forked from coolaj86/goldilocks.js
284 lines
10 KiB
JavaScript
284 lines
10 KiB
JavaScript
'use strict';
|
|
|
|
module.exports.create = function (deps, config, netHandler) {
|
|
var tls = require('tls');
|
|
var parseSni = require('sni');
|
|
var greenlock = require('greenlock');
|
|
var localhostCerts = require('localhost.daplie.me-certificates');
|
|
var domainMatches = require('../domain-utils').match;
|
|
|
|
function extractSocketProp(socket, propName) {
|
|
// remoteAddress, remotePort... ugh... https://github.com/nodejs/node/issues/8854
|
|
return socket[propName]
|
|
|| socket['_' + propName]
|
|
|| socket._handle._parent.owner.stream[propName]
|
|
;
|
|
}
|
|
|
|
function wrapSocket(socket, opts) {
|
|
var myDuplex = require('tunnel-packer').Stream.create(socket);
|
|
myDuplex.remoteFamily = opts.remoteFamily || myDuplex.remoteFamily;
|
|
myDuplex.remoteAddress = opts.remoteAddress || myDuplex.remoteAddress;
|
|
myDuplex.remotePort = opts.remotePort || myDuplex.remotePort;
|
|
|
|
socket.on('data', function (chunk) {
|
|
console.log('[' + Date.now() + '] tls socket data', chunk.byteLength);
|
|
myDuplex.push(chunk);
|
|
});
|
|
socket.on('error', function (err) {
|
|
console.error('[error] httpsTunnel (Admin) TODO close');
|
|
console.error(err);
|
|
myDuplex.emit('error', err);
|
|
});
|
|
socket.on('close', function () {
|
|
myDuplex.end();
|
|
});
|
|
|
|
process.nextTick(function () {
|
|
// this must happen after the socket is emitted to the next in the chain,
|
|
// but before any more data comes in via the network
|
|
socket.unshift(opts.firstChunk);
|
|
});
|
|
|
|
return myDuplex;
|
|
}
|
|
|
|
var le = greenlock.create({
|
|
// server: 'staging'
|
|
server: 'https://acme-v01.api.letsencrypt.org/directory'
|
|
|
|
, challenges: {
|
|
'http-01': require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges', debug: config.debug })
|
|
, 'tls-sni-01': require('le-challenge-sni').create({ debug: config.debug })
|
|
// TODO dns-01
|
|
//, 'dns-01': require('le-challenge-ddns').create()
|
|
}
|
|
|
|
, store: require('le-store-certbot').create({ webrootPath: '/tmp/acme-challenges' })
|
|
|
|
, approveDomains: function (opts, certs, cb) {
|
|
// This is where you check your database and associated
|
|
// email addresses with domains and agreements and such
|
|
|
|
// The domains being approved for the first time are listed in opts.domains
|
|
// Certs being renewed are listed in certs.altnames
|
|
if (certs) {
|
|
// TODO make sure the same options are used for renewal as for registration?
|
|
opts.domains = certs.altnames;
|
|
|
|
cb(null, { options: opts, certs: certs });
|
|
return;
|
|
}
|
|
|
|
function complete(optsOverride) {
|
|
Object.keys(optsOverride).forEach(function (key) {
|
|
opts[key] = optsOverride[key];
|
|
});
|
|
|
|
cb(null, { options: opts, certs: certs });
|
|
}
|
|
|
|
|
|
// check config for domain name
|
|
if (-1 !== (config.tls.servernames || []).indexOf(opts.domain)) {
|
|
// TODO how to handle SANs?
|
|
// TODO fetch domain-specific email
|
|
// TODO fetch domain-specific acmeDirectory
|
|
// NOTE: you can also change other options such as `challengeType` and `challenge`
|
|
// opts.challengeType = 'http-01';
|
|
// opts.challenge = require('le-challenge-fs').create({}); // TODO this doesn't actually work yet
|
|
complete({
|
|
email: config.tls.email
|
|
, agreeTos: true
|
|
, server: config.tls.acmeDirectoryUrl || le.server
|
|
, challengeType: config.tls.challengeType || 'http-01'
|
|
});
|
|
return;
|
|
}
|
|
|
|
// TODO ask http module (and potentially all other modules) about what domains it can
|
|
// handle. We can allow any domains that other modules will handle after we terminate TLS.
