greenlock.js/index.js

'use strict';
/*global Promise*/
require('./lib/compat.js');

// I hate this code so much.
// Soooo many shims for backwards compatibility (some stuff dating back to v1)
// v3 will be a clean break and I'll delete half of the code...

var DAY = 24 * 60 * 60 * 1000;
//var MIN = 60 * 1000;
var ACME = require('acme-v2/compat').ACME;
var pkg = require('./package.json');
var util = require('util');

function promisifyAllSelf(obj) {
	if (obj.__promisified) {
		return obj;
	}
	Object.keys(obj).forEach(function(key) {
		if ('function' === typeof obj[key] && !/Async$/.test(key)) {
			obj[key + 'Async'] = util.promisify(obj[key]);
		}
	});
	obj.__promisified = true;
	return obj;
}
function promisifyAllStore(obj) {
	Object.keys(obj).forEach(function(key) {
		if ('function' !== typeof obj[key] || /Async$/.test(key)) {
			return;
		}

		var p;
		if (0 === obj[key].length || 1 === obj[key].length) {
			// wrap just in case it's synchronous (or improperly throws)
			p = function(opts) {
				return Promise.resolve().then(function() {
					return obj[key](opts);
				});
			};
		} else {
			p = util.promisify(obj[key]);
		}
		// internal backwards compat
		obj[key + 'Async'] = p;
	});
	obj.__promisified = true;
	return obj;
}

var Greenlock = module.exports;
Greenlock.Greenlock = Greenlock;
Greenlock.LE = Greenlock;
// in-process cache, shared between all instances
var ipc = {};

function _log(debug) {
	if (debug) {
		var args = Array.prototype.slice.call(arguments);
		args.shift();
		args.unshift('[gl/index.js]');
		console.log.apply(console, args);
	}
}

Greenlock.defaults = {
	productionServerUrl: 'https://acme-v01.api.letsencrypt.org/directory',
	stagingServerUrl: 'https://acme-staging.api.letsencrypt.org/directory',

	rsaKeySize: ACME.rsaKeySize || 2048,
	challengeType: ACME.challengeType || 'http-01',
	challengeTypes: ACME.challengeTypes || ['http-01', 'dns-01'],

	acmeChallengePrefix: ACME.acmeChallengePrefix
};

// backwards compat
Object.keys(Greenlock.defaults).forEach(function(key) {
	Greenlock[key] = Greenlock.defaults[key];
});

// show all possible options
var u; // undefined
Greenlock._undefined = {
	acme: u,
	store: u,
	//, challenge: u
	challenges: u,
	sni: u,
	tlsOptions: u,

	register: u,
	check: u,

	renewWithin: u, // le-auto-sni and core
	//, renewBy: u // le-auto-sni
	acmeChallengePrefix: u,
	rsaKeySize: u,
	challengeType: u,
	server: u,
	version: u,
	agreeToTerms: u,
	_ipc: u,
	duplicate: u,
	_acmeUrls: u
};
Greenlock._undefine = function(gl) {
	Object.keys(Greenlock._undefined).forEach(function(key) {
		if (!(key in gl)) {
			gl[key] = u;
		}
	});

	return gl;
};
Greenlock.create = function(gl) {
	if (!gl.store) {
		console.warn(
			"Deprecation Notice: You're haven't chosen a storage strategy." +
				" The old default is 'le-store-certbot', but the new default will be 'greenlock-store-fs'." +
				" Please `npm install greenlock-store-fs@3` and explicitly set `{ store: require('greenlock-store-fs') }`."
		);
		gl.store = require('le-store-certbot').create({
			debug: gl.debug,
			configDir: gl.configDir,
			logsDir: gl.logsDir,
			webrootPath: gl.webrootPath
		});
	}
	gl.core = require('./lib/core');
	var log = gl.log || _log;

	if (!gl.challenges) {
		gl.challenges = {};
	}
	if (!gl.challenges['http-01']) {
		gl.challenges['http-01'] = require('le-challenge-fs').create({
			debug: gl.debug,
			webrootPath: gl.webrootPath
		});
	}
	if (!gl.challenges['dns-01']) {
		try {
			gl.challenges['dns-01'] = require('le-challenge-ddns').create({
				debug: gl.debug
			});
		} catch (e) {
			try {
				gl.challenges['dns-01'] = require('le-challenge-dns').create({
					debug: gl.debug
				});
			} catch (e) {
				// not yet implemented
			}
		}
	}

