walnut.js/lib/vhost-sni-server.js

625 lines
22 KiB
JavaScript
Raw Normal View History

2015-02-19 06:06:56 +00:00
'use strict';
2015-02-19 06:06:56 +00:00
module.exports.create = function (securePort, certsPath, vhostsdir) {
2015-02-20 21:21:37 +00:00
var PromiseA = require('bluebird').Promise;
var serveStatic;
2015-02-20 21:21:37 +00:00
var https = require('https');
var fs = require('fs');
var path = require('path');
var dummyCerts;
var serveFavicon;
2015-10-05 19:51:58 +00:00
var secureContexts = {};
var loopbackApp;
var loopbackToken = require('crypto').randomBytes(32).toString('hex');
2015-02-19 22:08:33 +00:00
2015-02-20 21:21:37 +00:00
function loadDummyCerts() {
if (dummyCerts) {
return dummyCerts;
2015-02-19 22:08:33 +00:00
}
2015-02-20 21:21:37 +00:00
dummyCerts = {
key: fs.readFileSync(path.join(certsPath, 'server', 'dummy-server.key.pem'))
, cert: fs.readFileSync(path.join(certsPath, 'server', 'dummy-server.crt.pem'))
, ca: fs.readdirSync(path.join(certsPath, 'ca')).filter(function (node) {
return /crt\.pem$/.test(node);
}).map(function (node) {
console.log('[log dummy ca]', node);
return fs.readFileSync(path.join(certsPath, 'ca', node));
})
2015-02-19 22:08:33 +00:00
};
2015-02-20 21:21:37 +00:00
return dummyCerts;
2015-02-19 22:08:33 +00:00
}
2015-06-06 00:05:37 +00:00
function handleAppScopedError(tag, domaininfo, req, res, fn) {
2015-03-02 22:42:14 +00:00
function next(err) {
if (!err) {
fn(req, res);
return;
}
2015-03-02 21:45:16 +00:00
2015-06-06 00:05:37 +00:00
if (res.headersSent) {
console.error('[ERROR] handleAppScopedError headersSent');
console.log(err);
console.log(err.stack);
return;
}
console.error('[ERROR] handleAppScopedError');
console.log(err);
console.log(err.stack);
2015-03-02 22:42:14 +00:00
res.writeHead(500);
res.end(
"<html>"
+ "<head>"
+ '<link rel="icon" href="favicon.ico" />'
+ "</head>"
+ "<body>"
+ "<pre>"
+ "<code>"
2015-03-05 22:07:45 +00:00
+ "Method: " + encodeURI(req.method)
2015-03-02 22:42:14 +00:00
+ '\n'
2015-03-05 22:07:45 +00:00
+ "Hostname: " + encodeURI(domaininfo.hostname)
2015-03-02 22:42:14 +00:00
+ '\n'
2015-03-05 22:07:45 +00:00
+ "App: " + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
2015-03-02 22:42:14 +00:00
+ '\n'
2015-03-05 22:07:45 +00:00
+ "Route: " + encodeURI(req.url)//.replace(/^\//, '')
2015-03-02 22:42:14 +00:00
+ '\n'
// TODO better sanatization
+ 'Error: ' + (err.message || err.toString()).replace(/</g, '&lt;')
+ "</code>"
+ "</pre>"
+ "</body>"
+ "</html>"
);
2015-03-02 21:45:16 +00:00
}
2015-03-02 22:42:14 +00:00
return next;
2015-03-02 21:45:16 +00:00
}
2015-02-19 06:06:56 +00:00
function createSecureContext(certs) {
// workaround for v0.12 / v1.2 backwards compat
try {
return require('tls').createSecureContext(certs);
} catch(e) {
2015-02-19 06:06:56 +00:00
return require('crypto').createCredentials(certs).context;
}
}
2015-02-19 20:51:17 +00:00
2015-02-20 21:21:37 +00:00
function createPromiseApps(secureServer) {
return new PromiseA(function (resolve) {
var forEachAsync = require('foreachasync').forEachAsync.create(PromiseA);
var connect = require('connect');
2015-03-29 03:29:40 +00:00
// TODO make lazy
var app = connect().use(require('compression')());
2015-02-20 21:21:37 +00:00
var vhost = require('vhost');
var domainMergeMap = {};
var domainMerged = [];
function getDomainInfo(apppath) {
var parts = apppath.split(/[#%]+/);
var hostname = parts.shift();
var pathname = parts.join('/').replace(/\/+/g, '/').replace(/^\//, '');
return {
hostname: hostname
, pathname: pathname
, dirpathname: parts.join('#')
, dirname: apppath
, isRoot: apppath === hostname
};
}
2015-02-19 06:06:56 +00:00
2015-02-20 21:21:37 +00:00
function loadDomainMounts(domaininfo) {
var connectContext = {};
2015-02-20 21:21:37 +00:00
var appContext;
// should order and group by longest domain, then longest path
if (!domainMergeMap[domaininfo.hostname]) {
// create an connect / express app exclusive to this domain
// TODO express??
