From 81dce2f0a1c20448a053e057ab0261235b5cc5b4 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Wed, 5 Apr 2017 04:13:03 -0400 Subject: [PATCH] tested certs issued via greenlock --- bin/stunneld.js | 34 +++++++++++++++--------- handlers.js | 70 +++++++++++++++++++++++++++++++++---------------- wstunneld.js | 13 ++++++--- 3 files changed, 79 insertions(+), 38 deletions(-) diff --git a/bin/stunneld.js b/bin/stunneld.js index 22354fd..230ad2d 100755 --- a/bin/stunneld.js +++ b/bin/stunneld.js @@ -136,26 +136,21 @@ if (!program.secret) { // TODO letsencrypt program.tlsOptions = require('localhost.daplie.com-certificates').merge({}); -/* -program.tlsOptions.SNICallback = program.greenlock.SNICallback; -program.middleware = program.greenlock.middleware(function (req, res) { - res.end('Hello, World!'); -}); -*/ -/* + function approveDomains(opts, certs, cb) { // This is where you check your database and associated // email addresses with domains and agreements and such - // The domains being approved for the first time are listed in opts.domains // Certs being renewed are listed in certs.altnames if (certs) { opts.domains = certs.altnames; } else { - opts.email = program.email; - opts.agreeTos = program.agreeTos; + if (-1 !== program.servernames.indexOf(opts.domain)) { + opts.email = program.email; + opts.agreeTos = program.agreeTos; + } } // NOTE: you can also change other options such as `challengeType` and `challenge` @@ -165,10 +160,16 @@ function approveDomains(opts, certs, cb) { cb(null, { options: opts, certs: certs }); } +if (!program.email || !program.agreeTos) { + console.error("You didn't specify --email and --agree-tos"); + console.error("(required for ACME / Let's Encrypt / Greenlock TLS/SSL certs)"); + console.error(""); + process.exit(1); +} program.greenlock = greenlock.create({ - server: 'staging' - // server: 'https://acme-v01.api.letsencrypt.org/directory' + //server: 'staging' + server: 'https://acme-v01.api.letsencrypt.org/directory' , challenges: { // TODO dns-01 @@ -181,8 +182,15 @@ program.greenlock = greenlock.create({ , agreeTos: program.agreeTos -, approveDomains: program.servernames // approveDomains +, approveDomains: approveDomains +//, approvedDomains: program.servernames + +}); +//program.tlsOptions.SNICallback = program.greenlock.SNICallback; +/* +program.middleware = program.greenlock.middleware(function (req, res) { + res.end('Hello, World!'); }); */ diff --git a/handlers.js b/handlers.js index 6f6e19c..cfc4676 100644 --- a/handlers.js +++ b/handlers.js @@ -6,37 +6,43 @@ var packerStream = require('tunnel-packer').Stream; var redirectHttps = require('redirect-https')(); module.exports.create = function (program) { - program.httpServer = http.createServer(function (req, res) { - console.log('req.socket.encrypted', req.socket.encrypted); - res.end("Look! I can do a thing!"); - }); + var tunnelAdminTlsOpts = {}; - program.httpInsecureServer = http.createServer(function (req, res) { + // Probably a reverse proxy on an internal network + program.httpServer = http.createServer(program.greenlock.middleware(function (req, res) { + console.log('req.socket.encrypted', req.socket.encrypted); + res.statusCode = 404; + res.end("File not found.\n"); + })); + program.handleHttp = function (servername, socket) { + console.log("handleHttp('" + servername + "', socket)"); + socket.__my_servername = servername; + program.httpServer.emit('connection', socket); + }; + + // Probably something that needs to be redirected to https + program.httpInsecureServer = http.createServer(program.greenlock.middleware(function (req, res) { res.setHeader('Connection', 'close'); redirectHttps(req, res); - }); - program.httpTunnelServer = http.createServer(function (req, res) { - console.log('req.socket.encrypted', req.socket.encrypted); - res.end('Hello, World!'); - }); + })); + program.handleInsecureHttp = function (servername, socket) { + console.log("handleInsecureHttp('" + servername + "', socket)"); + socket.