pad.libre-service.eu-etherpad/src/node/hooks/express.js

var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");
var express = require('express');
var settings = require('../utils/Settings');
var fs = require('fs');
var path = require('path');
var npm = require("npm/lib/npm.js");
var  _ = require("underscore");

var server;
var serverName;

exports.createServer = function () {
  console.log("Report bugs at https://github.com/ether/etherpad-lite/issues")

  serverName = `Etherpad ${settings.getGitCommit()} (https://etherpad.org)`;

  console.log(`Your Etherpad version is ${settings.getEpVersion()} (${settings.getGitCommit()})`);

  exports.restartServer();

  if (settings.ip === "") {
    // using Unix socket for connectivity
    console.log(`You can access your Etherpad instance using the Unix socket at ${settings.port}`);
  } else {
    console.log(`You can access your Etherpad instance at http://${settings.ip}:${settings.port}/`);
  }

  if (!_.isEmpty(settings.users)) {
    console.log(`The plugin admin page is at http://${settings.ip}:${settings.port}/admin/plugins`);
  } else {
    console.warn("Admin username and password not set in settings.json.  To access admin please uncomment and edit 'users' in settings.json");
  }

  var env = process.env.NODE_ENV || 'development';

  if (env !== 'production') {
    console.warn("Etherpad is running in Development mode.  This mode is slower for users and less secure than production mode.  You should set the NODE_ENV environment variable to production by using: export NODE_ENV=production");
  }
}

exports.restartServer = function () {
  if (server) {
    console.log("Restarting express server");
    server.close();
  }

  var app = express(); // New syntax for express v3

  if (settings.ssl) {
    console.log("SSL -- enabled");
    console.log(`SSL -- server key file: ${settings.ssl.key}`);
    console.log(`SSL -- Certificate Authority's certificate file: ${settings.ssl.cert}`);

    var options = {
      key: fs.readFileSync( settings.ssl.key ),
      cert: fs.readFileSync( settings.ssl.cert )
    };

    if (settings.ssl.ca) {
      options.ca = [];
      for (var i = 0; i < settings.ssl.ca.length; i++) {
        var caFileName = settings.ssl.ca[i];
        options.ca.push(fs.readFileSync(caFileName));
      }
    }

    var https = require('https');
    server = https.createServer(options, app);
  } else {
    var http = require('http');
    server = http.createServer(app);
  }

  app.use(function(req, res, next) {
    // res.header("X-Frame-Options", "deny"); // breaks embedded pads
    if (settings.ssl) {
      // we use SSL
      res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
    }

    // Stop IE going into compatability mode
    // https://github.com/ether/etherpad-lite/issues/2547
    res.header("X-UA-Compatible", "IE=Edge,chrome=1");

    // Enable a strong referrer policy. Same-origin won't drop Referers when
    // loading local resources, but it will drop them when loading foreign resources.
    // It's still a last bastion of referrer security. External URLs should be
    // already marked with rel="noreferer" and user-generated content pages are already
    // marked with <meta name="referrer" content="no-referrer">
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
    // https://github.com/ether/etherpad-lite/pull/3636
    res.header("Referrer-Policy", "same-origin");

    // send git version in the Server response header if exposeVersion is true.
    if (settings.exposeVersion) {
      res.header("Server", serverName);
    }

    next();
  });

  if (settings.trustProxy) {
    app.enable('trust proxy');
  }

  hooks.callAll("expressConfigure", {"app": app});
  hooks.callAll("expressCreateServer", {"app": app, "server": server});

  server.listen(settings.port, settings.ip);
}
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks");`
			`var express = require('express');`
			`var settings = require('../utils/Settings');`
			`var fs = require('fs');`
			`var path = require('path');`
Load npm to enable server to see the git revision. 2012-07-08 11:37:24 +02:00			`var npm = require("npm/lib/npm.js");`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`var _ = require("underscore");`

