Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Proxy handler plugin for hapi.js.
Lead Maintainer - Oscar A. Funes Martinez
h2o2 is a hapi plugin that adds proxying functionality.
Starting on version 9, hapi
does not load the h2o2
automatically. To add h2o2
to your server, you should register it normally.
const Hapi = require('hapi');
const server = new Hapi.Server();
server.register({
register: require('h2o2')
}, function (err) {
if (err) {
console.log('Failed to load h2o2');
}
server.start(function (err) {
console.log('Server started at: ' + server.info.uri);
});
});
NOTE: h2o2 is included with and loaded by default in Hapi < 9.0.
The plugin can be registered with an optional object specifying defaults to be applied to the proxy handler object.
The proxy handler object has the following properties:
host
- upstream service host to proxy requests to. It will have the same path as the client request.port
- upstream service port.protocol
- protocol to use when making the request to the proxied host:
uri
- absolute URI used instead of host, port, protocol, path, and query. Cannot be used with host
, port
, protocol
, or mapUri
.passThrough
- if set to true
, it forwards the headers from the client to the upstream service, headers sent from the upstream service will also be forwarded to the client. Defaults to false
.localStatePassThrough
- if set tofalse
, any locally defined state is removed from incoming requests before being sent to the upstream service. This value can be overridden on a per state basis via the server.state()``passThrough
option. Defaults to false
acceptEncoding
- if set to false
, does not pass-through the 'Accept-Encoding' HTTP header which is useful for the onResponse
post-processing to avoid receiving an encoded response. Can only be used together with passThrough
. Defaults to true
(passing header).rejectUnauthorized
- sets the rejectUnauthorized
property on the https agent making the request. This value is only used when the proxied server uses TLS/SSL. If set it will override the node.js rejectUnauthorized
property. If false
then ssl errors will be ignored. When true
the server certificate is verified and an 500 response will be sent when verification fails. This shouldn't be used alongside the agent
setting as the agent
will be used instead. Defaults to the https agent default value of true
.xforward
- if set to true
, sets the 'X-Forwarded-For', 'X-Forwarded-Port', 'X-Forwarded-Proto', 'X-Forwarded-Host' headers when making a request to the proxied upstream endpoint. Defaults to false
.redirects
- the maximum number of HTTP redirections allowed to be followed automatically by the handler. Set to false
or 0
to disable all redirections (the response will contain the redirection received from the upstream service). If redirections are enabled, no redirections (301, 302, 307, 308) will be passed along to the client, and reaching the maximum allowed redirections will return an error response. Defaults to false
.timeout
- number of milliseconds before aborting the upstream request. Defaults to 180000
(3 minutes).mapUri
- a function used to map the request URI to the proxied URI. Cannot be used together with host
, port
, protocol
, or uri
. The function signature is function (request, callback)
where:
request
- is the incoming request object.callback
- is function (err, uri, headers)
where:
err
- internal error condition.uri
- the absolute proxy URI.headers
- optional object where each key is an HTTP request header and the value is the header content.onResponse
- a custom function for processing the response from the upstream service before sending to the client. Useful for custom error handling of responses from the proxied endpoint or other payload manipulation. Function signature is function (err, res, request, reply, settings, ttl)
where:
err
- internal or upstream error returned from attempting to contact the upstream proxy.res
- the node response object received from the upstream service. res
is a readable stream (use the wreck module read
method to easily convert it to a Buffer or string).request
- is the incoming request object.reply
- the reply interface function.settings
- the proxy handler configuration.ttl
- the upstream TTL in milliseconds if proxy.ttl
it set to 'upstream'
and the upstream response included a valid 'Cache-Control' header with 'max-age'.ttl
- if set to 'upstream'
, applies the upstream response caching policy to the response using the response.ttl()
method (or passed as an argument to the onResponse
method if provided).agent
- a node http(s) agent to be used for connections to upstream server.maxSockets
- sets the maximum number of sockets available per outgoing proxy host connection. false
means use the wreck module default value (Infinity
). Does not affect non-proxy outgoing client connections. Defaults to Infinity
.secureProtocol
- TLS flag indicating the SSL method to use, e.g. SSLv3_method
to force SSL version 3. The possible values depend on your installation of OpenSSL. Read the official OpenSSL docs for possible SSL_METHODS.ciphers
- TLS list of TLS ciphers to override node's default.As one of the handlers for hapi, it is used through the route configuration object.
reply.proxy(options)
Proxies the request to an upstream endpoint where:
options
- an object including the same keys and restrictions defined by the
route proxy
handler options.No return value.
The response flow control rules do not apply.
const handler = function (request, reply) {
return reply.proxy({ host: 'example.com', port: 80, protocol: 'http' });
};
host
, port
, protocol
optionsSetting these options will send the request to certain route to a specific upstream service with the same path as the original request. Cannot be used with uri
, mapUri
.
server.route({
method: 'GET',
path: '/',
handler: {
proxy: {
host: '10.33.33.1',
port: '443',
protocol: 'https'
}
}
});
uri
optionSetting this option will send the request to an absolute URI instead of the incoming host, port, protocol, path and query. Cannot be used with host
, port
, protocol
, mapUri
.
server.route({
method: 'GET',
path: '/',
handler: {
proxy: {
uri: 'https://some.upstream.service.com/that/has?what=you&want=todo'
}
}
});
uri
template valuesWhen using the uri
option, there are optional default template values that can be injected from the incoming request
:
{protocol}
{host}
{port}
{path}
server.route({
method: 'GET',
path: '/foo',
handler: {
proxy: {
uri: '{protocol}://{host}:{port}/go/to/{path}'
}
}
});
Requests to http://127.0.0.1:8080/foo/
would be proxied to an upstream destination of http://127.0.0.1:8080/go/to/foo
Additionally, you can capture request.params values and inject them into the upstream uri value using a similar replacment strategy:
server.route({
method: 'GET',
path: '/foo/{bar}',
handler: {
proxy: {
uri: 'https://some.upstream.service.com/some/path/to/{bar}'
}
}
});
Note The default variables of {protocol}
, {host}
, {port}
, {path}
take precedence - it's best to treat those as reserved when naming your own request.params
.
mapUri
and onResponse
optionsSetting both options with custom functions will allow you to map the original request to an upstream service and to processing the response from the upstream service, before sending it to the client. Cannot be used together with host
, port
, protocol
, or uri
.
server.route({
method: 'GET',
path: '/',
handler: {
proxy: {
mapUri: function (request, callback) {
console.log('doing some aditional stuff before redirecting');
callback(null, 'https://some.upstream.service.com/');
},
onResponse: function (err, res, request, reply, settings, ttl) {
console.log('receiving the response from the upstream.');
Wreck.read(res, { json: true }, function (err, payload) {
console.log('some payload manipulation if you want to.')
reply(payload).headers = res.headers;
});
}
}
}
});
FAQs
Proxy handler plugin for hapi.js
The npm package h2o2 receives a total of 12,971 weekly downloads. As such, h2o2 popularity was classified as popular.
We found that h2o2 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.