domainMergeMap[domaininfo.hostname] = {
hostname: domaininfo.hostname
, apps: connect()
, mountsMap: {}
};
domainMerged.push(domainMergeMap[domaininfo.hostname]);
}
2015-02-19 06:06:56 +00:00
2015-02-20 21:21:37 +00:00
if (domainMergeMap[domaininfo.hostname].mountsMap['/' + domaininfo.dirpathname]) {
return;
2015-02-19 06:06:56 +00:00
}
2015-02-20 21:21:37 +00:00
console.log('[log] [once] Preparing mount for', domaininfo.hostname + '/' + domaininfo.dirpathname);
2015-02-20 21:21:37 +00:00
domainMergeMap[domaininfo.hostname].mountsMap['/' + domaininfo.dirpathname] = function (req, res, next) {
2015-09-25 08:06:47 +00:00
res.setHeader('Strict-Transport-Security', 'max-age=10886400; includeSubDomains; preload');
2015-03-29 03:29:40 +00:00
function loadThatApp() {
var time = Date.now();
2015-02-21 04:43:10 +00:00
console.log('[log] LOADING "' + domaininfo.hostname + '/' + domaininfo.pathname + '"', req.url);
2015-03-29 03:29:40 +00:00
return getAppContext(domaininfo).then(function (localApp) {
console.info((Date.now() - time) + 'ms Loaded ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname);
//if (localApp.arity >= 2) { /* connect uses .apply(null, arguments)*/ }
if ('function' !== typeof localApp) {
localApp = getDummyAppContext(null, "[ERROR] no connect-style export from " + domaininfo.dirname);
}
// Note: pathname should NEVER have a leading '/' on its own
// we always add it explicitly
function localAppWrapped(req, res) {
console.log('[debug]', domaininfo.hostname + '/' + domaininfo.pathname, req.url);
2015-06-06 00:05:37 +00:00
localApp(req, res, handleAppScopedError('localApp', domaininfo, req, res, function (req, res) {
if (!serveFavicon) {
serveFavicon = require('serve-favicon')(path.join(__dirname, '..', 'public', 'favicon.ico'));
}
// TODO redirect GET /favicon.ico to GET (req.headers.referer||'') + /favicon.ico
// TODO other common root things - robots.txt, app-icon, etc
2015-06-06 00:05:37 +00:00
serveFavicon(req, res, handleAppScopedError('serveFavicon', domaininfo, req, res, function (req, res) {
connectContext.static(req, res, handleAppScopedError('connect.static', domaininfo, req, res, function (req, res) {
2015-03-29 03:29:40 +00:00
res.writeHead(404);
res.end(
"<html>"
+ "<head>"
+ '<link rel="icon" href="favicon.ico" />'
+ "</head>"
+ "<body>"
+ "Cannot "
+ encodeURI(req.method)
+ " 'https://"
+ encodeURI(domaininfo.hostname)
+ '/'
+ encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+ encodeURI(req.url.replace(/^\//, ''))
+ "'"
+ "<br/>"
+ "<br/>"
+ "Domain: " + encodeURI(domaininfo.hostname)
+ "<br/>"
+ "App: " + encodeURI(domaininfo.pathname)
+ "<br/>"
+ "Route : " + encodeURI(req.url)
+ "</body>"
+ "</html>"
);
}));
}));
2015-03-02 21:45:16 +00:00
}));
}
try {
2015-03-29 03:29:40 +00:00
var localConnect = connect();
localConnect.use(require('connect-query')());
localConnect.use(localAppWrapped);
domainMergeMap[domaininfo.hostname].apps.use('/' + domaininfo.pathname, localConnect);
return localConnect;
} catch(e) {
console.error('[ERROR] '
+ domaininfo.hostname + ':' + securePort
+ '/' + domaininfo.pathname
);
console.error(e);
// TODO this may not work in web apps (due to 500), probably okay
res.writeHead(500);
res.end('{ "error": { "message": "[ERROR] could not load '
+ encodeURI(domaininfo.hostname) + ':' + securePort + '/' + encodeURI(domaininfo.pathname)