	gl = Greenlock._undefine(gl);
	gl.acmeChallengePrefix = Greenlock.acmeChallengePrefix;
	gl.rsaKeySize = gl.rsaKeySize || Greenlock.rsaKeySize;
	gl.challengeType = gl.challengeType || Greenlock.challengeType;
	gl._ipc = ipc;
	gl._communityPackage = gl._communityPackage || 'greenlock.js';
	if ('greenlock.js' === gl._communityPackage) {
		gl._communityPackageVersion = pkg.version;
	} else {
		gl._communityPackageVersion =
			gl._communityPackageVersion || 'greenlock.js-' + pkg.version;
	}
	gl.agreeToTerms =
		gl.agreeToTerms ||
		function(args, agreeCb) {
			agreeCb(
				new Error(
					"'agreeToTerms' was not supplied to Greenlock and 'agreeTos' was not supplied to Greenlock.register"
				)
			);
		};

	if (!gl.renewWithin) {
		gl.renewWithin = 14 * DAY;
	}
	// renewBy has a default in le-sni-auto

	///////////////////////////
	// BEGIN VERSION MADNESS //
	///////////////////////////

	gl.version = gl.version || 'draft-11';
	gl.server = gl.server || 'https://acme-v02.api.letsencrypt.org/directory';
	if (!gl.version) {
		//console.warn("Please specify version: 'v01' (Let's Encrypt v1) or 'draft-12' (Let's Encrypt v2 / ACME draft 12)");
		console.warn('');
		console.warn('');
		console.warn('');
		console.warn(
			'=========================================================='
		);
		console.warn(
			'==                greenlock.js (v2.2.0+)                =='
		);
		console.warn(
			'=========================================================='
		);
		console.warn('');
		console.warn("Please specify 'version' option:");
		console.warn('');
		console.warn(
			"        'draft-12' for Let's Encrypt v2 and ACME draft 12"
		);
		console.warn("        ('v02' is an alias of 'draft-12'");
		console.warn('');
		console.warn('or');
		console.warn('');
		console.warn("        'v01' for Let's Encrypt v1 (deprecated)");
		console.warn(
			"         (also 'npm install --save le-acme-core' as this legacy dependency will soon be removed)"
		);
		console.warn('');
		console.warn('This will be required in versions v2.3+');
		console.warn('');
		console.warn('');
	} else if ('v02' === gl.version) {
		gl.version = 'draft-11';
	} else if ('draft-12' === gl.version) {
		gl.version = 'draft-11';
	} else if ('draft-11' === gl.version) {
		// no-op
	} else if ('v01' !== gl.version) {
		throw new Error("Unrecognized version '" + gl.version + "'");
	}

	if (!gl.server) {
		throw new Error(
			"opts.server must specify an ACME directory URL, such as 'https://acme-staging-v02.api.letsencrypt.org/directory'"
		);
	}
	if ('staging' === gl.server || 'production' === gl.server) {
		if ('staging' === gl.server) {
			gl.server = 'https://acme-staging.api.letsencrypt.org/directory';
			gl.version = 'v01';
			gl._deprecatedServerName = 'staging';
		} else if ('production' === gl.server) {
			gl.server = 'https://acme-v01.api.letsencrypt.org/directory';
			gl.version = 'v01';
			gl._deprecatedServerName = 'production';
		}
		console.warn('');
		console.warn('');
		console.warn('=== WARNING ===');
		console.warn('');
		console.warn(
			"Due to versioning issues the '" +
				gl._deprecatedServerName +
				"' option is deprecated."
		);
		console.warn('Please specify the full url and version.');
		console.warn('');
		console.warn('For APIs add:');
		console.warn('\t, "version": "' + gl.version + '"');
		console.warn('\t, "server": "' + gl.server + '"');
		console.warn('');
		console.warn('For the CLI add:');
		console.warn("\t--acme-url '" + gl.server + "' \\");
		console.warn("\t--acme-version '" + gl.version + "' \\");
		console.warn('');
		console.warn('');
	}

