The latest articles on Forem by Aviv Cohen (@colocohen). https://forem.com/colocohen https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3484740%2F70818aa6-e431-41c5-8eed-c812ac483913.jpeg https://forem.com/colocohen en Aviv Cohen Thu, 16 Apr 2026 00:30:50 +0000 https://forem.com/colocohen/tls-in-nodejs-is-a-black-box-heres-an-open-one-38ik https://forem.com/colocohen/tls-in-nodejs-is-a-black-box-heres-an-open-one-38ik <p>Every Node.js app you've ever built uses TLS. Every <code>https.createServer()</code>, every <code>fetch()</code> to an external API, every database connection with <code>ssl: true</code> — all of it goes through TLS.</p> <p>But have you ever actually <em>seen</em> what happens during a TLS handshake? Have you ever tried to control which cipher suite is used for a specific connection? Pinned a certificate? Inspected the key exchange? Read the traffic keys?</p> <p>Probably not. And it's not because you're not curious — it's because <strong>Node.js doesn't let you</strong>.</p> <p>Node's <code>node:tls</code> module is a thin wrapper around OpenSSL, a C library with over 700,000 lines of code. It works, it's fast, and for most use cases it's fine. But it's a black box. You call <code>tls.connect()</code>, something happens in C-land, and you either get a secure connection or an error. What happened in between? Which parameters were negotiated? Could you have made different choices? Good luck finding out.</p> <p>This article is about <a href="https://github.com/colocohen/lemon-tls" rel="noopener noreferrer"><strong>LemonTLS</strong></a> — a pure JavaScript implementation of TLS 1.3 and TLS 1.2 for Node.js. Not a wrapper. Not a binding. The actual protocol, implemented in JavaScript, where you can read every line, set a breakpoint on every step, and control things that OpenSSL has no API for.</p> <h2> Why Would Anyone Reimplement TLS? </h2> <p>Fair question. OpenSSL works. It's been battle-tested for decades. Why would you want a JavaScript implementation?</p> <p>Here are three concrete reasons — and they're not theoretical.</p> <h3> 1. You Can't Control What You Can't See </h3> <p>Try to do any of these in Node.js:</p> <p><strong>Pin a certificate.</strong> You want to make sure your app only connects to a server presenting a specific certificate — not just any certificate signed by any CA. This is critical for banking apps, internal services, and anything where a compromised CA could be disastrous. In Node.js, you have to implement this manually by checking the peer certificate after the handshake. There's no built-in option.</p> <p><strong>Choose a cipher suite per connection.</strong> Node.js sets cipher suites globally. If you have one connection to a legacy server that needs AES-128 and another to a modern API where you want ChaCha20, you can't configure them independently without <code>openssl.cnf</code> hacks.</p> <p><strong>Disable session tickets for a specific server.</strong> Session tickets are great for performance, but they carry security trade-offs (forward secrecy during the ticket lifetime). In Node.js, disabling them requires modifying OpenSSL's configuration file — not something you can do per-connection.</p> <p><strong>Detect bots with JA3 fingerprinting.</strong> Every TLS client sends a ClientHello with a unique combination of extensions, cipher suites, and curves. This creates a fingerprint (JA3) that can identify bots, scrapers, and known malicious clients. Node.js gives you no access to the raw ClientHello.</p> <p>With LemonTLS, all of these are one-liner options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">tls</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lemon-tls</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Certificate pinning</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">bank.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">pins</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</span><span class="dl">'</span><span class="p">]</span> <span class="p">});</span> <span class="c1">// Per-connection cipher and curve selection</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">api.example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">allowedCipherSuites</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x1301</span><span class="p">,</span> <span class="mh">0x1303</span><span class="p">],</span> <span class="c1">// AES-128-GCM + ChaCha20 only</span> <span class="na">groups</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x001d</span><span class="p">],</span> <span class="c1">// X25519 only</span> <span class="na">signatureAlgorithms</span><span class="p">:</span> <span class="p">[</span><span class="mh">0x0804</span><span class="p">],</span> <span class="c1">// RSA-PSS-SHA256 only</span> <span class="na">prioritizeChaCha</span><span class="p">:</span> <span class="kc">true</span> <span class="c1">// Prefer ChaCha20 over AES</span> <span class="p">});</span> <span class="c1">// Disable session tickets</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">cert</span><span class="p">,</span> <span class="na">noTickets</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="c1">// JA3 fingerprinting</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">secureConnection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">socket</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ja3</span> <span class="o">=</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">getJA3</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">ja3</span><span class="p">.</span><span class="nx">hash</span><span class="p">);</span> <span class="c1">// 'e7d705a3286e19ea42f587b344ee6865'</span> <span class="k">if </span><span class="p">(</span><span class="nx">knownBots</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">ja3</span><span class="p">.</span><span class="nx">hash</span><span class="p">))</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>None of these require configuration files, environment variables, or OpenSSL rebuilds. They're just options you pass to a function.</p> <h3> 2. You Can Actually Debug TLS Problems </h3> <p>Everyone who's worked with TLS has seen this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: UNABLE_TO_VERIFY_LEAF_SIGNATURE </code></pre> </div> <p>Or this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: self signed certificate in certificate chain </code></pre> </div> <p>When these happen in Node.js, you're stuck. The error comes from deep inside OpenSSL. You can't set a breakpoint, you can't inspect the certificate chain at the point of failure, you can't see which validation step failed and why.