			`var server;`
			`var serverName;`

			`exports.createServer = function () {`
Fix urls, use github.com/ether Signed-off-by: Hyacinthe Cartiaux <hyacinthe.cartiaux@uni.lu> 2012-11-22 01:12:30 +01:00			`console.log("Report bugs at https://github.com/ether/etherpad-lite/issues")`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00
Change everywhere the link to https://etherpad.org (it was plain http) 2019-04-16 00:54:54 +02:00			serverName = `Etherpad ${settings.getGitCommit()} (https://etherpad.org)`;
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
logs: on the server, use template literals when possible It's just synctactic sugar, but it is always better than executing string concatenations in one's mind. Do not do this with files in src/static, because we want to keep IE 11 compatibility. 2018-08-27 01:29:37 +02:00			console.log(`Your Etherpad version is ${settings.getEpVersion()} (${settings.getGitCommit()})`);
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00
			`exports.restartServer();`

settings: document the possibility of using Unix sockets We have been supporting Unix sockets by ages, because express.listen() (http://expressjs.com/en/4x/api.html#app.listen_path_callback) re-exposes net.server.listen() (https://nodejs.org/api/net.html#net_server_listen), which in turn supports Unix sockets. The only remaining thing to do was documenting it. Fixes #3312 2020-03-30 00:27:22 +02:00			`if (settings.ip === "") {`
			`// using Unix socket for connectivity`
			console.log(`You can access your Etherpad instance using the Unix socket at ${settings.port}`);
			`} else {`
			console.log(`You can access your Etherpad instance at http://${settings.ip}:${settings.port}/`);
			`}`

Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`if (!_.isEmpty(settings.users)) {`
logs: on the server, use template literals when possible It's just synctactic sugar, but it is always better than executing string concatenations in one's mind. Do not do this with files in src/static, because we want to keep IE 11 compatibility. 2018-08-27 01:29:37 +02:00			console.log(`The plugin admin page is at http://${settings.ip}:${settings.port}/admin/plugins`);
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`} else {`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`console.warn("Admin username and password not set in settings.json. To access admin please uncomment and edit 'users' in settings.json");`
			`}`
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00
Update express.js 2018-04-03 11:59:10 +02:00			`var env = process.env.NODE_ENV \|\| 'development';`
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00
			`if (env !== 'production') {`
Update express.js 2018-04-03 11:59:10 +02:00			`console.warn("Etherpad is running in Development mode. This mode is slower for users and less secure than production mode. You should set the NODE_ENV environment variable to production by using: export NODE_ENV=production");`
			`}`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`}`

			`exports.restartServer = function () {`
			`if (server) {`
			`console.log("Restarting express server");`
			`server.close();`
			`}`

Differentiate between http server and express app 2012-09-21 17:12:22 +02:00			`var app = express(); // New syntax for express v3`
initial https version fix #1148 2012-11-22 10:12:58 +01:00
			`if (settings.ssl) {`
logs: on the server, use template literals when possible It's just synctactic sugar, but it is always better than executing string concatenations in one's mind. Do not do this with files in src/static, because we want to keep IE 11 compatibility. 2018-08-27 01:29:37 +02:00			`console.log("SSL -- enabled");`
			console.log(`SSL -- server key file: ${settings.ssl.key}`);
			console.log(`SSL -- Certificate Authority's certificate file: ${settings.ssl.cert}`);
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
dont make local variables global 2014-12-14 22:01:28 +01:00			`var options = {`
initial https version fix #1148 2012-11-22 10:12:58 +01:00			`key: fs.readFileSync( settings.ssl.key ),`
			`cert: fs.readFileSync( settings.ssl.cert )`
			`};`
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00
Adding support for providing intermediate CA certificates when running etherpad-lite with ssl through Node/expressjs 2015-04-22 20:29:19 +02:00			`if (settings.ssl.ca) {`
			`options.ca = [];`
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`for (var i = 0; i < settings.ssl.ca.length; i++) {`
Adding support for providing intermediate CA certificates when running etherpad-lite with ssl through Node/expressjs 2015-04-22 20:29:19 +02:00			`var caFileName = settings.ssl.ca[i];`
			`options.ca.push(fs.readFileSync(caFileName));`
			`}`
			`}`
Remove trailing whitespaces Hoping to minimize future diffs. Not touching vendorized libraries. 2019-04-16 00:34:29 +02:00
initial https version fix #1148 2012-11-22 10:12:58 +01:00			`var https = require('https');`
			`server = https.createServer(options, app);`
			`} else {`
			`var http = require('http');`
			`server = http.createServer(app);`
			`}`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`app.use(function(req, res, next) {`
Enable HSTS for TLS connections Don't use X-Frame-Options: deny for now 2014-06-17 13:21:38 +02:00			`// res.header("X-Frame-Options", "deny"); // breaks embedded pads`
Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`if (settings.ssl) {`
			`// we use SSL`
Enable HSTS for TLS connections Don't use X-Frame-Options: deny for now 2014-06-17 13:21:38 +02:00			`res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");`
allow strict transport if ssl is on and stop x-frame-options, this might break embedded pads, please test 2013-03-14 23:03:20 +01:00			`}`

