pixl-server-web 2.0.4 → 2.0.6

package/README.md

@@ -35,6 +35,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_brotli_opts](#http_brotli_opts)
 	* [http_default_acl](#http_default_acl)
 	* [http_blacklist](#http_blacklist)
+	* [http_allow_hosts](#http_allow_hosts)
 	* [http_rewrites](#http_rewrites)
 	* [http_redirects](#http_redirects)
 	* [http_log_requests](#http_log_requests)
@@ -59,6 +60,8 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_req_max_dump_debounce](#http_req_max_dump_debounce)
 	* [http_public_ip_offset](#http_public_ip_offset)
 	* [http_legacy_callback_support](#http_legacy_callback_support)
+	* [http_startup_message](#http_startup_message)
+	* [http_debug_ttl](#http_debug_ttl)
 	* [https](#https)
 	* [https_port](#https_port)
 	* [https_alt_ports](#https_alt_ports)
@@ -68,6 +71,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [https_force](#https_force)
 	* [https_header_detect](#https_header_detect)
 	* [https_timeout](#https_timeout)
+	* [https_bind_address](#https_bind_address)
 - [Custom URI Handlers](#custom-uri-handlers)
 	* [Access Control Lists](#access-control-lists)
 	* [Internal File Redirects](#internal-file-redirects)
@@ -132,12 +136,12 @@ let server = new PixlServer({
 	__version: "1.0",
 	
 	config: {
-		"log_dir": "/let/log",
+		"log_dir": "/var/log",
 		"debug_level": 9,
 		
 		"WebServer": {
 			"http_port": 80,
-			"http_htdocs_dir": "/let/www/html"
+			"http_htdocs_dir": "/var/www/html"
 		}
 	},
 	
@@ -169,7 +173,7 @@ components: [
 ]
 ```
 
-This example is a very simple web server configuration, which will listen on port 80 and serve static files out of `/let/www/html`.  However, if the URI is `/my/custom/uri`, a custom callback function is fired and can serve up any response it wants.  This is a great way to implement an API.
+This example is a very simple web server configuration, which will listen on port 80 and serve static files out of `/var/www/html`.  However, if the URI is `/my/custom/uri`, a custom callback function is fired and can serve up any response it wants.  This is a great way to implement an API.
 
 # Configuration
 
@@ -204,7 +208,7 @@ This example would cause the server to *only* listen on localhost, and not any e
 
 ## http_htdocs_dir
 
-This is the path to the directory to serve static files out of, e.g. `/let/www/html`.
+This is the path to the directory to serve static files out of, e.g. `/var/www/html`.
 
 ## http_max_upload_size
 
@@ -443,24 +447,18 @@ When a new incoming connection is established, the socket IP is immediately chec
 
 ## http_allow_hosts
 
-The `http_allow_hosts` property allows you to specify a list of hosts to allow on incoming requests.  Specifically, this matches the incoming HTTP `Host` request header, and the value must match at least one entry in the array (case-insensitive).  For example, if you are hosting your application behind a domain name, you may want to restrict incoming requests so that they must explicitly point to your domain name (and disallow requests to the IP address).  Here is how to set this up:
+The `http_allow_hosts` property allows you to specify a limited set of hosts to allow for incoming requests.  Specifically, this matches the incoming HTTP `Host` request header, or SNI (TLS handshake) host for HTTPS, and the value must match at least one entry in the array (case-insensitive).  For example, if you are hosting your application behind a domain name, you may want to restrict incoming requests so that they must explicitly point to your domain name.  Here is how to set this up:
 
 ```json
 	"http_allow_hosts": ["mydomain.com"]
 ```
 
-In the above example, only requests to `mydomain.com` would be allowed.  All other domains or IP addresses in the URL would be rejected with a `HTTP 403 Forbidden` error.  Include multiple entries in the array for things like subdomains:
+In the above example, only requests to `mydomain.com` would be allowed.  All other domains or IP addresses in the URL would be rejected with a `HTTP 403 Forbidden` error (or in the case of SNI / TLS handshake the socket is simply closed).  Include multiple entries in the array for things like subdomains:
 