+ 'or default error app." } }');
}
});
}
function suckItDubDubDub(req, res) {
var newLoc = 'https://' + (req.headers.host||'').replace(/^www\./) + req.url;
res.statusCode = 301;
res.setHeader('Location', newLoc);
res.end("<html><head><title></title></head><body><!-- redirecting nowww --></body><html>");
}
2015-03-29 03:29:40 +00:00
function nextify() {
if (!appContext) {
appContext = loadThatApp();
}
if (!appContext.then) {
appContext(req, res, next);
} else {
appContext.then(function (localConnect) {
appContext = localConnect;
appContext(req, res, next);
});
}
}
if (!serveStatic) {
serveStatic = require('serve-static');
}
if (!connectContext.static) {
console.log('[static]', path.join(vhostsdir, domaininfo.dirname, 'public'));
connectContext.static = serveStatic(path.join(vhostsdir, domaininfo.dirname, 'public'));
}
if (/^www\./.test(req.headers.host)) {
if (/\.appcache\b/.test(req.url)) {
res.setHeader('Content-Type', 'text/cache-manifest');
res.end('CACHE MANIFEST\n\n# v0__DELETE__CACHE__MANIFEST__\n\nNETWORK:\n*');
return;
}
suckItDubDubDub(req, res);
return;
}
if (/^\/api\//.test(req.url)) {
nextify();
return;
}
connectContext.static(req, res, nextify);
2015-02-20 21:21:37 +00:00
};
domainMergeMap[domaininfo.hostname].apps.use(
'/' + domaininfo.pathname
, domainMergeMap[domaininfo.hostname].mountsMap['/' + domaininfo.dirpathname]
);
2015-02-20 21:21:37 +00:00
return PromiseA.resolve();
2015-02-19 06:06:56 +00:00
}
2015-02-20 21:21:37 +00:00
function readNewVhosts() {
return fs.readdirSync(vhostsdir).filter(function (node) {
// not a hidden or private file
return '.' !== node[0] && '_' !== node[0];
}).map(getDomainInfo).sort(function (a, b) {
var hlen = b.hostname.length - a.hostname.length;
var plen = b.pathname.length - a.pathname.length;
// A directory could be named example.com, example.com# example.com##
// to indicate order of preference (for API addons, for example)
var dlen = b.dirname.length - a.dirname.length;
if (!hlen) {
if (!plen) {
return dlen;
}
return plen;
}
return plen;
2015-02-19 06:06:56 +00:00
});
}
2015-02-20 21:21:37 +00:00
function getDummyAppContext(err, msg) {
console.error('[ERROR] getDummyAppContext');
console.error(err);
console.error(msg);
return function (req, res) {
2015-03-05 22:07:45 +00:00
res.writeHead(500);
2015-02-20 21:21:37 +00:00
res.end('{ "error": { "message": "' + msg + '" } }');
2015-03-29 03:29:40 +00:00
};
2015-02-20 21:21:37 +00:00
}
2015-02-19 06:06:56 +00:00
2015-10-05 19:51:58 +00:00
function getLoopbackApp() {
return function (req, res) {
res.setHeader('Content-Type', 'application/json; charset=utf-8');
res.end(JSON.stringify({ "success": true, "token": loopbackToken }));
};
}
2015-02-20 21:21:37 +00:00
function getAppContext(domaininfo) {
var localApp;
2015-02-19 06:06:56 +00:00
2015-10-05 19:51:58 +00:00
if ('loopback.daplie.invalid' === domaininfo.dirname) {
return getLoopbackApp();
}
2015-02-20 21:21:37 +00:00
try {
// TODO live reload required modules
localApp = require(path.join(vhostsdir, domaininfo.dirname, 'app.js'));
if (localApp.create) {
// TODO read local config.yml and pass it in
// TODO pass in websocket
localApp = localApp.create(secureServer, {
dummyCerts: dummyCerts
, hostname: domaininfo.hostname
, port: securePort
, url: domaininfo.pathname
});
2015-02-21 04:43:10 +00:00
2015-02-20 21:21:37 +00:00
if (!localApp) {