</p> <p>With LemonTLS, TLS is JavaScript. You can:</p> <ul> <li>Set a breakpoint inside the handshake and step through each message</li> <li>Inspect the raw ClientHello and ServerHello</li> <li>Watch key exchange happen in real time</li> <li>See exactly which certificate in the chain failed validation and why </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// See every handshake message</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">handshakeMessage</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">type</span><span class="p">,</span> <span class="nx">raw</span><span class="p">,</span> <span class="nx">parsed</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Handshake:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">parsed</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Wireshark integration — export keys for packet inspection</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">keylog</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">line</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">appendFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">keys.log</span><span class="dl">'</span><span class="p">,</span> <span class="nx">line</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Then in Wireshark: TLS → Pre-Master-Secret log filename → keys.log</span> </code></pre> </div> <p>For development, testing, and debugging — the ability to <em>see</em> what TLS is doing changes everything. Instead of googling cryptic OpenSSL errors, you read JavaScript.</p> <h3> 3. Some Protocols Need TLS Internals </h3> <p>This is the reason LemonTLS was originally built. Some protocols need access to TLS internals that OpenSSL simply doesn't expose through Node.js.</p> <p><strong>QUIC</strong> needs the TLS handshake keys at specific points during the connection setup. It needs to encrypt packets with derived keys, not through a socket — because QUIC runs over UDP, not TCP. Node's <code>node:tls</code> gives you a TCP socket and nothing else. You can't extract the keys, you can't encrypt individual records, you can't run TLS without a TCP connection underneath.</p> <p>LemonTLS solves this with two API levels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// High-level: drop-in replacement for node:tls (works with TCP)</span> <span class="k">import</span> <span class="nx">tls</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lemon-tls</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">socket</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Low-level: state machine only — you handle the transport</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TLSSession</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lemon-tls</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TLSSession</span><span class="p">({</span> <span class="na">isServer</span><span class="p">:</span> <span class="kc">false</span> <span class="p">});</span> <span class="nx">session</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">send</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="cm">/* send over UDP, WebSocket, anything */</span> <span class="p">});</span> <span class="nx">session</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">keys</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">keys</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="cm">/* use these for QUIC encryption */</span> <span class="p">});</span> <span class="nx">session</span><span class="p">.</span><span class="nf">receive</span><span class="p">(</span><span class="nx">incomingData</span><span class="p">);</span> </code></pre> </div> <p>The <code>TLSSession</code> is a pure state machine. It doesn't know or care what transport you're using. Feed it bytes, it produces handshake messages and keys. This is what makes it possible to build protocols like QUIC, DTLS, or any custom transport that needs TLS security — entirely in JavaScript.</p> <h2> Drop-In Replacement: Same API, More Control </h2> <p>Despite all these advanced capabilities, the basic usage is intentionally boring. LemonTLS implements the same API as <code>node:tls</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">tls</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lemon-tls</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// just change the import</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:fs</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// Server — same as node:tls</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.crt</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">(</span><span class="nx">socket</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Protocol:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">getProtocol</span><span class="p">());</span> <span class="c1">// 'TLSv1.3'</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cipher:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">getCipher</span><span class="p">().</span><span class="nx">name</span><span class="p">);</span> <span class="c1">// 'TLS_AES_128_GCM_SHA256'</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from LemonTLS!</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">8443</span><span class="p">);</span> <span class="c1">// Client — same as node:tls</span> <span class="kd">const</span> <span class="nx">socket</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">8443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">rejectUnauthorized</span><span class="p">:</span> <span class="kc">false</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from client!</span><span class="se">\n</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">d</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">d</span><span class="p">.</span><span class="nf">toString</span><span class="p">()));</span> </code></pre> </div> <p><code>createServer()</code>, <code>connect()</code>, <code>TLSSocket</code> as a Duplex stream, <code>getProtocol()</code>, <code>getCipher()</code>, <code>getPeerCertificate()</code>, <code>alpnProtocol</code>, <code>SNICallback</code> — all the methods and events you know from <code>node:tls</code> work exactly the same way.</p> <p>The 27 compatibility methods from Node.js have been verified through automated tests. If your code works with <code>node:tls</code>, changing the import to <code>lemon-tls</code> should just work.</p> <h2> Session Resumption: Faster Reconnections </h2> <p>TLS 1.3 introduced a mechanism where, after the first handshake, the server sends the client a "session ticket" — an encrypted blob that lets the client skip the full handshake on the next connection. Instead of exchanging certificates and doing key agreement from scratch, the client presents the ticket and both sides derive keys immediately.</p> <p>This is especially important for mobile apps and APIs where connections are frequently opened and closed. The difference between a full handshake (1 round-trip) and a resumed handshake (same round-trip, but less computation) adds up.