|
|
cb(new Error('domain is not allowed'));
|
|
// if (!modules.http) {
|
|
// modules.http = require('./modules/http.js').create(deps, config);
|
|
// }
|
|
// modules.http.checkServername(opts.domain).then(function (stuff) {
|
|
// if (!stuff || !stuff.domains) {
|
|
// // TODO once precheck is implemented we can just let it pass if it passes, yknow?
|
|
// cb(new Error('domain is not allowed'));
|
|
// return;
|
|
// }
|
|
|
|
// complete({
|
|
// domain: stuff.domain || stuff.domains[0]
|
|
// , domains: stuff.domains
|
|
// , email: stuff.email || program.email
|
|
// , server: stuff.acmeDirectoryUrl || program.acmeDirectoryUrl
|
|
// , challengeType: stuff.challengeType || program.challengeType
|
|
// , challenge: stuff.challenge
|
|
// });
|
|
// return;
|
|
// }, cb);
|
|
}
|
|
});
|
|
le.tlsOptions = le.tlsOptions || le.httpsOptions;
|
|
|
|
var secureContexts = {};
|
|
var terminatorOpts = require('localhost.daplie.me-certificates').merge({});
|
|
terminatorOpts.SNICallback = function (sni, cb) {
|
|
console.log("[tlsOptions.SNICallback] SNI: '" + sni + "'");
|
|
|
|
var tlsOptions;
|
|
|
|
// Static Certs
|
|
if (/.*localhost.*\.daplie\.me/.test(sni.toLowerCase())) {
|
|
// TODO implement
|
|
if (!secureContexts[sni]) {
|
|
tlsOptions = localhostCerts.mergeTlsOptions(sni, {});
|
|
}
|
|
if (tlsOptions) {
|
|
secureContexts[sni] = tls.createSecureContext(tlsOptions);
|
|
}
|
|
if (secureContexts[sni]) {
|
|
console.log('Got static secure context:', sni, secureContexts[sni]);
|
|
cb(null, secureContexts[sni]);
|
|
return;
|
|
}
|
|
}
|
|
|
|
le.tlsOptions.SNICallback(sni, cb);
|
|
};
|
|
|
|
var terminateServer = tls.createServer(terminatorOpts, function (socket) {
|
|
console.log('(pre-terminated) tls connection, addr:', socket.remoteAddress);
|
|
|
|
netHandler(socket, {
|
|
servername: socket.servername
|
|
, encrypted: true
|
|
// remoteAddress... ugh... https://github.com/nodejs/node/issues/8854
|
|
, remoteAddress: extractSocketProp(socket, 'remoteAddress')
|
|
, remotePort: extractSocketProp(socket, 'remotePort')
|
|
, remoteFamily: extractSocketProp(socket, 'remoteFamily')
|
|
});
|
|
});
|
|
|
|
function proxy(socket, opts, mod) {
|
|
var destination = mod.address.split(':');
|
|
var connected = false;
|
|
|
|
var newConn = deps.net.createConnection({
|
|
port: destination[1]
|
|
, host: destination[0] || '127.0.0.1'
|
|
|
|
, servername: opts.servername
|
|
, data: opts.firstChunk
|
|
, remoteFamily: opts.family || extractSocketProp(socket, 'remoteFamily')
|
|
, remoteAddress: opts.address || extractSocketProp(socket, 'remoteAddress')
|
|
, remotePort: opts.port || extractSocketProp(socket, 'remotePort')
|
|
}, function () {
|
|
connected = true;
|
|
if (!opts.hyperPeek) {
|
|
newConn.write(opts.firstChunk);
|
|
}
|
|
newConn.pipe(socket);
|
|
socket.pipe(newConn);
|
|
});
|
|
|
|
// Not sure how to effectively report this to the user or client, but we need to listen
|
|
// for the event to prevent it from crashing us.
