From 85d9547b4d0d10049f996dbb2486930d40a45e53 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 10 May 2018 13:35:48 -0600 Subject: [PATCH] update for latest greenlock --- LICENSE | 31 ++++++++++- README.md | 142 +++++++++++++++++++++++++++++---------------------- index.js | 7 ++- package.json | 14 ++--- 4 files changed, 123 insertions(+), 71 deletions(-) diff --git a/LICENSE b/LICENSE index 8dada3e..a5f428e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,3 +1,32 @@ +At your option you may choose either of the following licenses: + + * The MIT License (MIT) + * The Apache License 2.0 (Apache-2.0) + + +The MIT License (MIT) + +Copyright (c) 2016-2018 AJ ONeal + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + + Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ 
@@ -186,7 +215,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright {yyyy} {name of copyright owner} + Copyright 2015 AJ ONeal Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.md b/README.md index fa09476..07efb24 100644 --- a/README.md +++ b/README.md 
@@ -1,81 +1,76 @@ -# greenlock-hapi +# Greenlock™ for hapi -(previously letsencrypt-hapi) +An Automated HTTPS ACME client (Let's Encrypt v2) for hapi -| [greenlock (lib)](https://git.coolaj86.com/coolaj86/greenlock.js) -| [greenlock-cli](https://git.coolaj86.com/coolaj86/greenlock-cli.js) -| [greenlock-express](https://git.coolaj86.com/coolaj86/greenlock-express.js) -| [greenlock-cluster](https://git.coolaj86.com/coolaj86/greenlock-cluster.js) -| [greenlock-koa](https://git.coolaj86.com/coolaj86/greenlock-koa.js) -| **greenlock-hapi** -| +| Sponsered by [ppl](https://ppl.family) +| Greenlock™ is for +[Browsers](https://git.coolaj86.com/coolaj86/greenlock.html), +[Node.js](https://git.coolaj86.com/coolaj86/greenlock.js), +[Commandline](https://git.coolaj86.com/coolaj86/greenlock-cli.js), +[Express.js](https://git.coolaj86.com/coolaj86/greenlock-express.js), +[Node.js Cluster](https://git.coolaj86.com/coolaj86/greenlock-cluster.js), +**hapi**, +[Koa](https://git.coolaj86.com/coolaj86/greenlock-koa.js), +and [rill](https://git.coolaj86.com/coolaj86/greenlock-rill.js) | -Free SSL and Automatic HTTPS for node.js with hapi.js and other middleware systems via Let's Encrypt +Features +======== -* Automatic Registration via SNI (`httpsOptions.SNICallback`) - * **registrations** require an **approval callback** in *production* -* Automatic Renewal (around 80 days) - * **renewals** are *fully automatic* and happen in the *background*, with **no downtime** -* Automatic vhost / virtual hosting + * [x] Automatic Registration via SNI (`httpsOptions.SNICallback`) + * [x] Secure domain approval callback + * [x] Automatic renewal between 10 and 14 days before expiration + * [x] Virtual Hosting (vhost) with Multiple Domains & SAN + * [x] plugins for AWS, redis, etc + * [x] and [more](https://git.coolaj86.com/coolaj86/greenlock-express.js) -All you have to do is start the webserver and then visit it at it's domain name. 
+This module is just an alias for greenlock-express.js, +which works with any middleware system. -## Install +Install +======= ``` -npm install --save greenlock-express@2.x +npm install --save greenlock-hapi@2.x ``` -*Pay no attention to the man behind the curtain.* (just ignore that the name of the module is greenlock-express) - -### Part 1: Configure Greenlock +QuickStart +========== ```javascript 'use strict'; -var le = require('greenlock-express').create({ +////////////////////// +// Greenlock Setup // +////////////////////// + +var greenlock = require('greenlock-hapi').create({ + version: 'draft-11' // Let's Encrypt v2 // You MUST change this to 'https://acme-v02.api.letsencrypt.org/directory' in production - server: 'https://acme-staging-v02.api.letsencrypt.org/directory' -, version: 'draft-11' // Let's Encrypt v2 - -, configDir: require('os').homedir() + '/letsencrypt/etc' - -, approveDomains: function (opts, certs, cb) { - opts.domains = certs && certs.altnames || opts.domains; - opts.email = 'john.doe@example.com' // CHANGE ME - opts.agreeTos = true; - - cb(null, { options: opts, certs: certs }); - } - - , debug: true +, server: 'https://acme-staging-v02.api.letsencrypt.org/directory' + +, email: 'jon@example.com' +, agreeTos: true +, approveDomains: [ 'example.com' ] + + // Join the community to get notified of important updates + // and help make greenlock better +, communityMember: true + +, configDir: require('os').homedir() + '/acme/etc' + +//, debug: true }); -``` -WARNING: If you don't do any checks and simply complete `approveDomains` callback, -an attacker will spoof SNI packets with bad hostnames and that will cause you to be rate-limited -and/or blocked from the ACME server. 
-Alternatively, You can run registration *manually*: -```bash -npm install -g greenlock-cli +/////////////////// +// Just add hapi // +/////////////////// -greenlock certonly --standalone \ - --server 'https://acme-v02.api.letsencrypt.org/directory' \ - --config-dir ~/acme/etc \ - --agree-tos --domains example.com --email user@example.com - -# Note: the '--webrootPath' option is also available if you don't want to shut down your webserver to get the cert. -``` - -### Part 2: Just add Hapi - -```javascript var hapi = require('hapi'); -var https = require('spdy'); +var https = require('https'); var server = new hapi.Server(); -var acmeResponder = le.middleware(); -var httpsServer = https.createServer(le.httpsOptions).listen(443); +var acmeResponder = greenlock.middleware(); +var httpsServer = https.createServer(greenlock.httpsOptions).listen(443); server.connection({ listener: httpsServer, autoListen: false, tls: true }); 
@@ -98,15 +93,38 @@ server.route({
 reply("Hello, I'm so Hapi!");
 }
 });
-```
-### Part 3: Redirect http to https
-```javascript
+//
+// http redirect to https
+//
 var http = require('http');
 var redirectHttps = require('redirect-https')();
-http.createServer(le.middleware(redirectHttps)).listen(80, function () {
- console.log('handle ACME http-01 challenge and redirect to https');
+http.createServer(greenlock.middleware(redirectHttps)).listen(80, function () {
+ console.log('Listening on port 80 to handle ACME http-01 challenge and redirect to https');
 });
 ```
+
+Usage & Troubleshooting
+============================
+
+See
+
+Handling a dynamic list of domains
+========================
+
+In the oversimplified exapmple above we handle a static list of domains.
+If you add domains programmatically you'll want to use the `approveDomains`
+callback.
+
+**SECURITY**: Be careful with this.
+If you don't check that the domains being requested are the domains you
+allow an attacker can make you hit your rate limit for failed verification
+attempts.
+
+We have a
+[vhost example](https://git.coolaj86.com/coolaj86/greenlock-express.js/src/branch/master/examples/vhost.js)
+that allows any domain for which there is a folder on the filesystem in a specific location.
+
+See that example for an idea of how this is done.
diff --git a/index.js b/index.js
index f5aa71c..49aa767 100644
--- a/index.js
+++ b/index.js
@@ -1,3 +1,8 @@
 'use strict';
-module.exports = require('greenlock-express');
\ No newline at end of file
+module.exports = require('greenlock-express');
+module.exports._greenlockExpressCreate = module.exports.create;
+module.create = function (opts) {
+ opts._communityPackage = opts._communityPackage || 'greenlock-hapi';
+ return module.exports._greenlockExpressCreate(opts);
+};
diff --git a/package.json b/package.json
index 8bcfcec..22a4c8b 100644
--- a/package.json
+++ b/package.json
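Review bot: The new `create` wrapper in the index.js hunk is dead code: it is assigned to `module.create` rather than `module.exports.create`, so `require('greenlock-hapi').create(opts)` still reaches greenlock-express's own `create` and `_communityPackage` is never defaulted to `'greenlock-hapi'`. Fixing that typo alone is not enough, because the hunk patches the object returned by `require('greenlock-express')` in place (`module.exports._greenlockExpressCreate = …` and, once corrected, `module.exports.create = …`), and Node's require cache hands that same object to every other module in the process, so a direct greenlock-express user loaded alongside this package would silently be re-labelled as well. The wrapper also reads `opts._communityPackage` without checking that `opts` was passed, so `create()` throws a TypeError before greenlock-express gets to validate its options. Building a separate export that delegates to the dependency instead of mutating it avoids both problems; this assumes greenlock-express exports a plain object rather than a callable, which is not visible here and should be confirmed against its index.
```javascript
'use strict';

var greenlockExpress = require('greenlock-express');

// Delegate to greenlock-express, but tag the options so the created
// instance reports 'greenlock-hapi' as the community package unless
// the caller already set one. The dependency's module object is left
// untouched so other consumers in the same process are unaffected.
function create(opts) {
  opts = opts || {};
  opts._communityPackage = opts._communityPackage || 'greenlock-hapi';
  return greenlockExpress.create(opts);
}

module.exports = Object.assign({}, greenlockExpress, { create: create });
```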
@@ -1,32 +1,32 @@
 {
 "name": "greenlock-hapi",
- "version": "2.0.4",
- "description": "Free SSL and Automatic HTTPS for node.js with hapi and other middleware systems via ACME (Let's Encrypt)",
+ "version": "2.1.2",
+ "description": "An Automated HTTPS ACME client (Let's Encrypt v2) for hapi",
 "main": "index.js",
 "scripts": {
 "test": "echo \"Error: no test specified\" && exit 1"
 },
 "repository": {
 "type": "git",
- "url": "git+git.daplie.com/Daplie/greenlock-hapi.git"
+ "url": "git+https://git.coolaj86.com/coolaj86/greenlock-hapi.js.git"
 },
 "keywords": [
- "hapi",
 "acme",
 "cloud",
 "cluster",
 "free",
 "greenlock",
+ "freessl",
+ "free ssl",
 "https",
+ "hapi",
 "le",
 "letsencrypt",
- "multi-core",
 "node",
 "node.js",
- "scale",
 "ssl",
 "tls"
 ],
- "author": "AJ ONeal (https://daplie.com/)",
+ "author": "AJ ONeal (https://coolaj86.com/)",
 "license": "(MIT OR Apache-2.0)"
 }
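Review bot: This hunk covers the entire package.json (lines 1–32 on both sides) and it declares no `dependencies` or `peerDependencies`, yet index.js does `require('greenlock-express')`; a consumer who runs the README's `npm install --save greenlock-hapi@2.x` gets a module that throws `Cannot find module 'greenlock-express'` at require time unless that package happens to be installed some other way. Because nothing pins the version, whichever greenlock-express the consumer has will be used, which also defeats lockfile reproducibility for this wrapper. Add `"dependencies": { "greenlock-express": "^2.x" }` with the minor/patch this release was actually tested against (not recoverable from the diff), and consider a `peerDependencies` entry for `hapi` if the package is only meant to be used with it. The `test` script still exits 1 with "no test specified", so neither issue would be caught by `npm test`.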