diff --git a/core/config.js b/core/config.js
index 7e5d92a1..2564c256 100644
--- a/core/config.js
+++ b/core/config.js
@@ -230,11 +230,19 @@ function getDefaultConfig() {
 firstMenuNewUser : 'sshConnectedNewUser',
 },
 webSocket : {
- port : 8810, // ws://
- enabled : false,
- securePort : 8811, // wss:// - must provide certPem and keyPem
- certPem : paths.join(__dirname, './../config/https_cert.pem'),
- keyPem : paths.join(__dirname, './../config/https_cert_key.pem'),
+ ws : {
+ // non-secure ws://
+ enabled : false,
+ port : 8810,
+ },
+ wss : {
+ // secure ws://
+ // must provide valid certPem and keyPem
+ enabled : false,
+ port : 8811,
+ certPem : paths.join(__dirname, './../config/https_cert.pem'),
+ keyPem : paths.join(__dirname, './../config/https_cert_key.pem'),
+ },
 },
 },
diff --git a/core/servers/login/websocket.js b/core/servers/login/websocket.js
index cc0270b1..9e480ac9 100644
--- a/core/servers/login/websocket.js
+++ b/core/servers/login/websocket.js
@@ -118,12 +118,15 @@ exports.getModule = class WebSocketLoginServer extends LoginServerModule {
 // * insecure websocket (ws://)
 // * secure (tls) websocket (wss://)
 //
- const config = _.get(Config, 'loginServers.webSocket') || { enabled : false };
- if(!config || true !== config.enabled || !(config.port || config.securePort)) {
+ const config = _.get(Config, 'loginServers.webSocket');
+ if(!_.isObject(config)) {
 return;
 }
- if(config.port) {
+ const wsPort = _.get(config, 'ws.port');
+ const wssPort = _.get(config, 'wss.port');
+
+ if(true === _.get(config, 'ws.enabled') && _.isNumber(wsPort)) {
 const httpServer = http.createServer( (req, resp) => {
 // dummy handler
 resp.writeHead(200);
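Review bot: The comment in the new `wss` block of core/config.js says `// secure ws://`, which names the plaintext scheme on the TLS listener; it should read `// secure wss:// (TLS)`. The documentation changed in this same commit describes a `proxied` option that treats connections carrying `X-Forwarded-Proto: https` as secure, yet the `webSocket` defaults shown here contain no `proxied` key. Adding `proxied : false, // only enable when a TLS-terminating proxy is the sole path to this port` would make the default explicit, since that header can be set by any client that reaches the port directly. getDefaultConfig() starts and ends outside the hunk.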
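Review bot: A listener that is enabled but skipped leaves no trace: in the -118 hunk of core/servers/login/websocket.js the guard `true === _.get(config, 'ws.enabled') && _.isNumber(wsPort)` falls through silently when the port is a string such as `'8810'`, and a config still using the old flat `enabled`/`port`/`securePort` keys also creates no server. The `parseInt(...)` in the -157 hunk accepts a numeric string, so the two checks disagree on what a valid port is, and the `wss` guard in the -136 hunk has the same shape. If the `wss` listener is the one skipped, an operator may end up with only the plaintext `ws://` port serving logins without noticing. An `else` branch that logs in the style of the -157 hunk, e.g. `Log.error( { port : wsPort }, 'ws enabled but port is not a number; server not created' );`, plus a message when the legacy keys are present, would surface this. The method body starts and ends outside the hunk.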
@@ -136,10 +139,10 @@ exports.getModule = class WebSocketLoginServer extends LoginServerModule {
 };
 }
- if(config.securePort) {
+ if(_.isObject(config, 'wss') && true === _.get(config, 'wss.enabled') && _.isNumber(wssPort)) {
 const httpServer = https.createServer({
- key : fs.readFileSync(Config.loginServers.webSocket.keyPem),
- cert : fs.readFileSync(Config.loginServers.webSocket.certPem),
+ key : fs.readFileSync(config.wss.keyPem),
+ cert : fs.readFileSync(config.wss.certPem),
 });
 this.secure = {
@@ -157,7 +160,7 @@ exports.getModule = class WebSocketLoginServer extends LoginServerModule {
 }
 const serverName = `${ModuleInfo.name} (${serverType})`;
- const port = parseInt(_.get(Config, [ 'loginServers', 'webSocket', 'secure' === serverType ? 'securePort' : 'port' ] ));
+ const port = parseInt(_.get(Config, [ 'loginServers', 'webSocket', 'secure' === serverType ? 'wss' : 'ws', 'port' ] ));
 if(isNaN(port)) {
 Log.error( { server : serverName, port : port }, 'Cannot load server (invalid port)' );
diff --git a/docs/servers/websocket.md b/docs/servers/websocket.md
index 435e4482..be5eb739 100644
--- a/docs/servers/websocket.md
+++ b/docs/servers/websocket.md
@@ -27,11 +27,22 @@ don't already have it defined).
 ````hjson
 loginServers: {
 webSocket : {
- port: 8810
- enabled: true
- securePort: 8811
- certPem: /path/to/https_cert.pem
- keyPem: /path/to/https_cert_key.pem
+ ws: {
+ // non-secure ws://
+ port: 8810
+ enabled: true
+ }
+ wss: {
+ // secure-over-tls wss://
+ port: 8811
+ enabled: true
+ certPem: /path/to/https_cert.pem
+ keyPem: /path/to/https_cert_key.pem
+ }
+ // set proxied to true to allow TLS-terminated proxied connections
+ // containing the "X-Forwarded-Proto: https" header to be treated
+ // as secure
+ proxied: true
 }
 }
 ````
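Review bot: `_.isObject(config, 'wss')` in the new `if` of the -136 hunk does not test `config.wss`: lodash's `isObject` takes a single argument, so this re-checks `config` and the path string is ignored. The `_.get(config, 'wss.enabled')` term that follows still keeps `config.wss` from being dereferenced when it is absent, so the line can be `if(true === _.get(config, 'wss.enabled') && _.isNumber(wssPort)) {`. Separately, `fs.readFileSync(config.wss.keyPem)` and the `certPem` read throw when a path is missing or unreadable, and no handler is visible in this hunk; unless the caller already catches it, wrapping the two reads and logging the offending path (never the key contents) would let the other login servers start. The method body starts and ends outside the hunk.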