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">let</span> <span class="nx">savedSession</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// First connection — save the ticket</span> <span class="kd">const</span> <span class="nx">socket1</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">8443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">);</span> <span class="nx">socket1</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ticketData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">savedSession</span> <span class="o">=</span> <span class="nx">ticketData</span><span class="p">;</span> <span class="p">});</span> <span class="c1">// Later — resume with the ticket</span> <span class="kd">const</span> <span class="nx">socket2</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">8443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">savedSession</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Resumed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">socket2</span><span class="p">.</span><span class="nx">isResumed</span><span class="p">);</span> <span class="c1">// true</span> <span class="c1">// No certificate exchange happened — faster connection</span> <span class="p">});</span> </code></pre> </div> <p>This works identically to Node.js session resumption, but with one difference: you can actually debug it. If resumption fails, you can inspect the ticket, see the PSK binder validation, and understand exactly why.</p> <h2> Mutual TLS: Both Sides Authenticate </h2> <p>Standard TLS is one-sided — the client verifies the server, but the server doesn't verify the client. For internal services, microservice communication, or zero-trust architectures, you often need both sides to present certificates.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Server: require client certificate</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">serverKey</span><span class="p">,</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">serverCert</span><span class="p">,</span> <span class="na">requestCert</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">ca</span><span class="p">:</span> <span class="p">[</span><span class="nx">clientCA</span><span class="p">]</span> <span class="c1">// Only accept clients signed by this CA</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">secureConnection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">socket</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">peer</span> <span class="o">=</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">getPeerCertificate</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Client:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">peer</span><span class="p">.</span><span class="nx">subject</span><span class="p">.</span><span class="nx">CN</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Valid:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">socket</span><span class="p">.</span><span class="nx">authorized</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Client: present certificate</span> <span class="kd">const</span> <span class="nx">socket</span> <span class="o">=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="mi">8443</span><span class="p">,</span> <span class="dl">'</span><span class="s1">service.internal</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">client.crt</span><span class="dl">'</span><span class="p">),</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">client.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">ca</span><span class="p">:</span> <span class="p">[</span><span class="nx">serverCA</span><span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p>Same API as <code>node:tls</code>. But if something goes wrong with certificate validation — wrong CA, expired cert, hostname mismatch — you can actually trace through the JavaScript to see where and why it failed.</p> <h2> What's Actually Happening: The TLS 1.3 Handshake </h2> <p>One of the benefits of having TLS in JavaScript is that you can actually understand what the protocol does. Here's what happens when you call <code>tls.connect()</code>:</p> <p><strong>Step 1: ClientHello.</strong> The client sends a message listing: supported TLS versions, supported cipher suites, supported key exchange groups, a random nonce, and a key share (the client's half of the key exchange). In TLS 1.3, the client optimistically includes its key share in the first message — this is what makes the handshake only one round-trip.</p> <p><strong>Step 2: ServerHello.</strong> The server picks a cipher suite and key exchange group, includes its own key share, and sends it back. At this point, both sides have everything they need to compute the shared secret.</p> <p><strong>Step 3: Encrypted handshake.</strong> Everything after ServerHello is encrypted. The server sends its certificate, proves it has the private key (via a CertificateVerify message), and sends a Finished message. The client verifies everything, sends its own Finished, and the handshake is complete.</p> <p><strong>Step 4: Application data.</strong> Both sides now have traffic keys derived from the shared secret. All application data is encrypted with AES-GCM or ChaCha20-Poly1305.</p> <p>The entire handshake happens in <strong>one round-trip</strong> — the client sends ClientHello, and the server responds with everything needed to start sending encrypted data. Compare this to TLS 1.2, which required two round-trips.</p> <p>With LemonTLS, you can watch this happen in real time:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">handshakeMessage</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">type</span><span class="p">,</span> <span class="nx">raw</span><span class="p">,</span> <span class="nx">parsed</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[</span><span class="p">${</span><span class="nx">type</span><span class="p">}</span><span class="s2">]`</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">parsed</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">));</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">secureConnect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nf">getNegotiationResult</span><span class="p">());</span> <span class="c1">// { version: 'TLSv1.3', cipher: 'TLS_AES_128_GCM_SHA256',</span> <span class="c1">// group: 'X25519', alpn: 'h2', resumed: false,</span> <span class="c1">// handshakeDuration: 23 }</span> <span class="p">});</span> </code></pre> </div> <h2> The Full Negotiation Picture </h2> <p>After the handshake, you have complete visibility into what was negotiated:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">secureConnect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// What version and cipher were agreed on?