npm - roster-server - Versions diffs - 2.0.2 → 2.0.4 - Mend

roster-server 2.0.2 → 2.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -176,6 +176,118 @@ When creating a new `RosterServer` instance, you can pass the following options:
 - `local` (boolean): Set to `true` to run in local development mode.
 - `minLocalPort` (number): Minimum port for local mode (default: 4000).
 - `maxLocalPort` (number): Maximum port for local mode (default: 9999).
+- `tlsMode` (string): TLS backend to use — `'auto'` (default), `'greenlock'`, or `'static'`. See [TLS Configuration](#-tls-configuration) below.
+- `tlsDomain` (string): Domain whose cert files are pre-loaded as the server default in static mode (optional).
+- `tls` (object): Additional TLS options passed to `https.createServer` (e.g. `minVersion`, `maxVersion`, `ciphers`).
+## 🔒 TLS Configuration
+RosterServer supports three TLS backends, selectable with the `tlsMode` option.
+### Behavior matrix
+| `tlsMode` | Runtime | HTTPS server |
+|-----------|---------|-------------|
+| `'auto'` (default) | Node.js | Greenlock SNI — certs managed and auto-renewed automatically |
+| `'auto'` (default) | Bun | Static file certs from `greenlockStorePath/live/<domain>/` |
+| `'greenlock'` | any | Always Greenlock SNI |
+| `'static'` | any | Always static file certs |
+Bun's TLS stack does not support Greenlock's async SNICallback, causing a `tlsv1 alert protocol version` error. `'auto'` mode detects the runtime and picks the correct backend transparently.
+### Static mode cert layout
+In `'auto'` (Bun) or `'static'` mode, certs are read per-domain from:
+```
+greenlockStorePath/
+  live/
+    example.com/
+      privkey.pem
+      cert.pem
+      chain.pem
+    api.example.com/
+      privkey.pem
+      cert.pem
+      chain.pem
+```
+Greenlock populates this layout automatically when it renews certificates, so no extra tooling is required.
+### Default TLS options
+The static-cert path enforces secure defaults that can be overridden with the `tls` option:
+```javascript
+{ minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' }
+```
+### Examples
+**Default — works on both Node and Bun without changes:**
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www'
+    // tlsMode defaults to 'auto'
+});
+roster.start();
+```
+**Force Greenlock on all runtimes:**
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tlsMode: 'greenlock'
+});
+roster.start();
+```
+**Force static certs with a pre-loaded default cert (avoids SNI-less connection failures):**
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tlsMode: 'static',
+    tlsDomain: 'example.com'  // loaded as the server's fallback cert
+});
+roster.start();
+```
+**Custom TLS options (e.g. restrict ciphers):**
+```javascript
+const roster = new Roster({
+    email: 'admin@example.com',
+    wwwPath: '/srv/www',
+    tls: {
+        minVersion: 'TLSv1.2',
+        ciphers: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
+    }
+});
+roster.start();
+```
+### Smoke test
+After deploying, verify TLS is working:
+```bash
+curl -v https://example.com
+# Should show TLSv1.2 or TLSv1.3 in the handshake — no "alert protocol version" errors
+```
+Server logs will display the active mode on startup:
+```
+Runtime: bun | TLS mode: static
+HTTPS port 443: using static certs from /srv/greenlock.d/live [static]
+HTTPS server listening on port 443
+```
 ## 🏠 Local Development Mode

package/index.js CHANGED Viewed

@@ -172,6 +172,78 @@ class Roster {
             throw new Error('⚠️  Port 80 is reserved for ACME challenge. Please use a different port.');
         }
         this.defaultPort = port;
+        const validTlsModes = ['auto', 'greenlock', 'static'];
+        this.tlsMode = options.tlsMode || 'auto';
+        if (!validTlsModes.includes(this.tlsMode)) {
+            throw new Error(`Invalid tlsMode "${this.tlsMode}". Must be one of: ${validTlsModes.join(', ')}`);
+        }
+        this.tlsDomain = options.tlsDomain || null;
+        this.tlsOptions = options.tls || {};
+    }
+    detectRuntime() {
+        return typeof Bun !== 'undefined' ? 'bun' : 'node';
+    }
+    getEffectiveTlsMode() {
+        if (this.tlsMode !== 'auto') {
+            return this.tlsMode;
+        }
+        return this.detectRuntime() === 'bun' ? 'static' : 'greenlock';
+    }
+    getDefaultTlsOptions() {
+        return Object.assign({ minVersion: 'TLSv1.2', maxVersion: 'TLSv1.3' }, this.tlsOptions);
