Slack WebClient:尽管rejectUnauthorized = false,但仍通过代理“无法验证证书”

问题描述 投票:0回答:1
  1. 我使用下面的代码在某些 Web 服务的某些 TypeScript REST 端点中按需创建 Slack Web 客户端。客户端使用 https 代理通过代理与 slack.com API 进行通信(使用
    mitmproxy
    ):
 private createProxyAwareSlackClient(token: any) {
    const proxyUrl = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
    const slackClientOptions = { logLevel: LogLevel.DEBUG };

    if (proxyUrl) {
      slackClientOptions['agent'] =
        new URL(proxyUrl).protocol === 'http' ? new HttpProxyAgent(proxyUrl, {rejectUnauthorized: false}) : new HttpsProxyAgent(proxyUrl, {rejectUnauthorized: false});
    }

    return new WebClient(token, slackClientOptions);
  }

  async firstHandshake(settings: any) {
    const slackWebClient = this.createProxyAwareSlackClient(undefined);
    let response: WebAPICallResult;
    try {
      response = await slackWebClient.oauth.v2.access({
        client_id: process.env.SLACK_CLIENT_ID,
        client_secret: process.env.SLACK_CLIENT_SECRET,
        code: settings.slack_code,
        redirect_uri: settings.redirect_uri
      });
    } catch (e) {
      logger.error(e);
      throw createError(500, 'Cannot get slack api key');
    }
    实例化代理时使用 
  1. rejectUnauthorized: false
    以避免验证 slack.com 证书。然而,证书验证发生并失败,并在客户端中出现以下错误(其余端点源代码):
[WARN]  web-api:WebClient:8 http request failed unable to verify the first certificate
[DEBUG]  web-api:WebClient:8 http request url: https://slack.com/api/oauth.v2.access
[DEBUG]  web-api:WebClient:8 http request body: {"client_id":"id","client_secret":"secret","code":"some_code","redirect_uri":"some_url"}
[DEBUG]  web-api:WebClient:8 http request headers: {}
[WARN]  web-api:WebClient:8 http request failed unable to verify the first certificate

并且在 

mitmproxy
日志中看到以下错误:


[23:02:09.731][127.0.0.1:59940] client connect
[23:02:09.826][127.0.0.1:59940] server connect slack.com:443 (some_ip:443)
[23:02:09.911][127.0.0.1:59940] Client TLS handshake failed. The client disconnected during the handshake. If this happens consistently for slack.com, this may indicate that the client does not trust the proxy's certificate.
[23:02:09.913][127.0.0.1:59940] client disconnect
[23:02:09.914][127.0.0.1:59940] server disconnect slack.com:443 (some_ip:443)

需要注意的是:

HTTPS_PROXY 环境变量是 

https://localhost:8080
(其中 
mitmproxy
监听)

当 slack webclient 通过代理访问 slack.com 时,如何跳过 slack.com 证书验证?

如果 Web 服务环境中存在 

NODE_TLS_REJECT_UNAUTHORIZED=0
env var,则没有问题,并且无需证书验证即可通过代理成功访问 slack API。但是,全局禁用证书验证是一个不好的做法。

typescript ssl-certificate slack slack-api mitmproxy
1个回答
0
投票

通过此指令,可以指示客户端短路代理的证书,而不是终端服务器的证书

您会测试

rejectUnauthorized
直接添加到
slackClientOptions
(除了已经设置的之外)吗?

if (proxyUrl) {
      slackClientOptions['agent'] =
        new URL(proxyUrl).protocol === 'http:' ? new HttpProxyAgent(proxyUrl, {rejectUnauthorized: false}) : new HttpsProxyAgent(proxyUrl, {rejectUnauthorized: false});
        //--- Here we add: ---
        slackClientOptions.rejectUnauthorized = false;
        //---  (finished)  ---
    }

这看起来与 HttpsProxyAgentissue #35 有关,尽管尚不清楚它是否已解决。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.