|
|
newConn.on('error', function (err) {
|
|
if (connected) {
|
|
console.error('TLS proxy remote error', err);
|
|
socket.end();
|
|
} else {
|
|
console.log('TLS proxy connection error', err);
|
|
var tlsOpts = localhostCerts.mergeTlsOptions('localhost.daplie.me', {isServer: true});
|
|
var decrypted;
|
|
if (opts.hyperPeek) {
|
|
decrypted = new tls.TLSSocket(socket, tlsOpts);
|
|
} else {
|
|
decrypted = new tls.TLSSocket(wrapSocket(socket, opts), tlsOpts);
|
|
}
|
|
require('../proxy-err-resp').sendBadGateway(decrypted, err, config.debug);
|
|
}
|
|
});
|
|
socket.on('error', function (err) {
|
|
console.error('TLS proxy client error', err);
|
|
newConn.end();
|
|
});
|
|
}
|
|
|
|
function terminate(socket, opts) {
|
|
console.log(
|
|
'[tls-terminate]'
|
|
, opts.localAddress || socket.localAddress +':'+ opts.localPort || socket.localPort
|
|
, 'servername=' + opts.servername
|
|
, opts.remoteAddress || socket.remoteAddress
|
|
);
|
|
|
|
if (opts.hyperPeek) {
|
|
// This connection was peeked at using a method that doesn't interferre with the TLS
|
|
// server's ability to handle it properly. Currently the only way this happens is
|
|
// with tunnel connections where we have the first chunk of data before creating the
|
|
// new connection (thus removing need to get data off the new connection).
|
|
terminateServer.emit('connection', socket);
|
|
}
|
|
else {
|
|
// The hyperPeek flag wasn't set, so we had to read data off of this connection, which
|
|
// means we can no longer use it directly in the TLS server.
|
|
// See https://github.com/nodejs/node/issues/8752 (node's internal networking layer == 💩 sometimes)
|
|
terminateServer.emit('connection', wrapSocket(socket, opts));
|
|
}
|
|
}
|
|
|
|
function handleConn(socket, opts) {
|
|
opts.servername = (parseSni(opts.firstChunk)||'').toLowerCase() || 'localhost.invalid';
|
|
// needs to wind up in one of 2 states:
|
|
// 1. SNI-based Proxy / Tunnel (we don't even need to put it through the tlsSocket)
|
|
// 2. Terminated (goes on to a particular module or route, including the admin interface)
|
|
// 3. Closed (we don't recognize the SNI servername as something we actually want to handle)
|
|
|
|
// We always want to terminate is the SNI matches the challenge pattern, unless a client
|
|
// on the south side has temporarily claimed a particular challenge. For the time being
|
|
// we don't have a way for the south-side to communicate with us, so that part isn't done.
|
|
if (domainMatches('*.acme-challenge.invalid', opts.servername)) {
|
|
terminate(socket, opts);
|
|
return;
|
|
}
|
|
|
|
var handled = (config.tls.modules || []).some(function (mod) {
|
|
var relevant = mod.domains.some(function (pattern) {
|
|
return domainMatches(pattern, opts.servername);
|
|
});
|
|
if (!relevant) {
|
|
return false;
|
|
}
|
|
|
|
if (mod.name === 'proxy') {
|
|
proxy(socket, opts, mod);
|
|
}
|
|
else {
|
|
console.error('saw unknown TLS module', mod);
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
});
|
|
|
|
// TODO: figure out all of the domains that the other modules intend to handle, and only
|
|
// terminate those ones, closing connections for all others.
|
|
if (!handled) {
|
|
terminate(socket, opts);
|
|
}
|
|
}
|
|
|
|
return {
|
|
emit: function (type, socket) {
|
|
if (type === 'connection') {
|
|
handleConn(socket, socket.__opts);
|
|
}
|
|
}
|
|
, middleware: le.middleware()
|
|
};
|
|
};
|