 ```json
 	"http_allow_hosts": ["mydomain.com", "www.mydomain.com"]
 ```
 
-Note that if your users have to specify a port number in the URL, this must be specified in the `http_allow_hosts` array as well (it matches the `Host` request header exactly).  So for example, if you are hosting an app on a non-standard port number, but you want to restrict the host, include the port like this:
-
-```json
-	"http_allow_hosts": ["mydomain.com:3000"]
-```
-
 If the `http_allow_hosts` array is empty or omitted entirely, all hosts are allowed.  This is the default behavior.
 
 ## http_rewrites
@@ -748,6 +746,24 @@ This adds support for legacy applications, which require JSONP callback-style AP
 
 Only enable this if you are supporting a legacy application which is hosted on a private, trusted network.
 
+## http_startup_message
+
+When set to `true` and running in debug or foreground mode (i.e. `--debug` or `--foreground` CLI flags on startup), this will emit a message to the console on startup detailing all the socket listeners, ports, and URL endpoints you can hit.  Example conaole message:
+
+```
+Web Server Listeners:
+
+	Listening for HTTP on port 3020, network '::' (all)
+	--> http://192.168.3.25:3020/
+
+	Listening for HTTPS on port 3021, network '::' (all)
+	--> https://192.168.3.25:3021/
+```
+
+## http_debug_ttl
+
+When set to `true` and running in debug mode (i.e. `--debug` CLI flag on startup), this will override the value of [http_static_ttl](#http_static_ttl) with `0`.  Useful for local development, i.e. reloading your web app in the browser.
+
 ## https
 
 This boolean allows you to enable HTTPS (SSL) support in the web server.  It defaults to `false`.  Note that you must also set `https_port`, and possibly `https_cert_file` and `https_key_file` for this to work.
@@ -894,15 +910,15 @@ Note that the `Content-Type` response header is automatically set based on the t
 If you would like to host static files in other places besides [http_htdocs_dir](#http_htdocs_dir), possibly with different options, then look no further than the `addDirectoryHandler()` method.  This allows you to set up static file handling with a custom base URI, a custom base directory on disk, and apply other options as well.  You can call this method as many times as you like to setup multiple static file directories.  Example:
 
 ```js
-server.WebServer.addDirectoryHandler( /^\/mycustomdir/, '/let/www/custom' );
+server.WebServer.addDirectoryHandler( /^\/mycustomdir/, '/var/www/custom' );
 ```
 
-The above example would catch all incoming requests starting with `/mycustomdir`, and serve up static files inside of the `/let/www/custom` directory on disk (and possibly nested directories as well).  So a URL such as `http://MYSERVER/mycustomdir/foo/file1.txt` would map to the file `/let/www/custom/foo/file1.txt` on disk.
+The above example would catch all incoming requests starting with `/mycustomdir`, and serve up static files inside of the `/var/www/custom` directory on disk (and possibly nested directories as well).  So a URL such as `http://MYSERVER/mycustomdir/foo/file1.txt` would map to the file `/var/www/custom/foo/file1.txt` on disk.
 
 In this case a default TTL is applied to all files via [http_static_ttl](#http_static_ttl).  If you would like to customize the TTL for your custom static directory, as well as specify other options, pass in an object as the 3rd argument to `addDirectoryHandler()`.  Example of this:
 
 ```js
-server.WebServer.addDirectoryHandler( /^\/mycustomdir/, '/let/www/custom', {
+server.WebServer.addDirectoryHandler( /^\/mycustomdir/, '/var/www/custom', {
 	acl: true
 	ttl: 3600,
 	headers: {
@@ -1821,10 +1837,10 @@ curl -s https://dl.eff.org/certbot-auto > /usr/local/bin/certbot-auto
 chmod a+x /usr/local/bin/certbot-auto
 ```
 
-We'll be using the [Webroot](https://certbot.eff.org/docs/using.html#webroot) method for authorization.  Make sure you have a web server running on your server and listening on port 80 (only plain HTTP is required at this point).  Assuming your web server's document root path is `/let/www/html` issue this command:
+We'll be using the [Webroot](https://certbot.eff.org/docs/using.html#webroot) method for authorization.  Make sure you have a web server running on your server and listening on port 80 (only plain HTTP is required at this point).  Assuming your web server's document root path is `/var/www/html` issue this command:
 
