greenlock-express.js/examples/vhost.js

129 lines
4.7 KiB
JavaScript
Raw Normal View History

2018-05-05 19:56:28 +00:00
#!/usr/bin/env node
'use strict';
2018-08-22 22:36:25 +00:00
///////////////////
// vhost example //
///////////////////
//
// virtual hosting example
//
2018-05-05 19:56:28 +00:00
// The prefix where sites go by name.
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
2019-03-30 07:40:26 +00:00
var srv = process.argv[3] || '/srv/www/';
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
var path = require('path');
2019-03-30 07:40:26 +00:00
var fs = require('fs').promises;
2018-05-05 19:56:28 +00:00
var finalhandler = require('finalhandler');
var serveStatic = require('serve-static');
2018-08-18 10:40:26 +00:00
//var glx = require('greenlock-express')
2019-03-30 07:40:26 +00:00
var glx = require('./').create({
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
version: 'draft-11' // Let's Encrypt v2 is ACME draft 11
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
, server: 'https://acme-v02.api.letsencrypt.org/directory' // If at first you don't succeed, stop and switch to staging
// https://acme-staging-v02.api.letsencrypt.org/directory
2018-05-05 19:56:28 +00:00
2019-03-30 07:40:26 +00:00
, configDir: process.argv[4] || '~/.config/acme/' // You MUST have access to write to directory where certs
2018-08-22 22:36:25 +00:00
// are saved. ex: /home/foouser/.config/acme
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
, approveDomains: myApproveDomains // Greenlock's wraps around tls.SNICallback. Check the
// domain name here and reject invalid ones
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
, app: myVhostApp // Any node-style http app (i.e. express, koa, hapi, rill)
2018-05-10 06:53:45 +00:00
2018-08-22 22:36:25 +00:00
/* CHANGE TO A VALID EMAIL */
2019-03-30 07:40:26 +00:00
, email: process.argv[2] || 'jon.doe@example.com' // Email for Let's Encrypt account and Greenlock Security
2018-08-22 22:36:25 +00:00
, agreeTos: true // Accept Let's Encrypt ToS
2019-03-30 07:40:26 +00:00
//, communityMember: true // Join Greenlock to get important updates, no spam
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
//, debug: true
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
});
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
var server = glx.listen(80, 443);
server.on('listening', function () {
console.info(server.type + " listening on", server.address());
});
2018-05-05 19:56:28 +00:00
2018-08-22 22:36:25 +00:00
function myApproveDomains(opts, certs, cb) {
2019-03-30 07:50:13 +00:00
console.log('sni:', opts.domain);
2018-08-22 22:36:25 +00:00
// In this example the filesystem is our "database".
2019-03-30 07:40:26 +00:00
// We check in /srv/www for whatever.com and if it exists, it's allowed
2018-08-22 22:36:25 +00:00
2019-03-30 07:40:26 +00:00
// SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
return checkWwws(opts.domains[0]).then(function () {
//opts.email = email;
opts.agreeTos = true;
cb(null, { options: opts, certs: certs });
}).catch(cb);
}
2018-08-22 22:36:25 +00:00
2019-03-30 07:40:26 +00:00
function checkWwws(_hostname) {
2019-04-10 17:44:24 +00:00
if (!_hostname) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return '';
}
2019-03-30 07:40:26 +00:00
var hostname = _hostname;
2019-03-30 07:50:13 +00:00
var _hostdir = path.join(srv, hostname);
var hostdir = _hostdir;
2019-03-30 07:40:26 +00:00
// TODO could test for www/no-www both in directory
return fs.readdir(hostdir).then(function () {
// TODO check for some sort of htaccess.json and use email in that
// NOTE: you can also change other options such as `challengeType` and `challenge`
2018-08-22 22:36:25 +00:00
// opts.challengeType = 'http-01';
// opts.challenge = require('le-challenge-fs').create({});
2019-03-30 07:40:26 +00:00
return hostname;
}).catch(function () {
if ('www.' === hostname.slice(0, 4)) {
// Assume we'll redirect to non-www if it's available.
hostname = hostname.slice(4);
hostdir = path.join(srv, hostname);
return fs.readdir(hostdir).then(function () {
2019-03-30 08:35:23 +00:00
// TODO list both domains?
2019-03-30 07:40:26 +00:00
return hostname;
});
} else {
// Or check and see if perhaps we should redirect non-www to www
hostname = 'www.' + hostname;
hostdir = path.join(srv, hostname);
return fs.readdir(hostdir).then(function () {
2019-03-30 08:35:23 +00:00
// TODO list both domains?
2019-03-30 07:40:26 +00:00
return hostname;
});
}
}).catch(function () {
2019-03-30 07:50:13 +00:00
throw new Error("rejecting '" + _hostname + "' because '" + _hostdir + "' could not be read");
2018-08-22 22:36:25 +00:00
});
}
function myVhostApp(req, res) {
2019-03-30 07:40:26 +00:00
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
// (also: only domains approved above will get here)
2019-03-30 07:50:13 +00:00
console.log('vhost:', req.headers.host);
2019-04-10 17:44:24 +00:00
if (!req.headers.host) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return res.end();
}
2019-03-30 07:40:26 +00:00
// We could cache wether or not a host exists for some amount of time
var fin = finalhandler(req, res);
return checkWwws(req.headers.host).then(function (hostname) {
2019-03-30 08:35:23 +00:00
if (hostname !== req.headers.host) {
res.statusCode = 302;
res.setHeader('Location', 'https://' + hostname);
// SECURITY this is safe only because greenlock disallows invalid hostnames
res.end("<!-- redirecting to https://" + hostname + "-->");
return;
}
2019-03-30 07:40:26 +00:00
var serve = serveStatic(path.join(srv, hostname), { redirect: true });
serve(req, res, fin);
}).catch(function () {
fin();
});
2018-08-22 22:36:25 +00:00
}