__my_servername = servername; + program.httpInsecureServer.emit('connection', socket); + }; + + + // + // SNI is not recogonized / cannot be handled + // program.httpInvalidSniServer = http.createServer(function (req, res) { res.end("You're doing strange things that make me feel uncomfortable. Please don't touch me there any more."); }); - program.tlsTunnelServer = tls.createServer(program.tlsOptions, function (tlsSocket) { - console.log('tls connection'); - // things get a little messed up here - (program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket); - }); program.tlsInvalidSniServer = tls.createServer(program.tlsOptions, function (tlsSocket) { console.log('tls connection'); // things get a little messed up here program.httpInvalidSniServer.emit('connection', tlsSocket); }); - program.handleInsecureHttp = function (servername, socket) { - console.log("handleInsecureHttp('" + servername + "', socket)"); - socket.__my_servername = servername; - program.httpInsecureServer.emit('connection', socket); - }; program.httpsInvalid = function (servername, socket) { // none of these methods work: // httpsServer.emit('connection', socket); // this didn't work @@ -57,6 +63,26 @@ module.exports.create = function (program) { console.error(err); }); }; + + // + // To ADMIN / CONTROL PANEL of the Tunnel Server Itself + // + program.httpTunnelServer = http.createServer(function (req, res) { + console.log('req.socket.encrypted', req.socket.encrypted); + res.end('Hello, World!'); + }); + Object.keys(program.tlsOptions).forEach(function (key) { + tunnelAdminTlsOpts[key] = program.tlsOptions[key]; + }); + tunnelAdminTlsOpts.SNICallback = (program.greenlock && program.greenlock.httpsOptions && function (servername, cb) { + console.log("time to handle '" + servername + "'"); + program.greenlock.httpsOptions.SNICallback(servername, cb); + }) || tunnelAdminTlsOpts.SNICallback; + program.tlsTunnelServer = tls.createServer(tunnelAdminTlsOpts, function (tlsSocket) { + console.log('tls connection'); + // things get a little messed up here + (program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket); + }); program.httpsTunnel = function (servername, socket) { // none of these methods work: // httpsServer.emit('connection', socket); // this didn't work @@ -65,7 +91,7 @@ module.exports.create = function (program) { var myDuplex = packerStream.create(socket); - console.log('httpsTunnel servername', servername); + console.log('httpsTunnel (Admin) servername', servername); program.tlsTunnelServer.emit('connection', myDuplex); socket.on('data', function (chunk) { @@ -73,7 +99,7 @@ module.exports.create = function (program) { myDuplex.push(chunk); }); socket.on('error', function (err) { - console.error('[error] httpsTunnel TODO close'); + console.error('[error] httpsTunnel (Admin) TODO close'); console.error(err); }); }; diff --git a/wstunneld.js b/wstunneld.js index 4c490c7..93472eb 100644 --- a/wstunneld.js +++ b/wstunneld.js @@ -307,13 +307,20 @@ module.exports.create = function (copts) { var nextDevice; if (-1 !== copts.servernames.indexOf(servername)) { + console.log("Lock and load, admin interface time!"); copts.httpsTunnel(servername, browser); return; } + if (!servername) { + console.log("No SNI was given, so there's nothing we can do here"); + copts.httpsInvalid(servername, browser); + return; + } + nextDevice = Devices.next(deviceLists, servername); - if (!servername || !nextDevice) { - console.log('this is a server or an unknown'); + if (!nextDevice) { + console.log("No devices match the given servername"); copts.httpsInvalid(servername, browser); return; } @@ -347,7 +354,7 @@ module.exports.create = function (copts) { pipeWs(servername, service, browser, Devices.next(deviceLists, servername)); return; } - copts.handleInsecureHttp(servername, browser); + copts.handleHttp(servername, browser); } else { // redirect to https