 ```sh
-/usr/local/bin/certbot-auto certonly --webroot -w /let/www/html -d mydomain.com
+/usr/local/bin/certbot-auto certonly --webroot -w /var/www/html -d mydomain.com
 ```
 
 If you need certificates for multiple subdomains, you can repeat the `-d` flag, e.g. `-d mydomain.com -d www.mydomain.com`.
@@ -1878,7 +1894,7 @@ Toss that command into a shell script in `/etc/cron.daily/` and it'll run daily
 /usr/local/bin/certbot-auto renew --post-hook "/opt/myapp/bin/control.sh restart" >/dev/null 2>&1
 ```
 
-Certbot produces its own log file here: `/let/log/letsencrypt/letsencrypt.log`
+Certbot produces its own log file here: `/var/log/letsencrypt/letsencrypt.log`
 
 ## Request Max Dump
 
@@ -1892,11 +1908,11 @@ To enable this feature, set the [http_req_max_dump_enabled](#http_req_max_dump_e
 
 ```json
 "http_req_max_dump_enabled": true,
-"http_req_max_dump_dir": "/let/log/web-server-dumps",
+"http_req_max_dump_dir": "/var/log/web-server-dumps",
 "http_req_max_dump_debounce": 10
 ```
 
-This would generate dump files in the `/let/log/web-server-dumps` directory every 10 seconds, while one or more maximum limits are maxed out.
+This would generate dump files in the `/var/log/web-server-dumps` directory every 10 seconds, while one or more maximum limits are maxed out.
 
 The dump files themselves are in JSON format, and contain everything from the [Stats API](#stats), as well as a list of all active and pending requests.  For each request, an object like the following is provided:
 

package/lib/https.js

@@ -56,7 +56,7 @@ module.exports = class HTTP2 {
 			
 			if (max_conns && (self.numConns >= max_conns)) {
 				// reached maximum concurrent connections, abort new ones
-				self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { ip: ip, port: port, max: max_conns });
+				self.logError('maxconns', "Maximum concurrent connections reached, denying request from: " + ip, { host: socket.servername || '', ip: ip, port: port, max: max_conns });
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
@@ -65,14 +65,23 @@ module.exports = class HTTP2 {
 			}
 			if (self.server.shut) {
 				// server is shutting down, abort new connections
-				self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { ip: ip, port: port});
+				self.logError('shutdown', "Server is shutting down, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port});
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
 				return;
 			}
 			if (ip && self.aclBlacklist.checkAny(ip)) {
-				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { ip: ip, port: port });
+				self.logError('blacklist', "IP is blacklisted, denying connection from: " + ip, { host: socket.servername || '', ip: ip, port: port });
+				socket.end();
+				socket.unref();
+				socket.destroy(); // hard close
+				return;
+			}
+			
+			// SNI: check allow list at socket connect time
+			if (self.httpsAllowHosts.length && !self.httpsAllowHosts.includes( ('' + socket.servername).toLowerCase() )) {
+				self.logError('allowhosts', "SNI host not allowed: " + (socket.servername || 'n/a'), { host: socket.servername || '', ip: ip, port: port });
 				socket.end();
 				socket.unref();
 				socket.destroy(); // hard close
@@ -82,7 +91,7 @@ module.exports = class HTTP2 {
 			var id = self.getNextId('cs');
 			self.conns[ id ] = socket;
 			self.numConns++;
-			self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { ip: ip, port: port, num_conns: self.numConns });
+			self.logDebug(8, "New incoming HTTPS (SSL) connection: " + id, { host: socket.servername || '', ip: ip, port: port, num_conns: self.numConns });
 			
 			// Disable the Nagle algorithm.
 			socket.setNoDelay( true );

package/lib/request.js

@@ -72,7 +72,7 @@ module.exports = class Request {
 		}
 		
 		// custom host allow list
-		if (this.allowHosts.length && !this.allowHosts.includes( ('' + request.headers['host']).toLowerCase() )) {
+		if (this.allowHosts.length && !this.allowHosts.includes( ('' + request.headers['host']).toLowerCase().replace(/\:\d+$/, '') )) {
 			this.logError(403, "Forbidden: Host not allowed: " + (request.headers['host'] || 'n/a'), {
 				id: args.id,
 				host: request.headers['host'] || '',

