Verified Commit 36047d22 authored by Aral Balkan's avatar Aral Balkan

Replace Greenlock.js with ACME TLS; remove email requirement for ACME

parent 33fd883f
......@@ -8,6 +8,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
Nothing yet.
## [5.0.0] - 2019-03-09
### Changed
- __Privacy and usability__: Now using [ACME TLS](https://source.ind.ie/hypha/tools/acme-tls/) (fork of Greenlock.js) for Let’s Encrypt certificate provisioning. This removes the artificial and privacy-eroding Greenlock.js requirement to specify an email address for Let’s Encrypt certificates.
- __API:__ The `serve()` method now accepts a single parameter object (`options`).
## [4.0.0] - 2019-03-08
### Added
- Add support for globally-trusted Let’s Encrypt TLS certificates.
## [3.0.0] - 2019-03-05
### Removed
......
......@@ -2,7 +2,7 @@
HTTPS Server is a secure [Small Tech](https://ar.al/2019/03/04/small-technology/) personal web server for seamless development and live use.
HTTP Server uses [nodecert](https://source.ind.ie/hypha/tools/nodecert) for seamless locally-trusted TLS certificate provisioning and use during development and [Greenlock](https://git.coolaj86.com/coolaj86/greenlock.js) for seamless globally-trusted [Let’s Encrypt](https://letsencrypt.org/) TLS certificate provisioning and use on live environments.
HTTP Server uses [nodecert](https://source.ind.ie/hypha/tools/nodecert) for seamless locally-trusted TLS certificate provisioning and use during development and [ACME TLS](https://source.ind.ie/hypha/tools/acme-tls) for seamless globally-trusted [Let’s Encrypt](https://letsencrypt.org/) TLS certificate provisioning and use on live environments.
## Install
......@@ -17,7 +17,7 @@ npm i -g @ind.ie/https-server
### Command-line
```sh
https-server [folder-to-serve] [--port N] [--global <email address>] [--version]
https-server [folder-to-serve] [--port N] [--global] [--version]
```
All command-line arguments are optional. By default, an HTTPS server with locally-trusted certificates will be created for you to serve the current folder over port 443.
......@@ -26,9 +26,7 @@ If you do not already have TLS certificates, they will be created for you automa
All dependencies are installed automatically for you if they do not exist if you have apt, pacman, or yum (untested) on Linux or if you have [Homebrew](https://brew.sh/) or [MacPorts](https://www.macports.org/) (untested) on macOS.
If you specify the `--global` flag and provide an email address, globally-trusted Let’s Encrypt TLS certificates are automatically provisioned for you using Greenlock the first time you hit your hostname. The hostname for the certificates is automatically set from the hostname of your system (and the _www._ subdomain is also automatically provisioned). The email address is a requirement of Let’s Encrypt.
__Note:__ the telemetry and “community member” “features” in Greenlock are, of course, disabled in HTTPS Server.
If you specify the `--global` flag, globally-trusted Let’s Encrypt TLS certificates are automatically provisioned for you using ACME-TLS the first time you hit your hostname. The hostname for the certificates is automatically set from the hostname of your system (and the _www._ subdomain is also automatically provisioned).
### API
......@@ -37,11 +35,11 @@ HTTPS Server’s `createServer` method behaves like the built-in _https_ module
#### createServer([options], [requestListener])
- __options__ _(object)___:__ see [https.createServer](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener). Populates the `cert` and `key` properties from the automatically-created [nodecert](https://source.ind.ie/hypha/tools/nodecert/) or Let’s Encrypt certificates and will overwrite them if they exist in the options object you pass in. If you pass in an email address (`options.email`), globally-trusted TLS certificates are obtained from Let’s Encrypt.
- __options__ _(object)___:__ see [https.createServer](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener). Populates the `cert` and `key` properties from the automatically-created [nodecert](https://source.ind.ie/hypha/tools/nodecert/) or Let’s Encrypt certificates and will overwrite them if they exist in the options object you pass in. If your options has `options.global = true` set, globally-trusted TLS certificates are obtained from Let’s Encrypt using ACME TLS.
- __requestListener__ _(function)___:__ see [https.createServer](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener). If you don’t pass a request listener, HTTPS Server will use its default one.
__Returns:__ [https.Server](https://nodejs.org/api/https.html#https_class_https_server) instance, configured with either locally-trusted certificates via nodecert or globally-trusted ones via Greenlock/Let’s Encrypt.
__Returns:__ [https.Server](https://nodejs.org/api/https.html#https_class_https_server) instance, configured with either locally-trusted certificates via nodecert or globally-trusted ones from Let’s Encrypt.
##### Example
......@@ -52,27 +50,31 @@ const express = require('express')
const app = express()
app.use(express.static('.'))
const options = {} // (optional) customise your server
const options = {} // to use globally-trusted certificates instead, set this to {global: true}
const server = httpsServer.createServer(options, app).listen(443, () => {
console.log(` 🎉 Serving on https://localhost\n`)
})
```
#### serve([pathToServe], [callback], [port], [email])
#### serve([options])
Options is an optional parameter object that may contain the following properties, all optional:
- __pathToServe__ _(string)___:__ the directory to serve using [Express](http://expressjs.com/).static.
- __path__ _(string)___:__ the directory to serve using [Express](http://expressjs.com/).static.
- __callback__ _(function)___:__ a function to be called when the server is ready. If you do not specify a callback, you can specify the port as the second argument.
- __port__ _(number)___:__ the port to serve on. Defaults to 443. (On Linux, privileges to bind to the port are automatically obtained for you.)
- __email__ _(string)___:__ the email address to use for globally-trusted Let’s Encrypt certificates. If provided, globally-trusted certificates will be provisioned and used. (If absent, locally-trusted certificates will be provisioned using nodecert.)
- __global__ _(boolean)___:__ if true, globally-trusted Let’s Encrypt certificates will be provisioned (if necesary) and used via ACME TLS. If false (default), locally-trusted certificates will be provisioned (if necesary) and used using nodecert.
__Returns:__ [https.Server](https://nodejs.org/api/https.html#https_class_https_server) instance, configured with either locally or globally-trusted certificates.
##### Example
Using locally-trusted TLS certificates:
```js
const httpsServer = require('https-server')
......@@ -80,6 +82,15 @@ const httpsServer = require('https-server')
const server = httpsServer.serve()
```
Using globally-trusted TLS certificates:
```js
const httpsServer = require('https-server')
// Serve the current directory over https://localhost
const server = httpsServer.serve({global: true})
```
## Help wanted
I can use your help to test HTTPS Server on the following platform/package manager combinations:
......
......@@ -10,7 +10,7 @@ if (arguments._.length > 2 || arguments.help === true) {
const usageFolderToServe = clr('folder-to-serve', 'green')
const usagePortOption = `${clr('--port', 'yellow')} ${clr('N', 'cyan')}`
const usageGlobalOption = `${clr('--global', 'yellow')} ${clr('you@your.site', 'cyan')}`
const usageGlobalOption = `${clr('--global', 'yellow')}`
const usageVersionOption = `${clr('--version', 'yellow')}`
const usage = `
......@@ -20,7 +20,7 @@ if (arguments._.length > 2 || arguments.help === true) {
${usageFolderToServe}\t\tPath to the folder to serve (defaults to current folder).
${usagePortOption}\t\t\tThe port to start the server on (defaults to 443).
${usageGlobalOption}\tUse globally-trusted certificates. The email address is required by Let’s Encrypt.
${usageGlobalOption}\tUse globally-trusted certificates.
${usageVersionOption}\t\t\tDisplay the version.
`.replace(/\n$/, '').replace(/^\n/, '')
......@@ -47,10 +47,10 @@ if (arguments.port !== undefined) {
port = parseInt(arguments.port)
}
// If an email is passed, use it.
let email = undefined
// If global is specified, use it.
let global = false
if (arguments.global !== undefined) {
email = arguments.global
global = arguments.global === 'true'
}
if (!fs.existsSync(pathToServe)) {
......@@ -59,7 +59,11 @@ if (!fs.existsSync(pathToServe)) {
}
// Start the server.
httpsServer.serve(pathToServe, port, email)
httpsServer.serve({
path: pathToServer,
port,
global
})
// Helpers.
......
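Review bot: The options object handed to `httpsServer.serve` in the last hunk references `pathToServer`, but the variable defined and checked earlier in this file is `pathToServe` (see the `fs.existsSync(pathToServe)` guard), so the new call will fail with a ReferenceError or, if some other `pathToServer` binding exists, serve an unintended directory; the line should read `path: pathToServe,`. The flag parsing in the preceding hunk also looks fragile: `global = arguments.global === 'true'` only recognises the literal string `'true'`, whereas a bare `--global` as shown in the usage text is parsed by minimist (the argument parser listed in package.json, if that is what `arguments` comes from) as the boolean `true`, so the documented flag would silently leave `global` as `false`. Accepting both forms with `global = arguments.global === true || arguments.global === 'true'` would match the usage text. These statements are top-level script code, so no enclosing function is cut by the hunks.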
......@@ -7,7 +7,7 @@ const childProcess = require('child_process')
const express = require('express')
const morgan = require('morgan')
const Greenlock = require('greenlock')
const AcmeTLS = require('@ind.ie/acme-tls')
const redirectHTTPS = require('redirect-https')
// Requiring nodecert ensures that locally-trusted TLS certificates exist.
......@@ -21,23 +21,16 @@ if (!fs.existsSync(nodecertDirectory)) {
class HttpsServer {
//
// Public.
//
// Returns an https server instance – the same as you’d get with
// require('https').createServer – configured with your locally-trusted nodecert
// certificates by default. If you pass in an email address, globally-trusted
// TLS certificates are obtained from Let’s Encrypt.
// require('https').createServer() – configured with your locally-trusted nodecert
// certificates by default. If you pass in {global: true} in the options object,
// globally-trusted TLS certificates are obtained from Let’s Encrypt.
//
// Note: if you pass in a key and cert in the options object, they will not be
// ===== used and will be overwritten.
createServer (options = {}, requestListener = undefined) {
// TODO: Create local certificate authority and certificates if on development
// ===== or use Greenlock on production to ensure that we have Let’s Encrypt
// certificates set up.
if (options.email !== undefined) {
if (options.global) {
delete options.global // Let’s be nice and not pollute that object.
return this._createTLSServerWithGloballyTrustedCertificate (options, requestListener)
} else {
// Default to using local certificates.
......@@ -46,20 +39,33 @@ class HttpsServer {
}
// Starts a static server serving the contents of the passed path at the passed port
// and returns the server. If an email address is provided, then global certificates
// are obtained and used from Let’s Encrypt.
serve (pathToServe = '.', callback = null, port = undefined, email = undefined) {
// Can also be called as serve(pathToServe, port, [email])
if (typeof callback === 'number') {
email = port
port = callback
callback = null
// Starts a static server. You can customise it by passing an options object with the
// following properties (all optional):
//
// • path: (string) the path to serve (defaults to the current working directory).
// • callback: (function) the callback to call once the server is ready (a default is provided).
// • port: (integer) the port to bind to (between 0 - 49,151; the default is 443).
// • global:
//
serve (options) {
// The options parameter object and all supported properties on the options parameter
// object are optional. Check and populate the defaults.
if (options === undefined) options = {}
const pathToServe = typeof options.path === 'string' ? options.path : '.'
const callback = typeof options.callback === 'function' ? options.callback : null
const port = typeof options.port === 'number' ? options.port : 443
const global = typeof options.global === 'boolean' ? options.global : false
// Check for a valid port range
// (port above 49,151 are ephemeral ports. See https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Dynamic,_private_or_ephemeral_ports)
if (port < 0 || port > 49151) {
throw new Error('Error: specified port must be between 0 and 49,151 inclusive.')
}
if (port === undefined) port = 443 // The default port.
// On Linux, we need to get the Node process special access to so-called privileged
// ports (<1,024). This is meaningless security theatre unless you’re living in 1968
// and using a mainframe and hopefully Linux will join the rest of the modern world
// in dropping this requirement soon (macOS just did in Mojave).
this._ensureWeCanBindToPort(port, pathToServe)
// If a callback isn’t provided, fallback to a default one that gives a status update.
......@@ -82,7 +88,7 @@ class HttpsServer {
let server
try {
server = this.createServer({email}, app).listen(port, callback)
server = this.createServer({global}, app).listen(port, callback)
} catch (error) {
console.log('\nError: could not start server', error)
throw error
......@@ -91,7 +97,6 @@ class HttpsServer {
return server
}
//
// Private.
//
......@@ -112,14 +117,11 @@ class HttpsServer {
_createTLSServerWithGloballyTrustedCertificate (options, requestListener = undefined) {
console.log(' 🌍 [https-server] Using globally-trusted certificates.')
const email = options.email
delete options.email // Let’s be nice and not pollute that object.
// Certificates are automatically obtained for the hostname and the www. subdomain of the hostname
// for the machine that we are running on.
const hostname = os.hostname()
const greenlock = Greenlock.create({
const acmeTLS = AcmeTLS.create({
// Note: while testing, you might want to use the staging server at:
// ===== https://acme-staging-v02.api.letsencrypt.org/directory
server: 'https://acme-v02.api.letsencrypt.org/directory',
......@@ -130,18 +132,18 @@ class HttpsServer {
agreeTos: true,
telemetry: false,
communityMember: false,
email,
// email: ' ',
})
// Create an HTTP server to handle redirects for the Let’s Encrypt ACME HTTP-01 challenge method that we use.
const httpsRedirectionMiddleware = redirectHTTPS()
const httpServer = http.createServer(greenlock.middleware(httpsRedirectionMiddleware))
const httpServer = http.createServer(acmeTLS.middleware(httpsRedirectionMiddleware))
httpServer.listen(80, () => {
console.log(' 👉 [https-server] (Globally-trusted TLS) HTTP → HTTPS redirection active.')
})
// Add the TLS options from Greenlock to any existing options that might have been passed in.
Object.assign(options, greenlock.tlsOptions)
// Add the TLS options from ACME TLS to any existing options that might have been passed in.
Object.assign(options, acmeTLS.tlsOptions)
// Create and return the HTTPS server.
return https.createServer(options, requestListener)
......
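Review bot: The new doc comment on `serve` leaves the `global` bullet empty (`// • global:`), so the one option this commit introduces is the only one without a description; suggest `// • global: (boolean) if true, provision and use globally-trusted Let’s Encrypt certificates via ACME TLS; if false (default), use locally-trusted nodecert certificates.` In the same method the port validation accepts any `number`, so `NaN` or a fractional value passes both `typeof options.port === 'number'` and the range test; `if (!Number.isInteger(port) || port < 0 || port > 49151)` would reject them before `_ensureWeCanBindToPort` runs. The commented-out `// email: ' ',` left in the `AcmeTLS.create` options is dead code now that the email requirement is gone and should be deleted rather than kept as a breadcrumb. Note also that `delete options.global` in `createServer` and `Object.assign(options, acmeTLS.tlsOptions)` in the private helper both mutate the caller’s options object, despite the comment about not polluting it; working on a copy via `Object.assign({}, options)` would avoid surprising callers who reuse that object. The body of `serve` continues past the end of its hunk.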
{
"name": "@ind.ie/https-server",
"version": "3.0.0",
"version": "5.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
......@@ -9,6 +9,40 @@
"resolved": "https://registry.npmjs.org/@coolaj86/urequest/-/urequest-1.3.7.tgz",
"integrity": "sha512-PPrVYra9aWvZjSCKl/x1pJ9ZpXda1652oJrPBYy5rQumJJMkmTBN3ux+sK2xAUwVvv2wnewDlaQaHLxLwSHnIA=="
},
"@ind.ie/acme-tls": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/@ind.ie/acme-tls/-/acme-tls-1.0.0.tgz",
"integrity": "sha512-zAhWNDTdQ2g4qZbEHf6h2fRpPHWssJ5Dtfnmnto5a/nPcrsa/KgsUNKVaZZstQGJV6wCEFWFitG0rPZWj/G46g==",
"requires": {
"@ind.ie/acme-v2": "^1.0.1",
"acme": "^1.2.0",
"cert-info": "^1.5.1",
"le-challenge-fs": "^2.0.2",
"le-sni-auto": "^2.1.3",
"le-store-certbot": "^2.1.7",
"rsa-compat": "^2.0.3"
}
},
"@ind.ie/acme-v2": {
"version": "1.0.1",
"resolved": "https://registry.npmjs.org/@ind.ie/acme-v2/-/acme-v2-1.0.1.tgz",
"integrity": "sha512-j3eDjDMRtmphkFkPUNOugjtEQIb6deSW6XFdS43twZmrVVjasNaYUmuAGoJw3dgWsGwdlviowouG0LlafGSFJA==",
"requires": {
"@coolaj86/urequest": "^1.3.6",
"rsa-compat": "^1.9.2"
},
"dependencies": {
"rsa-compat": {
"version": "1.9.2",
"resolved": "https://registry.npmjs.org/rsa-compat/-/rsa-compat-1.9.2.tgz",
"integrity": "sha512-XY4I/74W+QENMd99zVsyHQcxYxWTXd0EihVXsI4oeb1bz7DYxEKasQrjyzYPnR1tZT7fTPu5HP/vTKfs9lzdGA==",
"requires": {
"node-forge": "^0.7.6",
"ursa-optional": "^0.9.10"
}
}
}
},
"@ind.ie/nodecert": {
"version": "1.0.6",
"resolved": "https://registry.npmjs.org/@ind.ie/nodecert/-/nodecert-1.0.6.tgz",
......@@ -36,8 +70,7 @@
},
"acme-v2": {
"version": "1.5.2",
"resolved": "https://registry.npmjs.org/acme-v2/-/acme-v2-1.5.2.tgz",
"integrity": "sha512-Ux0cFCxHeaGGeGyPGMLHBLIGF05OYaxuh4TvaVzwkVVRib/gPpioa50CGj2pnQimH/MRkg0VtWCEdfE45MV/0g==",
"resolved": "git+https://aral@source.ind.ie/hypha/forks/acme-v2.js#87753bdb6d85c709a2c876b15dbb3355f2437e86",
"requires": {
"@coolaj86/urequest": "^1.3.6",
"rsa-compat": "^1.9.2"
......@@ -55,20 +88,17 @@
}
},
"ansi-escape-sequences": {
"version": "4.0.1",
"resolved": "https://registry.npmjs.org/ansi-escape-sequences/-/ansi-escape-sequences-4.0.1.tgz",
"integrity": "sha512-G3Aona26cXv8nWIwID6MP11WSishqnyOPQjYaVJ7CfY2Xgu5sHOXM39nQg6XtyfF9++oLV6l2uFGojBb4zglGA==",
"version": "4.1.0",
"resolved": "https://registry.npmjs.org/ansi-escape-sequences/-/ansi-escape-sequences-4.1.0.tgz",
"integrity": "sha512-dzW9kHxH011uBsidTXd14JXgzye/YLb2LzeKZ4bsgl/Knwx8AtbSFkkGxagdNOoh0DlqHCmfiEjWKBaqjOanVw==",
"requires": {
"array-back": "^2.0.0"
"array-back": "^3.0.1"
}
},
"array-back": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/array-back/-/array-back-2.0.0.tgz",
"integrity": "sha512-eJv4pLLufP3g5kcZry0j6WXpIbzYw9GUB4mVJZno9wfwiBxbizTnHCw3VJb07cBihbFX48Y7oSrW9y+gt4glyw==",
"requires": {
"typical": "^2.6.1"
}
"version": "3.0.1",
"resolved": "https://registry.npmjs.org/array-back/-/array-back-3.0.1.tgz",
"integrity": "sha512-nzD+aqgQPTZlUGH6tE8JEjYPpnuBUFghPbq6zEWBHUmCHGQKWD9pf1PIuc2bMBtzi2OoIaoTJwgBV3h0ztdrFg=="
},
"array-flatten": {
"version": "1.1.1",
......@@ -352,20 +382,6 @@
"path-is-absolute": "^1.0.0"
}
},
"greenlock": {
"version": "2.6.8",
"resolved": "https://registry.npmjs.org/greenlock/-/greenlock-2.6.8.tgz",
"integrity": "sha512-TYm9XrbtGkcFIwfonCzuAGCJXteyZRQxoaHYlDG2OPAihtVAlsM+KAVKsLlzLJ+oVEWj5XPLBnWU9NtwLrRX+Q==",
"requires": {
"acme": "^1.2.0",
"acme-v2": "^1.5.0",
"cert-info": "^1.5.1",
"le-challenge-fs": "^2.0.2",
"le-sni-auto": "^2.1.3",
"le-store-certbot": "^2.1.7",
"rsa-compat": "^2.0.3"
}
},
"has": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/has/-/has-1.0.3.tgz",
......@@ -805,11 +821,6 @@
"mime-types": "~2.1.18"
}
},
"typical": {
"version": "2.6.1",
"resolved": "https://registry.npmjs.org/typical/-/typical-2.6.1.tgz",
"integrity": "sha1-XAgOXWYcu+OCWdLnCjxyU+hziB0="
},
"unpipe": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
......
{
"name": "@ind.ie/https-server",
"version": "4.0.0",
"version": "5.0.0",
"description": "A secure Small Tech personal web server for seamless development and live use.",
"main": "index.js",
"bin": "bin/https-server.js",
......@@ -20,9 +20,9 @@
"license": "AGPL-3.0-or-later",
"dependencies": {
"@ind.ie/nodecert": "^1.0.6",
"ansi-escape-sequences": "^4.0.1",
"ansi-escape-sequences": "^4.1.0",
"express": "^4.16.4",
"greenlock": "^2.6.8",
"@ind.ie/acme-tls": "^1.0.0",
"minimist": "^1.2.0",
"morgan": "^1.9.1",
"redirect-https": "^1.3.0"
......
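Review bot: The new `"@ind.ie/acme-tls": "^1.0.0"` entry is placed where `greenlock` used to be, out of the alphabetical order npm maintains for `dependencies`; moving it above `"@ind.ie/nodecert"` keeps the next `npm install` from reordering the file in an unrelated commit. Relatedly, the lockfile hunk around `"acme-v2"` now resolves that package from a `git+https://aral@source.ind.ie/...` URL pinned to a commit but with its `integrity` field dropped, while the only visible consumer of it (`greenlock`) is removed in this same commit and the new `@ind.ie/acme-tls` entry depends on `@ind.ie/acme-v2` from the registry instead. That entry looks stale or extraneous; if it is still needed, keeping an `integrity` hash would let installs be content-verified rather than trusting the remote host.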