tested certs issued via greenlock

bin/stunneld.js

@@ -136,27 +136,22 @@ if (!program.secret) {
 
 // TODO letsencrypt
 program.tlsOptions = require('localhost.daplie.com-certificates').merge({});
-/*
+
-program.tlsOptions.SNICallback = program.greenlock.SNICallback;
-program.middleware = program.greenlock.middleware(function (req, res) {
-  res.end('Hello, World!');
-});
-*/
-/*
 function approveDomains(opts, certs, cb) {
   // This is where you check your database and associated
   // email addresses with domains and agreements and such
 
-
   // The domains being approved for the first time are listed in opts.domains
   // Certs being renewed are listed in certs.altnames
   if (certs) {
     opts.domains = certs.altnames;
   }
   else {
+    if (-1 !== program.servernames.indexOf(opts.domain)) {
       opts.email = program.email;
       opts.agreeTos = program.agreeTos;
     }
+  }
 
   // NOTE: you can also change other options such as `challengeType` and `challenge`
   // opts.challengeType = 'http-01';
@@ -165,10 +160,16 @@ function approveDomains(opts, certs, cb) {
   cb(null, { options: opts, certs: certs });
 }
 
+if (!program.email || !program.agreeTos) {
+  console.error("You didn't specify --email <EMAIL> and --agree-tos");
+  console.error("(required for ACME / Let's Encrypt / Greenlock TLS/SSL certs)");
+  console.error("");
+  process.exit(1);
+}
 program.greenlock = greenlock.create({
 
-  server: 'staging'
+  //server: 'staging'
-  // server: 'https://acme-v01.api.letsencrypt.org/directory'
+  server: 'https://acme-v01.api.letsencrypt.org/directory'
 
 , challenges: {
 		// TODO dns-01
@@ -181,8 +182,15 @@ program.greenlock = greenlock.create({
 
 , agreeTos: program.agreeTos
 
-, approveDomains: program.servernames // approveDomains
+, approveDomains: approveDomains
 
+//, approvedDomains: program.servernames
+
+});
+//program.tlsOptions.SNICallback = program.greenlock.SNICallback;
+/*
+program.middleware = program.greenlock.middleware(function (req, res) {
+  res.end('Hello, World!');
 });
 */
 

handlers.js

@@ -6,37 +6,43 @@ var packerStream = require('tunnel-packer').Stream;
 var redirectHttps = require('redirect-https')();
 
 module.exports.create = function (program) {
-  program.httpServer = http.createServer(function (req, res) {
+  var tunnelAdminTlsOpts = {};
-    console.log('req.socket.encrypted', req.socket.encrypted);
-    res.end("Look! I can do a thing!");
-  });
 