+    }
+    createSNICallback() {
+        return (domain, callback) => {
+            try {
+                const certPath = path.join(this.greenlockStorePath, 'live', domain);
+                const keyPath = path.join(certPath, 'privkey.pem');
+                const certFilePath = path.join(certPath, 'cert.pem');
+                const chainPath = path.join(certPath, 'chain.pem');
+                if (fs.existsSync(keyPath) && fs.existsSync(certFilePath) && fs.existsSync(chainPath)) {
+                    const key = fs.readFileSync(keyPath, 'utf8');
+                    const cert = fs.readFileSync(certFilePath, 'utf8');
+                    const chain = fs.readFileSync(chainPath, 'utf8');
+                    callback(null, tls.createSecureContext({ key, cert: cert + chain }));
+                } else {
+                    callback(new Error(`No certificate files available for ${domain} at ${certPath}`));
+                }
+            } catch (error) {
+                callback(error);
+            }
+        };
+    }
+    createStaticHttpsServer(dispatcher) {
+        const tlsOpts = Object.assign(this.getDefaultTlsOptions(), {
+            SNICallback: this.createSNICallback()
+        });
+        if (this.tlsDomain) {
+            const certPath = path.join(this.greenlockStorePath, 'live', this.tlsDomain);
+            const keyPath = path.join(certPath, 'privkey.pem');
+            const certFilePath = path.join(certPath, 'cert.pem');
+            const chainPath = path.join(certPath, 'chain.pem');
+            const missing = [keyPath, certFilePath, chainPath].filter(p => !fs.existsSync(p));
+            if (missing.length > 0) {
+                throw new Error(
+                    `Static TLS cert files missing for domain "${this.tlsDomain}":\n` +
+                    missing.map(p => `  - ${p}`).join('\n')
+                );
+            }
+            tlsOpts.key = fs.readFileSync(keyPath, 'utf8');
+            tlsOpts.cert = fs.readFileSync(certFilePath, 'utf8') + fs.readFileSync(chainPath, 'utf8');
+        }
+        return https.createServer(tlsOpts, dispatcher);
     }
     async loadSites() {
@@ -579,6 +651,10 @@ class Roster {
                 };
             };
+            const runtime = this.detectRuntime();
+            const effectiveTlsMode = this.getEffectiveTlsMode();
+            log.info(`Runtime: ${runtime} | TLS mode: ${effectiveTlsMode}`);
             httpServer.listen(80, this.hostname, () => {
                 log.info('HTTP server listening on port 80');
             });
@@ -595,84 +671,53 @@ class Roster {
                     if (virtualServer) {
                         virtualServer.processUpgrade(req, socket, head);
                     } else {
-                        // No virtual server found, destroy the socket
                         socket.destroy();
                     }
                 };
             };
+            const attachHttpsListeners = (httpsServer, portNum, upgradeHandler) => {
+                httpsServer.on('upgrade', upgradeHandler);
+                httpsServer.on('error', (error) => {
+                    log.error(`HTTPS server error on port ${portNum}:`, error.message);
+                });
+                httpsServer.on('tlsClientError', (error) => {
+                    if (!error.message.includes('http request')) {
+                        log.error(`TLS error on port ${portNum}:`, error.message);
+                    }
+                });
+            };
             // Handle different port types
             for (const [port, portData] of Object.entries(sitesByPort)) {
                 const portNum = parseInt(port);
                 const dispatcher = createDispatcher(portData);
                 const upgradeHandler = createUpgradeHandler(portData);
-                if (portNum === this.defaultPort) {
-                    // Use Greenlock for default port (443) with SSL
-                    const httpsServer = glx.httpsServer(null, dispatcher);
-                    this.portServers[portNum] = httpsServer;
+                let httpsServer;
-                    // Handle WebSocket upgrade events
-                    httpsServer.on('upgrade', upgradeHandler);
-                    httpsServer.listen(portNum, this.hostname, () => {
-                        log.info(`HTTPS server listening on port ${portNum}`);
