'use strict';
// Note the odd use of callbacks here.
// We're targeting low-power platforms and so we're trying to
// require everything as lazily as possible until our server
// is actually listening on the socket. Bluebird is heavy.
// Even the built-in modules can take dozens of milliseconds to require
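/**
 * Build the HTTPS server and hand it to `serverCallback`.
 *
 * Two modes, chosen by whether `lex` is truthy:
 *   - `lex` given: reuse `lex.httpsOptions` (hardened with the shared cipher
 *     settings below) and let that object drive certificate handling.
 *   - no `lex`: load a default certificate from
 *     `certPaths[0]/www.example.com/` and serve further names via SNI,
 *     resolving contexts through `./load-certs` on demand.
 *
 * Failures while reading the default key/cert are delivered as
 * `serverCallback(err)` instead of escaping as a synchronous throw, so
 * callers have a single error path.
 *
 * @param {object|null|undefined} lex - optional object exposing `httpsOptions`
 *   (only `httpsOptions` is touched here; what else it holds is not visible)
 * @param {string[]} certPaths - certificate root directories; `certPaths[0]`
 *   must be the default directory (see the inline note)
 * @param {function(Error|null, object=)} serverCallback - receives
 *   `(null, server)` on success or `(err)` on failure
 */
module.exports.create = function (lex, certPaths, serverCallback) {
  // Recognize that this secureContexts cache is local to this process
  // (the original note says "CPU core" — presumably one cache per cluster
  // worker; confirm against how the server is launched).
  var secureContexts = {};

  // https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  // https://nodejs.org/api/tls.html
  // removed :ECDH+AES256:DH+AES256 and added :!AES256 because AES-256 wastes CPU
  // NOTE(review): the list still admits 3DES and static-RSA key exchange
  // (no forward secrecy). Left as the author chose for compatibility;
  // revisit once the client base allows dropping them.
  var ciphers = 'ECDH+AESGCM:DH+AESGCM:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256';

  /**
   * Accept only servernames that look like DNS hostnames.
   *
   * The SNI servername is client-controlled input and is handed to
   * ./load-certs together with certPaths, so anything that could act as a
   * path component (separators, empty labels such as '..', odd characters)
   * is refused before it reaches the loader. Underscores are tolerated
   * because some clients send them; they are harmless for path safety.
   *
   * @param {*} name - value received from the TLS SNI extension
   * @returns {boolean} true when `name` is a plausible hostname
   */
  function isSafeServername(name) {
    if (typeof name !== 'string' || name.length === 0 || name.length > 253) {
      return false;
    }
    if (!/^[A-Za-z0-9_.-]+$/.test(name)) {
      return false;
    }
    // Every label must be non-empty (rejects '..', leading/trailing dots)
    // and within the DNS label limit.
    return name.split('.').every(function (label) {
      return label.length > 0 && label.length <= 63;
    });
  }

  /**
   * Mode without `lex`: read the default certificate synchronously, seed the
   * context cache, and install an SNICallback for other names.
   */
  function createSecureServer() {
    var domainname = 'www.example.com';
    var fs = require('fs');
    var path = require('path');
    // NOTE certsPath[0] must be the default (LE) directory (another may be used for OV and EV certs)
    var defaultDir = path.join(certPaths[0], domainname);
    var secureOpts;

    try {
      secureOpts = {
        // TODO create backup file just in case this one is ever corrupted
        // NOTE synchronous is faster in this case of initialization
        key: fs.readFileSync(path.join(defaultDir, 'privkey.pem'), 'ascii'),
        cert: fs.readFileSync(path.join(defaultDir, 'fullchain.pem'), 'ascii'),
        ciphers: ciphers,
        honorCipherOrder: true
      };
      secureContexts['www.example.com'] = require('tls').createSecureContext(secureOpts);
    } catch (err) {
      // Unreadable or malformed default key/cert: report through the
      // callback rather than throwing out of create().
      serverCallback(err);
      return;
    }
    secureContexts['example.com'] = secureContexts['www.example.com'];

    // SNICallback is passed the domain name, see NodeJS docs on TLS
    secureOpts.SNICallback = function (servername, cb) {
      if (!isSafeServername(servername)) {
        // Failing the callback aborts this handshake only; other clients
        // are unaffected.
        cb(new Error('SNI servername rejected: not a valid hostname'));
        return;
      }
      // NOTE: '*.proxyable.*' domains will be truncated
      require('./load-certs').load(secureContexts, certPaths, servername).then(function (context) {
        cb(null, context);
      }, function (err) {
        console.error('[SNI Callback]');
        // Rejections are not guaranteed to be Error instances.
        console.error(err && err.stack ? err.stack : err);
        cb(err);
      });
    };

    serverCallback(null, require('https').createServer(secureOpts));
  }

  /**
   * Mode with `lex`: harden its httpsOptions with the shared cipher settings
   * and build the server from them.
   */
  function createLeServer() {
    // Mutated in place, as before; presumably `lex` keeps reading the same
    // object afterwards — confirm before switching to a copy.
    lex.httpsOptions.ciphers = ciphers;
    lex.httpsOptions.honorCipherOrder = true;
    serverCallback(null, require('https').createServer(lex.httpsOptions));
  }

  if (lex) {
    createLeServer();
  } else {
    createSecureServer();
  }
};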