push.rocks/smartproxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(certProvisioner): Refactor: Introduce unified CertProvisioner to centralize certificate provisioning and renewal; remove legacy ACME config from Port80Handler and update SmartProxy to delegate certificate lifecycle management.

Browse Source
This commit is contained in:
Philipp Kunz
2025-05-02 11:19:14 +00:00
parent 09aadc702e
commit 8a396a04fa
11 changed files with 447 additions and 342 deletions
Download Patch File Download Diff File Expand all files Collapse all files

162
ts/port80handler/classes.port80handler.ts
View File

@ -1,7 +1,6 @@
import * as plugins from '../plugins.js';
import { IncomingMessage, ServerResponse } from 'http';
import * as fs from 'fs';
import * as path from 'path';
// (fs and path I/O moved to CertProvisioner)
// ACME HTTP-01 challenge handler storing tokens in memory (diskless)
class DisklessHttp01Handler {
private storage: Map<string, string>;
@ -87,9 +86,7 @@ interface IPort80HandlerOptions {
useProduction?: boolean;
httpsRedirectPort?: number;
enabled?: boolean; // Whether ACME is enabled at all
autoRenew?: boolean; // Whether to automatically renew certificates
certificateStore?: string; // Directory to store certificates
skipConfiguredCerts?: boolean; // Skip domains that already have certificates
// (Persistence moved to CertProvisioner)
}
/**
@ -163,10 +160,7 @@ export class Port80Handler extends plugins.EventEmitter {
contactEmail: options.contactEmail ?? 'admin@example.com',
useProduction: options.useProduction ?? false, // Safer default: staging
httpsRedirectPort: options.httpsRedirectPort ?? 443,
enabled: options.enabled ?? true, // Enable by default
autoRenew: options.autoRenew ?? true, // Auto-renew by default
certificateStore: options.certificateStore ?? './certs', // Default store location
skipConfiguredCerts: options.skipConfiguredCerts ?? false
enabled: options.enabled ?? true // Enable by default
};
}
@ -201,10 +195,6 @@ export class Port80Handler extends plugins.EventEmitter {
return new Promise((resolve, reject) => {
try {
// Load certificates from store if enabled
if (this.options.certificateStore) {
this.loadCertificatesFromStore();
}
this.server = plugins.http.createServer((req, res) => this.handleRequest(req, res));
@ -370,10 +360,7 @@ export class Port80Handler extends plugins.EventEmitter {
console.log(`Certificate set for ${domain}`);
// Save certificate to store if enabled
if (this.options.certificateStore) {
this.saveCertificateToStore(domain, certificate, privateKey);
}
// (Persistence of certificates moved to CertProvisioner)
// Emit certificate event
this.emitCertificateEvent(Port80HandlerEvents.CERTIFICATE_ISSUED, {
@ -408,134 +395,7 @@ export class Port80Handler extends plugins.EventEmitter {
};
}
/**
* Saves a certificate to the filesystem store
* @param domain The domain for the certificate
* @param certificate The certificate (PEM format)
* @param privateKey The private key (PEM format)
* @private
*/
private saveCertificateToStore(domain: string, certificate: string, privateKey: string): void {
// Skip if certificate store is not enabled
if (!this.options.certificateStore) return;
try {
const storePath = this.options.certificateStore;
// Ensure the directory exists
if (!fs.existsSync(storePath)) {
fs.mkdirSync(storePath, { recursive: true });
console.log(`Created certificate store directory: ${storePath}`);
}
const certPath = path.join(storePath, `${domain}.cert.pem`);
const keyPath = path.join(storePath, `${domain}.key.pem`);
// Write certificate and private key files
fs.writeFileSync(certPath, certificate);
fs.writeFileSync(keyPath, privateKey);
// Set secure permissions for private key
try {
fs.chmodSync(keyPath, 0o600);
} catch (err) {
console.log(`Warning: Could not set secure permissions on ${keyPath}`);
}
