v2.6.9: fix and update vhost example

This commit is contained in:
AJ ONeal 2019-03-30 01:40:26 -06:00
parent f722d9917c
commit 12058026ad
2 changed files with 61 additions and 72 deletions

View File

@ -11,22 +11,22 @@
// The prefix where sites go by name. // The prefix where sites go by name.
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path // For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
var srv = '/srv/www/'; var srv = process.argv[3] || '/srv/www/';
var path = require('path'); var path = require('path');
var fs = require('fs'); var fs = require('fs').promises;
var finalhandler = require('finalhandler'); var finalhandler = require('finalhandler');
var serveStatic = require('serve-static'); var serveStatic = require('serve-static');
//var glx = require('greenlock-express') //var glx = require('greenlock-express')
var glx = require('../').create({ var glx = require('./').create({
version: 'draft-11' // Let's Encrypt v2 is ACME draft 11 version: 'draft-11' // Let's Encrypt v2 is ACME draft 11
, server: 'https://acme-v02.api.letsencrypt.org/directory' // If at first you don't succeed, stop and switch to staging , server: 'https://acme-v02.api.letsencrypt.org/directory' // If at first you don't succeed, stop and switch to staging
// https://acme-staging-v02.api.letsencrypt.org/directory // https://acme-staging-v02.api.letsencrypt.org/directory
, configDir: '~/.config/acme/' // You MUST have access to write to directory where certs , configDir: process.argv[4] || '~/.config/acme/' // You MUST have access to write to directory where certs
// are saved. ex: /home/foouser/.config/acme // are saved. ex: /home/foouser/.config/acme
, approveDomains: myApproveDomains // Greenlock's wraps around tls.SNICallback. Check the , approveDomains: myApproveDomains // Greenlock's wraps around tls.SNICallback. Check the
@ -35,9 +35,9 @@ var glx = require('../').create({
, app: myVhostApp // Any node-style http app (i.e. express, koa, hapi, rill) , app: myVhostApp // Any node-style http app (i.e. express, koa, hapi, rill)
/* CHANGE TO A VALID EMAIL */ /* CHANGE TO A VALID EMAIL */
, email:'jon@example.com' // Email for Let's Encrypt account and Greenlock Security , email: process.argv[2] || 'jon.doe@example.com' // Email for Let's Encrypt account and Greenlock Security
, agreeTos: true // Accept Let's Encrypt ToS , agreeTos: true // Accept Let's Encrypt ToS
, communityMember: true // Join Greenlock to get important updates, no spam //, communityMember: true // Join Greenlock to get important updates, no spam
//, debug: true //, debug: true
@ -48,67 +48,61 @@ server.on('listening', function () {
console.info(server.type + " listening on", server.address()); console.info(server.type + " listening on", server.address());
}); });
// [SECURITY]
// Since v2.4.0+ Greenlock proactively protects against
// SQL injection and timing attacks by rejecting invalid domain names,
// but it's up to you to make sure that you accept opts.domain BEFORE
// an attempt is made to issue a certificate for it.
function myApproveDomains(opts, certs, cb) { function myApproveDomains(opts, certs, cb) {
console.log(opts.domains);
// In this example the filesystem is our "database". // In this example the filesystem is our "database".
// We check in /srv/www/ for opts.domain (i.e. "example.com") and only proceed if it exists. // We check in /srv/www for whatever.com and if it exists, it's allowed
console.log(opts.domain);
// Check that the hosting domain exists on the file system. // SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
var hostdir = path.join(srv, opts.domain); return checkWwws(opts.domains[0]).then(function () {
fs.readdir(hostdir, function (err, nodes) { //opts.email = email;
var e; opts.agreeTos = true;
if (err || !nodes) { cb(null, { options: opts, certs: certs });
e = new Error("rejecting '" + opts.domains[0] + "' because '" + hostdir + "' could not be read"); }).catch(cb);
console.error(e); }
console.error(err);
cb(e);
return;
}