-                    });
+                if (portNum === this.defaultPort && effectiveTlsMode === 'greenlock') {
+                    log.info(`HTTPS port ${portNum}: using Greenlock SNI (certs managed automatically)`);
+                    httpsServer = glx.httpsServer(null, dispatcher);
                 } else {
-                    // Create HTTPS server for custom ports using Greenlock certificates
-                    const httpsOptions = {
-                        // SNI callback to get certificates dynamically
-                        SNICallback: (domain, callback) => {
-                            try {
-                                const certPath = path.join(this.greenlockStorePath, 'live', domain);
-                                const keyPath = path.join(certPath, 'privkey.pem');
-                                const certFilePath = path.join(certPath, 'cert.pem');
-                                const chainPath = path.join(certPath, 'chain.pem');
-                                if (fs.existsSync(keyPath) && fs.existsSync(certFilePath) && fs.existsSync(chainPath)) {
-                                    const key = fs.readFileSync(keyPath, 'utf8');
-                                    const cert = fs.readFileSync(certFilePath, 'utf8');
-                                    const chain = fs.readFileSync(chainPath, 'utf8');
-                                    callback(null, tls.createSecureContext({
-                                        key: key,
-                                        cert: cert + chain
-                                    }));
-                                } else {
-                                    callback(new Error(`No certificate files available for ${domain}`));
-                                }
-                            } catch (error) {
-                                callback(error);
-                            }
-                        }
-                    };
-                    const httpsServer = https.createServer(httpsOptions, dispatcher);
-                    // Handle WebSocket upgrade events
-                    httpsServer.on('upgrade', upgradeHandler);
-                    httpsServer.on('error', (error) => {
-                        log.error(`HTTPS server error on port ${portNum}:`, error.message);
-                    });
-                    httpsServer.on('tlsClientError', (error) => {
-                        // Suppress HTTP request errors to avoid log spam
-                        if (!error.message.includes('http request')) {
-                            log.error(`TLS error on port ${portNum}:`, error.message);
-                        }
+                    const modeLabel = portNum === this.defaultPort ? effectiveTlsMode : 'static';
+                    log.info(`HTTPS port ${portNum}: using static certs from ${path.join(this.greenlockStorePath, 'live')} [${modeLabel}]`);
+                    const httpsOptions = Object.assign(this.getDefaultTlsOptions(), {
+                        SNICallback: this.createSNICallback()
                     });
+                    httpsServer = https.createServer(httpsOptions, dispatcher);
+                }
-                    this.portServers[portNum] = httpsServer;
+                attachHttpsListeners(httpsServer, portNum, upgradeHandler);
+                this.portServers[portNum] = httpsServer;
-                    httpsServer.listen(portNum, this.hostname, (error) => {
-                        if (error) {
-                            log.error(`Failed to start HTTPS server on port ${portNum}:`, error.message);
-                        } else {
-                            log.info(`HTTPS server listening on port ${portNum}`);
-                        }
-                    });
-                }
+                httpsServer.listen(portNum, this.hostname, (error) => {
+                    if (error) {
+                        log.error(`Failed to start HTTPS server on port ${portNum}:`, error.message);
+                    } else {
+                        log.info(`HTTPS server listening on port ${portNum}`);
+                    }
+                });
             }
         });
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "roster-server",
-    "version": "2.0.2",
+    "version": "2.0.4",
     "description": "👾 RosterServer - A domain host router to host multiple HTTPS.",
     "main": "index.js",
     "scripts": {