walnut.js/lib/sni-server.js

'use strict';

// Note the odd use of callbacks here.
// We're targetting low-power platforms and so we're trying to
// require everything as lazily as possible until our server
// is actually listening on the socket. Bluebird is heavy.
// Even the built-in modules can take dozens of milliseconds to require
module.exports.create = function (certPaths, serverCallback) {
  // Recognize that this secureContexts cache is local to this CPU core
  var secureContexts = {};

  function createSecureServer() {
    var domainname = 'www.example.com';
    var fs = require('fs');
    var secureOpts = {
      // TODO create backup file just in case this one is ever corrupted
      // NOTE synchronous is faster in this case of initialization
      // NOTE certsPath[0] must be the default (LE) directory (another may be used for OV and EV certs)
      key: fs.readFileSync(certPaths[0] + '/' + domainname + '/privkey.pem', 'ascii')
    , cert: fs.readFileSync(certPaths[0] + '/' + domainname + '/fullchain.pem', 'ascii')
      // https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
      // https://nodejs.org/api/tls.html
      // removed :ECDH+AES256:DH+AES256 and added :!AES256 because AES-256 wastes CPU
    , ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256'
    , honorCipherOrder: true
    };

    secureContexts['www.example.com'] = require('tls').createSecureContext(secureOpts);
    secureContexts['example.com'] = secureContexts['www.example.com'];

    //SNICallback is passed the domain name, see NodeJS docs on TLS
    secureOpts.SNICallback = function (domainname, cb) {
      // NOTE: '*.proxyable.*' domains will be truncated
      require('./load-certs').load(secureContexts, certPaths, domainname).then(function (context) {
        cb(null, context);
      }, function (err) {
        console.error('[SNI Callback]');
        console.error(err.stack);
        cb(err);
      });
    };

    serverCallback(null, require('https').createServer(secureOpts));
  }

  createSecureServer();
};
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00			`'use strict';`

Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`// Note the odd use of callbacks here.`
			`// We're targetting low-power platforms and so we're trying to`
			`// require everything as lazily as possible until our server`
			`// is actually listening on the socket. Bluebird is heavy.`
			`// Even the built-in modules can take dozens of milliseconds to require`
			`module.exports.create = function (certPaths, serverCallback) {`
			`// Recognize that this secureContexts cache is local to this CPU core`
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00			`var secureContexts = {};`

			`function createSecureServer() {`
Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`var domainname = 'www.example.com';`
			`var fs = require('fs');`
			`var secureOpts = {`
			`// TODO create backup file just in case this one is ever corrupted`
			`// NOTE synchronous is faster in this case of initialization`
			`// NOTE certsPath[0] must be the default (LE) directory (another may be used for OV and EV certs)`
			`key: fs.readFileSync(certPaths[0] + '/' + domainname + '/privkey.pem', 'ascii')`
			`, cert: fs.readFileSync(certPaths[0] + '/' + domainname + '/fullchain.pem', 'ascii')`
			`// https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/`
			`// https://nodejs.org/api/tls.html`
			`// removed :ECDH+AES256:DH+AES256 and added :!AES256 because AES-256 wastes CPU`
			`, ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256'`
			`, honorCipherOrder: true`
			`};`

load default tls certs 2015-11-23 08:42:25 +00:00			`secureContexts['www.example.com'] = require('tls').createSecureContext(secureOpts);`
			`secureContexts['example.com'] = secureContexts['www.example.com'];`

Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`//SNICallback is passed the domain name, see NodeJS docs on TLS`
			`secureOpts.SNICallback = function (domainname, cb) {`
			`// NOTE: '.proxyable.' domains will be truncated`
			`require('./load-certs').load(secureContexts, certPaths, domainname).then(function (context) {`
			`cb(null, context);`
			`}, function (err) {`
			`console.error('[SNI Callback]');`
			`console.error(err.stack);`
			`cb(err);`
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00			`});`
Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`};`
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00
Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`serverCallback(null, require('https').createServer(secureOpts));`
			`}`
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00
Near-minimal app boot Aside from a few external process calls there are now zero external dependencies required as part of the node.js boot process. Yay! 2015-11-06 11:05:32 +00:00			`createSecureServer();`
Houston, this is big bird. We are multicore! 2015-11-04 09:22:00 +00:00			`};`