From 70e7d573955712799e5ff52f9b00274ccff6ebc7 Mon Sep 17 00:00:00 2001
From: tigerbot
Date: Wed, 10 May 2017 16:05:54 -0600
Subject: [PATCH] added hooks to handle ACME challenges

---
 lib/goldilocks.js | 21 ++++++++++++---------
 lib/modules/http.js | 13 ++++++++-----
 lib/modules/tls.js | 9 +++++++++
 lib/worker.js | 3 +++
 4 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/lib/goldilocks.js b/lib/goldilocks.js
index d398741..fd88055 100644
--- a/lib/goldilocks.js
+++ b/lib/goldilocks.js
@@ -6,20 +6,27 @@ module.exports.create = function (deps, config) {
   //var PromiseA = global.Promise;
   var PromiseA = require('bluebird');
   var listeners = require('./servers').listeners;
-  var modules = { };
+  var modules;
+
+  function loadModules() {
+    modules = {};
+
+    modules.tls = require('./modules/tls').create(deps, config, netHandler);
+    modules.http = require('./modules/http.js').create(deps, config, modules.tls.middleware);
+  }
 
   // opts = { servername, encrypted, peek, data, remoteAddress, remotePort }
   function peek(conn, firstChunk, opts) {
+    if (!modules) {
+      loadModules();
+    }
+
     opts.firstChunk = firstChunk;
     conn.__opts = opts;
 
     // TODO port/service-based routing can do here
     // TLS byte 1 is handshake and byte 6 is client hello
     if (0x16 === firstChunk[0]/* && 0x01 === firstChunk[5]*/) {
-      if (!modules.tls) {
-        modules.tls = require('./modules/tls').create(deps, config, netHandler);
-      }
-
       modules.tls.emit('connection', conn);
       return;
     }
@@ -37,10 +44,6 @@ module.exports.create = function (deps, config) {
     if (firstChunk[0] > 32 && firstChunk[0] < 127) {
       var firstStr = firstChunk.toString();
       if (/HTTP\//i.test(firstStr)) {
-        if (!modules.http) {
-          modules.http = require('./modules/http.js').create(deps, config);
-        }
-
         modules.http.emit('connection', conn);
         return;
       }
diff --git a/lib/modules/http.js b/lib/modules/http.js
index 5c6247a..ab41e6c 100644
--- a/lib/modules/http.js
+++ b/lib/modules/http.js
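Review bot: `loadModules()` assigns `modules = {}` before either `create` call runs, so if `require('./modules/tls').create(...)` throws on the first connection, `modules` is left as a non-null empty object, the `if (!modules)` guard in `peek` never fires again, and every later connection fails at `modules.tls.emit` with a TypeError where the removed per-module checks would have retried. Building the pair in a local and assigning `modules` only after both creates succeed preserves the retry behaviour. The hunk also makes the HTTP module depend on the TLS module through `modules.tls.middleware`, which is why both are now created on the first connection even when it is plain HTTP; a comment on `loadModules` stating that would explain the coupling to the next reader. The enclosing `create` function starts before this hunk.

```javascript
  function loadModules() {
    var loaded = {};

    // Build both modules first and publish only on success, so a failed create
    // is retried by the next connection instead of leaving an empty `modules`.
    // http needs tls because it mounts the ACME challenge middleware from it.
    loaded.tls = require('./modules/tls').create(deps, config, netHandler);
    loaded.http = require('./modules/http.js').create(deps, config, loaded.tls.middleware);

    modules = loaded;
  }
```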
@@ -1,6 +1,6 @@
 'use strict';
 
-module.exports.create = function (deps, conf) {
+module.exports.create = function (deps, conf, greenlockMiddleware) {
   var express = require('express');
   var app = express();
   var adminApp = require('./admin').create(deps, conf);
@@ -19,11 +19,13 @@ module.exports.create = function (deps, conf) {
   var redirecters = {};
   function redirectHttps(req, res, next) {
     var port = req.headers.host.split(':')[1];
-    var redirecter = redirecters[port];
-    if (!redirecter) {
-      redirecter = redirecters[port] = require('redirect-https')({port: port});
+    if (!redirecters[port]) {
+      redirecters[port] = require('redirect-https')({
+        port: port
+      , trustProxy: conf.http.trustProxy
+      });
     }
-    redirecter(req, res, next);
+    redirecters[port](req, res, next);
   }
 
   function handleAdmin(req, res, next) {
@@ -123,6 +125,7 @@ module.exports.create = function (deps, conf) {
     };
   }
 
+  app.use(greenlockMiddleware);
   app.use(redirectHttps);
   app.use(handleAdmin);
 
diff --git a/lib/modules/tls.js b/lib/modules/tls.js
index 054bea5..c3570ce 100644
--- a/lib/modules/tls.js
+++ b/lib/modules/tls.js
@@ -199,6 +199,14 @@ module.exports.create = function (deps, config, netHandler) {
   // 2. Terminated (goes on to a particular module or route, including the admin interface)
   // 3. Closed (we don't recognize the SNI servername as something we actually want to handle)
 
+  // We always want to terminate is the SNI matches the challenge pattern, unless a client
+  // on the south side has temporarily claimed a particular challenge. For the time being
+  // we don't have a way for the south-side to communicate with us, so that part isn't done.
+  if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
+    terminate(socket, opts);
+    return;
+  }
+
   var handled = (config.tls.modules || []).some(function (mod) {
     var relevant = mod.domains.some(function (pattern) {
       return domainMatches(pattern, opts.servername);
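Review bot: The cache key `port` in `redirectHttps` is taken verbatim from the client's Host header, so every distinct non-numeric suffix creates and caches a new `redirect-https` instance (unbounded growth), and a value such as `constructor` resolves to an inherited property of the plain `redirecters` object rather than to a cached redirecter, so the truthiness check passes and the call on the next line is not a redirect. Use `var redirecters = Object.create(null);` and only build or look up an entry when `port` is absent or matches `/^\d{1,5}$/`, answering 400 otherwise. `conf.http.trustProxy` is also read inside the handler on the first request for each port, so a missing `http` section would surface as a per-request TypeError rather than at startup; reading it once at create time, or a comment stating the config loader guarantees `conf.http`, would make that explicit. Because `trustProxy` makes the redirecter honour `X-Forwarded-*` headers, the option deserves a comment that it must only be enabled when every path to this listener goes through a proxy that overwrites those headers.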
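Review bot: `app.use(greenlockMiddleware)` throws at module creation time if the new third argument is omitted, because express rejects a non-function argument to `app.use()`; `create` is only called with `modules.tls.middleware` from goldilocks.js in this commit, but any other caller of `create(deps, conf)` now breaks. Making the parameter optional, `if (greenlockMiddleware) { app.use(greenlockMiddleware); }`, and documenting it as `@param {Function} [greenlockMiddleware] ACME challenge responder mounted before the HTTPS redirect` keeps the old call shape working. The placement ahead of `redirectHttps` is deliberate, since challenge requests must be answered over plain HTTP rather than redirected, and a one-line comment saying so would stop a later "fix" of the ordering. The `create` function containing these `app.use` calls starts outside the hunk.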
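Review bot: The new comment in tls.js has a typo, "terminate is the SNI" should read "terminate if the SNI", and it would be more useful if it also said why the check sits ahead of the `config.tls.modules` loop: a challenge SNI must be terminated even when the name is not in any configured module's `domains`. The literal `'*.acme-challenge.invalid'` would read better as a named constant alongside the module's other settings, and since only names matching it bypass the configured domain routing, it is worth confirming the pattern against the SNI form the challenge plugin actually presents. The enclosing function begins before this hunk.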
@@ -231,5 +239,6 @@ module.exports.create = function (deps, config, netHandler) {
       handleConn(socket, socket.__opts);
     }
   }
+  , middleware: le.middleware()
 };
 };
diff --git a/lib/worker.js b/lib/worker.js
index 84569e1..79db594 100644
--- a/lib/worker.js
+++ b/lib/worker.js
@@ -4,6 +4,9 @@ process.on('message', function (conf) {
 
   var deps = {
     messenger: process
+    // Note that if a custom createConnections is used it will be called with different
+    // sets of custom options based on what is actually being proxied. Most notably the
+    // HTTP proxying connection creation is not something we currently control.
   , net: require('net')
   };
   require('./goldilocks.js').create(deps, conf);