234 lines
6.8 KiB
JavaScript
234 lines
6.8 KiB
JavaScript
#!/usr/bin/env node
|
|
"use strict";
|
|
/*global Promise*/
|
|
|
|
/////////////////////////////////
|
|
// an okay vhost + api example //
|
|
/////////////////////////////////
|
|
|
|
//
|
|
// I run this on a few servers. It demonstrates dynamic virtual hosting + apis
|
|
// /srv/www -> static sites in plain folders
|
|
// ex: /srv/www/example.com
|
|
//
|
|
// /srv/api -> express apps
|
|
// ex: /srv/api/api.example.com
|
|
//
|
|
|
|
var configpath = process.argv[2] || "./config.js";
|
|
var config = require(configpath);
|
|
// The prefix where sites go by name.
|
|
// For example: whatever.com may live in /srv/www/whatever.com, thus /srv/www is our path
|
|
|
|
var path = require("path");
|
|
var fs = require("./lib/compat.js").fsAsync;
|
|
var finalhandler = require("finalhandler");
|
|
var serveStatic = require("serve-static");
|
|
|
|
//var glx = require('greenlock-express')
|
|
var glx = require("./").create({
|
|
version: "draft-11", // Let's Encrypt v2 is ACME draft 11
|
|
|
|
//, server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
|
server: "https://acme-v02.api.letsencrypt.org/directory", // If at first you don't succeed, stop and switch to staging
|
|
// https://acme-staging-v02.api.letsencrypt.org/directory
|
|
|
|
configDir: config.configDir, // You MUST have access to write to directory where certs
|
|
// are saved. ex: /home/foouser/.config/acme
|
|
|
|
approveDomains: myApproveDomains, // Greenlock's wraps around tls.SNICallback. Check the
|
|
// domain name here and reject invalid ones
|
|
|
|
app: myVhostApp, // Any node-style http app (i.e. express, koa, hapi, rill)
|
|
|
|
/* CHANGE TO A VALID EMAIL */
|
|
email: config.email, // Email for Let's Encrypt account and Greenlock Security
|
|
agreeTos: true, // Accept Let's Encrypt ToS
|
|
//, communityMember: true // Join Greenlock to get important updates, no spam
|
|
|
|
//, debug: true
|
|
store: require("greenlock-store-fs")
|
|
});
|
|
|
|
var server = glx.listen(80, 443);
|
|
server.on("listening", function() {
|
|
console.info(server.type + " listening on", server.address());
|
|
});
|
|
|
|
function myApproveDomains(opts) {
|
|
console.info("SNI:", opts.domain);
|
|
// In this example the filesystem is our "database".
|
|
// We check in /srv/www for whatever.com and if it exists, it's allowed
|
|
// SECURITY Greenlock validates opts.domains ahead-of-time so you don't have to
|
|
|
|
var domains = [];
|
|
var domain = opts.domain.replace(/^(www|api)\./, "");
|
|
return checkWwws(domain)
|
|
.then(function(hostname) {
|
|
// this is either example.com or www.example.com
|
|
domains.push(hostname);
|
|
if ("api." + domain !== opts.domain) {
|
|
if (!domains.includes(opts.domain)) {
|
|
domains.push(opts.domain);
|
|
}
|
|
}
|
|
})
|
|
.catch(function() {
|
|
// ignore error
|
|
return null;
|
|
})
|
|
.then(function() {
|
|
// check for api prefix
|
|
var apiname = domain;
|
|
if (domains.length) {
|
|
apiname = "api." + domain;
|
|
}
|
|
return checkApi(apiname)
|
|
.then(function(app) {
|
|
if (!app) {
|
|
return null;
|
|
}
|
|
domains.push(apiname);
|
|
})
|
|
.catch(function() {
|
|
return null;
|
|
});
|
|
})
|
|
.then(function() {
|
|
if (0 === domains.length) {
|
|
return Promise.reject(new Error("no bare, www., or api. domain matching '" + opts.domain + "'"));
|
|
}
|
|
|
|
console.info("Approved domains:", domains);
|
|
opts.domains = domains;
|
|
//opts.email = email;
|
|
opts.agreeTos = true;
|
|
// pick the shortest (bare) or latest (www. instead of api.) to be the subject
|
|
opts.subject = opts.domains.sort(function(a, b) {
|
|
var len = a.length - b.length;
|
|
if (0 !== len) {
|
|