</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nf">getProtocol</span><span class="p">());</span> <span class="c1">// 'TLSv1.3'</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nf">getCipher</span><span class="p">());</span> <span class="c1">// { name: 'TLS_AES_128_GCM_SHA256', ... }</span> <span class="c1">// What key exchange was used?</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nf">getEphemeralKeyInfo</span><span class="p">());</span> <span class="c1">// { type: 'X25519', size: 253 }</span> <span class="c1">// Who is the server?</span> <span class="kd">const</span> <span class="nx">cert</span> <span class="o">=</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">getPeerCertificate</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">subject</span><span class="p">.</span><span class="nx">CN</span><span class="p">);</span> <span class="c1">// 'example.com'</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">fingerprint256</span><span class="p">);</span> <span class="c1">// 'AB:CD:EF:...'</span> <span class="c1">// Was this a resumed connection?</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nx">isResumed</span><span class="p">);</span> <span class="c1">// false</span> <span class="c1">// What ALPN protocol was negotiated?</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nx">alpnProtocol</span><span class="p">);</span> <span class="c1">// 'h2'</span> <span class="c1">// Access the raw shared secret (for research)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">socket</span><span class="p">.</span><span class="nf">getSharedSecret</span><span class="p">());</span> <span class="c1">// Buffer&lt;...&gt;</span> <span class="c1">// Export keying material (RFC 5705)</span> <span class="kd">const</span> <span class="nx">material</span> <span class="o">=</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">exportKeyingMaterial</span><span class="p">(</span><span class="mi">32</span><span class="p">,</span> <span class="dl">'</span><span class="s1">my-protocol</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Buffer</span><span class="p">.</span><span class="nf">alloc</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>Every piece of information that was negotiated, exchanged, or derived during the handshake is available to you. Not hidden in a C struct somewhere — accessible as JavaScript values you can log, inspect, and use.</p> <h2> Zero Dependencies, Full Transparency </h2> <p>LemonTLS uses only <code>node:crypto</code> for the raw cryptographic primitives (AES, SHA-256, ECDH). Everything else — the state machine, the handshake logic, the record layer, the key schedule, the certificate parsing — is JavaScript.</p> <p>The entire library is readable. When something goes wrong, you don't get an opaque error from a C library — you get a JavaScript stack trace that points to the exact line where the issue occurred.</p> <p>For security-sensitive applications, auditability matters. You can read the key derivation code, verify the HKDF implementation, check the AEAD encryption. With OpenSSL, you're trusting 700,000 lines of C that even most security researchers don't fully understand.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>lemon-tls </code></pre> </div> <p>For most use cases, change one import:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gd">- import tls from 'node:tls'; </span><span class="gi">+ import tls from 'lemon-tls'; </span></code></pre> </div> <p>Everything else stays the same — and you gain visibility, control, and debuggability that <code>node:tls</code> can't offer.</p> <p><strong>Resources:</strong></p> <ul> <li>📦 <a href="https://www.npmjs.com/package/lemon-tls" rel="noopener noreferrer">npm — lemon-tls</a> </li> <li>💻 <a href="https://github.com/colocohen/lemon-tls" rel="noopener noreferrer">GitHub — lemon-tls</a> </li> <li>📘 <a href="https://datatracker.ietf.org/doc/html/rfc8446" rel="noopener noreferrer">RFC 8446 — TLS 1.3</a> </li> </ul> <h2> Why This Matters </h2> <p>TLS is the most important security protocol on the internet. Every HTTPS request, every secure WebSocket, every encrypted database connection depends on it. And yet, for most Node.js developers, it's a complete black box.</p> <p>It doesn't have to be. TLS is a well-documented protocol with clear RFCs. The only reason it's been opaque is because the implementations have been in C, hidden behind abstraction layers that prioritize convenience over understanding.</p> <p>LemonTLS gives you both: the convenience of a Node.js-compatible API when you just want things to work, and full protocol-level access when you need to understand, debug, or control what's happening. Same API, open box.</p> webdev node javascript security Aviv Cohen Thu, 16 Apr 2026 00:29:07 +0000 https://forem.com/colocohen/add-http3-to-your-nodejs-app-48l3 https://forem.com/colocohen/add-http3-to-your-nodejs-app-48l3 <p>Let's start with a question: when was the last time you thought about what protocol your Node.js server actually speaks?</p> <p>If you're like most developers, the answer is probably "never." You set up Express, called <code>app.listen()</code>, and moved on to building features. And that's totally fine — that's how it should work.</p> <p>But here's the thing: <strong>the internet has moved on</strong>, and your server probably hasn't.</p> <p>Every major browser — Chrome, Firefox, Safari, Edge — already speaks HTTP/3. Google has been serving search results over it since 2020. Cloudflare routes over 30% of its traffic through it. Meta, YouTube, Instagram — all HTTP/3. The biggest companies in the world decided that HTTP/2 over TCP wasn't fast enough, and they built something better.</p> <p>Meanwhile, most Node.js apps are still serving responses over HTTP/1.1. Some have upgraded to HTTP/2. But almost none speak HTTP/3 — because until now, there was no simple way to do it in Node.js.</p> <p>That's what this article is about. We'll look at <strong>why HTTP/3 exists</strong>, <strong>what real problems it solves</strong> (spoiler: if your users are on WiFi or mobile, this matters a lot), and <strong>how to add it to your existing Node.js app</strong> without rewriting a single route.</p> <h2> The Problem Nobody Talks About: TCP Is Holding You Back </h2> <p>TCP has been the backbone of the internet for over 40 years. It's reliable, it's battle-tested, and it's everywhere. So what's wrong with it?</p> <p>Nothing — if you're on a perfect network. But let's be honest: <strong>nobody is on a perfect network</strong>.</p> <h3> Head-of-Line Blocking: The Silent Performance Killer </h3> <p>Imagine you're loading a web page. Your browser opens an HTTP/2 connection and starts downloading 15 resources simultaneously — CSS, JavaScript, images, fonts — all multiplexed over a single TCP connection. Sounds efficient, right?