// You could put a variety of configuration details alongside the vhost folder function checkWwws(_hostname) {
// For example, /srv/www/example.com.json could describe the following: var hostname = _hostname;
var hostdir = path.join(srv, hostname);
// If you have multiple domains grouped together, you can list them on the same certificate // TODO could test for www/no-www both in directory
// opts.domains = [ 'example.com', 'www.example.com', 'api.example.com', 'sso.example.com' ] return fs.readdir(hostdir).then(function () {
// TODO check for some sort of htaccess.json and use email in that
// You can also change other options on-the-fly // NOTE: you can also change other options such as `challengeType` and `challenge`
// (approveDomains is called after the in-memory certificates cache is checked, but before any ACME requests)
// opts.email = "jon@example.com"
// opts.agreeTos = true;
// opts.challengeType = 'http-01'; // opts.challengeType = 'http-01';
// opts.challenge = require('le-challenge-fs').create({}); // opts.challenge = require('le-challenge-fs').create({});
cb(null, { options: opts, certs: certs }); return hostname;
}); }).catch(function () {
if ('www.' === hostname.slice(0, 4)) {
} // Assume we'll redirect to non-www if it's available.
hostname = hostname.slice(4);
// [SECURITY] hostdir = path.join(srv, hostname);
// Since v2.4.0+ Greenlock Express will proactively protect against return fs.readdir(hostdir).then(function () {
// SQL injection and timing attacks by rejecting invalid domain names return hostname;
// in Host headers. });
// It will also make them lowercase and protect against "domain fronting". } else {
// However, it's up to you to make sure you actually have a domain to serve :) // Or check and see if perhaps we should redirect non-www to www
var servers = {}; hostname = 'www.' + hostname;
function myVhostApp(req, res) { hostdir = path.join(srv, hostname);
var hostname = req.headers.host; return fs.readdir(hostdir).then(function () {
var srvpath = path.join(srv, hostname); return hostname;
console.log('vhost for', req.headers.host); });
if (!servers[hostname]) {
try {
fs.accessSync(srvpath);
servers[hostname] = serveStatic(srvpath, { redirect: true });
} catch(e) {
finalhandler(req, res);
} }
} }).catch(function () {
throw new Error("rejecting '" + _hostname + "' because '" + hostdir + "' could not be read");
servers[hostname](req, res, finalhandler(req, res)); });
}
function myVhostApp(req, res) {
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
// (also: only domains approved above will get here)
console.log(req.headers.host);
// We could cache wether or not a host exists for some amount of time
var fin = finalhandler(req, res);
return checkWwws(req.headers.host).then(function (hostname) {
var serve = serveStatic(path.join(srv, hostname), { redirect: true });
serve(req, res, fin);
}).catch(function () {
fin();
});
} }

View File

@ -1,6 +1,6 @@
{ {
"name": "greenlock-express", "name": "greenlock-express",
"version": "2.6.8", "version": "2.6.9",
"description": "Free SSL and managed or automatic HTTPS for node.js with Express, Koa, Connect, Hapi, and all other middleware systems.", "description": "Free SSL and managed or automatic HTTPS for node.js with Express, Koa, Connect, Hapi, and all other middleware systems.",
"main": "index.js", "main": "index.js",
"homepage": "https://git.coolaj86.com/coolaj86/greenlock-express.js", "homepage": "https://git.coolaj86.com/coolaj86/greenlock-express.js",
@ -36,19 +36,14 @@
"url": "https://git.coolaj86.com/coolaj86/greenlock-express.js.git" "url": "https://git.coolaj86.com/coolaj86/greenlock-express.js.git"
}, },
"keywords": [ "keywords": [
"acme",
"cloud",
"cluster",
"free", "free",
"ssl",
"letsencrypt",
"acme",
"greenlock", "greenlock",
"https", "https",
"cloud",
"le", "le",
"letsencrypt",
"multi-core",
"node",
"node.js",
"scale",
"ssl",
"tls" "tls"
], ],
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)", "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",