greenlock-express.js/examples/vhost.js

#!/usr/bin/env node
"use strict";

///////////////////
// vhost example //
///////////////////

//
// virtual hosting example
//

// The prefix where sites go by name.
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
var srv = process.argv[3] || "/srv/www/";

var path = require("path");
var fs = require("fs").promises;
var finalhandler = require("finalhandler");
var serveStatic = require("serve-static");

//var glx = require('greenlock-express')
var glx = require("./").create({
	version: "draft-11", // Let's Encrypt v2 is ACME draft 11

	server: "https://acme-v02.api.letsencrypt.org/directory", // If at first you don't succeed, stop and switch to staging
	// https://acme-staging-v02.api.letsencrypt.org/directory

	configDir: process.argv[4] || "~/.config/acme/", // You MUST have access to write to directory where certs
	// are saved. ex: /home/foouser/.config/acme

	approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the
	// domain name here and reject invalid ones

	app: myVhostApp, // Any node-style http app (i.e. express, koa, hapi, rill)

	/* CHANGE TO A VALID EMAIL */
	email: process.argv[2] || "jon.doe@example.com", // Email for Let's Encrypt account and Greenlock Security
	agreeTos: true // Accept Let's Encrypt ToS
	//, communityMember: true                                   // Join Greenlock to get important updates, no spam

	//, debug: true
});

var server = glx.listen(80, 443);
server.on("listening", function() {
	console.info(server.type + " listening on", server.address());
});

function myApproveDomains(opts, certs, cb) {
	console.log("sni:", opts.domain);
	// In this example the filesystem is our "database".
	// We check in /srv/www for whatever.com and if it exists, it's allowed

	// SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
	return checkWwws(opts.domains[0])
		.then(function() {
			//opts.email = email;
			opts.agreeTos = true;
			cb(null, { options: opts, certs: certs });
		})
		.catch(cb);
}

function checkWwws(_hostname) {
	if (!_hostname) {
		// SECURITY, don't allow access to the 'srv' root
		// (greenlock-express uses middleware to check '..', etc)
		return "";
	}
	var hostname = _hostname;
	var _hostdir = path.join(srv, hostname);
	var hostdir = _hostdir;
	// TODO could test for www/no-www both in directory
	return fs
		.readdir(hostdir)
		.then(function() {
			// TODO check for some sort of htaccess.json and use email in that
			// NOTE: you can also change other options such as `challengeType` and `challenge`
			// opts.challengeType = 'http-01';
			// opts.challenge = require('le-challenge-fs').create({});
			return hostname;
		})
		.catch(function() {
			if ("www." === hostname.slice(0, 4)) {
				// Assume we'll redirect to non-www if it's available.
				hostname = hostname.slice(4);
				hostdir = path.join(srv, hostname);
				return fs.readdir(hostdir).then(function() {
					// TODO list both domains?
					return hostname;
				});
			} else {
				// Or check and see if perhaps we should redirect non-www to www
				hostname = "www." + hostname;
				hostdir = path.join(srv, hostname);
				return fs.readdir(hostdir).then(function() {
					// TODO list both domains?
					return hostname;
				});
			}
		})
		.catch(function() {
			throw new Error("rejecting '" + _hostname + "' because '" + _hostdir + "' could not be read");
		});
}

function myVhostApp(req, res) {
	// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
	// (also: only domains approved above will get here)
	console.log("vhost:", req.headers.host);
	if (!req.headers.host) {
		// SECURITY, don't allow access to the 'srv' root
		// (greenlock-express uses middleware to check '..', etc)
		return res.end();
	}

	// We could cache wether or not a host exists for some amount of time
	var fin = finalhandler(req, res);
	return checkWwws(req.headers.host)
		.then(function(hostname) {
			if (hostname !== req.headers.host) {
				res.statusCode = 302;
				res.setHeader("Location", "https://" + hostname);
				// SECURITY this is safe only because greenlock disallows invalid hostnames
				res.end("<!-- redirecting to https://" + hostname + "-->");
				return;
			}
			var serve = serveStatic(path.join(srv, hostname), { redirect: true });
			serve(req, res, fin);
		})
		.catch(function() {
			fin();
		});
}
add virtual hosting example 2018-05-05 19:56:28 +00:00			`#!/usr/bin/env node`
make Prettier 2019-06-03 09:47:07 +00:00			`"use strict";`
add virtual hosting example 2018-05-05 19:56:28 +00:00
update vhost example 2018-08-22 22:36:25 +00:00			`///////////////////`
			`// vhost example //`
			`///////////////////`