	function loadLeV01() {
		console.warn('');
		console.warn('=== WARNING ===');
		console.warn('');
		console.warn("Let's Encrypt v1 is deprecated.");
		console.warn("Please update to Let's Encrypt v2 (ACME draft 12)");
		console.warn('');
		try {
			return require('le-acme-core').ACME;
		} catch (e) {
			console.error('');
			console.error('=== Error (easy-to-fix) ===');
			console.error('');
			console.error(
				"Hey, this isn't a big deal, but you need to manually add v1 support:"
			);
			console.error('');
			console.error('        npm install --save le-acme-core');
			console.error('');
			console.error(
				'Just run that real quick, restart, and everything will work great.'
			);
			console.error('');
			console.error('');
			process.exit(e.code || 13);
		}
	}

	if (
		-1 !==
		[
			'https://acme-v02.api.letsencrypt.org/directory',
			'https://acme-staging-v02.api.letsencrypt.org/directory'
		].indexOf(gl.server)
	) {
		if ('draft-11' !== gl.version) {
			console.warn(
				"Detected Let's Encrypt v02 URL. Changing version to draft-12."
			);
			gl.version = 'draft-11';
		}
	} else if (
		-1 !==
			[
				'https://acme-v01.api.letsencrypt.org/directory',
				'https://acme-staging.api.letsencrypt.org/directory'
			].indexOf(gl.server) ||
		'v01' === gl.version
	) {
		if ('v01' !== gl.version) {
			console.warn(
				"Detected Let's Encrypt v01 URL (deprecated). Changing version to v01."
			);
			gl.version = 'v01';
		}
	}
	if ('v01' === gl.version) {
		ACME = loadLeV01();
	}
	/////////////////////////
	// END VERSION MADNESS //
	/////////////////////////

	gl.acme =
		gl.acme ||
		ACME.create({
			debug: gl.debug,
			skipChallengeTest: gl.skipChallengeTest,
			skipDryRun: gl.skipDryRun
		});
	if (gl.acme.create) {
		gl.acme = gl.acme.create(gl);
	}
	gl.acme = promisifyAllSelf(gl.acme);
	gl._acmeOpts =
		(gl.acme.getOptions && gl.acme.getOptions()) || gl.acme.options || {};
	Object.keys(gl._acmeOpts).forEach(function(key) {
		if (!(key in gl)) {
			gl[key] = gl._acmeOpts[key];
		}
	});

	try {
		if (gl.store.create) {
			gl.store = gl.store.create(gl);
		}
		gl.store = promisifyAllSelf(gl.store);
		gl.store.accounts = promisifyAllStore(gl.store.accounts);
		gl.store.certificates = promisifyAllStore(gl.store.certificates);
		gl._storeOpts =
			(gl.store.getOptions && gl.store.getOptions()) ||
			gl.store.options ||
			{};
	} catch (e) {
		console.error(e);
		console.error(
			'\nPROBABLE CAUSE:\n' +
				'\tYour greenlock-store module should have a create function and return { options, accounts, certificates }\n'
		);
		process.exit(18);
		return;
	}
	Object.keys(gl._storeOpts).forEach(function(key) {
		if (!(key in gl)) {
			gl[key] = gl._storeOpts[key];
		}
	});

	//
	// Backwards compat for <= v2.1.7
	//
	if (gl.challenge) {
		console.warn(
			"Deprecated use of gl.challenge. Use gl.challenges['" +
				Greenlock.challengeType +
				"'] instead."
		);
		gl.challenges[gl.challengeType] = gl.challenge;
		gl.challenge = undefined;
	}

	Object.keys(gl.challenges || {}).forEach(function(challengeType) {
		var challenger = gl.challenges[challengeType];

		if (challenger.create) {
			challenger = gl.challenges[challengeType] = challenger.create(gl);
		}
		challenger = gl.challenges[challengeType] = promisifyAllSelf(
			challenger
		);
		gl['_challengeOpts_' + challengeType] =
			(challenger.getOptions && challenger.getOptions()) ||
			challenger.options ||
			{};
		Object.keys(gl['_challengeOpts_' + challengeType]).forEach(function(
			key
		) {
			if (!(key in gl)) {
				gl[key] = gl['_challengeOpts_' + challengeType][key];
			}
		});