</p> <p>Now imagine one single packet gets lost. Maybe the user is on WiFi and walked a bit too far from the router. Maybe they're on a train and the signal hiccupped for a millisecond.</p> <p>Here's what happens: <strong>TCP freezes everything</strong>.</p> <p>Not just the resource that lost a packet — <em>all 15 resources stop</em>. TCP guarantees in-order delivery, so it holds every subsequent packet hostage until that one lost packet is retransmitted and arrives. Your CSS file is ready, your JavaScript is ready, six images are ready — but nothing can be delivered to the browser until that one missing packet shows up.</p> <p>This is called <strong>head-of-line blocking</strong>, and it's the dirty secret of HTTP/2. The multiplexing that was supposed to make everything faster actually made this problem <em>worse</em> — because now all your streams share the same TCP bottleneck.</p> <p>On a clean fiber connection, you'll barely notice. But on <strong>WiFi</strong> — especially busy coffee shop WiFi, conference WiFi, home WiFi with 12 devices — packet loss happens constantly. On <strong>mobile networks</strong> — 4G/5G with signal fluctuations — it happens even more.</p> <p>The result? Your page loads feel janky. Your API calls sometimes take 200ms and sometimes take 2 seconds, and you can't figure out why. Your WebSocket connections drop and reconnect. It's not your code — it's TCP.</p> <h3> The Handshake Tax </h3> <p>Every time a user opens a new connection to your server over HTTPS, they pay a "handshake tax":</p> <ol> <li> <strong>TCP handshake</strong> — 1 round-trip (SYN → SYN-ACK → ACK)</li> <li> <strong>TLS handshake</strong> — 1 to 2 more round-trips (ClientHello → ServerHello → keys)</li> </ol> <p>That's 2–3 round-trips before a single byte of real data flows.</p> <p>On a fast connection with 20ms latency, that's 40–60ms. Barely noticeable. But on a mobile connection with 150ms latency? That's <strong>300–450ms</strong> of pure waiting. Almost half a second, just for the privilege of <em>starting</em> to talk to your server.</p> <p>And it gets worse. Users don't just connect once — they open new connections to different subdomains, to your CDN, to your API. Each one pays the same tax.</p> <h3> The WiFi-to-Cellular Problem </h3> <p>Here's one that every mobile user has experienced: you're loading a page on WiFi, then you walk out of range. Your phone switches to cellular. What happens?</p> <p><strong>Every single TCP connection dies.</strong></p> <p>TCP connections are identified by four things: source IP, source port, destination IP, destination port. When your phone switches networks, your IP changes — and TCP has no mechanism to migrate connections. They all drop, the browser reopens them, pays the handshake tax again, and resends the requests.</p> <p>If your user was in the middle of uploading a file or streaming data, it's gone. Start over.</p> <h2> Enter QUIC: TCP's Replacement </h2> <p>QUIC isn't an incremental improvement over TCP. It's a <strong>complete replacement</strong> — a new transport protocol built from scratch by Google, then standardized by the IETF (RFC 9000). And it was specifically designed to solve every problem we just described.</p> <h3> Independent Streams: No More Head-of-Line Blocking </h3> <p>QUIC runs over UDP and implements its own reliability layer. But unlike TCP, QUIC knows about <strong>individual streams</strong>. If a packet belonging to stream #3 gets lost, only stream #3 waits for the retransmission. Streams #1, #2, #4–15 keep flowing without interruption.</p> <p>Think about what this means for your users on WiFi. That single lost packet that used to freeze all 15 resources? Now it only affects the one resource it belongs to. The rest of the page continues loading normally.</p> <p><strong>This is the single biggest performance improvement HTTP/3 brings</strong>, and it's most dramatic exactly where your users need it most — on unreliable connections.</p> <h3> Faster Handshakes: 1 Round-Trip (or Zero) </h3> <p>QUIC merges the transport and TLS handshake into a single operation. First connection to a server? <strong>One round-trip</strong> and you're sending data. That 300–450ms tax on mobile drops to 150ms.</p> <p>Reconnecting to a server you've visited before? <strong>Zero round-trips</strong>. QUIC supports 0-RTT resumption — the client can start sending data in the very first packet. For APIs and real-time apps, this is transformative.</p> <h3> Connection Migration: Seamless Network Switches </h3> <p>QUIC connections aren't identified by IP addresses. Instead, each connection has a <strong>Connection ID</strong> — a random token that both sides remember. When your user walks out of WiFi range and their phone switches to cellular, the Connection ID stays the same. The QUIC connection survives.</p> <p>No dropped connections. No re-handshakes. No lost uploads. The user doesn't even notice the switch happened.</p> <h3> Built-in Encryption </h3> <p>Every QUIC connection is encrypted by default using TLS 1.3 — the latest and most secure version. There's no option to run unencrypted QUIC. Security isn't an afterthought or an optional layer — it's fundamental to the protocol.</p> <h2> So Why Isn't Everyone Using HTTP/3 in Node.js? </h2> <p>Good question. The browsers are ready. The protocol is standardized. Major servers support it. So what's the holdup?</p> <p>The problem is that <strong>Node.js doesn't have a built-in QUIC implementation</strong>.</p> <p>Unlike HTTP/1.1 and HTTP/2, which have <code>node:http</code> and <code>node:http2</code>, there's no <code>node:http3</code>. It's been discussed for years, there have been experimental branches, but nothing has shipped. The reason is complex: QUIC requires deep integration with TLS internals that Node's existing APIs don't expose, and the QUIC state machine is genuinely complex — packet scheduling, congestion control, key rotation, connection migration.</p> <p>This left Node.js developers with two options: either proxy through a server like nginx that supports HTTP/3 (adding infrastructure complexity), or use native C++ bindings (adding build complexity and platform-specific pain).</p> <p>Until now.</p> <h2> QUICO: HTTP/3 for Node.js, Pure JavaScript </h2> <p><a href="https://github.com/colocohen/quico" rel="noopener noreferrer"><strong>QUICO</strong></a> is an open-source library that brings full QUIC and HTTP/3 support to Node.js. And it does it with one key design decision: <strong>everything is pure JavaScript</strong>. No C++ bindings, no OpenSSL dependency, no <code>node-gyp</code>, no platform-specific builds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>quico </code></pre> </div> <p>That's all it takes. It works on Linux, macOS, Windows, ARM, Docker, edge devices — anywhere Node.js runs.