AJ ONeal
6 years ago
1 changed files with 87 additions and 59 deletions
@ -1,86 +1,114 @@ |
|||||
#!/usr/bin/env node
|
#!/usr/bin/env node
|
||||
'use strict'; |
'use strict'; |
||||
|
|
||||
// This is an example for virtual hosting
|
///////////////////
|
||||
|
// vhost example //
|
||||
|
///////////////////
|
||||
|
|
||||
|
//
|
||||
|
// virtual hosting example
|
||||
|
//
|
||||
|
|
||||
var email = 'john@example.com'; |
|
||||
// The prefix where sites go by name.
|
// The prefix where sites go by name.
|
||||
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
|
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
|
||||
var srv = '/srv/www/'; |
var srv = '/srv/www/'; |
||||
|
|
||||
|
var path = require('path'); |
||||
var fs = require('fs'); |
var fs = require('fs'); |
||||
var finalhandler = require('finalhandler'); |
var finalhandler = require('finalhandler'); |
||||
var serveStatic = require('serve-static'); |
var serveStatic = require('serve-static'); |
||||
var path = require('path'); |
|
||||
// Allowed characters are a-z,0-9,.,-,_ with TLDs being alpha-only
|
|
||||
|
|
||||
//var glx = require('greenlock-express')
|
//var glx = require('greenlock-express')
|
||||
var glx = require('../').create({ |
var glx = require('../').create({ |
||||
|
|
||||
// Let's Encrypt v2 is ACME draft 11
|
version: 'draft-11' // Let's Encrypt v2 is ACME draft 11
|
||||
version: 'draft-11' |
|
||||
|
|
||||
, server: 'https://acme-v02.api.letsencrypt.org/directory' |
, server: 'https://acme-v02.api.letsencrypt.org/directory' // If at first you don't succeed, stop and switch to staging
|
||||
// Note: If at first you don't succeed, stop and switch to staging
|
// https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|
||||
|
|
||||
, approveDomains: function (opts, certs, cb) { |
, configDir: '~/.config/acme/' // You MUST have access to write to directory where certs
|
||||
// In this example the filesystem is our "database".
|
// are saved. ex: /home/foouser/.config/acme
|
||||
// We check in /srv/www for whateve.com and if it exists, it's allowed
|
|
||||
|
|
||||
|
, approveDomains: myApproveDomains // Greenlock's wraps around tls.SNICallback. Check the
|
||||
|
// domain name here and reject invalid ones
|
||||
|
|
||||
// The domains being approved for the first time are listed in opts.domains
|
, app: myVhostApp // Any node-style http app (i.e. express, koa, hapi, rill)
|
||||
|
|
||||
// Certs being renewed are listed in certs.altnames
|
/* CHANGE TO A VALID EMAIL */ |
||||
if (certs) { |
, email:'jon@example.com' // Email for Let's Encrypt account and Greenlock Security
|
||||
opts.domains = certs.altnames; |
, agreeTos: true // Accept Let's Encrypt ToS
|
||||
cb(null, { options: opts, certs: certs }); |
, communityMember: true // Join Greenlock to get important updates, no spam
|
||||
return; |
|
||||
} |
|
||||
|
|
||||
// SECURITY Greenlock validates opts.domains ahead-of-time
|
//, debug: true
|
||||
var hostdir = path.join(srv, opts.domains[0]); |
|
||||
// TODO could test for www/no-www both in directory and IP
|
|
||||
fs.readdir(hostdir, function (err, nodes) { |
|
||||
var e; |
|
||||
if (err || !nodes) { |
|
||||
e = new Error("rejecting '" + opts.domains[0] + "' because '" + hostdir + "' could not be read"); |
|
||||
console.error(err); |
|
||||
console.error(e); |
|
||||
cb(e); |
|
||||
return; |
|
||||
} |
|
||||
|
|
||||
// TODO check for some sort of htaccess.json and use email in that
|
|
||||
// NOTE: you can also change other options such as `challengeType` and `challenge`
|
|
||||
// opts.challengeType = 'http-01';
|
|
||||
// opts.challenge = require('le-challenge-fs').create({});
|
|
||||
opts.email = email; |
|
||||
opts.agreeTos = true; |
|
||||
cb(null, { options: opts, certs: certs }); |
|
||||
}); |
|
||||
|
|
||||
} |
}); |
||||
|
|
||||
// You MUST have access to write to directory where certs are saved
|
var server = glx.listen(80, 443); |
||||
// ex: /home/foouser/acme/etc
|
server.on('listening', function () { |
||||
, configDir: '~/.config/acme/' |
console.info(server.type + " listening on", server.address()); |
||||
|
}); |
||||
|
|
||||
, app: function (req, res) { |
// [SECURITY]
|
||||
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access
|
// Since v2.4.0+ Greenlock proactively protects against
|
||||
console.log(req.headers.host); |
// SQL injection and timing attacks by rejecting invalid domain names,
|
||||
var hostname = req.headers.host; |
// but it's up to you to make sure that you accept opts.domain BEFORE
|
||||
|
// an attempt is made to issue a certificate for it.
