

'use strict';
module.exports.create = function (deps, config) {
// NOTE(review): dumps the entire config object to stdout at startup. The ACME
// account email is read from it further down; if it also carries key material or
// tokens (not visible from here) they end up in the process log — confirm before
// shipping with this line in place.
console.log('config', config);
//var PromiseA = global.Promise;
var PromiseA = require('bluebird');
var greenlock = require('greenlock');
var listeners = require('./servers').listeners;
var parseSni = require('sni');
// Lazily-created service modules (admin, http), keyed by name; filled in by the
// routers below on first use.
var modules = { };
// Program-wide ACME settings. The directory URL comes from config; the challenge
// type is fixed here to tls-sni-01.
// NOTE(review): tls-sni-01 has since been retired by Let's Encrypt; confirm the
// directory in use still offers it, otherwise issuance via approveDomains fails.
var program = {
tlsOptions: require('').merge({})
, acmeDirectoryUrl: ''
, challengeType: 'tls-sni-01'
// Cache of tls.SecureContext objects for "static" certificates, keyed by the SNI
// string as the client sent it (see SNICallback below).
var secureContexts = {};
// TLS options for the terminating server; populated from program.tlsOptions below.
var tunnelAdminTlsOpts = {};
var tls = require('tls');
// Routes a plaintext (or already TLS-terminated) connection by sniffing its first
// chunk. `get(address, port)` returns one cached router per local address:port;
// the router itself rewrites the HTTP head (adds X-Forwarded-* headers) and hands
// the connection to the admin or http module.
var tcpRouter = {
_map: { }
, _create: function (address, port) {
// port provides hinting for http, smtp, etc
2017-04-27 22:05:34 +00:00
// conn: the raw socket; firstChunk: the first Buffer read from it;
// opts: { servername, encrypted, remoteAddress, remotePort } from handler().
return function (conn, firstChunk, opts) {
console.log('[tcpRouter] ' + address + ':' + port + ' ' + (opts.servername || ''));
var m;
var str;
2017-04-27 22:05:34 +00:00
var hostname;
var newHeads;
// TODO test per-module
// Maybe HTTP
// A printable-ASCII first byte is taken to mean a text protocol; TLS (0x16) was
// already diverted to tlsRouter by handler().
if (firstChunk[0] > 32 && firstChunk[0] < 127) {
str = firstChunk.toString();
// Host header must start a line and be written "Host: " with one space;
// case-insensitive. "Host:example" (no space) is not matched and falls into the
// 404 branch below.
m = str.match(/(?:^|[\r\n])Host: ([^\r\n]+)[\r\n]*/im);
2017-04-27 22:05:34 +00:00
// Lower-case and drop the port. NOTE(review): an IPv6 literal such as
// "[::1]:8080" is reduced to "[" by this split.
hostname = (m && m[1].toLowerCase() || '').split(':')[0];
console.log('[tcpRouter] hostname', hostname);
if (/HTTP\//i.test(str)) {
//conn.__service = 'http';
2017-04-27 22:05:34 +00:00
if (!hostname) {
// TODO allow tcp tunneling
// TODO we need some way of tagging tcp as either terminated tls or insecure
// No usable Host header: answer with a fixed 404. (The write/close of this
// response is not visible in this view of the file.)
"HTTP/1.1 404 Not Found\r\n"
+ "Date: Fri, 31 Dec 1999 23:59:59 GMT\r\n"
+ "Content-Type: text/html\r\n"
+ "Content-Length: " + 9 + "\r\n"
+ "\r\n"
+ "Not Found"
2017-04-27 22:05:34 +00:00
// Poor-man's http proxy
// XXX SECURITY XXX: existing X-Forwarded-* headers sent by the client are NOT
// stripped here, so the upstream may receive two X-Forwarded-For / -Proto / -Host
// lines and cannot tell which one this proxy added. Strip the incoming ones (or
// make the upstream trust only this hop) before using them for access decisions
// or audit logging.
newHeads =
[ "X-Forwarded-Proto: " + (opts.encrypted ? 'https' : 'http')
, "X-Forwarded-For: " + (conn.remoteAddress || opts.remoteAddress)
, "X-Forwarded-Host: " + hostname
if (!opts.encrypted) {
// Presence-only marker added by this proxy on plaintext connections. A client
// can add its own copy, but it cannot remove the one inserted after its Host
// line, so "header present" reliably means "not encrypted at this hop".
newHeads.push("X-Not-Encrypted: yes");
if (opts.servername) {
// TLS-layer SNI as seen by handler(); unlike Host it is not under the control
// of the HTTP request text (though a client may still add a forged copy).
newHeads.push("X-Forwarded-Sni: " + opts.servername);
if (opts.servername !== hostname) {
// Presence-only marker: SNI and Host disagree. Same removal guarantee as above.