</p> <p>But the really nice part is the API. QUICO was designed to be a <strong>drop-in replacement</strong> for <code>node:https</code>. If you already know how to use <code>https.createServer()</code>, you already know how to use QUICO.</p> <h3> Your First HTTP/3 Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">quico</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">quico</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:fs</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">quico</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.crt</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text/plain</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from HTTP/3!</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">4433</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">HTTP/3 server on https://localhost:4433</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Look familiar? It should — it's the same pattern as <code>https.createServer()</code>. Same <code>req</code>, same <code>res</code>, same <code>writeHead()</code>, same <code>end()</code>. The only difference is what's happening underneath: instead of TCP + TLS, you're now running QUIC + HTTP/3.</p> <h3> It Works with Express (and Fastify, and Koa) </h3> <p>Here's where it gets interesting. Because QUICO mirrors the <code>node:https</code> API, <strong>your existing frameworks just work</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">express</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">quico</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">quico</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:fs</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">express</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Hello!</span><span class="dl">'</span><span class="p">,</span> <span class="na">protocol</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">httpVersion</span> <span class="c1">// "3.0" ← this is new</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/users</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Your existing routes — nothing changes</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">users</span><span class="p">);</span> <span class="p">});</span> <span class="nx">quico</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">server.crt</span><span class="dl">'</span><span class="p">)</span> <span class="p">},</span> <span class="nx">app</span><span class="p">).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">4433</span><span class="p">);</span> </code></pre> </div> <p>All your routes, all your middleware, all your error handlers — everything stays exactly the same. You're just replacing <code>https.createServer</code> with <code>quico.createServer</code>. That's the whole migration.</p> <p>And your users get: faster connections, no head-of-line blocking, resilient connections on flaky WiFi, and seamless network switches on mobile. Without changing a single line of your application logic.</p> <h3> Making HTTP/3 Requests from Node.js </h3> <p>QUICO also works as a client. Want to make requests to HTTP/3-enabled servers?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">quico</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">quico</span><span class="dl">'</span><span class="p">;</span> <span class="nx">quico</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://www.google.com/</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Status:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">);</span> <span class="c1">// 200</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Protocol:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">res</span><span class="p">.</span><span class="nx">httpVersion</span><span class="p">);</span> <span class="c1">// "3.0"</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">chunk</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">stdout</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="nx">chunk</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The client is smart about protocol negotiation. It uses <code>Alt-Svc</code> headers to discover HTTP/3 support, and if the server doesn't support it, it falls back gracefully to HTTP/2 and then HTTP/1.1. No code changes, no error handling — it just works.</p> <h3> Multi-Domain Hosting with SNI </h3> <p>Running multiple domains on one server? QUICO supports <code>SNICallback</code>, just like <code>node:https</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">quico</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">quico</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">tls</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lemon-tls</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">quico</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="nc">SNICallback</span><span class="p">(</span><span class="nx">servername</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createSecureContext</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`certs/</span><span class="p">${</span><span class="nx">servername</span><span class="p">}</span><span class="s2">.key`</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="s2">`certs/</span><span class="p">${</span><span class="nx">servername</span><span class="p">}</span><span class="s2">.crt`</span><span class="p">)</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">handler</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">4433</span><span class="p">);</span> </code></pre> </div> <p>Same pattern, same mental model. One server, many domains, now over HTTP/3.</p> <h2> WebTransport: The Real Upgrade from WebSocket </h2> <p>If you've ever built a real-time application — chat, gaming, live dashboards, collaborative editing — you've probably used WebSocket. And you've probably struggled with it.</p> <p>WebSocket has fundamental limitations that no amount of library code can fix:</p> <p><strong>It runs on TCP</strong>, which means it suffers from the same head-of-line blocking we talked about. If one message stalls, every message behind it stalls too. For a chat app, maybe that's acceptable. For a game where you need 60 updates per second, it's painful.</p> <p><strong>Everything is reliable and ordered</strong>, even when you don't want it to be. In a game, you don't care about the player's position from 200ms ago — you want the <em>latest</em> position. But WebSocket will dutifully deliver every single update in order, even the stale ones.</p> <p><strong>No multiplexing.