|
||||
|
function myApproveDomains(opts, certs, cb) { |
||||
|
|
||||
|
// In this example the filesystem is our "database".
|
||||
|
// We check in /srv/www/ for opts.domain (i.e. "example.com") and only proceed if it exists.
|
||||
|
console.log(opts.domain); |
||||
|
|
||||
|
// Check that the hosting domain exists on the file system.
|
||||
|
var hostdir = path.join(srv, opts.domain); |
||||
|
fs.readdir(hostdir, function (err, nodes) { |
||||
|
var e; |
||||
|
if (err || !nodes) { |
||||
|
e = new Error("rejecting '" + opts.domains[0] + "' because '" + hostdir + "' could not be read"); |
||||
|
console.error(e); |
||||
|
console.error(err); |
||||
|
cb(e); |
||||
|
return; |
||||
|
} |
||||
|
|
||||
var serve = serveStatic(path.join(srv, hostname), { redirect: true }); |
// You could put a variety of configuration details alongside the vhost folder
|
||||
serve(req, res, finalhandler(req, res)); |
// For example, /srv/www/example.com.json could describe the following:
|
||||
|
|
||||
|
// If you have multiple domains grouped together, you can list them on the same certificate
|
||||
|
// opts.domains = [ 'example.com', 'www.example.com', 'api.example.com', 'sso.example.com' ]
|
||||
|
|
||||
|
// You can also change other options on-the-fly
|
||||
|
// (approveDomains is called after the in-memory certificates cache is checked, but before any ACME requests)
|
||||
|
|
||||
|
// opts.email = "jon@example.com"
|
||||
|
// opts.agreeTos = true;
|
||||
|
// opts.challengeType = 'http-01';
|
||||
|
// opts.challenge = require('le-challenge-fs').create({});
|
||||
|
cb(null, { options: opts, certs: certs }); |
||||
|
}); |
||||
|
|
||||
|
} |
||||
|
|
||||
|
// [SECURITY]
|
||||
|
// Since v2.4.0+ Greenlock Express will proactively protect against
|
||||
|
// SQL injection and timing attacks by rejecting invalid domain names
|
||||
|
// in Host headers.
|
||||
|
// It will also make them lowercase and protect against "domain fronting".
|
||||
|
// However, it's up to you to make sure you actually have a domain to serve :)
|
||||
|
var servers = {}; |
||||
|
function myVhostApp(req, res) { |
||||
|
var hostname = req.headers.host; |
||||
|
var srvpath = path.join(srv, hostname); |
||||
|
console.log('vhost for', req.headers.host); |
||||
|
|
||||
|
if (!servers[hostname]) { |
||||
|
try { |
||||
|
fs.accessSync(srvpath); |
||||
|
servers[hostname] = serveStatic(srvpath, { redirect: true }); |
||||
|
} catch(e) { |
||||
|
finalhandler(req, res); |
||||
|
} |
||||
} |
} |
||||
|
|
||||
// Get notified of important updates and help me make greenlock better
|
servers[hostname](req, res, finalhandler(req, res)); |
||||
, communityMember: true |
} |
||||
|
|
||||
//, debug: true
|
|
||||
|
|
||||
}); |
|
||||
|
|
||||
var server = glx.listen(80, 443); |
|
||||
|
Loading…
Reference in new issue