roster-server 2.0.0 → 2.0.4

package/README.md

@@ -176,6 +176,118 @@ When creating a new `RosterServer` instance, you can pass the following options:
 - `local` (boolean): Set to `true` to run in local development mode.
 - `minLocalPort` (number): Minimum port for local mode (default: 4000).
 - `maxLocalPort` (number): Maximum port for local mode (default: 9999).
+- `tlsMode` (string): TLS backend to use — `'auto'` (default), `'greenlock'`, or `'static'`. See [TLS Configuration](#-tls-configuration) below.
+- `tlsDomain` (string): Domain whose cert files are pre-loaded as the server default in static mode (optional).
+- `tls` (object): Additional TLS options passed to `https.createServer` (e.g. `minVersion`, `maxVersion`, `ciphers`).
+
+## 🔒 TLS Configuration
+
+RosterServer supports three TLS backends, selectable with the `tlsMode` option.
+
+### Behavior matrix
+
+| `tlsMode` | Runtime | HTTPS server |
+|-----------|---------|-------------|
+| `'auto'` (default) | Node.js | Greenlock SNI — certs managed and auto-renewed automatically |
+| `'auto'` (default) | Bun | Static file certs from `greenlockStorePath/live/<domain>/` |
+| `'greenlock'` | any | Always Greenlock SNI |
+| `'static'` | any | Always static file certs |
+
+Bun's TLS stack does not support Greenlock's async SNICallback, causing a `tlsv1 alert protocol version` error. `'auto'` mode detects the runtime and picks the correct backend transparently.
+
+### Static mode cert layout
+
+In `'auto'` (Bun) or `'static'` mode, certs are read per-domain from:
+
+```
+greenlockStorePath/
+  live/
+    example.com/
+      privkey.pem
+      cert.pem
+      chain.pem
+    api.example.com/
+      privkey.pem
+      cert.pem
+      chain.pem
+```
+
+Greenlock populates this layout automatically when it renews certificates, so no extra tooling is required.
+
+### Default TLS options
+
+The static-cert path enforces secure defaults that can be overridden with the `tls` option:
+
+```javascript
+{ minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' }
+```
+
+### Examples
+
+**Default — works on both Node and Bun without changes:**
+
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www'
+    // tlsMode defaults to 'auto'
+});
+roster.start();
+```
+
+**Force Greenlock on all runtimes:**
+
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tlsMode: 'greenlock'
+});
+roster.start();
+```
+
+**Force static certs with a pre-loaded default cert (avoids SNI-less connection failures):**
+
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tlsMode: 'static',
+    tlsDomain: 'example.com'  // loaded as the server's fallback cert
+});
+roster.start();
+```
+
+**Custom TLS options (e.g. restrict ciphers):**
+
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tls: {
+        minVersion: 'TLSv1.2',
+        ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
+    }
+});
+roster.start();
+```
+
+### Smoke test
+
+After deploying, verify TLS is working:
+
+```bash
+curl -v https://example.com
+# Should show TLSv1.2 or TLSv1.3 in the handshake — no "alert protocol version" errors
+```
+
+Server logs will display the active mode on startup:
+
+```
+Runtime: bun | TLS mode: static
+HTTPS port 443: using static certs from /srv/greenlock.d/live [static]
+HTTPS server listening on port 443
+```
 