-  program.httpInsecureServer = http.createServer(function (req, res) {
+  // Probably a reverse proxy on an internal network
+  program.httpServer = http.createServer(program.greenlock.middleware(function (req, res) {
+    console.log('req.socket.encrypted', req.socket.encrypted);
+    res.statusCode = 404;
+    res.end("File not found.\n");
+  }));
+  program.handleHttp = function (servername, socket) {
+    console.log("handleHttp('" + servername + "', socket)");
+    socket.__my_servername = servername;
+    program.httpServer.emit('connection', socket);
+  };
+
+  // Probably something that needs to be redirected to https
+  program.httpInsecureServer = http.createServer(program.greenlock.middleware(function (req, res) {
     res.setHeader('Connection', 'close');
     redirectHttps(req, res);
-  });
+  }));
-  program.httpTunnelServer = http.createServer(function (req, res) {
+  program.handleInsecureHttp = function (servername, socket) {
-    console.log('req.socket.encrypted', req.socket.encrypted);
+    console.log("handleInsecureHttp('" + servername + "', socket)");
-    res.end('Hello, World!');
+    socket.__my_servername = servername;
-  });
+    program.httpInsecureServer.emit('connection', socket);
+  };
+
+
+  //
+  // SNI is not recogonized / cannot be handled
+  //
   program.httpInvalidSniServer = http.createServer(function (req, res) {
     res.end("You're doing strange things that make me feel uncomfortable. Please don't touch me there any more.");
   });
-  program.tlsTunnelServer = tls.createServer(program.tlsOptions, function (tlsSocket) {
-    console.log('tls connection');
-    // things get a little messed up here
-    (program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket);
-  });
   program.tlsInvalidSniServer = tls.createServer(program.tlsOptions, function (tlsSocket) {
     console.log('tls connection');
     // things get a little messed up here
     program.httpInvalidSniServer.emit('connection', tlsSocket);
   });
-  program.handleInsecureHttp = function (servername, socket) {
-    console.log("handleInsecureHttp('" + servername + "', socket)");
-    socket.__my_servername = servername;
-    program.httpInsecureServer.emit('connection', socket);
-  };
   program.httpsInvalid = function (servername, socket) {
     // none of these methods work:
     // httpsServer.emit('connection', socket);  // this didn't work
@@ -57,6 +63,26 @@ module.exports.create = function (program) {
       console.error(err);
     });
   };
+
+  //
+  // To ADMIN / CONTROL PANEL of the Tunnel Server Itself
+  //
+  program.httpTunnelServer = http.createServer(function (req, res) {
+    console.log('req.socket.encrypted', req.socket.encrypted);
+    res.end('Hello, World!');
+  });
+  Object.keys(program.tlsOptions).forEach(function (key) {
+    tunnelAdminTlsOpts[key] = program.tlsOptions[key];
+  });
+  tunnelAdminTlsOpts.SNICallback = (program.greenlock && program.greenlock.httpsOptions && function (servername, cb) {
+    console.log("time to handle '" + servername + "'");
+    program.greenlock.httpsOptions.SNICallback(servername, cb);
+  }) || tunnelAdminTlsOpts.SNICallback;
+  program.tlsTunnelServer = tls.createServer(tunnelAdminTlsOpts, function (tlsSocket) {
+    console.log('tls connection');
+    // things get a little messed up here
+    (program.httpTunnelServer || program.httpServer).emit('connection', tlsSocket);
+  });
   program.httpsTunnel = function (servername, socket) {
     // none of these methods work:
     // httpsServer.emit('connection', socket);  // this didn't work
@@ -65,7 +91,7 @@ module.exports.create = function (program) {
 
     var myDuplex = packerStream.create(socket);
 
-    console.log('httpsTunnel servername', servername);
+    console.log('httpsTunnel (Admin) servername', servername);
     program.tlsTunnelServer.emit('connection', myDuplex);
 
     socket.on('data', function (chunk) {
@@ -73,7 +99,7 @@ module.exports.create = function (program) {
       myDuplex.push(chunk);
     });
     socket.on('error', function (err) {
-      console.error('[error] httpsTunnel TODO close');
+      console.error('[error] httpsTunnel (Admin) TODO close');
       console.error(err);
     });
   };

wstunneld.js

@@ -307,13 +307,20 @@ module.exports.create = function (copts) {
         var nextDevice;
 
         if (-1 !== copts.servernames.indexOf(servername)) {
+          console.log("Lock and load, admin interface time!");
           copts.httpsTunnel(servername, browser);
           return;
         }
 
+        if (!servername) {
+          console.log("No SNI was given, so there's nothing we can do here");
+          copts.httpsInvalid(servername, browser);
+          return;
+        }
+
         nextDevice = Devices.next(deviceLists, servername);
-        if (!servername || !nextDevice) {
+        if (!nextDevice) {
-          console.log('this is a server or an unknown');
+          console.log("No devices match the given servername");
           copts.httpsInvalid(servername, browser);
           return;
         }
@@ -347,7 +354,7 @@ module.exports.create = function (copts) {
               pipeWs(servername, service, browser, Devices.next(deviceLists, servername));
               return;
             }
-            copts.handleInsecureHttp(servername, browser);
+            copts.handleHttp(servername, browser);
           }
           else {
             // redirect to https