feat: config nginx to pass https request that have no server block defined to the application, '@cocreate/server' and '@cocreate/acme' will get or create sll and update nginx stream and server block. At this point nginx will handle ssl termination

Author: frankpagan

src/index.js

@@ -3,6 +3,7 @@ const exec = util.promisify(require('node:child_process').exec);
 let fs = require('fs');
 const os = require('os');
 
+const conf = "/etc/nginx/nginx.conf"
 const available = "/etc/nginx/sites-available/"
 const enabled = "/etc/nginx/sites-enabled/"
 class CoCreateNginx {
@@ -27,8 +28,6 @@ class CoCreateNginx {
                     console.log('Nginx installed successfully');
                 }
 
-                await exec('sudo chmod 777 /etc/nginx/nginx.conf');
-
                 let stream = `user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
@@ -40,27 +39,68 @@ events {
 }
 
 http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    ssl_protocols TLSv1.2 TLSv1.3;  
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    # resolver [YOUR_DNS_RESOLVER_IP] valid=300s;  # Replace with your DNS resolver IP
+    resolver_timeout 5s;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'";
+
+    server_tokens off;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    gzip on;
+    gzip_disable "msie6";
+
     include /etc/nginx/conf.d/*.conf;
     include /etc/nginx/sites-enabled/*;
 }
 
 stream {
+    map $ssl_preread_server_name $upstream {
+        default nodejs_ssl;
+    }
+
     server {
         listen 443;
-        proxy_pass 127.0.0.1:8443; # Node.js app listening on port 8443
+        proxy_pass $upstream;
+        ssl_preread on;
+    }
+
+    upstream nginx_ssl {
+        server 127.0.0.1:12345;  # Nginx handles SSL
+    }
+
+    upstream nodejs_ssl {
+        server 127.0.0.1:8443;  # Node.js SSL
     }
 }
 `
-                // fs.writeFileSync('/etc/nginx/nginx.conf', stream)
+                await exec(`sudo chmod 777 ${conf}`);
+                fs.writeFileSync(conf, stream)
 
-                await exec('sudo chmod 777 /etc/nginx/sites-available');
-                await exec('sudo chmod 777 /etc/nginx/sites-enabled');
-                if (!fs.existsSync(`${enabled}main`)) {
-                    let main = `server {
+                await exec(`sudo chmod 777 ${available}`);
+                await exec(`sudo chmod 777 ${enabled}`);
+                let main = `server {
     listen 80;
     listen [::]:80;
 
-    location / {
+    location /.well-known/acme-challenge/ {
         proxy_pass http://localhost:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -73,25 +113,29 @@ stream {
         proxy_buffers 4 256k;
         proxy_busy_buffers_size 256k;
     }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 `
-
-                    fs.writeFileSync(`${available}main`, main)
-                    await exec(`sudo ln -s ${available}main ${enabled}`);
-
-                    if (fs.existsSync(`${enabled}default`))
-                        fs.unlinkSync(`${enabled}default`)
-                    if (fs.existsSync(`${available}default`))
-                        fs.unlinkSync(`${available}default`)
-
-                    let test = await exec(`sudo nginx -t`);
-                    if (test.stderr.includes('test is successful')) {
-                        await exec(`sudo systemctl reload nginx`);
-                        console.log('main test passed reloading nginx')
-                    } else {
-                        console.log('main test failed')
-                    }
-
+                if (fs.existsSync(`${enabled}main.txt`))
+                    fs.writeFileSync(`${available}main.txt`, main)
+                else {
+                    fs.writeFileSync(`${available}main.txt`, main)
+                    await exec(`sudo ln -s ${available}main.txt ${enabled}`);
+                }
+                if (fs.existsSync(`${enabled}default`))
+                    fs.unlinkSync(`${enabled}default`)
+                if (fs.existsSync(`${available}default`))
+                    fs.unlinkSync(`${available}default`)
+
+                let test = await exec(`sudo nginx -t`);
+                if (test.stderr.includes('test is successful')) {
+                    await exec(`sudo systemctl reload nginx`);
+                    console.log('main test passed reloading nginx')
+                } else {
+                    console.log('main test failed')
                 }
 
             } else if (platform === 'darwin') {
@@ -119,32 +163,35 @@ stream {
             const hostParts = host.split('.')
             const domain = hostParts[0];
             const tld = hostParts[1];
+            const stream = fs.readFileSync(conf, 'utf8');
+            const modifiedStream = stream.replace('default nodejs_ssl;', `\t\t${host} nginx_ssl;\ndefault nodejs_ssl;`);
+            fs.writeFileSync(conf, modifiedStream);
+
             const server = `
 server {
-    server_name  ~^(?<sub>.+)\.${domain}\.${tld} ${host};
+    listen 12345 ssl http2;
+    server_name ~^(?<sub>.+)\.${domain}\.${tld} ${host};
   
     location / {
-            proxy_pass http://localhost:8080;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "Upgrade";
-
-            fastcgi_buffers 16 16k;
-            fastcgi_buffer_size 32k;
-            proxy_buffer_size 128k;
-            proxy_buffers 4 256k;
-            proxy_busy_buffers_size 256k;
+        proxy_pass http://localhost:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
 
+        fastcgi_buffers 16 16k;
+        fastcgi_buffer_size 32k;
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
     }
 
-    listen 443 ssl http2;
-    ssl_certificate /etc/certificates/${host}/fullchain.pem;
-    ssl_certificate_key /etc/certificates/${host}/private-key.pem;
-}
+    ssl_certificate /etc/certificates/${host}/fullchain.pem;  # Adjust to your certificate path
+    ssl_certificate_key /etc/certificates/${host}/private-key.pem;  # Adjust to your key path
 
+}
 `;
 
             fs.writeFileSync(`${available}${host}`, server)