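'use strict';

/**
 * Builds the TLS front door: an SNI router that either forwards raw TLS bytes to a
 * configured backend ("proxy" modules) or terminates TLS locally using certificates
 * that greenlock obtains via ACME (plus a few static localhost certificates).
 *
 * @param {object} deps - injected dependencies; only `deps.net.createConnection` is used here
 * @param {object} config - server config; reads `config.debug` and `config.tls.*`
 *   (`servernames`, `modules`, `email`, `acmeDirectoryUrl`, `challengeType`)
 * @param {function} netHandler - receives each terminated (decrypted) socket and a
 *   descriptor `{ servername, encrypted, remoteAddress, remotePort, remoteFamily }`
 * @returns {{emit: function, middleware: function}} an emitter-like object that accepts
 *   `'connection'` events (the socket must carry its peek result on `socket.__opts`),
 *   and greenlock's ACME challenge middleware
 */
module.exports.create = function (deps, config, netHandler) {
  var tls = require('tls');
  var parseSni = require('sni');
  var greenlock = require('greenlock');
  var localhostCerts = require('localhost.daplie.me-certificates');
  var domainMatches = require('../domain-utils').match;

  // remoteAddress, remotePort... ugh... https://github.com/nodejs/node/issues/8854
  // Reads a connection property from the socket, then from its underscored copy, then
  // from the parent handle's owner stream. Every hop of that internal chain is guarded
  // so a socket whose handle is already gone yields undefined instead of throwing
  // inside a connection callback.
  function extractSocketProp(socket, propName) {
    var handle = socket._handle;
    var parent = handle && handle._parent;
    var owner = parent && parent.owner;
    var stream = owner && owner.stream;
    return socket[propName]
      || socket['_' + propName]
      || (stream ? stream[propName] : undefined);
  }

  // Re-wraps a socket we have already read from into a fresh Duplex so the TLS server
  // sees an untouched stream; the consumed first chunk is pushed back on the next tick.
  // `opts` may carry the peeked remote* values, which take precedence over the duplex's.
  function wrapSocket(socket, opts) {
    var myDuplex = require('tunnel-packer').Stream.create(socket);
    myDuplex.remoteFamily = opts.remoteFamily || myDuplex.remoteFamily;
    myDuplex.remoteAddress = opts.remoteAddress || myDuplex.remoteAddress;
    myDuplex.remotePort = opts.remotePort || myDuplex.remotePort;

    socket.on('data', function (chunk) {
      console.log('[' + Date.now() + '] tls socket data', chunk.byteLength);
      myDuplex.push(chunk);
    });
    socket.on('error', function (err) {
      console.error('[error] httpsTunnel (Admin) TODO close');
      console.error(err);
      myDuplex.emit('error', err);
    });
    socket.on('close', function () {
      myDuplex.end();
    });

    process.nextTick(function () {
      // this must happen after the socket is emitted to the next in the chain,
      // but before any more data comes in via the network
      socket.unshift(opts.firstChunk);
    });

    return myDuplex;
  }

  // NOTE: Let's Encrypt has since retired the ACME v1 directory and the tls-sni-01
  // challenge type; issuance against this endpoint needs migrating to a v2 directory
  // with http-01 or dns-01.
  // NOTE: the challenge webroot lives under the shared /tmp; any local user who can
  // write there can interfere with challenge files, so a directory owned by this
  // process would be the safer home for it.
  var le = greenlock.create({
    // server: 'staging'
    server: 'https://acme-v01.api.letsencrypt.org/directory'
  , challenges: {
      'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: config.debug })
    , 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
      // TODO dns-01
      //, 'dns-01': require('le-challenge-ddns').create()
    }
  , store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })
    // Gatekeeper for certificate issuance. `opts.domain` ultimately comes from the
    // client's SNI, so the allowlist check below is what stops arbitrary names from
    // triggering ACME orders.
  , approveDomains: function (opts, certs, cb) {
      // This is where you check your database and associated
      // email addresses with domains and agreements and such
      // The domains being approved for the first time are listed in opts.domains
      // Certs being renewed are listed in certs.altnames
      if (certs) {
        // TODO make sure the same options are used for renewal as for registration?
        // NOTE: renewals bypass config.tls.servernames, so a name removed from the
        // allowlist keeps renewing until its certificate is removed from the store.
        opts.domains = certs.altnames;
        cb(null, { options: opts, certs: certs });
        return;
      }

      // Merges the override keys into `opts` and approves the request.
      function complete(optsOverride) {
        Object.keys(optsOverride).forEach(function (key) {
          opts[key] = optsOverride[key];
        });
        cb(null, { options: opts, certs: certs });
      }

      // check config for domain name
      if (-1 !== (config.tls.servernames || []).indexOf(opts.domain)) {
        // TODO how to handle SANs?
        // TODO fetch domain-specific email
        // TODO fetch domain-specific acmeDirectory
        // NOTE: you can also change other options such as `challengeType` and `challenge`
        // opts.challengeType = 'http-01';
        // opts.challenge = require('le-challenge-fs').create({});
        // TODO this doesn't actually work yet
        complete({
          email: config.tls.email
        , agreeTos: true
        , server: config.tls.acmeDirectoryUrl || le.server
        , challengeType: config.tls.challengeType || 'http-01'
        });
        return;
      }

      // TODO ask http module (and potentially all other modules) about what domains it can
      // handle. We can allow any domains that other modules will handle after we terminate TLS.
      cb(new Error('domain is not allowed'));

      // if (!modules.http) {
      //   modules.http = require('./modules/http.js').create(deps, config);
      // }
      // modules.http.checkServername(opts.domain).then(function (stuff) {
      //   if (!stuff || !stuff.domains) {
      //     // TODO once precheck is implemented we can just let it pass if it passes, yknow?
      //     cb(new Error('domain is not allowed'));
      //     return;
      //   }
      //   complete({
      //     domain: stuff.domain || stuff.domains[0]
      //   , domains: stuff.domains
      //   , email: stuff.email || program.email
      //   , server: stuff.acmeDirectoryUrl || program.acmeDirectoryUrl
      //   , challengeType: stuff.challengeType || program.challengeType
      //   , challenge: stuff.challenge
      //   });
      //   return;
      // }, cb);
    }
  });
  le.tlsOptions = le.tlsOptions || le.httpsOptions;

  // Cache of SecureContext objects for the static localhost certificates, keyed by SNI.
  // A prototype-less object so client-chosen keys can never collide with Object.prototype.
  var secureContexts = Object.create(null);
  var terminatorOpts = localhostCerts.merge({});
  // Serves static localhost.*.daplie.me certificates first and defers every other
  // servername to greenlock's own SNICallback.
  terminatorOpts.SNICallback = function (sni, cb) {
    console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");
    var tlsOptions;

    // Static Certs
    if (/.*localhost.*\.daplie\.me/.test(sni.toLowerCase())) {
      // TODO implement
      if (!secureContexts[sni]) {
        tlsOptions = localhostCerts.mergeTlsOptions(sni, {});
      }
      if (tlsOptions) {
        secureContexts[sni] = tls.createSecureContext(tlsOptions);
      }
      if (secureContexts[sni]) {
        console.log('Got static secure context:', sni, secureContexts[sni]);
        cb(null, secureContexts[sni]);
        return;
      }
    }

    le.tlsOptions.SNICallback(sni, cb);
  };

  // The local TLS terminator. Each decrypted connection is handed to netHandler with
  // the peer details recovered via extractSocketProp.
  var terminateServer = tls.createServer(terminatorOpts, function (socket) {
    console.log('(pre-terminated) tls connection, addr:', socket.remoteAddress);
    netHandler(socket, {
      servername: socket.servername
    , encrypted: true
      // remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
    , remoteAddress: extractSocketProp(socket, 'remoteAddress')
    , remotePort: extractSocketProp(socket, 'remotePort')
    , remoteFamily: extractSocketProp(socket, 'remoteFamily')
    });
  });

  // Forwards the still-encrypted connection to `mod.address` ("host:port"; an empty host
  // means 127.0.0.1). The split on ':' does not understand bracketed IPv6 literals.
  // `deps.net.createConnection` is the injected implementation, not Node's, so the
  // extra `data`/`servername`/remote* options are presumably interpreted by it.
  function proxy(socket, opts, mod) {
    var destination = mod.address.split(':');
    var connected = false;
    var newConn = deps.net.createConnection({
      port: destination[1]
    , host: destination[0] || '127.0.0.1'
    , servername: opts.servername
    , data: opts.firstChunk
    , remoteFamily: opts.family || extractSocketProp(socket, 'remoteFamily')
    , remoteAddress: opts.address || extractSocketProp(socket, 'remoteAddress')
    , remotePort: opts.port || extractSocketProp(socket, 'remotePort')
    }, function () {
      connected = true;
      // Without hyperPeek the first chunk was consumed from the client socket and has
      // to be replayed to the backend before piping.
      if (!opts.hyperPeek) {
        newConn.write(opts.firstChunk);
      }
      newConn.pipe(socket);
      socket.pipe(newConn);
    });

    // Not sure how to effectively report this to the user or client, but we need to listen
    // for the event to prevent it from crashing us.
    newConn.on('error', function (err) {
      if (connected) {
        console.error('TLS proxy remote error', err);
        socket.end();
      } else {
        // Backend unreachable: terminate TLS ourselves with the localhost certificate
        // just to deliver a 502 to the client.
        console.log('TLS proxy connection error', err);
        var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
        var decrypted;
        if (opts.hyperPeek) {
          decrypted = new tls.TLSSocket(socket, tlsOpts);
        } else {
          decrypted = new tls.TLSSocket(wrapSocket(socket, opts), tlsOpts);
        }
        require('../proxy-err-resp').sendBadGateway(decrypted, err, config.debug);
      }
    });
    socket.on('error', function (err) {
      console.error('TLS proxy client error', err);
      newConn.end();
    });
  }

  // Hands the connection to the local TLS server, re-wrapping it first if its first
  // chunk was already consumed.
  function terminate(socket, opts) {
    // Group each fallback explicitly: '+' binds tighter than '||', so writing the
    // fallbacks inline would glue socket.localAddress to opts.localPort and never
    // reach socket.localPort.
    var localAddress = opts.localAddress || socket.localAddress;
    var localPort = opts.localPort || socket.localPort;
    console.log(
      '[tls-terminate]'
    , localAddress + ':' + localPort
    , 'servername=' + opts.servername
    , opts.remoteAddress || socket.remoteAddress
    );

    if (opts.hyperPeek) {
      // This connection was peeked at using a method that doesn't interferre with the TLS
      // server's ability to handle it properly. Currently the only way this happens is
      // with tunnel connections where we have the first chunk of data before creating the
      // new connection (thus removing need to get data off the new connection).
      terminateServer.emit('connection', socket);
    } else {
      // The hyperPeek flag wasn't set, so we had to read data off of this connection, which
      // means we can no longer use it directly in the TLS server.
      // See https://github.com/nodejs/node/issues/8752 (node's internal networking layer == 💩 sometimes)
      terminateServer.emit('connection', wrapSocket(socket, opts));
    }
  }

  // Routes a new connection by the SNI found in `opts.firstChunk`. The servername is
  // client-controlled; it is lowercased and defaults to 'localhost.invalid' when absent.
  function handleConn(socket, opts) {
    opts.servername = (parseSni(opts.firstChunk)||'').toLowerCase() || 'localhost.invalid';

    // needs to wind up in one of 3 states:
    // 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
    // 2. Terminated (goes on to a particular module or route, including the admin interface)
    // 3. Closed (we don't recognize the SNI servername as something we actually want to handle)

    // We always want to terminate if the SNI matches the challenge pattern, unless a client
    // on the south side has temporarily claimed a particular challenge. For the time being
    // we don't have a way for the south-side to communicate with us, so that part isn't done.
    if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
      terminate(socket, opts);
      return;
    }

    var handled = (config.tls.modules || []).some(function (mod) {
      var relevant = mod.domains.some(function (pattern) {
        return domainMatches(pattern, opts.servername);
      });
      if (!relevant) {
        return false;
      }

      if (mod.name === 'proxy') {
        proxy(socket, opts, mod);
      } else {
        console.error('saw unknown TLS module', mod);
        return false;
      }
      return true;
    });

    // TODO: figure out all of the domains that the other modules intend to handle, and only
    // terminate those ones, closing connections for all others.
    // Until then state 3 above is unreachable: every unmatched servername is terminated.
    if (!handled) {
      terminate(socket, opts);
    }
  }

  return {
    emit: function (type, socket) {
      if (type === 'connection') {
        handleConn(socket, socket.__opts);
      }
    }
  , middleware: le.middleware()
  };
};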