			`//`
			`// virtual hosting example`
			`//`
add virtual hosting example 2018-05-05 19:56:28 +00:00
			`// The prefix where sites go by name.`
			`// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path`
make Prettier 2019-06-03 09:47:07 +00:00			`var srv = process.argv[3] \|\| "/srv/www/";`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`var path = require("path");`
			`var fs = require("fs").promises;`
			`var finalhandler = require("finalhandler");`
			`var serveStatic = require("serve-static");`
add virtual hosting example 2018-05-05 19:56:28 +00:00
rely on built-in security checks 2018-08-18 10:40:26 +00:00			`//var glx = require('greenlock-express')`
make Prettier 2019-06-03 09:47:07 +00:00			`var glx = require("./").create({`
			`version: "draft-11", // Let's Encrypt v2 is ACME draft 11`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`server: "https://acme-v02.api.letsencrypt.org/directory", // If at first you don't succeed, stop and switch to staging`
			`// https://acme-staging-v02.api.letsencrypt.org/directory`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`configDir: process.argv[4] \|\| "~/.config/acme/", // You MUST have access to write to directory where certs`
			`// are saved. ex: /home/foouser/.config/acme`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the`
			`// domain name here and reject invalid ones`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`app: myVhostApp, // Any node-style http app (i.e. express, koa, hapi, rill)`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`/* CHANGE TO A VALID EMAIL */`
			`email: process.argv[2] \|\| "jon.doe@example.com", // Email for Let's Encrypt account and Greenlock Security`
			`agreeTos: true // Accept Let's Encrypt ToS`
			`//, communityMember: true // Join Greenlock to get important updates, no spam`
add virtual hosting example 2018-05-05 19:56:28 +00:00
make Prettier 2019-06-03 09:47:07 +00:00			`//, debug: true`
update vhost example 2018-08-22 22:36:25 +00:00			`});`
add virtual hosting example 2018-05-05 19:56:28 +00:00
update vhost example 2018-08-22 22:36:25 +00:00			`var server = glx.listen(80, 443);`
make Prettier 2019-06-03 09:47:07 +00:00			`server.on("listening", function() {`
			`console.info(server.type + " listening on", server.address());`
update vhost example 2018-08-22 22:36:25 +00:00			`});`
add virtual hosting example 2018-05-05 19:56:28 +00:00
update vhost example 2018-08-22 22:36:25 +00:00			`function myApproveDomains(opts, certs, cb) {`
make Prettier 2019-06-03 09:47:07 +00:00			`console.log("sni:", opts.domain);`
			`// In this example the filesystem is our "database".`
			`// We check in /srv/www for whatever.com and if it exists, it's allowed`

			`// SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to`
			`return checkWwws(opts.domains[0])`
			`.then(function() {`
			`//opts.email = email;`
			`opts.agreeTos = true;`
			`cb(null, { options: opts, certs: certs });`
			`})`
			`.catch(cb);`
v2.6.9: fix and update vhost example 2019-03-30 07:40:26 +00:00			`}`
update vhost example 2018-08-22 22:36:25 +00:00
v2.6.9: fix and update vhost example 2019-03-30 07:40:26 +00:00			`function checkWwws(_hostname) {`
make Prettier 2019-06-03 09:47:07 +00:00			`if (!_hostname) {`
			`// SECURITY, don't allow access to the 'srv' root`
			`// (greenlock-express uses middleware to check '..', etc)`
			`return "";`
			`}`
			`var hostname = _hostname;`
			`var _hostdir = path.join(srv, hostname);`
			`var hostdir = _hostdir;`
			`// TODO could test for www/no-www both in directory`
			`return fs`
			`.readdir(hostdir)`
			`.then(function() {`
			`// TODO check for some sort of htaccess.json and use email in that`
			// NOTE: you can also change other options such as `challengeType` and `challenge`
			`// opts.challengeType = 'http-01';`
			`// opts.challenge = require('le-challenge-fs').create({});`
			`return hostname;`
			`})`
			`.catch(function() {`
			`if ("www." === hostname.slice(0, 4)) {`
			`// Assume we'll redirect to non-www if it's available.`
			`hostname = hostname.slice(4);`
			`hostdir = path.join(srv, hostname);`
			`return fs.readdir(hostdir).then(function() {`
			`// TODO list both domains?`
			`return hostname;`
			`});`
			`} else {`
			`// Or check and see if perhaps we should redirect non-www to www`
			`hostname = "www." + hostname;`
			`hostdir = path.join(srv, hostname);`
			`return fs.readdir(hostdir).then(function() {`
			`// TODO list both domains?`
			`return hostname;`
			`});`
			`}`
			`})`
			`.catch(function() {`
			`throw new Error("rejecting '" + _hostname + "' because '" + _hostdir + "' could not be read");`
			`});`
update vhost example 2018-08-22 22:36:25 +00:00			`}`

			`function myVhostApp(req, res) {`
make Prettier 2019-06-03 09:47:07 +00:00			`// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to`
			`// (also: only domains approved above will get here)`
			`console.log("vhost:", req.headers.host);`
			`if (!req.headers.host) {`
			`// SECURITY, don't allow access to the 'srv' root`
			`// (greenlock-express uses middleware to check '..', etc)`
			`return res.end();`
			`}`

			`// We could cache wether or not a host exists for some amount of time`
			`var fin = finalhandler(req, res);`
			`return checkWwws(req.headers.host)`
			`.then(function(hostname) {`
			`if (hostname !== req.headers.host) {`
			`res.statusCode = 302;`
			`res.setHeader("Location", "https://" + hostname);`
			`// SECURITY this is safe only because greenlock disallows invalid hostnames`
			`res.end("<!-- redirecting to https://" + hostname + "-->");`
			`return;`
			`}`
			`var serve = serveStatic(path.join(srv, hostname), { redirect: true });`
			`serve(req, res, fin);`
			`})`
			`.catch(function() {`
			`fin();`
			`});`
update vhost example 2018-08-22 22:36:25 +00:00			`}`