feat(http-server): add TLS and mTLS termination#2808
Ignacio-Vidal wants to merge 1 commit into
Lets Prism serve HTTPS and optionally require/verify client certificates, for both mock and proxy. Plain HTTP behaviour is unchanged when no TLS flags are given.

- TLS termination: --tls-key / --tls-cert serve HTTPS via https.createServer, reusing Micri's router/handler (Micri's serve() is http-only). Reported address switches to https://. Supports --tls-passphrase for encrypted keys.
- mTLS termination: --tls-ca + --mtls request and verify the client cert at the handshake; unauthorized clients are rejected before reaching the handler.
- Client identity passthrough: --tls-forward-client-cert injects the verified client cert subject/SAN/SHA-256 fingerprint as x-client-cert-* request headers.
- HTTP/2: --tls-http2 serves over HTTP/2 with HTTPS/1.1 fallback (ALPN).
- Flags added to shared options (mock + proxy); CLI reads PEM files with clear errors and validates flag combinations.
- Unit tests for TLS and mTLS (accept/reject) using openssl-generated certs.
Summary
Adds TLS termination (serve HTTPS) and mTLS termination (require/verify client certificates) to the Prism HTTP server, for both `mock` and `proxy`. It is fully opt-in: with no TLS flags, Prism serves plain HTTP exactly as before.

Lets Prism stand in for an API that is fronted by TLS/mTLS — e.g. mock or contract-test a service that requires HTTPS or client certs, without putting a real TLS gateway in front.

How it works

- Prism's server framework (`micri`) only creates plain `http` servers, so the TLS path is built on Node's built-in modules instead: `https.createServer(tlsOptions, handler)` (and `http2.createSecureServer` for `--tls-http2`).
- … `run()` in the TLS path, so routing, CORS, and the mock/validate/proxy pipeline are unchanged.
- … `tls` layer performs the handshake and client-certificate verification; Prism just passes the options through.
- … `@stoplight/prism-core` or `@stoplight/prism-http` — TLS is purely a server-transport concern.

Flags (available on both `mock` and `proxy`):

- `--tls-key <path>`: … `--tls-cert`.
- `--tls-cert <path>`
- `--tls-passphrase <str>`
- `--tls-ca <path>`
- `--mtls`: … `--tls-ca`).
- `--tls-forward-client-cert`: … `x-client-cert-subject`/`-san`/`-fingerprint`/`-verified` request headers.
- `--tls-http2`

The CLI reads the PEM files (clear errors on missing/unreadable files) and validates flag combinations (e.g. `--mtls` requires `--tls-ca`; TLS requires both key and cert). When TLS is active, the reported listen address switches to `https://`.

Testing

- … (`packages/http-server/src/__tests__/tls.spec.ts`) using openssl-generated certs: TLS serves HTTPS (200); mTLS rejects a request with no client cert and accepts one with a valid client cert.
- … `x-client-cert-*` headers injected; HTTP/2 (proto=2) with HTTPS/1.1 fallback.

Checklist