fixes #2547 2015-04-24 15:17:49 +02:00			`// Stop IE going into compatability mode`
			`// https://github.com/ether/etherpad-lite/issues/2547`
			`res.header("X-UA-Compatible", "IE=Edge,chrome=1");`
Parameters: the version is exposed in http header only when configured Currently the version is exposed in a 'Server' http headers. This commit allows to parameterize it in the settings. By defaults it is not exposed. Fixes #3423 2019-04-15 16:02:46 +02:00
referer: change referrer policy. Stop sending referers as much as possible Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636 What's already there: * `meta name=referrer`: already done in 1.6.1: https://github.com/ether/etherpad-lite/pull/3044 https://caniuse.com/#feat=referrer-policy https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1]) The previous two commits (by @joelpurra) I backported in this batch: * `<a rel=noreferrer>`: a pull request denied before: https://github.com/ether/etherpad-lite/pull/2498 https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types (Firefox>=37, I can't find more info about support) This commit adds the following: * `<a rel="noopener">`: fixing a not-so-well-known way to extract referer https://html.spec.whatwg.org/multipage/links.html#link-type-noopener (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge) * `Referrer-Policy: same-origin`: the last bastion of referrer security https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge) meta name=referrer wasn't enough. I happened to leak a few referrers with my Firefox browser, though for some browsers it could have been enough. [1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it most probably incompatible (but I may be wrong on that, they may support both, but I have no way to test it currently). The next Edge release will be based on Chromium, so for that the Chrome version applies. 2019-11-23 08:18:07 +01:00			`// Enable a strong referrer policy. Same-origin won't drop Referers when`
			`// loading local resources, but it will drop them when loading foreign resources.`
			`// It's still a last bastion of referrer security. External URLs should be`
			`// already marked with rel="noreferer" and user-generated content pages are already`
			`// marked with <meta name="referrer" content="no-referrer">`
			`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy`
			`// https://github.com/ether/etherpad-lite/pull/3636`
			`res.header("Referrer-Policy", "same-origin");`

Parameters: the version is exposed in http header only when configured Currently the version is exposed in a 'Server' http headers. This commit allows to parameterize it in the settings. By defaults it is not exposed. Fixes #3423 2019-04-15 16:02:46 +02:00			`// send git version in the Server response header if exposeVersion is true.`
			`if (settings.exposeVersion) {`
			`res.header("Server", serverName);`
			`}`

Make the server restart on plugin install 2012-07-03 23:30:40 +02:00			`next();`
			`});`

Settings.js, express.js: trivial reformatting Future commits by Tristram Gräbener will modify them. 2019-04-16 00:17:56 +02:00			`if (settings.trustProxy) {`
updated to use settings updated handler/SocketIORouter.js to use new setting updated hooks/express.js to use new setting updated utils/Settings.js to accept new setting updated settings.json.template so new setting is present 2013-04-24 12:19:41 +02:00			`app.enable('trust proxy');`
			`}`
update for express 4.x 2015-04-07 14:55:05 +02:00
			`hooks.callAll("expressConfigure", {"app": app});`
Differentiate between http server and express app 2012-09-21 17:12:22 +02:00			`hooks.callAll("expressCreateServer", {"app": app, "server": server});`
Make the server restart on plugin install 2012-07-03 23:30:40 +02:00
			`server.listen(settings.port, settings.ip);`
attempt to put correct init in right place but could be wrong 2012-09-12 20:38:53 +02:00			`}`