added hooks to handle ACME challenges

This commit is contained in:
tigerbot 2017-05-10 16:05:54 -06:00
parent afca49feae
commit 70e7d57395
4 changed files with 32 additions and 14 deletions


@ -6,20 +6,27 @@ module.exports.create = function (deps, config) {
//var PromiseA = global.Promise; //var PromiseA = global.Promise;
var PromiseA = require('bluebird'); var PromiseA = require('bluebird');
var listeners = require('./servers').listeners; var listeners = require('./servers').listeners;
var modules = { }; var modules;
function loadModules() {
modules = {};
modules.tls = require('./modules/tls').create(deps, config, netHandler);
modules.http = require('./modules/http.js').create(deps, config, modules.tls.middleware);
}
// opts = { servername, encrypted, peek, data, remoteAddress, remotePort } // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
function peek(conn, firstChunk, opts) { function peek(conn, firstChunk, opts) {
if (!modules) {
loadModules();
}
opts.firstChunk = firstChunk; opts.firstChunk = firstChunk;
conn.__opts = opts; conn.__opts = opts;
// TODO port/service-based routing can do here // TODO port/service-based routing can do here
// TLS byte 1 is handshake and byte 6 is client hello // TLS byte 1 is handshake and byte 6 is client hello
if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) { if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
if (!modules.tls) {
modules.tls = require('./modules/tls').create(deps, config, netHandler);
}
modules.tls.emit('connection', conn); modules.tls.emit('connection', conn);
return; return;
} }
@ -37,10 +44,6 @@ module.exports.create = function (deps, config) {
if (firstChunk[0] > 32 && firstChunk[0] < 127) { if (firstChunk[0] > 32 && firstChunk[0] < 127) {
var firstStr = firstChunk.toString(); var firstStr = firstChunk.toString();
if (/HTTP\//i.test(firstStr)) { if (/HTTP\//i.test(firstStr)) {
if (!modules.http) {
modules.http = require('./modules/http.js').create(deps, config);
}
modules.http.emit('connection', conn); modules.http.emit('connection', conn);
return; return;
} }
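Review bot: In what appears to be the new `loadModules` (lines 16–20), `modules = {}` is assigned before the two `require(...).create(...)` calls, so if either of them throws the guard `if (!modules)` in `peek` is already satisfied and every later connection fails with a TypeError on `modules.tls.emit` instead of retrying the load. Building the objects first and publishing them together keeps the retry path intact: `var tls = require('./modules/tls').create(deps, config, netHandler);` / `var http = require('./modules/http.js').create(deps, config, tls.middleware);` / `modules = { tls: tls, http: http };`. Loading on the first connection also moves a missing-module error from startup into the connection path; calling `loadModules()` once from `create` would surface misconfiguration before traffic is accepted. The enclosing `create` and `peek` both continue outside the hunk, and which of the once-printed lines are old versus new is inferred from their content.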


@ -1,6 +1,6 @@
'use strict'; 'use strict';
module.exports.create = function (deps, conf) { module.exports.create = function (deps, conf, greenlockMiddleware) {
var express = require('express'); var express = require('express');
var app = express(); var app = express();
var adminApp = require('./admin').create(deps, conf); var adminApp = require('./admin').create(deps, conf);
@ -19,11 +19,13 @@ module.exports.create = function (deps, conf) {
var redirecters = {}; var redirecters = {};
function redirectHttps(req, res, next) { function redirectHttps(req, res, next) {
var port = req.headers.host.split(':')[1]; var port = req.headers.host.split(':')[1];
var redirecter = redirecters[port]; if (!redirecters[port]) {
if (!redirecter) { redirecters[port] = require('redirect-https')({
redirecter = redirecters[port] = require('redirect-https')({port: port}); port: port
, trustProxy: conf.http.trustProxy
});
} }
redirecter(req, res, next); redirecters[port](req, res, next);
} }
function handleAdmin(req, res, next) { function handleAdmin(req, res, next) {
@ -123,6 +125,7 @@ module.exports.create = function (deps, conf) {
}; };
} }
app.use(greenlockMiddleware);
app.use(redirectHttps); app.use(redirectHttps);
app.use(handleAdmin); app.use(handleAdmin);
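Review bot: `greenlockMiddleware` is handed straight to `app.use` at line 72 with no check, so a caller still using the old two-argument `create(deps, conf)` gets Express's generic "requires a middleware function" error rather than one naming the new argument; add `if (typeof greenlockMiddleware !== 'function') { throw new TypeError('create(deps, conf, greenlockMiddleware) requires a middleware function'); }` near the top of `create`. Mounting it ahead of `redirectHttps` is what lets the ACME HTTP challenge be answered over plain HTTP, which deserves a one-line comment on that `app.use` so nobody later "fixes" the ordering. The new `trustProxy: conf.http.trustProxy` presumably makes `redirect-https` accept a forwarded-protocol header from the client side to decide a request is already HTTPS, so it should only be enabled when this process is behind a proxy that overwrites that header — worth stating wherever `conf.http` is documented. `conf.http` itself is dereferenced on every request without a null check, which will throw if the section is absent. `create` continues past the hunk.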


@ -199,6 +199,14 @@ module.exports.create = function (deps, config, netHandler) {
// 2. Terminated (goes on to a particular module or route, including the admin interface) // 2. Terminated (goes on to a particular module or route, including the admin interface)
// 3. Closed (we don't recognize the SNI servername as something we actually want to handle) // 3. Closed (we don't recognize the SNI servername as something we actually want to handle)
// We always want to terminate is the SNI matches the challenge pattern, unless a client
// on the south side has temporarily claimed a particular challenge. For the time being
// we don't have a way for the south-side to communicate with us, so that part isn't done.
if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
terminate(socket, opts);
return;
}
var handled = (config.tls.modules || []).some(function (mod) { var handled = (config.tls.modules || []).some(function (mod) {
var relevant = mod.domains.some(function (pattern) { var relevant = mod.domains.some(function (pattern) {
return domainMatches(pattern, opts.servername); return domainMatches(pattern, opts.servername);
@ -231,5 +239,6 @@ module.exports.create = function (deps, config, netHandler) {
handleConn(socket, socket.__opts); handleConn(socket, socket.__opts);
} }
} }
, middleware: le.middleware()
}; };
}; };
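Review bot: The pattern `'*.acme-challenge.invalid'` at line 84 should be checked against the SNI names the ACME client actually presents: the tls-sni-01/02 challenges in the ACME drafts use names under `acme.invalid`, so if this check is meant to pair with `le.middleware()` for those challenges it would never fire and challenge connections would fall through to the configured modules — confirm against the client library in use. The comment above it reads `terminate is the SNI` where `terminate if the SNI` is meant. Because the check runs before `config.tls.modules`, every connection presenting a matching SNI is terminated whether or not a challenge is pending, which the comment acknowledges as unfinished; a `// TODO` marker there would keep that visible. The surrounding function starts before the hunk, and what `domainMatches` does with an undefined `opts.servername` is not visible here.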


@ -4,6 +4,9 @@
process.on('message', function (conf) { process.on('message', function (conf) {
var deps = { var deps = {
messenger: process messenger: process
// Note that if a custom createConnections is used it will be called with different
// sets of custom options based on what is actually being proxied. Most notably the
// HTTP proxying connection creation is not something we currently control.
, net: require('net') , net: require('net')
}; };
require('./goldilocks.js').create(deps, conf); require('./goldilocks.js').create(deps, conf);