 ## 🏠 Local Development Mode
 

package/index.js

@@ -172,6 +172,78 @@ class Roster {
             throw new Error('⚠️  Port 80 is reserved for ACME challenge. Please use a different port.');
         }
         this.defaultPort = port;
+
+        const validTlsModes = ['auto', 'greenlock', 'static'];
+        this.tlsMode = options.tlsMode || 'auto';
+        if (!validTlsModes.includes(this.tlsMode)) {
+            throw new Error(`Invalid tlsMode "${this.tlsMode}". Must be one of: ${validTlsModes.join(', ')}`);
+        }
+        this.tlsDomain = options.tlsDomain || null;
+        this.tlsOptions = options.tls || {};
+    }
+
+    detectRuntime() {
+        return typeof Bun !== 'undefined' ? 'bun' : 'node';
+    }
+
+    getEffectiveTlsMode() {
+        if (this.tlsMode !== 'auto') {
+            return this.tlsMode;
+        }
+        return this.detectRuntime() === 'bun' ? 'static' : 'greenlock';
+    }
+
+    getDefaultTlsOptions() {
+        return Object.assign({ minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' }, this.tlsOptions);
+    }
+
+    createSNICallback() {
+        return (domain, callback) => {
+            try {
+                const certPath = path.join(this.greenlockStorePath, 'live', domain);
+                const keyPath = path.join(certPath, 'privkey.pem');
+                const certFilePath = path.join(certPath, 'cert.pem');
+                const chainPath = path.join(certPath, 'chain.pem');
+
+                if (fs.existsSync(keyPath) && fs.existsSync(certFilePath) && fs.existsSync(chainPath)) {
+                    const key = fs.readFileSync(keyPath, 'utf8');
+                    const cert = fs.readFileSync(certFilePath, 'utf8');
+                    const chain = fs.readFileSync(chainPath, 'utf8');
+
+                    callback(null, tls.createSecureContext({ key, cert: cert + chain }));
+                } else {
+                    callback(new Error(`No certificate files available for ${domain} at ${certPath}`));
+                }
+            } catch (error) {
+                callback(error);
+            }
+        };
+    }
+
+    createStaticHttpsServer(dispatcher) {
+        const tlsOpts = Object.assign(this.getDefaultTlsOptions(), {
+            SNICallback: this.createSNICallback()
+        });
+
+        if (this.tlsDomain) {
+            const certPath = path.join(this.greenlockStorePath, 'live', this.tlsDomain);
+            const keyPath = path.join(certPath, 'privkey.pem');
+            const certFilePath = path.join(certPath, 'cert.pem');
+            const chainPath = path.join(certPath, 'chain.pem');
+
+            const missing = [keyPath, certFilePath, chainPath].filter(p => !fs.existsSync(p));
+            if (missing.length > 0) {
+                throw new Error(
+                    `Static TLS cert files missing for domain "${this.tlsDomain}":\n` +
+                    missing.map(p => `  - ${p}`).join('\n')
+                );
+            }
+
+            tlsOpts.key = fs.readFileSync(keyPath, 'utf8');
+            tlsOpts.cert = fs.readFileSync(certFilePath, 'utf8') + fs.readFileSync(chainPath, 'utf8');
+        }
+
+        return https.createServer(tlsOpts, dispatcher);
     }
 
     async loadSites() {
@@ -579,6 +651,10 @@ class Roster {
                 };
             };
 
+            const runtime = this.detectRuntime();
+            const effectiveTlsMode = this.getEffectiveTlsMode();
+            log.info(`Runtime: ${runtime} | TLS mode: ${effectiveTlsMode}`);
+
             httpServer.listen(80, this.hostname, () => {
                 log.info('HTTP server listening on port 80');
             });
@@ -595,84 +671,53 @@ class Roster {
                     if (virtualServer) {
                         virtualServer.processUpgrade(req, socket, head);
                     } else {
-                        // No virtual server found, destroy the socket
                         socket.destroy();
                     }
                 };
             };
 
+            const attachHttpsListeners = (httpsServer, portNum, upgradeHandler) => {
+                httpsServer.on('upgrade', upgradeHandler);
+                httpsServer.on('error', (error) => {
+                    log.error(`HTTPS server error on port ${portNum}:`, error.message);
+                });
+                httpsServer.on('tlsClientError', (error) => {
+                    if (!error.message.includes('http request')) {
+                        log.error(`TLS error on port ${portNum}:`, error.message);
+                    }
+                });
+            };
+
             // Handle different port types
             for (const [port, portData] of Object.entries(sitesByPort)) {
                 const portNum = parseInt(port);
                 const dispatcher = createDispatcher(portData);
                 const upgradeHandler = createUpgradeHandler(portData);
 
-                if (portNum === this.defaultPort) {
-                    // Use Greenlock for default port (443) with SSL
-                    const httpsServer = glx.httpsServer(null, dispatcher);
-                    this.portServers[portNum] = httpsServer;
+                let httpsServer;
 
