AJ ONeal
5 years ago
26 changed files with 467 additions and 805 deletions
@ -0,0 +1,39 @@ |
|||
"use strict"; |
|||
|
|||
var pkg = require("../../package.json"); |
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "websocket-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
|
|||
// When you're ready to go full cloud scale, you just change this to true:
|
|||
// Note: in cluster you CANNOT use in-memory state (see below)
|
|||
cluster: true, |
|||
|
|||
// This will default to the number of workers being equal to
|
|||
// n-1 cpus, with a minimum of 2
|
|||
workers: 4 |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
|||
|
|||
function httpsWorker(glx) { |
|||
// WRONG
|
|||
// This won't work like you
|
|||
// think because EACH worker
|
|||
// has ITS OWN `count`.
|
|||
var count = 0; |
|||
|
|||
var app = function(req, res) { |
|||
res.end("Hello... how many times now? Oh, " + count + " times"); |
|||
count += 1; |
|||
}; |
|||
|
|||
// Serves on 80 and 443... for each worker
|
|||
// Get's SSL certificates magically!
|
|||
glx.serveApp(app); |
|||
} |
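Review bot: The `package.name` returned from `getConfig()` is `"websocket-example"`, but this hunk is the cluster example (`cluster: true`, `workers: 4`), and the same string is reused in the later `cluster: false` example whose comment states the package name+version is sent as the ACME client user agent. Two different examples reporting the same identity to the CA makes them indistinguishable in the CA's logs and hides copy-paste errors when a user adapts one of them; each example should carry its own name, e.g. `package: { name: "cluster-example", version: pkg.version },` here, presumably with the other example renamed to match its file. The per-worker `count` is intentionally shown as the WRONG pattern, so no change is proposed there beyond the existing comment.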
@ -1,75 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
// npm install spdy@3.x
|
|||
|
|||
//var Greenlock = require('greenlock-express')
|
|||
var Greenlock = require("../"); |
|||
|
|||
var greenlock = Greenlock.create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
// You MUST change this to a valid email address
|
|||
email: "jon@example.com", |
|||
|
|||
// You MUST NOT build clients that accept the ToS without asking the user
|
|||
agreeTos: true, |
|||
|
|||
// You MUST change these to valid domains
|
|||
// NOTE: all domains will validated and listed on the certificate
|
|||
approvedDomains: ["example.com", "www.example.com"], |
|||
|
|||
// You MUST have access to write to directory where certs are saved
|
|||
// ex: /home/foouser/acme/etc
|
|||
configDir: "~/.config/acme/", |
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
|
|||
//, debug: true
|
|||
}); |
|||
|
|||
////////////////////////
|
|||
// http-01 Challenges //
|
|||
////////////////////////
|
|||
|
|||
// http-01 challenge happens over http/1.1, not http2
|
|||
var redirectHttps = require("redirect-https")(); |
|||
var acmeChallengeHandler = greenlock.middleware(function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end( |
|||
"<h1>Hello, ⚠️ Insecure World!</h1><a>Visit Secure Site</a>" + |
|||
'<script>document.querySelector("a").href=window.location.href.replace(/^http/i, "https");</script>' |
|||
); |
|||
}); |
|||
require("http") |
|||
.createServer(acmeChallengeHandler) |
|||
.listen(80, function() { |
|||
console.log("Listening for ACME http-01 challenges on", this.address()); |
|||
}); |
|||
|
|||
////////////////////////
|
|||
// http2 via SPDY h2 //
|
|||
////////////////////////
|
|||
|
|||
// spdy is a drop-in replacement for the https API
|
|||
var spdyOptions = Object.assign({}, greenlock.tlsOptions); |
|||
spdyOptions.spdy = { protocols: ["h2", "http/1.1"], plain: false }; |
|||
var server = require("spdy").createServer( |
|||
spdyOptions, |
|||
require("express")().use("/", function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end("<h1>Hello, 🔐 Secure World!</h1>"); |
|||
}) |
|||
); |
|||
server.on("error", function(err) { |
|||
console.error(err); |
|||
}); |
|||
server.on("listening", function() { |
|||
console.log("Listening for SPDY/http2/https requests on", this.address()); |
|||
}); |
|||
server.listen(443); |
@ -0,0 +1,27 @@ |
|||
"use strict"; |
|||
|
|||
function httpsWorker(glx) { |
|||
var app = require("./my-express-app.js"); |
|||
|
|||
app.get("/hello", function(req, res) { |
|||
res.end("Hello, Encrypted World!"); |
|||
}); |
|||
|
|||
// Serves on 80 and 443
|
|||
// Get's SSL certificates magically!
|
|||
glx.serveApp(app); |
|||
} |
|||
|
|||
var pkg = require("../../package.json"); |
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "http2-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
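Review bot: This worker serves an Express app (`require("./my-express-app.js")`), yet `getConfig()` labels it `package: { name: "http2-example", ... }`, the same name the raw-http2 example in a later hunk uses; the name is reported to the ACME server as the client identity, so the duplicate should be resolved, e.g. `package: { name: "express-example", version: pkg.version },`. The inline comment `// Get's SSL certificates magically!` should read `// Gets SSL certificates magically!` (the same typo recurs in the other new examples).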
@ -1,30 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
//require('greenlock-express')
|
|||
require("../") |
|||
.create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
email: "john.doe@example.com", |
|||
|
|||
agreeTos: true, |
|||
|
|||
approvedDomains: ["example.com", "www.example.com"], |
|||
|
|||
app: require("express")().use("/", function(req, res) { |
|||
res.end("Hello, World!"); |
|||
}), |
|||
|
|||
renewWithin: 91 * 24 * 60 * 60 * 1000, |
|||
renewBy: 90 * 24 * 60 * 60 * 1000, |
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true, |
|||
debug: true |
|||
}) |
|||
.listen(80, 443); |
@ -0,0 +1,42 @@ |
|||
"use strict"; |
|||
|
|||
var pkg = require("../../package.json"); |
|||
|
|||
// The WRONG way:
|
|||
//var http = require('http');
|
|||
//var httpServer = https.createSecureServer(redirectToHttps);
|
|||
//
|
|||
// Why is that wrong?
|
|||
// Greenlock needs to change some low-level http and https options.
|
|||
// Use glx.httpServer(redirectToHttps) instead.
|
|||
|
|||
function httpsWorker(glx) { |
|||
//
|
|||
// HTTP can only be used for ACME HTTP-01 Challenges
|
|||
// (and it is not required for DNS-01 challenges)
|
|||
//
|
|||
|
|||
// Get the raw http server:
|
|||
var httpServer = glx.httpServer(function(req, res) { |
|||
res.statusCode = 301; |
|||
res.setHeader("Location", "https://" + req.headers.host + req.path); |
|||
res.end("Insecure connections are not allowed. Redirecting..."); |
|||
}); |
|||
|
|||
httpServer.listen(80, "0.0.0.0", function() { |
|||
console.info("Listening on ", httpServer.address()); |
|||
}); |
|||
} |
|||
|
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "plain-http-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
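Review bot: The redirect handler passed to `glx.httpServer()` builds the Location from `req.path`, which is an Express property, not a field of Node's `http.IncomingMessage`; on the raw server this hunk says it is getting, `req.path` is `undefined` and the Location becomes `https://<host>undefined`. Use `res.setHeader("Location", "https://" + req.headers.host + req.url);`. Separately, `req.headers.host` is client-supplied; unless `glx.httpServer` validates the Host header against the configured sites before this callback runs (not visible here), the example should mention that a production handler should compare it against its own site list or use a fixed hostname rather than echoing it into a redirect.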
@ -1,70 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
//var Greenlock = require('greenlock-express')
|
|||
var Greenlock = require("../"); |
|||
|
|||
var greenlock = Greenlock.create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
// You MUST change this to a valid email address
|
|||
email: "jon@example.com", |
|||
|
|||
// You MUST NOT build clients that accept the ToS without asking the user
|
|||
agreeTos: true, |
|||
|
|||
// You MUST change these to valid domains
|
|||
// NOTE: all domains will validated and listed on the certificate
|
|||
approvedDomains: ["example.com", "www.example.com"], |
|||
|
|||
// You MUST have access to write to directory where certs are saved
|
|||
// ex: /home/foouser/acme/etc
|
|||
configDir: "~/.config/acme/", |
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
|
|||
//, debug: true
|
|||
}); |
|||
|
|||
////////////////////////
|
|||
// http-01 Challenges //
|
|||
////////////////////////
|
|||
|
|||
// http-01 challenge happens over http/1.1, not http2
|
|||
var redirectHttps = require("redirect-https")(); |
|||
var acmeChallengeHandler = greenlock.middleware(redirectHttps); |
|||
require("http") |
|||
.createServer(acmeChallengeHandler) |
|||
.listen(80, function() { |
|||
console.log("Listening for ACME http-01 challenges on", this.address()); |
|||
}); |
|||
|
|||
////////////////////////
|
|||
// node.js' http2 api //
|
|||
////////////////////////
|
|||
|
|||
// http2 is a new API with which you would use hapi or koa, not express
|
|||
var server = require("http2").createSecureServer(greenlock.tlsOptions); |
|||
server.on("error", function(err) { |
|||
console.error(err); |
|||
}); |
|||
// WARNING: Because the middleware don't handle this API style,
|
|||
// the Host headers are unmodified and potentially dangerous
|
|||
// (ex: Host: Robert'); DROP TABLE Students;)
|
|||
server.on("stream", function(stream, headers) { |
|||
console.log(headers); |
|||
stream.respond({ |
|||
"content-type": "text/html", |
|||
":status": 200 |
|||
}); |
|||
stream.end("Hello, HTTP2 World!"); |
|||
}); |
|||
server.on("listening", function() { |
|||
console.log("Listening for http2 requests on", this.address()); |
|||
}); |
|||
server.listen(443); |
@ -0,0 +1,48 @@ |
|||
"use strict"; |
|||
|
|||
var pkg = require("../../package.json"); |
|||
|
|||
// The WRONG way:
|
|||
//var http2 = require('http2');
|
|||
//var http2Server = https.createSecureServer(tlsOptions, app);
|
|||
//
|
|||
// Why is that wrong?
|
|||
// Greenlock needs to change some low-level http and https options.
|
|||
// Use glx.httpsServer(tlsOptions, app) instead.
|
|||
|
|||
function httpsWorker(glx) { |
|||
//
|
|||
// HTTP2 is the default httpsServer for node v12+
|
|||
// (HTTPS/1.1 is used for node <= v11)
|
|||
//
|
|||
|
|||
// Get the raw http2 server:
|
|||
var http2Server = glx.httpsServer(function(req, res) { |
|||
res.end("Hello, Encrypted World!"); |
|||
}); |
|||
|
|||
http2Server.listen(443, "0.0.0.0", function() { |
|||
console.info("Listening on ", http2Server.address()); |
|||
}); |
|||
|
|||
// Note:
|
|||
// You must ALSO listen on port 80 for ACME HTTP-01 Challenges
|
|||
// (the ACME and http->https middleware are loaded by glx.httpServer)
|
|||
var httpServer = glx.httpServer(); |
|||
httpServer.listen(80, "0.0.0.0", function() { |
|||
console.info("Listening on ", httpServer.address()); |
|||
}); |
|||
} |
|||
|
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "http2-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
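Review bot: `glx.httpsServer(function(req, res) {...})` passes the request handler as the first argument, while this same hunk's header comment documents the call as `glx.httpsServer(tlsOptions, app)` and the https1 example in the next hunk calls `glx.httpsServer(null, function(req, res) {...})`. Unless `httpsServer` special-cases a function as its first parameter (its implementation is outside this diff), the handler here is taken as TLS options and the server has no request listener; the consistent form is `var http2Server = glx.httpsServer(null, function(req, res) {`. Whichever call shape is correct, the two examples and the comment should agree.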
@ -0,0 +1,49 @@ |
|||
"use strict"; |
|||
|
|||
var pkg = require("../../package.json"); |
|||
|
|||
// The WRONG way:
|
|||
//var https = require('https');
|
|||
//var httpsServer = https.createServer(tlsOptions, app);
|
|||
//
|
|||
// Why is that wrong?
|
|||
// Greenlock needs to change some low-level http and https options.
|
|||
// Use glx.httpsServer(tlsOptions, app) instead.
|
|||
|
|||
function httpsWorker(glx) { |
|||
//
|
|||
// HTTPS/1.1 is only used for node v11 or lower
|
|||
// (HTTP2 is used for node v12+)
|
|||
//
|
|||
// Why not just require('https')?
|
|||
|
|||
// Get the raw https server:
|
|||
var httpsServer = glx.httpsServer(null, function(req, res) { |
|||
res.end("Hello, Encrypted World!"); |
|||
}); |
|||
|
|||
httpsServer.listen(443, "0.0.0.0", function() { |
|||
console.info("Listening on ", httpsServer.address()); |
|||
}); |
|||
|
|||
// Note:
|
|||
// You must ALSO listen on port 80 for ACME HTTP-01 Challenges
|
|||
// (the ACME and http->https middleware are loaded by glx.httpServer)
|
|||
var httpServer = glx.httpServer(); |
|||
httpServer.listen(80, "0.0.0.0", function() { |
|||
console.info("Listening on ", httpServer.address()); |
|||
}); |
|||
} |
|||
|
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "https1-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
@ -1,88 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
//
|
|||
// My Secure Server
|
|||
//
|
|||
//var greenlock = require('greenlock-express')
|
|||
var greenlock = require("../").create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
version: "draft-11", |
|||
// You MUST have write access to save certs
|
|||
configDir: "~/.config/acme/", |
|||
|
|||
// The previous 'simple' example set these values statically,
|
|||
// but this example uses approveDomains() to set them dynamically
|
|||
//, email: 'none@see.note.above'
|
|||
//, agreeTos: false
|
|||
|
|||
// approveDomains is the right place to check a database for
|
|||
// email addresses with domains and agreements and such
|
|||
approveDomains: approveDomains, |
|||
|
|||
app: require("./my-express-app.js"), |
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
|
|||
//, debug: true
|
|||
}); |
|||
|
|||
var server = greenlock.listen(80, 443); |
|||
|
|||
//
|
|||
// My Secure Database Check
|
|||
//
|
|||
function approveDomains(opts, certs, cb) { |
|||
// Only one domain is listed with *automatic* registration via SNI
|
|||
// (it's an array because managed registration allows for multiple domains,
|
|||
// which was the case in the simple example)
|
|||
console.log(opts.domains); |
|||
|
|||
// The domains being approved for the first time are listed in opts.domains
|
|||
// Certs being renewed are listed in certs.altnames
|
|||
if (certs) { |
|||
opts.domains = [certs.subject].concat(certs.altnames); |
|||
} |
|||
|
|||
fooCheckDb(opts.domains, function(err, agree, email) { |
|||
if (err) { |
|||
cb(err); |
|||
return; |
|||
} |
|||
|
|||
// Services SHOULD automatically accept the ToS and use YOUR email
|
|||
// Clients MUST NOT accept the ToS without asking the user
|
|||
opts.agreeTos = agree; |
|||
opts.email = email; |
|||
|
|||
// NOTE: you can also change other options such as `challengeType` and `challenge`
|
|||
// (this would be helpful if you decided you wanted wildcard support as a domain altname)
|
|||
// opts.challengeType = 'http-01';
|
|||
// opts.challenge = require('le-challenge-fs').create({});
|
|||
|
|||
cb(null, { options: opts, certs: certs }); |
|||
}); |
|||
} |
|||
|
|||
//
|
|||
// My User / Domain Database
|
|||
//
|
|||
function fooCheckDb(domains, cb) { |
|||
// This is an oversimplified example of how we might implement a check in
|
|||
// our database if we have different rules for different users and domains
|
|||
var domains = ["example.com", "www.example.com"]; |
|||
var userEmail = "john.doe@example.com"; |
|||
var userAgrees = true; |
|||
var passCheck = opts.domains.every(function(domain) { |
|||
return -1 !== domains.indexOf(domain); |
|||
}); |
|||
|
|||
if (!passCheck) { |
|||
cb(new Error("domain not allowed")); |
|||
} else { |
|||
cb(null, userAgrees, userEmail); |
|||
} |
|||
} |
@ -1,38 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
//require('greenlock-express')
|
|||
require("../") |
|||
.create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
// You MUST change this to a valid email address
|
|||
email: "john.doe@example.com", |
|||
|
|||
// You MUST NOT build clients that accept the ToS without asking the user
|
|||
agreeTos: true, |
|||
|
|||
// You MUST change these to valid domains
|
|||
// NOTE: all domains will validated and listed on the certificate
|
|||
approvedDomains: ["example.com", "www.example.com"], |
|||
|
|||
// You MUST have access to write to directory where certs are saved
|
|||
// ex: /home/foouser/acme/etc
|
|||
configDir: "~/.config/acme/", |
|||
store: require("greenlock-store-fs"), |
|||
|
|||
app: require("express")().use("/", function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end("Hello, World!\n\n💚 🔒.js"); |
|||
}), |
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
|
|||
//, debug: true
|
|||
}) |
|||
.listen(80, 443); |
@ -0,0 +1,22 @@ |
|||
# Quick Start for Let's Encrypt with Node.js |
|||
|
|||
```js |
|||
npm install --save greenlock-express |
|||
``` |
|||
|
|||
Manage via API or the config file: |
|||
|
|||
`~/.config/greenlock/manage.json`: (default filesystem config) |
|||
|
|||
```json |
|||
{ |
|||
"subscriberEmail": "letsencrypt-test@therootcompany.com", |
|||
"agreeToTerms": true, |
|||
"sites": { |
|||
"example.com": { |
|||
"subject": "example.com", |
|||
"altnames": ["example.com", "www.example.com"] |
|||
} |
|||
} |
|||
} |
|||
``` |
@ -0,0 +1,32 @@ |
|||
"use strict"; |
|||
|
|||
function httpsWorker(glx) { |
|||
// This can be a node http app (shown),
|
|||
// an Express app, or Hapi, Koa, Rill, etc
|
|||
var app = function(req, res) { |
|||
res.end("Hello, Encrypted World!"); |
|||
}; |
|||
|
|||
// Serves on 80 and 443
|
|||
// Get's SSL certificates magically!
|
|||
glx.serveApp(app); |
|||
} |
|||
|
|||
var pkg = require("../../package.json"); |
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
// Package name+version is used for ACME client user agent
|
|||
package: { name: "websocket-example", version: pkg.version }, |
|||
|
|||
// Maintainer email is the contact for critical bug and security notices
|
|||
maintainerEmail: "jon@example.com", |
|||
|
|||
// Change to true when you're ready to make your app cloud-scale
|
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
@ -1,104 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
//
|
|||
// WARNING: Not for noobs
|
|||
// Try the simple example first
|
|||
//
|
|||
|
|||
//
|
|||
// This demo is used with tunnel-server.js and tunnel-client.js
|
|||
//
|
|||
|
|||
var email = "john.doe@gmail.com"; |
|||
var domains = ["example.com"]; |
|||
var agreeLeTos = true; |
|||
//var secret = "My Little Brony";
|
|||
var secret = require("crypto") |
|||
.randomBytes(16) |
|||
.toString("hex"); |
|||
|
|||
require("../") |
|||
.create({ |
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
email: email, |
|||
agreeTos: agreeLeTos, |
|||
approveDomains: domains, |
|||
configDir: "~/.config/acme/", |
|||
app: remoteAccess(secret), |
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
//, debug: true
|
|||
}) |
|||
.listen(3000, 8443); |
|||
|
|||
function remoteAccess(secret) { |
|||
var express = require("express"); |
|||
var basicAuth = require("express-basic-auth"); |
|||
var serveIndex = require("serve-index"); |
|||
|
|||
var rootIndex = serveIndex("/", { hidden: true, icons: true, view: "details" }); |
|||
var rootFs = express.static("/", { dotfiles: "allow", redirect: true, index: false }); |
|||
|
|||
var userIndex = serveIndex(require("os").homedir(), { hidden: true, icons: true, view: "details" }); |
|||
var userFs = express.static(require("os").homedir(), { dotfiles: "allow", redirect: true, index: false }); |
|||
|
|||
var app = express(); |
|||
var realm = "Login Required"; |
|||
|
|||
var myAuth = basicAuth({ |
|||
users: { root: secret, user: secret }, |
|||
challenge: true, |
|||
realm: realm, |
|||
unauthorizedResponse: function(/*req*/) { |
|||
return 'Unauthorized <a href="/">Home</a>'; |
|||
} |
|||
}); |
|||
|
|||
app.get("/", function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end('<a href="/browse/">View Files</a>' + " | " + '<a href="/logout/">Logout</a>'); |
|||
}); |
|||
app.use("/logout", function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.setHeader("WWW-Authenticate", 'Basic realm="' + realm + '"'); |
|||
res.statusCode = 401; |
|||
//res.setHeader('Location', '/');
|
|||
res.end('Logged out | <a href="/">Home</a>'); |
|||
}); |
|||
app.use("/browse", myAuth); |
|||
app.use("/browse", function(req, res, next) { |
|||
if ("root" === req.auth.user) { |
|||
rootFs(req, res, function() { |
|||
rootIndex(req, res, next); |
|||
}); |
|||
return; |
|||
} |
|||
if ("user" === req.auth.user) { |
|||
userFs(req, res, function() { |
|||
userIndex(req, res, next); |
|||
}); |
|||
return; |
|||
} |
|||
res.end("Sad Panda"); |
|||
}); |
|||
|
|||
console.log(""); |
|||
console.log(""); |
|||
console.log("Usernames are\n"); |
|||
console.log("\troot"); |
|||
console.log("\tuser"); |
|||
console.log(""); |
|||
console.log("Password (for both) is\n"); |
|||
console.log("\t" + secret); |
|||
console.log(""); |
|||
console.log("Shhhh... It's a secret to everybody!"); |
|||
console.log(""); |
|||
console.log(""); |
|||
|
|||
return app; |
|||
} |
@ -1,32 +0,0 @@ |
|||
// First and foremost:
|
|||
// I'm not a fan of `socket.io` because it's huge and complex.
|
|||
// I much prefer `ws` because it's very simple and easy.
|
|||
// That said, it's popular.......
|
|||
"use strict"; |
|||
|
|||
//var greenlock = require('greenlock-express');
|
|||
var greenlock = require("../"); |
|||
var options = require("./greenlock-options.js"); |
|||
var socketio = require("socket.io"); |
|||
var server; |
|||
var io; |
|||
|
|||
// Any node http app will do - whether express, raw http or whatever
|
|||
options.app = require("express")().use("/", function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end("Hello, World!\n\n💚 🔒.js"); |
|||
}); |
|||
|
|||
// The server that's handed back from `listen` is a raw https server
|
|||
server = greenlock.create(options).listen(80, 443); |
|||
io = socketio(server); |
|||
|
|||
// Then you do your socket.io stuff
|
|||
io.on("connection", function(socket) { |
|||
console.log("a user connected"); |
|||
socket.emit("Welcome"); |
|||
|
|||
socket.on("chat message", function(msg) { |
|||
socket.broadcast.emit("chat message", msg); |
|||
}); |
|||
}); |
@ -0,0 +1,49 @@ |
|||
// First and foremost:
|
|||
// I'm not a fan of `socket.io` because it's huge and complex.
|
|||
// I much prefer `ws` because it's very simple and easy.
|
|||
// That said, it's popular.......
|
|||
"use strict"; |
|||
|
|||
// Note: You DO NOT NEED socket.io
|
|||
// You can just use WebSockets
|
|||
// (see the websocket example)
|
|||
|
|||
function httpsWorker(glx) { |
|||
var socketio = require("socket.io"); |
|||
var io; |
|||
|
|||
// we need the raw https server
|
|||
var server = glx.httpsServer(); |
|||
|
|||
io = socketio(server); |
|||
|
|||
// Then you do your socket.io stuff
|
|||
io.on("connection", function(socket) { |
|||
console.log("a user connected"); |
|||
socket.emit("Welcome"); |
|||
|
|||
socket.on("chat message", function(msg) { |
|||
socket.broadcast.emit("chat message", msg); |
|||
}); |
|||
}); |
|||
|
|||
// servers a node app that proxies requests to a localhost
|
|||
glx.serveApp(function(req, res) { |
|||
res.setHeader("Content-Type", "text/html; charset=utf-8"); |
|||
res.end("Hello, World!\n\n💚 🔒.js"); |
|||
}); |
|||
} |
|||
|
|||
var pkg = require("../../package.json"); |
|||
//require("greenlock-express")
|
|||
require("../../") |
|||
.init(function getConfig() { |
|||
// Greenlock Config
|
|||
|
|||
return { |
|||
package: { name: "socket-io-example", version: pkg.version }, |
|||
maintainerEmail: "jon@example.com", |
|||
cluster: false |
|||
}; |
|||
}) |
|||
.serve(httpsWorker); |
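Review bot: The comment `// servers a node app that proxies requests to a localhost` above the `glx.serveApp` call does not describe the code beneath it, which returns a fixed HTML greeting and proxies nothing; replace it with `// Serves a plain node http handler alongside the socket.io endpoint`. In the same worker `var io;` is declared and only assigned several lines later; `var io = socketio(server);` at the point of use reads better. The chat relay forwards `msg` verbatim via `socket.broadcast.emit`, so a comment noting that receiving clients must treat it as untrusted text (render with `textContent`, not `innerHTML`) would be worth adding to an example users will copy.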
@ -1,64 +0,0 @@ |
|||
"use strict"; |
|||
|
|||
// npm install spdy@3.x
|
|||
|
|||
//var Greenlock = require('greenlock-express')
|
|||
var Greenlock = require("../"); |
|||
|
|||
var greenlock = Greenlock.create({ |
|||
// Let's Encrypt v2 is ACME draft 11
|
|||
version: "draft-11", |
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", |
|||
// Note: If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
// You MUST change this to a valid email address
|
|||
email: "jon@example.com", |
|||
|
|||
// You MUST NOT build clients that accept the ToS without asking the user
|
|||
agreeTos: true, |
|||
|
|||
// You MUST change these to valid domains
|
|||
// NOTE: all domains will validated and listed on the certificate
|
|||
approvedDomains: ["example.com", "www.example.com"], |
|||
|
|||
// You MUST have access to write to directory where certs are saved
|
|||
// ex: /home/foouser/acme/etc
|
|||
configDir: "~/.config/acme/", // MUST have write access
|
|||
|
|||
// Get notified of important updates and help me make greenlock better
|
|||
communityMember: true |
|||
|
|||
//, debug: true
|
|||
}); |
|||
|
|||
////////////////////////
|
|||
// http-01 Challenges //
|
|||
////////////////////////
|
|||
|
|||
// http-01 challenge happens over http/1.1, not http2
|
|||
var redirectHttps = require("redirect-https")(); |
|||
var acmeChallengeHandler = greenlock.middleware(redirectHttps); |
|||
require("http") |
|||
.createServer(acmeChallengeHandler) |
|||
.listen(80, function() { |
|||
console.log("Listening for ACME http-01 challenges on", this.address()); |
|||
}); |
|||
|
|||
////////////////////////
|
|||
// http2 via SPDY h2 //
|
|||
////////////////////////
|
|||
|
|||
// spdy is a drop-in replacement for the https API
|
|||
var spdyOptions = Object.assign({}, greenlock.tlsOptions); |
|||
spdyOptions.spdy = { protocols: ["h2", "http/1.1"], plain: false }; |
|||
var myApp = require("./my-express-app.js"); |
|||
var server = require("spdy").createServer(spdyOptions, myApp); |
|||
server.on("error", function(err) { |
|||
console.error(err); |
|||
}); |
|||
server.on("listening", function() { |
|||
console.log("Listening for SPDY/http2/https requests on", this.address()); |
|||
}); |
|||
server.listen(443); |
@ -0,0 +1,3 @@ |
|||
// SPDY is dead. It was replaced by HTTP2, which is a native node module
|
|||
//
|
|||
// Greenlock uses HTTP2 as the default https server in node v12+
|
@ -1,134 +0,0 @@ |
|||
#!/usr/bin/env node
|
|||
"use strict"; |
|||
|
|||
///////////////////
|
|||
// vhost example //
|
|||
///////////////////
|
|||
|
|||
//
|
|||
// virtual hosting example
|
|||
//
|
|||
|
|||
// The prefix where sites go by name.
|
|||
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
|
|||
var srv = process.argv[3] || "/srv/www/"; |
|||
|
|||
var path = require("path"); |
|||
var fs = require("fs").promises; |
|||
var finalhandler = require("finalhandler"); |
|||
var serveStatic = require("serve-static"); |
|||
|
|||
//var glx = require('greenlock-express')
|
|||
var glx = require("./").create({ |
|||
version: "draft-11", // Let's Encrypt v2 is ACME draft 11
|
|||
|
|||
server: "https://acme-v02.api.letsencrypt.org/directory", // If at first you don't succeed, stop and switch to staging
|
|||
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|||
|
|||
configDir: process.argv[4] || "~/.config/acme/", // You MUST have access to write to directory where certs
|
|||
// are saved. ex: /home/foouser/.config/acme
|
|||
|
|||
approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the
|
|||
// domain name here and reject invalid ones
|
|||
|
|||
app: myVhostApp, // Any node-style http app (i.e. express, koa, hapi, rill)
|
|||
|
|||
/* CHANGE TO A VALID EMAIL */ |
|||
email: process.argv[2] || "jon.doe@example.com", // Email for Let's Encrypt account and Greenlock Security
|
|||
agreeTos: true // Accept Let's Encrypt ToS
|
|||
//, communityMember: true // Join Greenlock to get important updates, no spam
|
|||
|
|||
//, debug: true
|
|||
}); |
|||
|
|||
var server = glx.listen(80, 443); |
|||
server.on("listening", function() { |
|||
console.info(server.type + " listening on", server.address()); |
|||
}); |
|||
|
|||
function myApproveDomains(opts, certs, cb) { |
|||
console.log("sni:", opts.domain); |
|||
// In this example the filesystem is our "database".
|
|||
// We check in /srv/www for whatever.com and if it exists, it's allowed
|
|||
|
|||
// SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
|
|||
return checkWwws(opts.domains[0]) |
|||
.then(function() { |
|||
//opts.email = email;
|
|||
opts.agreeTos = true; |
|||
cb(null, { options: opts, certs: certs }); |
|||
}) |
|||
.catch(cb); |
|||
} |
|||
|
|||
function checkWwws(_hostname) { |
|||
if (!_hostname) { |
|||
// SECURITY, don't allow access to the 'srv' root
|
|||
// (greenlock-express uses middleware to check '..', etc)
|
|||
return ""; |
|||
} |
|||
var hostname = _hostname; |
|||
var _hostdir = path.join(srv, hostname); |
|||
var hostdir = _hostdir; |
|||
// TODO could test for www/no-www both in directory
|
|||
return fs |
|||
.readdir(hostdir) |
|||
.then(function() { |
|||
// TODO check for some sort of htaccess.json and use email in that
|
|||
// NOTE: you can also change other options such as `challengeType` and `challenge`
|
|||
// opts.challengeType = 'http-01';
|
|||
// opts.challenge = require('le-challenge-fs').create({});
|
|||
return hostname; |
|||
}) |
|||
.catch(function() { |
|||
if ("www." === hostname.slice(0, 4)) { |
|||
// Assume we'll redirect to non-www if it's available.
|
|||
hostname = hostname.slice(4); |
|||
hostdir = path.join(srv, hostname); |
|||
return fs.readdir(hostdir).then(function() { |
|||
// TODO list both domains?
|
|||
return hostname; |
|||
}); |
|||
} else { |
|||
// Or check and see if perhaps we should redirect non-www to www
|
|||
hostname = "www." + hostname; |
|||
hostdir = path.join(srv, hostname); |
|||
return fs.readdir(hostdir).then(function() { |
|||
// TODO list both domains?
|
|||
return hostname; |
|||
}); |
|||
} |
|||
}) |
|||
.catch(function() { |
|||
throw new Error("rejecting '" + _hostname + "' because '" + _hostdir + "' could not be read"); |
|||
}); |
|||
} |
|||
|
|||
function myVhostApp(req, res) { |
|||
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
|
|||
// (also: only domains approved above will get here)
|
|||
console.log("vhost:", req.headers.host); |
|||
if (!req.headers.host) { |
|||
// SECURITY, don't allow access to the 'srv' root
|
|||
// (greenlock-express uses middleware to check '..', etc)
|
|||
return res.end(); |
|||
} |
|||
|
|||
// We could cache wether or not a host exists for some amount of time
|
|||
var fin = finalhandler(req, res); |
|||
return checkWwws(req.headers.host) |
|||
.then(function(hostname) { |
|||
if (hostname !== req.headers.host) { |
|||
res.statusCode = 302; |
|||
res.setHeader("Location", "https://" + hostname); |
|||
// SECURITY this is safe only because greenlock disallows invalid hostnames
|
|||
res.end("<!-- redirecting to https://" + hostname + "-->"); |
|||
return; |
|||
} |
|||
var serve = serveStatic(path.join(srv, hostname), { redirect: true }); |
|||
serve(req, res, fin); |
|||
}) |
|||
.catch(function() { |
|||
fin(); |
|||
}); |
|||
} |
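--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,46 +0,0 @@
-"use strict";
-
-////////////////////////
-// Greenlock Setup //
-////////////////////////
-
-//var Greenlock = require('greenlock-express');
-var Greenlock = require("../");
-var greenlock = Greenlock.create({
-// Let's Encrypt v2 is ACME draft 11
-// Note: If at first you don't succeed, stop and switch to staging
-// https://acme-staging-v02.api.letsencrypt.org/directory
-server: "https://acme-v02.api.letsencrypt.org/directory",
-version: "draft-11",
-configDir: "~/.config/acme/",
-app: require("./my-express-app.js"),
-
-// You MUST change these to a valid email and domains
-email: "john.doe@example.com",
-approvedDomains: ["example.com", "www.example.com"],
-agreeTos: true,
-
-// Get notified of important updates and help me make greenlock better
-communityMember: true,
-telemetry: true
-//, debug: true
-});
-
-var server = greenlock.listen(80, 443);
-
-var WebSocket = require("ws");
-var ws = new WebSocket.Server({ server: server });
-ws.on("connection", function(ws, req) {
-// inspect req.headers.authorization (or cookies) for session info
-ws.send(
-"[Secure Echo Server] Hello!\nAuth: '" +
-(req.headers.authorization || "none") +
-"'\n" +
-"Cookie: '" +
-(req.headers.cookie || "none") +
-"'\n"
-);
-ws.on("message", function(data) {
-ws.send(data);
-});
-});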
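--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,42 @@
+"use strict";
+
+function httpsWorker(glx) {
+// we need the raw https server
+var server = glx.httpsServer();
+var WebSocket = require("ws");
+var ws = new WebSocket.Server({ server: server });
+ws.on("connection", function(ws, req) {
+// inspect req.headers.authorization (or cookies) for session info
+ws.send(
+"[Secure Echo Server] Hello!\nAuth: '" +
+(req.headers.authorization || "none") +
+"'\n" +
+"Cookie: '" +
+(req.headers.cookie || "none") +
+"'\n"
+);
+ws.on("message", function(data) {
+ws.send(data);
+});
+});
+
+// servers a node app that proxies requests to a localhost
+glx.serveApp(function(req, res) {
+res.setHeader("Content-Type", "text/html; charset=utf-8");
+res.end("Hello, World!\n\n💚 🔒.js");
+});
+}
+
+var pkg = require("../../package.json");
+//require("greenlock-express")
+require("../../")
+.init(function getConfig() {
+// Greenlock Config
+
+return {
+package: { name: "websocket-example", version: pkg.version },
+maintainerEmail: "jon@example.com",
+cluster: false
+};
+})
+.serve(httpsWorker);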
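Review bot: The comment above `glx.serveApp` ("servers a node app that proxies requests to a localhost") does not describe the handler under it, which only sets a Content-Type and writes a fixed "Hello, World!" body; either add the proxying or change the comment to `// serves a plain node-style app (no proxying)`. The connection callback's `ws` parameter shadows the `WebSocket.Server` instance declared as `ws` two lines earlier, so the `ws.send` / `ws.on("message", …)` calls inside refer to the per-connection socket only by virtue of that shadowing; naming the parameter `socket` would make it explicit. The greeting also reflects the peer's own `Authorization` and `Cookie` header values back to it, and the "inspect … for session info" comment implies an authentication step the example never performs, so any client can connect; the comment should either say the echo server is intentionally unauthenticated or point at where the check belongs (the `verifyClient` option of `WebSocket.Server`, or a check on `req` before the first `ws.send`). The whole of `httpsWorker` lies within this section.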
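--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/usr/bin/env node
-"use strict";
-/*global Promise*/
-
-///////////////////////
-// wildcard example //
-//////////////////////
-
-//
-// wildcard example
-//
-
-//var glx = require('greenlock-express')
-var glx = require("../").create({
-version: "draft-11", // Let's Encrypt v2 is ACME draft 11
-
-server: "https://acme-staging-v02.api.letsencrypt.org/directory",
-//, server: 'https://acme-v02.api.letsencrypt.org/directory' // If at first you don't succeed, stop and switch to staging
-// https://acme-staging-v02.api.letsencrypt.org/directory
-
-configDir: "~/acme/", // You MUST have access to write to directory where certs
-// are saved. ex: /home/foouser/.config/acme
-
-approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the
-// domain name here and reject invalid ones
-
-app: require("./my-express-app.js"), // Any node-style http app (i.e. express, koa, hapi, rill)
-
-/* CHANGE TO A VALID EMAIL */
-email: "jon.doe@example.com", // Email for Let's Encrypt account and Greenlock Security
-agreeTos: true, // Accept Let's Encrypt ToS
-communityMember: true, // Join Greenlock to (very rarely) get important updates
-
-//, debug: true
-store: require("le-store-fs")
-});
-
-var server = glx.listen(80, 443);
-server.on("listening", function() {
-console.info(server.type + " listening on", server.address());
-});
-
-function myApproveDomains(opts) {
-console.log("sni:", opts.domain);
-
-// must be 'example.com' or start with 'example.com'
-if (
-"example.com" !== opts.domain &&
-"example.com" !==
-opts.domain
-.split(".")
-.slice(1)
-.join(".")
-) {
-return Promise.reject(new Error("we don't serve your kind here: " + opts.domain));
-}
-
-// the primary domain for the cert
-opts.subject = "example.com";
-// the altnames (including the primary)
-opts.domains = [opts.subject, "*.example.com"];
-
-if (!opts.challenges) {
-opts.challenges = {};
-}
-opts.challenges["http-01"] = require("le-challenge-fs").create({});
-// Note: When implementing a dns-01 plugin you should make it check in a loop
-// until it can positively confirm that the DNS changes have propagated.
-// That could take several seconds to a few minutes.
-opts.challenges["dns-01"] = require("le-challenge-dns").create({});
-
-// explicitly set account id and certificate.id
-opts.account = { id: opts.email };
-opts.certificate = { id: opts.subject };
-
-return Promise.resolve(opts);
-}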