better security / education in example

This commit is contained in:
AJ ONeal 2019-04-10 11:44:24 -06:00
parent 0d2d571458
commit c7dfec515d
1 changed files with 10 additions and 0 deletions

View File

@ -62,6 +62,11 @@ function myApproveDomains(opts, certs, cb) {
}
function checkWwws(_hostname) {
if (!_hostname) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return '';
}
var hostname = _hostname;
var _hostdir = path.join(srv, hostname);
var hostdir = _hostdir;
@ -99,6 +104,11 @@ function myVhostApp(req, res) {
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
// (also: only domains approved above will get here)
console.log('vhost:', req.headers.host);
if (!req.headers.host) {
// SECURITY, don't allow access to the 'srv' root
// (greenlock-express uses middleware to check '..', etc)
return res.end();
}
// We could cache wether or not a host exists for some amount of time
var fin = finalhandler(req, res);