		// TODO wrap these here and now with tplCopy?
		if (!challenger.set || ![5, 2, 1].includes(challenger.set.length)) {
			throw new Error(
				'gl.challenges[' +
					challengeType +
					'].set receives the wrong number of arguments.' +
					' You must define setChallenge as function (opts) { return Promise.resolve(); }'
			);
		}
		if (challenger.get && ![4, 2, 1].includes(challenger.get.length)) {
			throw new Error(
				'gl.challenges[' +
					challengeType +
					'].get receives the wrong number of arguments.' +
					' You must define getChallenge as function (opts) { return Promise.resolve(); }'
			);
		}
		if (
			!challenger.remove ||
			![4, 2, 1].includes(challenger.remove.length)
		) {
			throw new Error(
				'gl.challenges[' +
					challengeType +
					'].remove receives the wrong number of arguments.' +
					' You must define removeChallenge as function (opts) { return Promise.resolve(); }'
			);
		}

		/*
    if (!gl._challengeWarn && (!challenger.loopback || 4 !== challenger.loopback.length)) {
      gl._challengeWarn = true;
      console.warn("gl.challenges[" + challengeType + "].loopback should be defined as function (opts, domain, token, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed");
    }
    else if (!gl._challengeWarn && (!challenger.test || 5 !== challenger.test.length)) {
      gl._challengeWarn = true;
      console.warn("gl.challenges[" + challengeType + "].test should be defined as function (opts, domain, token, keyAuthorization, cb) { ... } and should prove (by external means) that the ACME server challenge '" + challengeType + "' will succeed");
    }
*/
	});

	gl.sni = gl.sni || null;
	gl.tlsOptions = gl.tlsOptions || gl.httpsOptions || {};

	// Workaround for https://github.com/nodejs/node/issues/22389
	gl._updateServernames = function(cert) {
		if (!gl._certnames) {
			gl._certnames = {};
		}

		// Note: Any given domain could exist on multiple certs
		// (especially during renewal where some may be added)
		// hence we use a separate object for each domain and list each domain on it
		// to get the minimal full set associated with each cert and domain
		var allDomains = [cert.subject].concat(cert.altnames.slice(0));
		allDomains.forEach(function(name) {
			name = name.toLowerCase();
			if (!gl._certnames[name]) {
				gl._certnames[name] = {};
			}
			allDomains.forEach(function(name2) {
				name2 = name2.toLowerCase();
				gl._certnames[name][name2] = true;
			});
		});
	};
	gl._checkServername = function(safeHost, servername) {
		// odd, but acceptable
		if (!safeHost || !servername) {
			return true;
		}
		if (safeHost === servername) {
			return true;
		}
		// connection established with servername and session is re-used for allowed name
		if (gl._certnames[servername] && gl._certnames[servername][safeHost]) {
			return true;
		}
		return false;
	};

	if (!gl.tlsOptions.SNICallback) {
		if (!gl.getCertificatesAsync && !gl.getCertificates) {
			if (Array.isArray(gl.approveDomains)) {
				gl.approvedDomains = gl.approveDomains;
				gl.approveDomains = null;
			}
			if (!gl.approveDomains) {
				gl.approveDomains = function(lexOpts, cb) {
					var err;
					var emsg;

					if (!gl.email) {
						throw new Error(
							'le-sni-auto is not properly configured. Missing email'
						);
					}
					if (!gl.agreeTos) {
						throw new Error(
							'le-sni-auto is not properly configured. Missing agreeTos'
						);
					}
					if (!/[a-z]/i.test(lexOpts.domain)) {
						cb(
							new Error(
								'le-sni-auto does not allow IP addresses in SNI'
							)
						);
						return;
					}

					if (!Array.isArray(gl.approvedDomains)) {
						// The acme-v2 package uses pre-flight test challenges to
						// verify that each requested domain is hosted by the server
						// these checks are sufficient for most use cases
						return cb(null, lexOpts);
					}

					if (
						lexOpts.domains.every(function(domain) {
							return -1 !== gl.approvedDomains.indexOf(domain);
						})
					) {
						// commented this out because people expect to be able to edit the list of domains
						// lexOpts.domains = gl.approvedDomains.slice(0);
						lexOpts.email = gl.email;
						lexOpts.agreeTos = gl.agreeTos;
						lexOpts.communityMember = gl.communityMember;
						lexOpts.telemetry = gl.telemetry;
						return cb(null, lexOpts);
					}

