Add no-tls, http1 & http2 SNI-controlled TLS endpoints

pimterry · pimterry · commit 2b1dc67c525e · 2025-06-13T17:19:52.000+02:00
You can now visit no-tls.testserver.host to get a server that will
reject all TLS connections, http1.testserver.host to get an HTTP/1-only
server, or http2.testserver.host to get an HTTP/2-only server. This can
also be combined with all HTTP endpoints.
diff --git a/src/server.ts b/src/server.ts
@@ -41,6 +41,7 @@ async function generateTlsConfig(options: ServerOptions) {
     if (!options.acmeProvider) {
         console.log('Using self signed certificates');
         return {
+            rootDomain,
             key: defaultCert.key,
             cert: defaultCert.cert,
             ca: caCert.cert,
@@ -62,6 +63,7 @@ async function generateTlsConfig(options: ServerOptions) {
     acmeCA.tryGetCertificateSync(rootDomain); // Preload the root domain every time
 
     return {
+        rootDomain,
         key: defaultCert.key,
         cert: defaultCert.cert,
         ca: caCert.cert,
diff --git a/src/tls-handler.ts b/src/tls-handler.ts
@@ -3,6 +3,7 @@ import * as tls from 'tls';
 import { ConnectionProcessor } from './process-connection.js';
 
 interface TlsHandlerConfig {
+    rootDomain: string;
     key: string;
     cert: string;
     ca: string;
@@ -13,6 +14,18 @@ interface TlsHandlerConfig {
     };
 }
 
+const supportedProtocolFilters: { [key: string]: string } = {
+    'http2': 'h2',
+    'http1': 'http/1.1'
+};
+
+const getSNIPrefixParts = (servername: string, rootDomain: string) => {
+    const serverNamePrefix = servername.endsWith(rootDomain)
+        ? servername.slice(0, -rootDomain.length - 1)
+        : servername;
+    return serverNamePrefix.split('.');
+};
+
 export async function createTlsHandler(
     tlsConfig: TlsHandlerConfig,
     connProcessor: ConnectionProcessor
@@ -21,8 +34,29 @@ export async function createTlsHandler(
         key: tlsConfig.key,
         cert: tlsConfig.cert,
         ca: [tlsConfig.ca],
-        ALPNProtocols: ['h2', 'http/1.1'],
+
+        ALPNCallback: ({ servername, protocols: clientProtocols }) => {
+            // If specific protocol(s) are provided as part of the server name,
+            // only negotiate those via ALPN.
+            const serverNameParts = getSNIPrefixParts(servername, tlsConfig.rootDomain);
+
+            let protocolFilterNames = serverNameParts.filter(protocol =>
+                supportedProtocolFilters[protocol]
+            );
+            const serverProtocols = protocolFilterNames.length > 0
+                ? protocolFilterNames.map(protocol => supportedProtocolFilters[protocol])
+                : Object.values(supportedProtocolFilters);
+
+            // Follow the clients preferences, within the protocols we support:
+            return clientProtocols.find(protocol => serverProtocols.includes(protocol));
+        },
         SNICallback: (domain: string, cb: Function) => {
+            const serverNameParts = getSNIPrefixParts(domain, tlsConfig.rootDomain);
+            if (serverNameParts.includes('no-tls')) {
+                // This closes the unwanted TLS connection without response
+                return cb(new Error('Intentionally rejecting TLS connection'), null);
+            }
+
             try {
                 const generatedCert = tlsConfig.generateCertificate(domain);
                 cb(null, tls.createSecureContext({
diff --git a/test/https.spec.ts b/test/https.spec.ts
@@ -1,6 +1,7 @@
 import * as net from 'net';
 import * as http from 'http';
 import * as https from 'https';
+import * as tls from 'tls';
 import * as streamConsumers from 'stream/consumers';
 
 import { expect } from 'chai';
@@ -21,7 +22,7 @@ describe("HTTPS requests", () => {
 
     afterEach(async () => {
         await server.destroy();
-    })
+    });
 
     it("can connect successfully", async () => {
         const address = `https://localhost:${serverPort}/echo`;
@@ -49,4 +50,76 @@ Connection: keep-alive
         );
     });
 
+    it("cannot connect to no-tls.* connect successfully", async () => {
+        const conn = tls.connect({
+            port: serverPort,
+            servername: 'no-tls.localhost',
+            rejectUnauthorized: false // Needed as it's untrusted
+        });
+
+        const result = await new Promise<string>((resolve, reject) => {
+            conn.on('secureConnect', () => resolve('Connected'));
+            conn.on('error', (err) => resolve(`Failed: ${err.message}`));
+        });
+        conn.destroy();
+
+        expect(result).to.equal('Failed: Client network socket disconnected before secure TLS connection was established');
+    });
+
+    it("negotiates http2 for http2.*", async () => {
+        const conn = tls.connect({
+            port: serverPort,
+            servername: 'http2.localhost',
+            ALPNProtocols: ['http/1.1', 'h2'],
+            rejectUnauthorized: false // Needed as it's untrusted
+        });
+
+        const selectedProtocol = await new Promise<any>((resolve, reject) => {
+            conn.on('secureConnect', () => resolve(conn.alpnProtocol));
+            conn.on('error', reject);
+        });
+        conn.destroy();
+
+        expect(selectedProtocol).to.equal('h2');
+    });
+
+    it("negotiates http1.1 for http1.*", async () => {
+        const conn = tls.connect({
+            port: serverPort,
+            servername: 'http1.localhost',
+            ALPNProtocols: ['h2', 'http/1.1'],
+            rejectUnauthorized: false // Needed as it's untrusted
+        });
+
+        const selectedProtocol = await new Promise<any>((resolve, reject) => {
+            conn.on('secureConnect', () => resolve(conn.alpnProtocol));
+            conn.on('error', reject);
+        });
+        conn.destroy();
+
+        expect(selectedProtocol).to.equal('http/1.1');
+    });
+
+    it("follows client ALPN preference if all are supported", async () => {
+        await Promise.all([
+            ['h2', 'http/1.1'],
+            ['http/1.1', 'h2']
+        ].map(async (protocols) => {
+            const conn = tls.connect({
+                port: serverPort,
+                servername: 'do-anything.localhost',
+                ALPNProtocols: protocols,
+                rejectUnauthorized: false // Needed as it's untrusted
+            });
+
+            const selectedProtocol = await new Promise<any>((resolve, reject) => {
+                conn.on('secureConnect', () => resolve(conn.alpnProtocol));
+                conn.on('error', reject);
+            });
+            conn.destroy();
+            expect(selectedProtocol).to.equal(protocols[0]);
+        }));
+    });
+
+
 });