return len;
|
|
}
|
|
if (a < b) {
|
|
return 1;
|
|
} else {
|
|
return -1;
|
|
}
|
|
})[0];
|
|
|
|
if (!opts.challenges) {
|
|
opts.challenges = {};
|
|
}
|
|
opts.challenges["http-01"] = require("le-challenge-fs");
|
|
//opts.challenges['dns-01'] = require('le-challenge-dns');
|
|
|
|
// explicitly set account id and certificate.id
|
|
opts.account = { id: opts.email };
|
|
opts.certificate = { id: opts.subject };
|
|
|
|
return Promise.resolve(opts);
|
|
});
|
|
}
|
|
|
|
function checkApi(hostname) {
|
|
var apipath = path.join(config.api, hostname);
|
|
var link = "";
|
|
return fs
|
|
.stat(apipath)
|
|
.then(function(stats) {
|
|
if (stats.isDirectory()) {
|
|
return require(apipath);
|
|
}
|
|
return fs.readFile(apipath, "utf8").then(function(txt) {
|
|
var linkpath = txt.split("\n")[0];
|
|
link = " => " + linkpath + " ";
|
|
return require(linkpath);
|
|
});
|
|
})
|
|
.catch(function(e) {
|
|
if ("ENOENT" === e.code) {
|
|
return null;
|
|
}
|
|
console.error(e);
|
|
throw new Error("rejecting '" + hostname + "' because '" + apipath + link + "' failed at require()");
|
|
});
|
|
}
|
|
|
|
function checkWwws(_hostname) {
|
|
if (!_hostname) {
|
|
// SECURITY don't serve the whole config.srv
|
|
return Promise.reject(new Error("missing hostname"));
|
|
}
|
|
var hostname = _hostname;
|
|
var hostdir = path.join(config.srv, hostname);
|
|
// TODO could test for www/no-www both in directory
|
|
return fs
|
|
.readdir(hostdir)
|
|
.then(function() {
|
|
// TODO check for some sort of htaccess.json and use email in that
|
|
// NOTE: you can also change other options such as `challengeType` and `challenge`
|
|
// opts.challengeType = 'http-01';
|
|
// opts.challenge = require('le-challenge-fs').create({});
|
|
return hostname;
|
|
})
|
|
.catch(function() {
|
|
if ("www." === hostname.slice(0, 4)) {
|
|
// Assume we'll redirect to non-www if it's available.
|
|
hostname = hostname.slice(4);
|
|
hostdir = path.join(config.srv, hostname);
|
|
return fs.readdir(hostdir).then(function() {
|
|
return hostname;
|
|
});
|
|
} else {
|
|
// Or check and see if perhaps we should redirect non-www to www
|
|
hostname = "www." + hostname;
|
|
hostdir = path.join(config.srv, hostname);
|
|
return fs.readdir(hostdir).then(function() {
|
|
return hostname;
|
|
});
|
|
}
|
|
})
|
|
.catch(function() {
|
|
throw new Error("rejecting '" + _hostname + "' because '" + hostdir + "' could not be read");
|
|
});
|
|
}
|
|
|
|
function myVhostApp(req, res) {
|
|
// SECURITY greenlock pre-sanitizes hostnames to prevent unauthorized fs access so you don't have to
|
|
// (also: only domains approved above will get here)
|
|
console.info(req.method, (req.headers.host || "") + req.url);
|
|
Object.keys(req.headers).forEach(function(key) {
|
|
console.info(key, req.headers[key]);
|
|
});
|
|
|
|
// We could cache wether or not a host exists for some amount of time
|
|
var fin = finalhandler(req, res);
|
|
return checkWwws(req.headers.host)
|
|
.then(function(hostname) {
|
|
if (hostname !== req.headers.host) {
|
|
res.statusCode = 302;
|
|
res.setHeader("Location", "https://" + hostname);
|
|
// SECURITY this is safe only because greenlock disallows invalid hostnames
|
|
res.end("<!-- redirecting to https://" + hostname + "-->");
|
|
return;
|
|
}
|
|
var serve = serveStatic(path.join(config.srv, hostname), { redirect: true });
|
|
serve(req, res, fin);
|
|
})
|
|
.catch(function(err) {
|
|
return checkApi(req.headers.host)
|
|
.then(function(app) {
|
|
if (app) {
|
|
app(req, res);
|
|
return;
|
|
}
|
|
console.error("none found", err);
|
|
fin();
|
|
})
|
|
.catch(function(err) {
|
|
console.error("api crashed error", err);
|
|
fin(err);
|
|
});
|
|
});
|
|
}
|