					emsg =
						"tls SNI for '" +
						lexOpts.domains.join(',') +
						"' rejected: not in list '" +
						gl.approvedDomains +
						"'";
					log(gl.debug, emsg, lexOpts.domains, gl.approvedDomains);
					err = new Error(emsg);
					err.code = 'E_REJECT_SNI';
					cb(err);
				};
			}

			gl.getCertificates = function(domain, certs, cb) {
				// certs come from current in-memory cache, not lookup
				log(
					gl.debug,
					'gl.getCertificates called for',
					domain,
					'with certs for',
					(certs && certs.altnames) || 'NONE'
				);
				var opts = {
					domain: domain,
					domains: (certs && certs.altnames) || [domain],
					certs: certs,
					certificate: {},
					account: {}
				};
				opts.wildname =
					'*.' +
					(domain || '')
						.split('.')
						.slice(1)
						.join('.');

				function cb2(results) {
					log(
						gl.debug,
						'gl.approveDomains called with certs for',
						(results.certs && results.certs.altnames) || 'NONE',
						'and options:'
					);
					log(gl.debug, results.options || results);
					var err;
					if (!results) {
						err = new Error('E_REJECT_SNI');
						err.code = 'E_REJECT_SNI';
						eb2(err);
						return;
					}

					var options = results.options || results;
					if (opts !== options) {
						Object.keys(options).forEach(function(key) {
							if (
								'undefined' !== typeof options[key] &&
								'domain' !== key
							) {
								opts[key] = options[key];
							}
						});
						options = opts;
					}
					if (
						Array.isArray(options.altnames) &&
						options.altnames.length
					) {
						options.domains = options.altnames;
					}
					options.altnames = options.domains;
					// just in case we get a completely different object from the one we originally created
					if (!options.account) {
						options.account = {};
					}
					if (!options.certificate) {
						options.certificate = {};
					}
					if (results.certs) {
						log(gl.debug, 'gl renewing');
						return gl.core.certificates
							.renewAsync(options, results.certs)
							.then(
								function(certs) {
									// Workaround for https://github.com/nodejs/node/issues/22389
									gl._updateServernames(certs);
									cb(null, certs);
								},
								function(e) {
									console.debug(
										"Error renewing certificate for '" +
											domain +
											"':"
									);
									console.debug(e);
									console.error('');
									cb(e);
								}
							);
					} else {
						log(
							gl.debug,
							'gl getting from disk or registering new'
						);
						return gl.core.certificates.getAsync(options).then(
							function(certs) {
								// Workaround for https://github.com/nodejs/node/issues/22389
								gl._updateServernames(certs);
								cb(null, certs);
							},
							function(e) {
								console.debug(
									"Error loading/registering certificate for '" +
										domain +
										"':"
								);
								console.debug(e);
								console.error('');
								cb(e);
							}
						);
					}
				}
				function eb2(_err) {
					if (false !== gl.logRejectedDomains) {
						console.error(
							"[Error] approveDomains rejected tls sni '" +
								domain +
								"'"
						);
						console.error(
							'[Error] (see https://git.coolaj86.com/coolaj86/greenlock.js/issues/11)'
						);
						if ('E_REJECT_SNI' !== _err.code) {
							console.error(
								'[Error] This is the rejection message:'
							);
							console.error(_err.message);
						}
						console.error('');
					}
					cb(_err);
					return;
				}
				function mb2(_err, results) {
					if (_err) {
						eb2(_err);
						return;
					}
					cb2(results);
				}

				try {
					if (1 === gl.approveDomains.length) {
						Promise.resolve(gl.approveDomains(opts))
							.then(cb2)
							.catch(eb2);
					} else if (2 === gl.approveDomains.length) {
						gl.approveDomains(opts, mb2);
					} else {
						gl.approveDomains(opts, certs, mb2);
					}
				} catch (e) {
					console.error(
						'[ERROR] Something went wrong in approveDomains:'
					);
					console.error(e);
					console.error(
						"BUT WAIT! Good news: It's probably your fault, so you can probably fix it."
					);
				}
			};
		}
		gl.sni = gl.sni || require('le-sni-auto');
		if (gl.sni.create) {
			gl.sni = gl.sni.create(gl);
		}
		gl.tlsOptions.SNICallback = function(_domain, cb) {
			// format and (lightly) sanitize sni so that users can be naive
			// and not have to worry about SQL injection or fs discovery
			var domain = (_domain || '').toLowerCase();
			// hostname labels allow a-z, 0-9, -, and are separated by dots
			// _ is sometimes allowed
			// REGEX // https://www.codeproject.com/Questions/1063023/alphanumeric-validation-javascript-without-regex
			if (
				!gl.__sni_allow_dangerous_names &&
				(!/^[a-z0-9_\.\-]+$/i.test(domain) ||
					-1 !== domain.indexOf('..'))
			) {
				log(gl.debug, "invalid sni '" + domain + "'");
				cb(new Error('invalid SNI'));
				return;
			}