newHeads.push("X-Two-Servernames: yes");
// NOTE(review): the chunk is round-tripped through a UTF-8 string. Any non-UTF-8
// bytes that share the first chunk (e.g. a binary request body) are altered by
// the decode/encode (invalid sequences become U+FFFD).
firstChunk = firstChunk.toString('utf8');
// JSON.stringify("Host:\r\nNext: Header".replace(/(Host: [^\r\n]*)/i, "$1" + "\r\n" + "X: XYZ"))
// Insert the new headers right after the Host line. NOTE(review): unlike the
// match above, this regex is not anchored to a line start, so it hits the first
// "Host: " substring anywhere in the head (e.g. inside another header's value).
// The insertion still lands at a line end, so the new headers form lines of their
// own, but possibly after a different line than the one `hostname` came from.
firstChunk = firstChunk.replace(/(Host: [^\r\n]*)/i, "$1" + "\r\n" + newHeads.join("\r\n"));
// Push the rewritten head back so the module that receives 'connection' below
// reads it as the first data.
process.nextTick(function () {
conn.unshift(Buffer.from(firstChunk, 'utf8'));
// hard-coded routes for the admin interface
// NOTE(review): `hostname` is the client-supplied Host header, and these regexes
// are only word-boundary anchored, so e.g. "foo.localhost.admin.example" also
// routes here. Any access control for the admin interface must live in the admin
// module itself (not visible from here) — confirm.
if (
/\blocalhost\.admin\./.test(hostname) || /\badmin\.localhost\./.test(hostname)
|| /\blocalhost\.alpha\./.test(hostname) || /\balpha\.localhost\./.test(hostname)
) {
if (!modules.admin) {
modules.admin = require('./modules/admin.js').create(deps, config);
modules.admin.emit('connection', conn);
2017-04-27 22:05:34 +00:00
// TODO static file handiling and such or whatever
// Lazily create the http module. NOTE(review): created here with
// create(deps, config), but approveDomains() below calls create(config) — one of
// the two call shapes is wrong.
if (!modules.http) {
modules.http = require('./modules/http.js').create(deps, config);
// Hand the parsed hostname and routing opts to the http module via the socket.
opts.hostname = hostname;
conn.__opts = opts;
modules.http.emit('connection', conn);
// Return (creating on first use) the router for this local address:port.
, get: function getTcpRouter(address, port) {
address = address || '';
var id = address + ':' + port;
if (!tcpRouter._map[id]) {
tcpRouter._map[id] = tcpRouter._create(address, port);
return tcpRouter._map[id];
// Routes a connection whose first byte looked like a TLS record. In the code
// visible here every such connection is terminated by program.tlsTunnelServer
// (state 3 below); the SNI-passthrough and admin short-cuts (states 1 and 2) are
// described but not implemented in this view.
var tlsRouter = {
_map: { }
2017-04-27 22:05:34 +00:00
, _create: function (address, port/*, nextServer*/) {
// port provides hinting for https, smtps, etc
2017-04-27 22:05:34 +00:00
// socket: raw socket; firstChunk: the ClientHello bytes already read;
// opts.servername: SNI parsed by handler().
return function (socket, firstChunk, opts) {
var servername = opts.servername;
// Wrap the raw socket in a duplex so the terminating server can be fed from it.
var packerStream = require('tunnel-packer').Stream;
var myDuplex = packerStream.create(socket);
2017-04-27 22:05:34 +00:00
console.log('[tlsRouter] ' + address + ':' + port + ' servername', servername, myDuplex.remoteAddress);
// needs to wind up in one of 3 states:
2017-04-27 22:05:34 +00:00
// 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
// 2. Admin Interface (skips the proxying)
// 3. Terminated (goes on to a particular module or route)
//myDuplex.__tlsTerminated = true;
2017-04-27 22:05:34 +00:00
process.nextTick(function () {
// this must happen after the socket is emitted to the next in the chain,
// but before any more data comes in via the network
// nextServer.emit could be used here
// Hand the wrapped socket to the TLS-terminating server; how firstChunk is
// replayed into it is not visible in this view.
program.tlsTunnelServer.emit('connection', myDuplex);
2017-04-27 22:05:34 +00:00
// Why all this wacky-do with the myDuplex?
// because, that's why
// (because node's internal networking layer == 💩 sometimes)
socket.on('data', function (chunk) {
// NOTE(review): the operand between the brackets is missing in this view of
// the line ('[' + + ']' is a syntax error as shown).
console.log('[' + + '] tls socket data', chunk.byteLength);
socket.on('error', function (err) {
// Forwards the error to the duplex but does not close either side (see TODO).
console.error('[error] httpsTunnel (Admin) TODO close');
myDuplex.emit('error', err);
socket.on('close', function () {
2017-04-27 22:05:34 +00:00
// Return (creating on first use) the router for this local address:port.