</strong> Want to send different types of data — chat messages on one channel, game state on another, voice data on a third? With WebSocket, it's all one stream. You end up building your own multiplexing layer on top.</p> <p><strong>WebTransport</strong> solves all of this. It's built on top of QUIC and gives you:</p> <ul> <li> <strong>Bidirectional streams</strong> — like WebSocket, but multiplexed. Open as many independent channels as you need.</li> <li> <strong>Unidirectional streams</strong> — when you only need to send data one way.</li> <li> <strong>Unreliable datagrams</strong> — fire-and-forget messages with no head-of-line blocking. Perfect for game state, sensor data, or anything where the latest value is all that matters.</li> </ul> <p>And because it runs over QUIC, you get all the benefits: no head-of-line blocking between streams, encrypted by default, and resilient to network changes.</p> <p>Here's what a WebTransport server looks like with QUICO:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">quico</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">quico</span><span class="dl">'</span><span class="p">;</span> <span class="nx">quico</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">KEY</span><span class="p">,</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">CERT</span> <span class="p">},</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">:protocol</span><span class="dl">'</span><span class="p">]</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">webtransport</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Accept the WebTransport session</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">);</span> <span class="c1">// Handle bidirectional streams from the client</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">stream</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">stream</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">chunk</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Received:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">chunk</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">Acknowledged</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">end</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">end</span><span class="p">());</span> <span class="p">});</span> <span class="c1">// Handle unreliable datagrams</span> <span class="nx">req</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">datagram</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Process real-time data (game state, sensor data, etc.)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">sendDatagram</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="c1">// echo back</span> <span class="p">});</span> <span class="c1">// The server can also open streams toward the client</span> <span class="kd">const</span> <span class="nx">push</span> <span class="o">=</span> <span class="nx">res</span><span class="p">.</span><span class="nf">createBidirectionalStream</span><span class="p">();</span> <span class="nx">push</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">Welcome! Server-initiated stream.</span><span class="dl">'</span><span class="p">);</span> <span class="nx">push</span><span class="p">.</span><span class="nf">end</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Regular HTTP/3 request</span> <span class="nx">res</span><span class="p">.</span><span class="nf">writeHead</span><span class="p">(</span><span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">text/plain</span><span class="dl">'</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">end</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello HTTP/3!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">listen</span><span class="p">(</span><span class="mi">4433</span><span class="p">);</span> </code></pre> </div> <p>And on the client side — in the browser — you use the standard WebTransport API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">wt</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebTransport</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://yourserver.com:4433/live</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nx">wt</span><span class="p">.</span><span class="nx">ready</span><span class="p">;</span> <span class="c1">// Reliable bidirectional stream (like WebSocket, but multiplexed)</span> <span class="kd">const</span> <span class="nx">stream</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">wt</span><span class="p">.</span><span class="nf">createBidirectionalStream</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">writer</span> <span class="o">=</span> <span class="nx">stream</span><span class="p">.</span><span class="nx">writable</span><span class="p">.</span><span class="nf">getWriter</span><span class="p">();</span> <span class="k">await</span> <span class="nx">writer</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello</span><span class="dl">'</span><span class="p">));</span> <span class="c1">// Unreliable datagrams (like UDP — latest value wins)</span> <span class="kd">const</span> <span class="nx">dgramWriter</span> <span class="o">=</span> <span class="nx">wt</span><span class="p">.</span><span class="nx">datagrams</span><span class="p">.</span><span class="nx">writable</span><span class="p">.</span><span class="nf">getWriter</span><span class="p">();</span> <span class="k">await</span> <span class="nx">dgramWriter</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">().</span><span class="nf">encode</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">x</span><span class="p">:</span> <span class="nx">player</span><span class="p">.</span><span class="nx">x</span><span class="p">,</span> <span class="na">y</span><span class="p">:</span> <span class="nx">player</span><span class="p">.</span><span class="nx">y</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="p">})));</span> </code></pre> </div> <p>Notice that the browser-side code uses the <strong>standard WebTransport API</strong> — no special client library needed. QUICO on the server, native browser API on the client. That's it.</p> <p>For testing without a browser, QUICO also includes a Node.js WebTransport client with the same API, so you can write integration tests entirely in Node.</p> <h2> What's Under the Hood </h2> <p>You might be wondering: how does a pure JavaScript library implement a protocol as complex as QUIC?