console.log(`Saved certificate for ${domain} to ${certPath}`);
} catch (err) {
console.error(`Error saving certificate for ${domain}:`, err);
}
}
/**
* Loads certificates from the certificate store
* @private
*/
private loadCertificatesFromStore(): void {
if (!this.options.certificateStore) return;
try {
const storePath = this.options.certificateStore;
// Ensure the directory exists
if (!fs.existsSync(storePath)) {
fs.mkdirSync(storePath, { recursive: true });
console.log(`Created certificate store directory: ${storePath}`);
return;
}
// Get list of certificate files
const files = fs.readdirSync(storePath);
const certFiles = files.filter(file => file.endsWith('.cert.pem'));
// Load each certificate
for (const certFile of certFiles) {
const domain = certFile.replace('.cert.pem', '');
const keyFile = `${domain}.key.pem`;
// Skip if key file doesn't exist
if (!files.includes(keyFile)) {
console.log(`Warning: Found certificate for ${domain} but no key file`);
continue;
}
// Skip if we should skip configured certs
if (this.options.skipConfiguredCerts) {
const domainInfo = this.domainCertificates.get(domain);
if (domainInfo && domainInfo.certObtained) {
console.log(`Skipping already configured certificate for ${domain}`);
continue;
}
}
// Load certificate and key
try {
const certificate = fs.readFileSync(path.join(storePath, certFile), 'utf8');
const privateKey = fs.readFileSync(path.join(storePath, keyFile), 'utf8');
// Extract expiry date
let expiryDate: Date | undefined;
try {
const matches = certificate.match(/Not After\s*:\s*(.*?)(?:\n|$)/i);
if (matches && matches[1]) {
expiryDate = new Date(matches[1]);
}
} catch (err) {
console.log(`Warning: Could not extract expiry date from certificate for ${domain}`);
}
// Check if domain is already registered
let domainInfo = this.domainCertificates.get(domain);
if (!domainInfo) {
// Register domain if not already registered
domainInfo = {
options: {
domainName: domain,
sslRedirect: true,
acmeMaintenance: true
},
certObtained: false,
obtainingInProgress: false
};
this.domainCertificates.set(domain, domainInfo);
}
// Set certificate
domainInfo.certificate = certificate;
domainInfo.privateKey = privateKey;
domainInfo.certObtained = true;
domainInfo.expiryDate = expiryDate;
console.log(`Loaded certificate for ${domain} from store, valid until ${expiryDate?.toISOString() || 'unknown'}`);
} catch (err) {
console.error(`Error loading certificate for ${domain}:`, err);
}
}
} catch (err) {
console.error('Error loading certificates from store:', err);
}
}
/**
* Check if a domain is a glob pattern
@ -625,13 +485,19 @@ export class Port80Handler extends plugins.EventEmitter {
const { domainInfo, pattern } = domainMatch;
const options = domainInfo.options;
// Serve or forward ACME HTTP-01 challenge requests
if (req.url && req.url.startsWith('/.well-known/acme-challenge/') && options.acmeMaintenance) {
// Handle ACME HTTP-01 challenge requests or forwarding
if (req.url && req.url.startsWith('/.well-known/acme-challenge/')) {
// Forward ACME requests if configured
if (options.acmeForward) {
this.forwardRequest(req, res, options.acmeForward, 'ACME challenge');
return;
}
// If not managing ACME for this domain, return 404
if (!options.acmeMaintenance) {
res.statusCode = 404;
res.end('Not found');
return;
}
// Serve challenge response from in-memory storage
const token = req.url.split('/').pop() || '';
const keyAuth = this.acmeHttp01Storage.get(token);
@ -795,9 +661,7 @@ export class Port80Handler extends plugins.EventEmitter {
domainInfo.expiryDate = expiryDate;
console.log(`Certificate ${isRenewal ? 'renewed' : 'obtained'} for ${domain}`);
if (this.options.certificateStore) {
this.saveCertificateToStore(domain, certificate, privateKey);
}
// Persistence moved to CertProvisioner
const eventType = isRenewal
? Port80HandlerEvents.CERTIFICATE_RENEWED
: Port80HandlerEvents.CERTIFICATE_ISSUED;