// (Named getTcpRouter, presumably copied from tcpRouter.get.)
, get: function getTcpRouter(address, port) {
address = address || '';
var id = address + ':' + port;
if (!tlsRouter._map[id]) {
tlsRouter._map[id] = tlsRouter._create(address, port);
return tlsRouter._map[id];
// opts = { servername, encrypted, remoteAddress, remotePort }
// Entry point for every accepted socket (see listeners.tcp.add below) and for
// sockets re-entered after TLS termination (see program.tlsTunnelServer). Peeks at
// the first data event and dispatches to tlsRouter or tcpRouter.
// opts: { servername, encrypted, remoteAddress, remotePort }, all optional.
function handler(conn, opts) {
opts = opts || {};
2017-04-27 22:05:34 +00:00
// NOTE(review): `conn.localAddres` is misspelled (the property used below is
// `localAddress`), so this logs undefined.
console.log('[handler]', conn.localAddres, conn.localPort, opts.encrypted);
// Only the first chunk is inspected; a ClientHello split across chunks would
// presumably fail SNI parsing and take the 'localhost.invalid' fallback.
conn.once('data', function (firstChunk) {
var servername;
2017-04-27 22:05:34 +00:00
// TODO port-based routing can do here
// TLS
// 0x16 is the TLS record content type "handshake". NOTE(review): this check runs
// regardless of opts.encrypted, so a TLS handshake arriving on an already
// terminated connection is routed into tlsRouter again.
if (22 === firstChunk[0]) {
// Lower-cased SNI, or 'localhost.invalid' when absent/unparseable. Where this
// value is attached to opts.servername (read by tlsRouter) is not visible here.
servername = (parseSni(firstChunk)||'').toLowerCase() || 'localhost.invalid';
2017-04-27 22:05:34 +00:00
tlsRouter.get(conn.localAddress, conn.localPort)(conn, firstChunk, opts);
else {
2017-04-27 22:05:34 +00:00
tcpRouter.get(conn.localAddress, conn.localPort)(conn, firstChunk, opts);
// Authorization gate for ACME issuance. Every SNI name that reaches greenlock's
// SNICallback (see SNICallback below) ends up here; calling cb(err) refuses to
// issue for it. Two allow paths: an exact entry in config.tls.servernames, or a
// positive answer from modules.http.checkServername().
// opts: greenlock options (opts.domain is the name being asked for);
// certs: existing certificate on renewal, otherwise falsy;
// cb(err, { options, certs }).
function approveDomains(opts, certs, cb) {
// This is where you check your database and associated
// email addresses with domains and agreements and such
// The domains being approved for the first time are listed in
// Certs being renewed are listed in certs.altnames
// Copies the decided settings onto opts and calls the outer cb. `err` is never
// read; the third argument callers pass (cb) is ignored.
function complete(err, stuff) { =;
opts.agreeTos = stuff.agreeTos;
opts.server = stuff.server;
opts.challengeType = stuff.challengeType;
cb(null, { options: opts, certs: certs });
// Renewal: re-approve the names already on the certificate.
if (certs) {
// TODO make sure the same options are used for renewal as for registration? = certs.altnames;
cb(null, { options: opts, certs: certs });
// check config for domain name
// Exact, case-sensitive match against the configured list; entries should be
// lower-case to line up with SNI as greenlock hands it in — confirm.
if (-1 !== config.tls.servernames.indexOf(opts.domain)) {
// TODO how to handle SANs?
// TODO fetch domain-specific email
// TODO fetch domain-specific acmeDirectory
// NOTE: you can also change other options such as `challengeType` and `challenge`
// opts.challengeType = 'http-01';
// opts.challenge = require('le-challenge-fs').create({}); // TODO this doesn't actually work yet
complete(null, {
email:, agreeTos: true, server: program.acmeDirectoryUrl, challengeType: program.challengeType });
// TODO ask http module about the default path (/srv/www/:hostname)
// (if it exists, we can allow and add to config)
// Not in config: defer to the http module.
// NOTE(review): created here with create(config), whereas tcpRouter creates the
// same module with create(deps, config); if the module needs deps, the instance
// created on this path lacks them.
if (!modules.http) {
modules.http = require('./modules/http.js').create(config);
// NOTE(review): no rejection handler is visible on this promise; a failure in
// checkServername would never call cb and the handshake would hang.
modules.http.checkServername(opts.domain).then(function (stuff) {
if (! {
// TODO once precheck is implemented we can just let it pass if it passes, yknow?
