2012-07-03 23:30:40 +02:00
var hooks = require ( "ep_etherpad-lite/static/js/pluginfw/hooks" ) ;
var express = require ( 'express' ) ;
var settings = require ( '../utils/Settings' ) ;
var fs = require ( 'fs' ) ;
var path = require ( 'path' ) ;
2012-07-08 11:37:24 +02:00
var npm = require ( "npm/lib/npm.js" ) ;
2012-07-03 23:30:40 +02:00
var _ = require ( "underscore" ) ;
2020-09-21 06:42:29 +02:00
const util = require ( 'util' ) ;
2012-07-03 23:30:40 +02:00
var serverName ;
2020-09-21 06:42:29 +02:00
exports . server = null ;
exports . createServer = async ( ) => {
2012-11-22 01:12:30 +01:00
console . log ( "Report bugs at https://github.com/ether/etherpad-lite/issues" )
2012-07-03 23:30:40 +02:00
2019-04-16 00:54:54 +02:00
serverName = ` Etherpad ${ settings . getGitCommit ( ) } (https://etherpad.org) ` ;
2019-04-16 00:34:29 +02:00
2018-08-27 01:29:37 +02:00
console . log ( ` Your Etherpad version is ${ settings . getEpVersion ( ) } ( ${ settings . getGitCommit ( ) } ) ` ) ;
2012-07-03 23:30:40 +02:00
2020-09-21 06:42:29 +02:00
await exports . restartServer ( ) ;
2012-07-03 23:30:40 +02:00
2020-03-30 00:27:22 +02:00
if ( settings . ip === "" ) {
// using Unix socket for connectivity
console . log ( ` You can access your Etherpad instance using the Unix socket at ${ settings . port } ` ) ;
} else {
console . log ( ` You can access your Etherpad instance at http:// ${ settings . ip } : ${ settings . port } / ` ) ;
}
2019-04-16 00:17:56 +02:00
if ( ! _ . isEmpty ( settings . users ) ) {
2018-08-27 01:29:37 +02:00
console . log ( ` The plugin admin page is at http:// ${ settings . ip } : ${ settings . port } /admin/plugins ` ) ;
2019-04-16 00:17:56 +02:00
} else {
2012-07-03 23:30:40 +02:00
console . warn ( "Admin username and password not set in settings.json. To access admin please uncomment and edit 'users' in settings.json" ) ;
}
2019-04-16 00:17:56 +02:00
2018-04-03 11:59:10 +02:00
var env = process . env . NODE _ENV || 'development' ;
2019-04-16 00:17:56 +02:00
if ( env !== 'production' ) {
2018-04-03 11:59:10 +02:00
console . warn ( "Etherpad is running in Development mode. This mode is slower for users and less secure than production mode. You should set the NODE_ENV environment variable to production by using: export NODE_ENV=production" ) ;
}
2012-07-03 23:30:40 +02:00
}
2020-09-21 06:42:29 +02:00
exports . restartServer = async ( ) => {
if ( exports . server ) {
2012-07-03 23:30:40 +02:00
console . log ( "Restarting express server" ) ;
2020-09-21 06:42:29 +02:00
await util . promisify ( exports . server . close ) . bind ( exports . server ) ( ) ;
2012-07-03 23:30:40 +02:00
}
2012-09-21 17:12:22 +02:00
var app = express ( ) ; // New syntax for express v3
2012-11-22 10:12:58 +01:00
if ( settings . ssl ) {
2018-08-27 01:29:37 +02:00
console . log ( "SSL -- enabled" ) ;
console . log ( ` SSL -- server key file: ${ settings . ssl . key } ` ) ;
console . log ( ` SSL -- Certificate Authority's certificate file: ${ settings . ssl . cert } ` ) ;
2019-04-16 00:34:29 +02:00
2014-12-14 22:01:28 +01:00
var options = {
2012-11-22 10:12:58 +01:00
key : fs . readFileSync ( settings . ssl . key ) ,
cert : fs . readFileSync ( settings . ssl . cert )
} ;
2019-04-16 00:17:56 +02:00
2015-04-22 20:29:19 +02:00
if ( settings . ssl . ca ) {
options . ca = [ ] ;
2019-04-16 00:17:56 +02:00
for ( var i = 0 ; i < settings . ssl . ca . length ; i ++ ) {
2015-04-22 20:29:19 +02:00
var caFileName = settings . ssl . ca [ i ] ;
options . ca . push ( fs . readFileSync ( caFileName ) ) ;
}
}
2019-04-16 00:34:29 +02:00
2012-11-22 10:12:58 +01:00
var https = require ( 'https' ) ;
2020-09-21 06:42:29 +02:00
