'use strict';
// Note the odd use of callbacks here.
// We're targeting low-power platforms and so we're trying to
// require everything as lazily as possible until our server
// is actually listening on the socket. Bluebird is heavy.
// Even the built-in modules can take dozens of milliseconds to require
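module.exports.create = function (certPaths, serverCallback) {
  // Builds an https.Server whose default TLS context is the key/cert for
  // 'www.example.com' under certPaths[0]; every other server name is
  // resolved on demand through SNI via ./load-certs.
  //
  // certPaths      - array of certificate directories. certPaths[0] must be the
  //                  default (LE) directory (another may be used for OV and EV certs).
  // serverCallback - error-first callback: called as (err) when the default
  //                  key/cert cannot be read, otherwise as (null, server).

  // Recognize that this secureContexts cache is local to this CPU core
  // (it is handed to ./load-certs, which presumably fills it per server name — confirm there).
  var secureContexts = {};

  function createSecureServer() {
    var fs = require('fs');
    var path = require('path');
    var defaultDomain = 'www.example.com';
    var defaultDir = path.join(certPaths[0], defaultDomain);
    var secureOpts;

    try {
      // TODO create backup file just in case this one is ever corrupted
      // NOTE synchronous is faster in this case of initialization
      secureOpts = {
        key: fs.readFileSync(path.join(defaultDir, 'privkey.pem'), 'ascii'),
        cert: fs.readFileSync(path.join(defaultDir, 'fullchain.pem'), 'ascii'),
        // https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        // https://nodejs.org/api/tls.html
        // removed :ECDH+AES256:DH+AES256 and added :!AES256 because AES-256 wastes CPU
        // NOTE(review): the list still offers 3DES (ECDH+3DES, DH+3DES, RSA+3DES), a
        // 64-bit block cipher; honorCipherOrder keeps it last, but consider dropping
        // it unless a known legacy client requires it.
        ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256',
        honorCipherOrder: true
      };
    } catch (err) {
      // A missing or unreadable default key/cert used to escape create() as a
      // synchronous throw; report it through the error-first callback instead.
      serverCallback(err);
      return;
    }

    // SNICallback is passed the server name the client asked for, see NodeJS docs on TLS.
    // Named `servername` so it does not shadow the default domain above.
    secureOpts.SNICallback = function (servername, cb) {
      // NOTE: '*.proxyable.*' domains will be truncated
      var loading;
      try {
        loading = require('./load-certs').load(secureContexts, certPaths, servername);
      } catch (err) {
        // A synchronous failure (e.g. the module itself failing to load) must
        // still answer the handshake, otherwise the client is left hanging.
        cb(err);
        return;
      }
      loading.then(function (context) {
        cb(null, context);
      }, function (err) {
        console.error('[SNI Callback]');
        console.error(err.stack);
        cb(err);
      });
    };

    serverCallback(null, require('https').createServer(secureOpts));
  }

  createSecureServer();
};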