2015-02-21 04:43:10 +00:00
localApp = getDummyAppContext(null, "[ERROR] no app was returned by app.js for " + domaininfo.dirname);
2015-02-20 21:21:37 +00:00
}
}
2015-02-21 04:43:10 +00:00
2015-02-20 21:21:37 +00:00
if (!localApp.then) {
localApp = PromiseA.resolve(localApp);
} else {
return localApp.catch(function (e) {
2015-03-29 03:29:40 +00:00
console.error("[ERROR] initialization failed during create() for " + domaininfo.dirname);
console.error(e);
throw e;
2015-02-20 21:21:37 +00:00
return getDummyAppContext(e, "[ERROR] initialization failed during create() for " + domaininfo.dirname);
});
}
} catch(e) {
localApp = getDummyAppContext(e, "[ERROR] could not load app.js for " + domaininfo.dirname);
localApp = PromiseA.resolve(localApp);
}
return localApp;
}
function loadDomainVhosts() {
domainMerged.forEach(function (domainApp) {
if (domainApp._loaded) {
return;
}
console.log('[log] [once] Loading all mounts for ' + domainApp.hostname);
domainApp._loaded = true;
2015-02-20 21:21:37 +00:00
app.use(vhost(domainApp.hostname, domainApp.apps));
app.use(vhost('www.' + domainApp.hostname, function (req, res, next) {
if (/\.appcache\b/.test(req.url)) {
res.setHeader('Content-Type', 'text/cache-manifest');
res.end('CACHE MANIFEST\n\n# v0__DELETE__CACHE__MANIFEST__\n\nNETWORK:\n*');
//domainApp.apps(req, res, next);
return;
}
// TODO XXX this is in the api section, so it should hard break
//res.statusCode = 301;
//res.setHeader('Location', newLoc);
// TODO port number for non-443
var escapeHtml = require('escape-html');
var newLocation = 'https://' + domainApp.hostname + req.url;
var safeLocation = escapeHtml(newLocation);
var metaRedirect = ''
+ '<html>\n'
+ '<head>\n'
+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+ ' <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
+ '</head>\n'
+ '<body style="display: none;">\n'
+ ' <p>You requested an old resource. Please use this instead: \n'
+ ' <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
+ '</body>\n'
+ '</html>\n'
;
// 301 redirects will not work for appcache
res.end(metaRedirect);
}));
2015-02-20 21:21:37 +00:00
});
}
2015-03-29 03:29:40 +00:00
/*
2015-02-20 21:21:37 +00:00
function hotloadApp(req, res, next) {
var forEachAsync = require('foreachasync').forEachAsync.create(PromiseA);
var vhost = (req.headers.host || '').split(':')[0];
// the matching domain didn't catch it
console.log('[log] vhost:', vhost);
2015-02-20 21:21:37 +00:00
if (domainMergeMap[vhost]) {
next();
return;
}
return forEachAsync(readNewVhosts(), loadDomainMounts).then(loadDomainVhosts).then(function () {
// no matching domain was added
if (!domainMergeMap[vhost]) {
next();
return;
}
return forEachAsync(domainMergeMap[vhost].apps, function (fn) {
return new PromiseA(function (resolve, reject) {
function next(err) {
if (err) {
reject(err);
}
resolve();
}
2015-02-20 21:21:37 +00:00
try {
fn(req, res, next);
2015-02-20 21:21:37 +00:00
} catch(e) {
reject(e);
}
});
}).catch(function (e) {
next(e);
});
});
/*
// TODO loop through mounts and see if any fit
domainMergeMap[vhost].mountsMap['/' + domaininfo.dirpathname]
if (!domainMergeMap[domaininfo.hostname]) {
// TODO reread directories
}
2015-03-29 03:29:40 +00:00
*/ //
/*
2015-02-20 21:21:37 +00:00
}
2015-03-29 03:29:40 +00:00
*/
2015-02-20 21:21:37 +00:00
// TODO pre-cache these once the server has started?