exports . server = https . createServer ( options , app ) ;
2012-11-22 10:12:58 +01:00
} else {
var http = require ( 'http' ) ;
2020-09-21 06:42:29 +02:00
exports . server = http . createServer ( app ) ;
2012-11-22 10:12:58 +01:00
}
2012-07-03 23:30:40 +02:00
2019-04-16 00:17:56 +02:00
app . use ( function ( req , res , next ) {
2014-06-17 13:21:38 +02:00
// res.header("X-Frame-Options", "deny"); // breaks embedded pads
2019-04-16 00:17:56 +02:00
if ( settings . ssl ) {
// we use SSL
2014-06-17 13:21:38 +02:00
res . header ( "Strict-Transport-Security" , "max-age=31536000; includeSubDomains" ) ;
2013-03-14 23:03:20 +01:00
}
2015-04-24 15:17:49 +02:00
// Stop IE going into compatability mode
// https://github.com/ether/etherpad-lite/issues/2547
res . header ( "X-UA-Compatible" , "IE=Edge,chrome=1" ) ;
2019-04-15 16:02:46 +02:00
referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636
What's already there:
* `meta name=referrer`: already done in 1.6.1:
https://github.com/ether/etherpad-lite/pull/3044
https://caniuse.com/#feat=referrer-policy
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
(Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])
The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
https://github.com/ether/etherpad-lite/pull/2498
https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
(Firefox>=37, I can't find more info about support)
This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
(Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)
* `Referrer-Policy: same-origin`: the last bastion of referrer security
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
(Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)
meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.
[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
most probably incompatible (but I may be wrong on that, they may support
both, but I have no way to test it currently). The next Edge release will be
based on Chromium, so for that the Chrome version applies.
2019-11-23 08:18:07 +01:00
// Enable a strong referrer policy. Same-origin won't drop Referers when
// loading local resources, but it will drop them when loading foreign resources.
// It's still a last bastion of referrer security. External URLs should be
// already marked with rel="noreferer" and user-generated content pages are already
// marked with <meta name="referrer" content="no-referrer">
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
// https://github.com/ether/etherpad-lite/pull/3636
res . header ( "Referrer-Policy" , "same-origin" ) ;
2019-04-15 16:02:46 +02:00
// send git version in the Server response header if exposeVersion is true.
if ( settings . exposeVersion ) {
res . header ( "Server" , serverName ) ;
}
2012-07-03 23:30:40 +02:00
next ( ) ;
} ) ;
2019-04-16 00:17:56 +02:00
if ( settings . trustProxy ) {
2020-04-14 01:10:19 +02:00
/ *
* If 'trust proxy' === true , the client ’ s IP address in req . ip will be the
* left - most entry in the X - Forwarded - * header .
*
* Source : https : //expressjs.com/en/guide/behind-proxies.html
* /
2013-04-24 12:19:41 +02:00
app . enable ( 'trust proxy' ) ;
}
2015-04-07 14:55:05 +02:00
hooks . callAll ( "expressConfigure" , { "app" : app } ) ;
2020-09-21 06:42:29 +02:00
hooks . callAll ( 'expressCreateServer' , { app , server : exports . server } ) ;
2012-07-03 23:30:40 +02:00
2020-09-21 06:42:29 +02:00
await util . promisify ( exports . server . listen ) . bind ( exports . server ) ( settings . port , settings . ip ) ;
} ;
exports . shutdown = async ( hookName , context ) => {
if ( ! exports . server ) return ;
await util . promisify ( exports . server . close ) . bind ( exports . server ) ( ) ;
} ;