// Refuse issuance. If no `return` follows (not visible in this view), complete()
// below also runs and cb is called twice.
cb(new Error('domain is not allowed'));
// NOTE(review): unlike the config path above, no agreeTos is passed here, so
// opts.agreeTos ends up undefined — confirm greenlock accepts that.
complete(null, {
domain: stuff.domain ||[0]
, domains:
, email:
, server: program.acmeDirectoryUrl
, challengeType: program.challengeType
}, cb);
// Builds the greenlock (ACME) client. Created lazily on the first SNI that is not
// served from a static certificate (see SNICallback below). approveDomains is the
// only issuance gate: the static approvedDomains allowlist is commented out.
function getAcme() {
return greenlock.create({
//server: 'staging'
server: ''
, challenges: {
// TODO dns-01
// NOTE(review): the http-01 webroot lives under /tmp. On a shared host another
// local user can pre-create or swap files under a world-writable /tmp path; a
// service-owned directory with restricted permissions would be safer — depends
// on deployment.
'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: config.debug })
// The challenge actually selected per certificate is program.challengeType
// (tls-sni-01), set in approveDomains.
, 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
//, 'dns-01': require('le-challenge-ddns').create()
2017-04-13 23:42:37 +00:00
// Where account keys and certificates are written is left to the store's
// defaults (not visible here).
, store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })
2017-04-13 23:42:37 +00:00
//, email:
2017-04-13 23:42:37 +00:00
//, agreeTos: program.agreeTos
2017-04-13 23:42:37 +00:00
, approveDomains: approveDomains
2017-04-13 23:42:37 +00:00
//, approvedDomains: program.servernames
// Shallow-copy the base TLS options, then install the SNI callback that picks a
// certificate per client-supplied servername.
Object.keys(program.tlsOptions).forEach(function (key) {
tunnelAdminTlsOpts[key] = program.tlsOptions[key];
// sni: servername from the ClientHello (client-controlled); cb(err, SecureContext).
tunnelAdminTlsOpts.SNICallback = function (sni, cb) {
console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");
2017-04-13 23:42:37 +00:00
var tlsOptions;
2017-04-13 23:42:37 +00:00
// Static Certs
// NOTE(review): this regex is unanchored — any name containing "localhost"
// followed somewhere by ".daplie.me" matches, e.g. "localhost.daplie.me.attacker.example".
// Whether mergeTlsOptions returns anything for such a name is not visible here.
if (/.*localhost.*\.daplie\.me/.test(sni.toLowerCase())) {
// TODO implement
// NOTE(review): the test above lower-cases, but the cache key is the raw `sni`,
// so case variants of one name each get their own SecureContext. The cache is
// never pruned and is keyed by a client-chosen string.
if (!secureContexts[sni]) {
tlsOptions = require('').mergeTlsOptions(sni, {});
2017-04-13 23:42:37 +00:00
if (tlsOptions) {
secureContexts[sni] = tls.createSecureContext(tlsOptions);
2017-04-13 23:42:37 +00:00
if (secureContexts[sni]) {
console.log('Got static secure context:', sni, secureContexts[sni]);
cb(null, secureContexts[sni]);
2017-04-13 23:42:37 +00:00
// Everything else goes to greenlock, which may start an ACME order for the name;
// approveDomains() is what decides whether that is allowed.
if (!program.greenlock) {
program.greenlock = getAcme();
2017-04-13 23:42:37 +00:00
2017-04-13 23:42:37 +00:00
(program.greenlock.tlsOptions||program.greenlock.httpsOptions).SNICallback(sni, cb);
// The TLS-terminating server fed by tlsRouter. Each terminated socket is sent back
// through handler() with encrypted:true so the HTTP-level routing in tcpRouter
// runs on the decrypted stream; the TLS-layer servername is carried along so
// tcpRouter can flag a Host/SNI mismatch (X-Two-Servernames).
program.tlsTunnelServer = tls.createServer(tunnelAdminTlsOpts, function (tlsSocket) {
2017-04-27 22:05:34 +00:00
console.log('(pre-terminated) tls connection, addr:', tlsSocket.remoteAddress);
// things get a little messed up here
//tlsSocket.on('data', function (chunk) {
// console.log('terminated data:', chunk.toString());
//(program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket);
2017-04-27 22:05:34 +00:00
//tcpRouter.get(conn.localAddress, conn.localPort)(conn, firstChunk, { encrypted: false });
handler(tlsSocket, {
servername: tlsSocket.servername
, encrypted: true
// remoteAddress... ugh...
// Fall back to the wrapped pre-termination socket's address when the TLS socket
// does not carry one (it is built on the tunnel-packer duplex, not a net.Socket).
, remoteAddress: tlsSocket.remoteAddress ||
, remotePort: tlsSocket.remotePort ||
PromiseA.all( (port) {
return listeners.tcp.add(port, handler);