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "2.0.4",
+	"version": "2.0.6",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",

package/web_server.js

@@ -114,6 +114,12 @@ class WebServer extends Component {
 		// listen for tick events to swap stat buffers
 		this.server.on( 'tick', this.tick.bind(this) );
 		
+		// show post-startup foreground console message if applicable
+		if ((this.server.debug || this.server.foreground) && this.config.get('http_startup_message')) {
+			// add a slight delay to increase chances of user seeing it in the console
+			this.server.on('ready', function() { setTimeout( self.postStartupMessage.bind(self), 250 ); } );
+		}
+		
 		// start listeners
 		this.startAll(callback);
 	}
@@ -247,6 +253,52 @@ class WebServer extends Component {
 		
 		// custom host list
 		this.allowHosts = (this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
+		this.httpsAllowHosts = (this.config.get('https_allow_hosts') || this.config.get('http_allow_hosts') || []).map( function(host) { return host.toLowerCase(); } );
+		
+		// set static TTL to 0 in debug mode
+		if (this.server.debug && this.config.get('http_debug_ttl')) {
+			this.logDebug(5, "Setting static TTL to 0 for debug mode");
+			this.config.set('http_static_ttl', 0);
+		}
+	}
+	
+	postStartupMessage() {
+		// show startup message in console (debug / foreground only)
+		var self = this;
+		var stats = this.getStats();
+		var text = '';
+		
+		text += "\nWeb Server Listeners:\n";
+		
+		stats.listeners.forEach( function(info) {
+			// {"address":"::1","family":"IPv6","port":3013,"ssl":true}
+			var type = info.ssl ? 'HTTPS' : 'HTTP';
+			var host = info.address;
+			text += `\n\tListening for ${type} on port ${info.port}, network '${info.address}'`;
+			
+			switch (info.address) {
+				case '::1':
+				case '127.0.0.1':
+					text += ' (localhost)';
+					host = 'localhost';
+				break;
+				
+				case '::':
+				case '0.0.0.0':
+					text += ' (all)';
+					host = self.server.ip; // best guess (ipv4)
+				break;
+			}
+			
+			text += "\n";
+			var url = (info.ssl ? 'https://' : 'http://') + host;
+			if (info.ssl && (info.port != 443)) url += ':' + info.port;
+			if (!info.ssl & (info.port != 80)) url += ':' + info.port;
+			url += '/';
+			text += "\t--> " + url + "\n";
+		} );
+		
+		console.log(text);
 	}
 	
 	startAll(callback) {
@@ -345,7 +397,9 @@ class WebServer extends Component {
 		var num_sockets = 0;
 		
 		listener_info = this.listeners.map( function(listener) {
-			return listener.address();
+			var info = listener.address() || { port: 'n/a' };
+			if (listener.setSecureContext) info.ssl = true;
+			return info;
 		} );
 		
 		for (var key in this.conns) {
@@ -392,11 +446,6 @@ class WebServer extends Component {
 			}
 		}
 		
-		var ports = [ this.config.get('http_port') ];
-		if (this.config.get('https')) {
-			ports.push( this.config.get('https_port') );
-		}
-		
 		return {
 			server: {
 				uptime_sec: Math.floor(now / 1000) - this.server.started,
@@ -404,7 +453,7 @@ class WebServer extends Component {
 				ip: this.server.ip,
 				name: this.server.__name,
 				version: this.server.__version,
-				ports: ports
+				ports: listener_info.map( function(info) { return info.port; } )
 			},
 			stats: stats,
 			listeners: listener_info,
@@ -542,7 +591,8 @@ class WebServer extends Component {
 			// close all listeners
 			this.listeners.forEach( function(listener) {
 				var info = listener.address() || { port: 'n/a' };
-				listener.close( function() { self.logDebug(3, "HTTP server on port " + info.port + " has shut down.", info); } );
+				if (listener.setSecureContext) info.ssl = true;
+				listener.close( function() { self.logDebug(3, (info.ssl ? "HTTPS": "HTTP") + " server on port " + info.port + " has shut down.", info); } );
 			} );
 			
 			this.requests = {};