-                    // Handle WebSocket upgrade events
-                    httpsServer.on('upgrade', upgradeHandler);
-
-                    httpsServer.listen(portNum, this.hostname, () => {
-                        log.info(`HTTPS server listening on port ${portNum}`);
-                    });
+                if (portNum === this.defaultPort && effectiveTlsMode === 'greenlock') {
+                    log.info(`HTTPS port ${portNum}: using Greenlock SNI (certs managed automatically)`);
+                    httpsServer = glx.httpsServer(null, dispatcher);
                 } else {
-                    // Create HTTPS server for custom ports using Greenlock certificates
-                    const httpsOptions = {
-                        // SNI callback to get certificates dynamically
-                        SNICallback: (domain, callback) => {
-                            try {
-                                const certPath = path.join(this.greenlockStorePath, 'live', domain);
-                                const keyPath = path.join(certPath, 'privkey.pem');
-                                const certFilePath = path.join(certPath, 'cert.pem');
-                                const chainPath = path.join(certPath, 'chain.pem');
-
-                                if (fs.existsSync(keyPath) && fs.existsSync(certFilePath) && fs.existsSync(chainPath)) {
-                                    const key = fs.readFileSync(keyPath, 'utf8');
-                                    const cert = fs.readFileSync(certFilePath, 'utf8');
-                                    const chain = fs.readFileSync(chainPath, 'utf8');
-
-                                    callback(null, tls.createSecureContext({
-                                        key: key,
-                                        cert: cert + chain
-                                    }));
-                                } else {
-                                    callback(new Error(`No certificate files available for ${domain}`));
-                                }
-                            } catch (error) {
-                                callback(error);
-                            }
-                        }
-                    };
-
-                    const httpsServer = https.createServer(httpsOptions, dispatcher);
-
-                    // Handle WebSocket upgrade events
-                    httpsServer.on('upgrade', upgradeHandler);
-
-                    httpsServer.on('error', (error) => {
-                        log.error(`HTTPS server error on port ${portNum}:`, error.message);
-                    });
-
-                    httpsServer.on('tlsClientError', (error) => {
-                        // Suppress HTTP request errors to avoid log spam
-                        if (!error.message.includes('http request')) {
-                            log.error(`TLS error on port ${portNum}:`, error.message);
-                        }
+                    const modeLabel = portNum === this.defaultPort ? effectiveTlsMode : 'static';
+                    log.info(`HTTPS port ${portNum}: using static certs from ${path.join(this.greenlockStorePath, 'live')} [${modeLabel}]`);
+                    const httpsOptions = Object.assign(this.getDefaultTlsOptions(), {
+                        SNICallback: this.createSNICallback()
                     });
+                    httpsServer = https.createServer(httpsOptions, dispatcher);
+                }
 
-                    this.portServers[portNum] = httpsServer;
+                attachHttpsListeners(httpsServer, portNum, upgradeHandler);
+                this.portServers[portNum] = httpsServer;
 
-                    httpsServer.listen(portNum, this.hostname, (error) => {
-                        if (error) {
-                            log.error(`Failed to start HTTPS server on port ${portNum}:`, error.message);
-                        } else {
-                            log.info(`HTTPS server listening on port ${portNum}`);
-                        }
-                    });
-                }
+                httpsServer.listen(portNum, this.hostname, (error) => {
+                    if (error) {
+                        log.error(`Failed to start HTTPS server on port ${portNum}:`, error.message);
+                    } else {
+                        log.info(`HTTPS server listening on port ${portNum}`);
+                    }
+                });
             }
         });
     }

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "roster-server",
-    "version": "2.0.0",
+    "version": "2.0.4",
     "description": "👾 RosterServer - A domain host router to host multiple HTTPS.",
     "main": "index.js",
     "scripts": {

package/vendor/greenlock-express/greenlock-shim.js

@@ -44,16 +44,16 @@ module.exports.create = function(opts) {
             console.warn("         npx greenlock add --subject example.com --altnames example.com");
             return;
         }
-        console.info("Ready to Serve:");
+        // console.info("Ready to Serve:");
 
         var max = 3;
         if (sites.length >= 1) {
             sites.slice(0, max).forEach(function(site) {
-                console.info("\t", site.altnames.join(" "));
+                // console.info("\t", site.altnames.join(" "));
             });
         }
         if (sites.length > max) {
-            console.info("and %d others", sites.length - max);
+            // console.info("and %d others", sites.length - max);
         }
     });