index.js
9.58 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
"use strict";
var PromiseA;
try {
PromiseA = require("bluebird");
} catch (e) {
PromiseA = global.Promise;
}
// opts.approveDomains(options, certs, cb)
module.exports.create = function(opts) {
// accept all defaults for greenlock.challenges, greenlock.store, greenlock.middleware
if (!opts._communityPackage) {
opts._communityPackage = "greenlock-express.js";
opts._communityPackageVersion = require("./package.json").version;
}
function explainError(e) {
console.error("Error:" + e.message);
if ("EACCES" === e.errno) {
console.error("You don't have prmission to access '" + e.address + ":" + e.port + "'.");
console.error('You probably need to use "sudo" or "sudo setcap \'cap_net_bind_service=+ep\' $(which node)"');
return;
}
if ("EADDRINUSE" === e.errno) {
console.error("'" + e.address + ":" + e.port + "' is already being used by some other program.");
console.error("You probably need to stop that program or restart your computer.");
return;
}
console.error(e.code + ": '" + e.address + ":" + e.port + "'");
}
function _createPlain(plainPort) {
if (!plainPort) {
plainPort = 80;
}
var parts = String(plainPort).split(":");
var p = parts.pop();
var addr = parts
.join(":")
.replace(/^\[/, "")
.replace(/\]$/, "");
var args = [];
var httpType;
var server;
var validHttpPort = parseInt(p, 10) >= 0;
if (addr) {
args[1] = addr;
}
if (!validHttpPort && !/(\/)|(\\\\)/.test(p)) {
console.warn("'" + p + "' doesn't seem to be a valid port number, socket path, or pipe");
}
var mw = greenlock.middleware.sanitizeHost(greenlock.middleware(require("redirect-https")()));
server = require("http").createServer(function(req, res) {
req.on("error", function(err) {
console.error("Insecure Request Network Connection Error:");
console.error(err);
});
mw(req, res);
});
httpType = "http";
return {
server: server,
listen: function() {
return new PromiseA(function(resolve, reject) {
args[0] = p;
args.push(function() {
if (!greenlock.servername) {
if (Array.isArray(greenlock.approvedDomains) && greenlock.approvedDomains.length) {
greenlock.servername = greenlock.approvedDomains[0];
}
if (Array.isArray(greenlock.approveDomains) && greenlock.approvedDomains.length) {
greenlock.servername = greenlock.approvedDomains[0];
}
}
if (!greenlock.servername) {
resolve(null);
return;
}
return greenlock
.check({ domains: [greenlock.servername] })
.then(function(certs) {
if (certs) {
return {
key: Buffer.from(certs.privkey, "ascii"),
cert: Buffer.from(certs.cert + "\r\n" + certs.chain, "ascii")
};
}
console.info(
"Fetching certificate for '%s' to use as default for HTTPS server...",
greenlock.servername
);
return new PromiseA(function(resolve, reject) {
// using SNICallback because all options will be set
greenlock.tlsOptions.SNICallback(greenlock.servername, function(err /*, secureContext*/) {
if (err) {
reject(err);
return;
}
return greenlock
.check({ domains: [greenlock.servername] })
.then(function(certs) {
resolve({
key: Buffer.from(certs.privkey, "ascii"),
cert: Buffer.from(certs.cert + "\r\n" + certs.chain, "ascii")
});
})
.catch(reject);
});
});
})
.then(resolve)
.catch(reject);
});
server.listen.apply(server, args).on("error", function(e) {
if (server.listenerCount("error") < 2) {
console.warn("Did not successfully create http server and bind to port '" + p + "':");
explainError(e);
process.exit(41);
}
});
});
}
};
}
function _create(port) {
if (!port) {
port = 443;
}
var parts = String(port).split(":");
var p = parts.pop();
var addr = parts
.join(":")
.replace(/^\[/, "")
.replace(/\]$/, "");
var args = [];
var httpType;
var server;
var validHttpPort = parseInt(p, 10) >= 0;
if (addr) {
args[1] = addr;
}
if (!validHttpPort && !/(\/)|(\\\\)/.test(p)) {
console.warn("'" + p + "' doesn't seem to be a valid port number, socket path, or pipe");
}
var https;
try {
https = require("spdy");
greenlock.tlsOptions.spdy = { protocols: ["h2", "http/1.1"], plain: false };
httpType = "http2 (spdy/h2)";
} catch (e) {
https = require("https");
httpType = "https";
}
var sniCallback = greenlock.tlsOptions.SNICallback;
greenlock.tlsOptions.SNICallback = function(domain, cb) {
sniCallback(domain, function(err, context) {
cb(err, context);
if (!context || server._hasDefaultSecureContext) {
return;
}
if (!domain) {
