walnut.js/lib/sni-server.js

'use strict';

// Note the odd use of callbacks here.
// We're targetting low-power platforms and so we're trying to
// require everything as lazily as possible until our server
// is actually listening on the socket. Bluebird is heavy.
// Even the built-in modules can take dozens of milliseconds to require
module.exports.create = function (certPaths, serverCallback) {
  // Recognize that this secureContexts cache is local to this CPU core
  var secureContexts = {};

  function createSecureServer() {
    var domainname = 'www.example.com';
    var fs = require('fs');
    var secureOpts = {
      // TODO create backup file just in case this one is ever corrupted
      // NOTE synchronous is faster in this case of initialization
      // NOTE certsPath[0] must be the default (LE) directory (another may be used for OV and EV certs)
      key: fs.readFileSync(certPaths[0] + '/' + domainname + '/privkey.pem', 'ascii')
    , cert: fs.readFileSync(certPaths[0] + '/' + domainname + '/fullchain.pem', 'ascii')
      // https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
      // https://nodejs.org/api/tls.html
      // removed :ECDH+AES256:DH+AES256 and added :!AES256 because AES-256 wastes CPU
    , ciphers: 'ECDH+AESGCM:DH+AESGCM:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256'
    , honorCipherOrder: true
    };

    //SNICallback is passed the domain name, see NodeJS docs on TLS
    secureOpts.SNICallback = function (domainname, cb) {
      // NOTE: '*.proxyable.*' domains will be truncated
      require('./load-certs').load(secureContexts, certPaths, domainname).then(function (context) {
        cb(null, context);
      }, function (err) {
        console.error('[SNI Callback]');
        console.error(err.stack);
        cb(err);
      });
    };

    serverCallback(null, require('https').createServer(secureOpts));
  }

  createSecureServer();
};