			try {
				gl.sni.sniCallback(
					(gl.__sni_preserve_case && _domain) || domain,
					cb
				);
			} catch (e) {
				console.error(
					'[ERROR] Something went wrong in the SNICallback:'
				);
				console.error(e);
				cb(e);
			}
		};
	}

	// We want to move to using tlsOptions instead of httpsOptions, but we also need to make
	// sure anything that uses this object will still work if looking for httpsOptions.
	gl.httpsOptions = gl.tlsOptions;

	if (gl.core.create) {
		gl.core = gl.core.create(gl);
	}

	gl.renew = function(args, certs) {
		return gl.core.certificates.renewAsync(args, certs);
	};

	gl.register = function(args) {
		return gl.core.certificates.getAsync(args);
	};

	gl.check = function(args) {
		// TODO must return email, domains, tos, pems
		return gl.core.certificates.checkAsync(args);
	};

	gl.middleware = gl.middleware || require('./lib/middleware');
	if (gl.middleware.create) {
		gl.middleware = gl.middleware.create(gl);
	}

	//var SERVERNAME_RE = /^[a-z0-9\.\-_]+$/;
	var SERVERNAME_G = /[^a-z0-9\.\-_]/;
	gl.middleware.sanitizeHost = function(app) {
		return function(req, res, next) {
			function realNext() {
				if ('function' === typeof app) {
					app(req, res);
				} else if ('function' === typeof next) {
					next();
				} else {
					res.statusCode = 500;
					res.end('Error: no middleware assigned');
				}
			}
			// Get the host:port combo, if it exists
			var host = (req.headers.host || '').split(':');

			// if not, move along
			if (!host[0]) {
				realNext();
				return;
			}

			// if so, remove non-allowed characters
			var safehost = host[0].toLowerCase().replace(SERVERNAME_G, '');

			// if there were unallowed characters, complain
			if (
				!gl.__sni_allow_dangerous_names &&
				safehost.length !== host[0].length
			) {
				res.statusCode = 400;
				res.end("Malformed HTTP Header: 'Host: " + host[0] + "'");
				return;
			}

			// make lowercase
			if (!gl.__sni_preserve_case) {
				host[0] = safehost;
				req.headers.host = host.join(':');
			}

			// Note: This sanitize function is also called on plain sockets, which don't need Domain Fronting checks
			if (req.socket.encrypted && !gl.__sni_allow_domain_fronting) {
				if (req.socket && 'string' === typeof req.socket.servername) {
					// Workaround for https://github.com/nodejs/node/issues/22389
					if (
						!gl._checkServername(
							safehost,
							req.socket.servername.toLowerCase()
						)
					) {
						res.statusCode = 400;
						res.setHeader(
							'Content-Type',
							'text/html; charset=utf-8'
						);
						res.end(
							'<h1>Domain Fronting Error</h1>' +
								"<p>This connection was secured using TLS/SSL for '" +
								req.socket.servername.toLowerCase() +
								"'</p>" +
								"<p>The HTTP request specified 'Host: " +
								safehost +
								"', which is (obviously) different.</p>" +
								'<p>Because this looks like a domain fronting attack, the connection has been terminated.</p>'
						);
						return;
					}
				} else if (
					safehost &&
					!gl.middleware.sanitizeHost._skip_fronting_check
				) {
					// TODO how to handle wrapped sockets, as with telebit?
					console.warn(
						'\n\n\n[greenlock] WARN: no string for req.socket.servername,' +
							" skipping fronting check for '" +
							safehost +
							"'\n\n\n"
					);
					gl.middleware.sanitizeHost._skip_fronting_check = true;
				}
			}

			// carry on
			realNext();
		};
	};
	gl.middleware.sanitizeHost._skip_fronting_check = false;

	return gl;
};