// return forEachAsync(rootDomains, loadCerts);
// TODO load these even more lazily
return forEachAsync(readNewVhosts(), loadDomainMounts).then(loadDomainVhosts).then(function () {
console.log('[log] TODO fix and use hotload');
//app.use(hotloadApp);
2015-02-20 21:21:37 +00:00
resolve(app);
return;
});
});
}
2015-02-19 06:06:56 +00:00
function loadCerts(domainname) {
// TODO make async
// WARNING: This must be SYNC until we KNOW we're not going to be running on v0.10
// Also, once we load Let's Encrypt, it's lights out for v0.10
var certsPath = path.join(vhostsdir, domainname, 'certs');
var secOpts;
2015-02-19 06:06:56 +00:00
try {
2015-07-14 21:36:20 +00:00
var nodes = fs.readdirSync(certsPath);
var keyNode = nodes.filter(function (node) { return 'privkey.pem' === node; })[0];
var crtNode = nodes.filter(function (node) { return 'fullchain.pem' === node; })[0];
if (keyNode && crtNode) {
keyNode = path.join(certsPath, keyNode);
crtNode = path.join(certsPath, crtNode);
} else {
nodes = fs.readdirSync(path.join(certsPath, 'server'));
keyNode = nodes.filter(function (node) { return /^privkey(\.key)?\.pem$/.test(node) || /\.key\.pem$/.test(node); })[0];
crtNode = nodes.filter(function (node) { return /^fullchain(\.crt)?\.pem$/.test(node) || /\.crt\.pem$/.test(node); })[0];
keyNode = path.join(certsPath, 'server', keyNode);
crtNode = path.join(certsPath, 'server', crtNode);
}
secOpts = {
2015-07-14 21:36:20 +00:00
key: fs.readFileSync(keyNode)
, cert: fs.readFileSync(crtNode)
};
2015-02-19 06:06:56 +00:00
2015-07-14 21:36:20 +00:00
// I misunderstood what the ca option was for
/*
2015-02-19 06:06:56 +00:00
if (fs.existsSync(path.join(certsPath, 'ca'))) {
secOpts.ca = fs.readdirSync(path.join(certsPath, 'ca')).filter(function (node) {
console.log('[log ca]', node);
return /crt\.pem$/.test(node);
}).map(function (node) {
return fs.readFileSync(path.join(certsPath, 'ca', node));
});
}
2015-07-14 21:36:20 +00:00
*/
2015-02-19 06:06:56 +00:00
} catch(err) {
// TODO Let's Encrypt / ACME HTTPS
console.error("[ERROR] Couldn't READ HTTPS certs from '" + certsPath + "':");
// this will be a simple file-read error
console.error(err.message);
return null;
}
try {
secureContexts[domainname] = createSecureContext(secOpts);
2015-02-19 06:06:56 +00:00
} catch(err) {
console.error("[ERROR] Certificates in '" + certsPath + "' could not be used:");
console.error(err);
return null;
}
if (!secureContexts[domainname]) {
console.error("[ERROR] Sanity check fail, no cert for '" + domainname + "'");
return null;
}
2015-02-19 06:06:56 +00:00
return secureContexts[domainname];
}
2015-02-20 21:21:37 +00:00
function createSecureServer() {
var localDummyCerts = loadDummyCerts();
2015-02-20 21:21:37 +00:00
var secureOpts = {
2015-02-19 06:06:56 +00:00
// fallback / default dummy certs
key: localDummyCerts.key
, cert: localDummyCerts.cert
2015-07-14 21:36:20 +00:00
//, ca: localDummyCerts.ca
// io.js defaults have disallowed insecure algorithms as of 2015-06-29
// https://iojs.org/api/tls.html
// previous version could use something like this
//, ciphers: "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL"