domain = greenlock.servername;
}
if (!domain) {
return;
}
return greenlock
.check({ domains: [domain] })
.then(function(certs) {
// ignore the case that check doesn't have all the right args here
// to get the same certs that it just got (eventually the right ones will come in)
if (!certs) {
return;
}
if (server.setSecureContext) {
// only available in node v11.0+
server.setSecureContext({
key: Buffer.from(certs.privkey, "ascii"),
cert: Buffer.from(certs.cert + "\r\n" + certs.chain, "ascii")
});
console.info("Using '%s' as default certificate", domain);
} else {
console.info("Setting default certificates dynamically requires node v11.0+. Skipping.");
}
server._hasDefaultSecureContext = true;
})
.catch(function(/*e*/) {
// this may be that the test.example.com was requested, but it's listed
// on the cert for demo.example.com which is in its own directory, not the other
//console.warn("Unusual error: couldn't get newly authorized certificate:");
//console.warn(e.message);
});
});
};
if (greenlock.tlsOptions.cert) {
server._hasDefaultSecureContext = true;
if (greenlock.tlsOptions.cert.toString("ascii").split("BEGIN").length < 3) {
console.warn(
"Invalid certificate file. 'tlsOptions.cert' should contain cert.pem (certificate file) *and* chain.pem (intermediate certificates) seperated by an extra newline (CRLF)"
);
}
}
var mw = greenlock.middleware.sanitizeHost(function(req, res) {
try {
greenlock.app(req, res);
} catch (e) {
console.error("[error] [greenlock.app] Your HTTP handler had an uncaught error:");
console.error(e);
try {
res.statusCode = 500;
res.end("Internal Server Error: [Greenlock] HTTP exception logged for user-provided handler.");
} catch (e) {
// ignore
// (headers may have already been sent, etc)
}
}
});
server = https.createServer(greenlock.tlsOptions, function(req, res) {
/*
// Don't do this yet
req.on("error", function(err) {
console.error("HTTPS Request Network Connection Error:");
console.error(err);
});
*/
mw(req, res);
});
server.type = httpType;
return {
server: server,
listen: function() {
return new PromiseA(function(resolve) {
args[0] = p;
args.push(function() {
resolve(/*server*/);
});
server.listen.apply(server, args).on("error", function(e) {
if (server.listenerCount("error") < 2) {
console.warn("Did not successfully create http server and bind to port '" + p + "':");
explainError(e);
process.exit(41);
}
});
});
}
};
}
// NOTE: 'greenlock' is just 'opts' renamed
var greenlock = require("greenlock").create(opts);
if (!opts.app) {
opts.app = function(req, res) {
res.end("Hello, World!\nWith Love,\nGreenlock for Express.js");
};
}
opts.listen = function(plainPort, port, fnPlain, fn) {
var server;
var plainServer;
// If there is only one handler for the `listening` (i.e. TCP bound) event
// then we want to use it as HTTPS (backwards compat)
if (!fn) {
fn = fnPlain;
fnPlain = null;
}
var obj1 = _createPlain(plainPort, true);
var obj2 = _create(port, false);
plainServer = obj1.server;
server = obj2.server;
server.then = obj1.listen().then(function(tlsOptions) {
if (tlsOptions) {
if (server.setSecureContext) {
// only available in node v11.0+
server.setSecureContext(tlsOptions);
console.info("Using '%s' as default certificate", greenlock.servername);
} else {
console.info("Setting default certificates dynamically requires node v11.0+. Skipping.");
}
server._hasDefaultSecureContext = true;
}
return obj2.listen().then(function() {
// Report plain http status
if ("function" === typeof fnPlain) {
fnPlain.apply(plainServer);
} else if (!fn && !plainServer.listenerCount("listening") && !server.listenerCount("listening")) {
console.info(
"[:" +
(plainServer.address().port || plainServer.address()) +
"] Handling ACME challenges and redirecting to " +
server.type
);
}
// Report h2/https status
if ("function" === typeof fn) {
fn.apply(server);
} else if (!server.listenerCount("listening")) {
console.info("[:" + (server.address().port || server.address()) + "] Serving " + server.type);
}
});
}).then;
server.unencrypted = plainServer;
return server;
};
opts.middleware.acme = function(opts) {
return greenlock.middleware.sanitizeHost(greenlock.middleware(require("redirect-https")(opts)));
};
opts.middleware.secure = function(app) {
return greenlock.middleware.sanitizeHost(app);
};
return greenlock;
};