kiki to http://musette:3000.
It is better to use Kerberos, so you need to add a Service Principal Name (SPN) to the erp@jlg.local user. The SPN goes on this account because it is the one running server.js, and the browser will request a Kerberos ticket for the host name it sees in the URL (kiki or kiki.jlg.local). Open Active Directory Users and Computers:

- make sure the Advanced Features view is enabled.
- open the erp@jlg.local user.
- open the Attribute Editor tab and edit the servicePrincipalName attribute:
  - add the HTTP/kiki and HTTP/kiki.jlg.local SPNs.
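The DNS record and SPN registration above can also be scripted and verified from jlgdc01. This is an added example, not part of the node-expose-sspi documentation; it assumes the DnsServer PowerShell module is installed on the domain controller and that it is run there as a domain administrator:

```powershell
# Added example (not from the original page): scripted equivalent of the
# DNS Manager and Attribute Editor steps, run on jlgdc01 as a domain admin.
# Assumes the DnsServer PowerShell module (DNS role / RSAT) is installed.
$zone      = 'jlg.local'
$proxyHost = 'kiki'            # name the browser will use
$proxyIp   = '192.168.1.216'   # the reverse-proxy-host (jlgdc01)
$svcUser   = 'JLG\erp'         # account that runs server.js on musette

# 1. Host (A) record so kiki and kiki.jlg.local resolve to the reverse proxy.
Add-DnsServerResourceRecordA -ZoneName $zone -Name $proxyHost -IPv4Address $proxyIp
Resolve-DnsName "$proxyHost.$zone" -Type A

# 2. Register both HTTP SPNs on the service account. -S searches the forest
#    first and refuses to create a duplicate; a duplicated SPN is the usual
#    reason Kerberos silently fails and the browser falls back to NTLM.
setspn -S "HTTP/$proxyHost" $svcUser
setspn -S "HTTP/$proxyHost.$zone" $svcUser

# 3. Verify: list the SPNs now on the account and scan the forest for duplicates.
setspn -L $svcUser
setspn -X

# 4. On the client (chouchou, logged in as marcel), after opening
#    http://kiki.jlg.local in Chrome, the ticket cache should contain a
#    service ticket for HTTP/kiki.jlg.local. If it is missing, the browser
#    negotiated NTLM instead and the SPN or DNS setup needs another look.
# klist | Select-String 'HTTP/kiki'
```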
Log in to the client-host (chouchou) as marcel@jlg.local.

Both commands below should work:

```cmd
start chrome http://kiki.jlg.local
start chrome http://kiki
```

You should see something like this:

```json
{
  "method": "Kerberos",
  "displayName": "marcel"
}
```
If Kerberos is not configured correctly, the browser will fall back to NTLM. In this case you will probably get a dialog box asking for credentials, which is a bad user experience.
Jean-Louis GUENEGO jlguenego@gmail.com