2015-02-19 06:06:56 +00:00
};
function addSniWorkaroundCallback() {
//SNICallback is passed the domain name, see NodeJS docs on TLS
secureOpts.SNICallback = function (domainname, cb) {
domainname = domainname.replace(/^www\./, '')
if (/(^|\.)proxyable\./.test(domainname)) {
// device-id-12345678.proxyable.myapp.mydomain.com => myapp.mydomain.com
// proxyable.myapp.mydomain.com => myapp.mydomain.com
2015-02-21 18:05:26 +00:00
// TODO myapp.mydomain.com.proxyable.com => myapp.mydomain.com
domainname = domainname.replace(/.*\.?proxyable\./, '');
2015-02-21 18:05:26 +00:00
}
2015-02-20 21:21:37 +00:00
if (!secureContexts.dummy) {
console.log('[log] Loading dummy certs');
secureContexts.dummy = createSecureContext(localDummyCerts);
2015-02-20 21:21:37 +00:00
}
if (!secureContexts[domainname]) {
console.log('[log] Loading certs for', domainname);
// TODO keep trying to find the cert in case it's uploaded late?
secureContexts[domainname] = loadCerts(domainname) || secureContexts.dummy;
2015-02-19 06:06:56 +00:00
}
// workaround for v0.12 / v1.2 backwards compat bug
if ('function' === typeof cb) {
cb(null, secureContexts[domainname] || secureContexts.dummy);
2015-02-19 06:06:56 +00:00
} else {
return secureContexts[domainname] || secureContexts.dummy;
2015-02-19 06:06:56 +00:00
}
};
}
2015-02-20 21:21:37 +00:00
2015-02-19 06:06:56 +00:00
addSniWorkaroundCallback();
2015-02-20 21:21:37 +00:00
return https.createServer(secureOpts);
}
2015-02-19 06:06:56 +00:00
2015-02-20 21:21:37 +00:00
function runServer() {
return new PromiseA(function (resolve) {
var secureServer = createSecureServer();
var promiseApps;
2015-02-19 06:06:56 +00:00
2015-02-20 21:21:37 +00:00
function loadPromise() {
if (!promiseApps) {
promiseApps = createPromiseApps(secureServer);
}
return promiseApps;
}
secureServer.listen(securePort, function () {
resolve(secureServer);
console.log("Listening on https://localhost:" + secureServer.address().port, '\n');
loadPromise();
});
// Get up and listening as absolutely quickly as possible
secureServer.on('request', function (req, res) {
if (/(^|\.)proxyable\./.test(req.headers.host)) {
// device-id-12345678.proxyable.myapp.mydomain.com => myapp.mydomain.com
// proxyable.myapp.mydomain.com => myapp.mydomain.com
// TODO myapp.mydomain.com.proxyable.com => myapp.mydomain.com
req.headers.host = req.headers.host.replace(/.*\.?proxyable\./, '');
}
2015-02-20 21:21:37 +00:00
loadPromise().then(function (app) {
app(req, res);
});
});
return secureServer;
});
2015-02-19 06:06:56 +00:00
}
2015-02-20 21:21:37 +00:00
2015-10-05 19:51:58 +00:00
function updateIps() {
console.log('[UPDATE IP]');
require('./ddns-updater').update().then(function (results) {
results.forEach(function (result) {
if (result.error) {
console.error(result);
} else {
console.log('[SUCCESS]', result.service.hostname);
}
});
}).error(function (err) {
console.error('[UPDATE IP] ERROR');
console.error(err);
});
}
// TODO check the IP every 5 minutes and update it every hour
setInterval(updateIps, 60 * 60 * 1000);
updateIps();
2015-02-20 21:21:37 +00:00
return runServer();
};