greenlock-express.js/examples/old-vhost.js

#!/usr/bin/env node
"use strict";

///////////////////
// vhost example //
///////////////////

//
// virtual hosting example
//

// The prefix where sites go by name.
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
var srv = process.argv[3] || "/srv/www/";

var path = require("path");
var fs = require("fs").promises;
var finalhandler = require("finalhandler");
var serveStatic = require("serve-static");

//var glx = require('greenlock-express')
var glx = require("./").create({
    version: "draft-11", // Let's Encrypt v2 is ACME draft 11

    server: "https://acme-v02.api.letsencrypt.org/directory", // If at first you don't succeed, stop and switch to staging
    // https://acme-staging-v02.api.letsencrypt.org/directory

    configDir: process.argv[4] || "~/.config/acme/", // You MUST have access to write to directory where certs
    // are saved. ex: /home/foouser/.config/acme

    approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the
    // domain name here and reject invalid ones

    app: myVhostApp, // Any node-style http app (i.e. express, koa, hapi, rill)

    /* CHANGE TO A VALID EMAIL */
    email: process.argv[2] || "jon.doe@example.com", // Email for Let's Encrypt account and Greenlock Security
    agreeTos: true // Accept Let's Encrypt ToS
    //, communityMember: true                                   // Join Greenlock to get important updates, no spam

    //, debug: true
});

var server = glx.listen(80, 443);
server.on("listening", function() {
    console.info(server.type + " listening on", server.address());
});

function myApproveDomains(opts, certs, cb) {
    console.log("sni:", opts.domain);
    // In this example the filesystem is our "database".
    // We check in /srv/www for whatever.com and if it exists, it's allowed

    // SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
    return checkWwws(opts.domains[0])
        .then(function() {
            //opts.email = email;
            opts.agreeTos = true;
            cb(null, { options: opts, certs: certs });
        })
        .catch(cb);
}

function checkWwws(_hostname) {
    if (!_hostname) {
        // SECURITY, don't allow access to the 'srv' root
        // (greenlock-express uses middleware to check '..', etc)
        return "";
    }
    var hostname = _hostname;
    var _hostdir = path.join(srv, hostname);
    var hostdir = _hostdir;
    // TODO could test for www/no-www both in directory
    return fs
        .readdir(hostdir)
        .then(function() {
            // TODO check for some sort of htaccess.json and use email in that
            // NOTE: you can also change other options such as `challengeType` and `challenge`
            // opts.challengeType = 'http-01';
            // opts.challenge = require('le-challenge-fs').create({});
            return hostname;
        })
        .catch(function() {
            if ("www." === hostname.slice(0, 4)) {
                // Assume we'll redirect to non-www if it's available.
                hostname = hostname.slice(4);
                hostdir = path.join(srv, hostname);
                return fs.readdir(hostdir).then(function() {
                    // TODO list both domains?
                    return hostname;
                });
            } else {
                // Or check and see if perhaps we should redirect non-www to www
                hostname = "www." + hostname;
                hostdir = path.join(srv, hostname);
                return fs.readdir(hostdir).then(function() {
                    // TODO list both domains?
                    return hostname;
                });
            }
        })
        .catch(function() {
            throw new Error("rejecting '" + _hostname + "' because '" + _hostdir + "' could not be read");
        });
}

function myVhostApp(req, res) {
    // SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
    // (also: only domains approved above will get here)
    console.log("vhost:", req.headers.host);
    if (!req.headers.host) {
        // SECURITY, don't allow access to the 'srv' root
        // (greenlock-express uses middleware to check '..', etc)
        return res.end();
    }

    // We could cache wether or not a host exists for some amount of time
    var fin = finalhandler(req, res);
    return checkWwws(req.headers.host)
        .then(function(hostname) {
            if (hostname !== req.headers.host) {
                res.statusCode = 302;
                res.setHeader("Location", "https://" + hostname);
                // SECURITY this is safe only because greenlock disallows invalid hostnames
                res.end("<!-- redirecting to https://" + hostname + "-->");
                return;
            }
            var serve = serveStatic(path.join(srv, hostname), { redirect: true });
            serve(req, res, fin);
        })
        .catch(function() {
            fin();
        });
}