</p> <p>QUICO implements the full stack from the ground up:</p> <ul> <li> <strong>UDP layer</strong> — uses Node's built-in <code>dgram</code> module for raw UDP sockets</li> <li> <strong>QUIC transport</strong> (RFC 9000) — packet parsing, frame encoding, connection IDs, ACK processing, flow control, and key rotation</li> <li> <strong>TLS 1.3</strong> — handled by <a href="https://github.com/colocohen/lemon-tls" rel="noopener noreferrer">LemonTLS</a>, a pure JavaScript TLS implementation that provides the cryptographic layer QUIC requires (AES-128-GCM, AES-256-GCM, X25519, P-256, P-384)</li> <li> <strong>HTTP/3</strong> (RFC 9114) — request/response mapping onto QUIC streams</li> <li> <strong>QPACK</strong> (RFC 9204) — header compression with static and dynamic tables</li> <li> <strong>WebTransport</strong> (RFC 9297) — bidirectional streams, unidirectional streams, and datagrams</li> </ul> <p>No OpenSSL. No native code. Every packet, every frame, every byte is JavaScript you can step through in a debugger.</p> <p>The fact that this is all JavaScript means something important for you as a developer: <strong>you can actually understand what's happening</strong>. If something goes wrong, you can set a breakpoint and trace it. You can't do that with a C++ QUIC library.</p> <h3> Tested Against the Real World </h3> <p>This isn't a spec-only implementation. QUICO has been tested for interoperability against the QUIC implementations powering real production traffic:</p> <ul> <li> <strong>Google</strong> — the creators of QUIC</li> <li> <strong>Cloudflare</strong> — one of the largest HTTP/3 deployments in the world</li> <li><strong>Facebook / Meta</strong></li> <li><strong>Microsoft</strong></li> <li> <strong>nginx</strong> — the QUIC-enabled branch</li> </ul> <p>When you use QUICO to connect to these servers, it works. When these servers connect to your QUICO server, it works. That level of interoperability matters.</p> <h2> How to Test Locally </h2> <p>QUIC requires TLS 1.3 with ECDSA certificates. Regular self-signed RSA certificates won't work. The easiest way to set up local development is with <a href="https://github.com/FiloSottile/mkcert" rel="noopener noreferrer">mkcert</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install mkcert (one-time setup)</span> brew <span class="nb">install </span>mkcert <span class="c"># macOS</span> <span class="c"># or: choco install mkcert # Windows</span> <span class="c"># or: apt install mkcert # Linux</span> <span class="c"># Create a local CA and generate certificates</span> mkcert <span class="nt">-install</span> mkcert localhost 127.0.0.1 ::1 </code></pre> </div> <p>This creates <code>localhost+2.pem</code> and <code>localhost+2-key.pem</code> files that QUICO can use directly.</p> <p>To test with curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--http3</span> https://localhost:4433 <span class="nt">--insecure</span> </code></pre> </div> <p>To test with Chrome:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>chrome <span class="nt">--enable-quic</span> <span class="nt">--quic-version</span><span class="o">=</span>h3 <span class="se">\</span> <span class="nt">--origin-to-force-quic-on</span><span class="o">=</span>localhost:4433 <span class="se">\</span> https://localhost:4433 </code></pre> </div> <h2> What You Get Today </h2> <p>QUICO gives you a fully working HTTP/3 server and client with QPACK header compression, WebTransport (bidirectional streams, unidirectional streams, and datagrams), automatic H3 → H2 → H1 fallback, and drop-in compatibility with Express, Fastify, and Koa. TLS 1.3 is handled internally with support for multiple cipher suites and key exchange algorithms.</p> <p>It's been tested for interoperability against Google, Cloudflare, Facebook, Microsoft, and nginx — the same servers handling real production traffic today.</p> <p>The library is in active development and improving fast. Check the <a href="https://github.com/colocohen/quico" rel="noopener noreferrer">GitHub repo</a> for the latest status and to follow along.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>quico </code></pre> </div> <p>If you have an existing HTTPS server, the migration is one line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code><span class="gd">- import https from 'node:https'; </span><span class="gi">+ import quico from 'quico'; </span><span class="err"> </span><span class="gd">- https.createServer({ key, cert }, app).listen(443); </span><span class="gi">+ quico.createServer({ key, cert }, app).listen(4433); </span></code></pre> </div> <p>Everything else stays the same.</p> <p><strong>Resources:</strong></p> <ul> <li>📦 <a href="https://www.npmjs.com/package/quico" rel="noopener noreferrer">npm — quico</a> </li> <li>💻 <a href="https://github.com/colocohen/quico" rel="noopener noreferrer">GitHub — quico</a> </li> <li>📘 <a href="https://www.rfc-editor.org/rfc/rfc9000" rel="noopener noreferrer">QUIC RFC 9000</a> </li> <li>📘 <a href="https://www.rfc-editor.org/rfc/rfc9114" rel="noopener noreferrer">HTTP/3 RFC 9114</a> </li> </ul> <h2> Why This Matters </h2> <p>We're at an interesting moment in web infrastructure. HTTP/3 and QUIC aren't future technology — they're <em>current</em> technology that most servers haven't adopted yet. The browsers are ready. The protocols are standardized. The big players are already there.</p> <p>The gap has been tooling. For Node.js developers specifically, there hasn't been a simple path to HTTP/3. QUICO fills that gap.</p> <p>Your users are already on networks where QUIC makes a real difference — WiFi with interference, cellular with handoffs, VPNs with added latency. The improvements aren't theoretical: faster handshakes, no head-of-line blocking, connections that survive network switches.</p> <p>And the best part? You don't have to rewrite anything to get there.</p> webdev node javascript Aviv Cohen Thu, 16 Apr 2026 00:27:03 +0000 https://forem.com/colocohen/webrtc-works-great-in-demos-in-production-it-falls-apart-heres-the-fix-f9h https://forem.com/colocohen/webrtc-works-great-in-demos-in-production-it-falls-apart-heres-the-fix-f9h <p>You've seen the WebRTC demo. Two browsers, a few lines of code, and suddenly there's a video call running peer-to-peer. No server in the middle, no third-party SDK, just the browser's built-in API. Magic.</p> <p>Then you try to build an actual product with it.</p> <p>The camera toggle breaks the call. Adding screen share crashes the negotiation. One user switches from WiFi to cellular and disappears. The DataChannel fills up and the app freezes. You spend three days debugging an issue that only happens when both peers add a track at the same time. You Google "WebRTC glare" and find a 40-line code snippet from MDN that still doesn't cover all edge cases.</p> <p>This is the WebRTC experience for virtually every developer who's tried to build something real with it. The demos work. The products don't. And the gap between "demo" and "product" is enormous.</p> <h2> Why WebRTC Breaks in the Real World </h2> <p>The browser's <code>RTCPeerConnection</code> API is a low-level protocol binding. It gives you access to every knob and lever of the WebRTC protocol — but it also expects <em>you</em> to coordinate them all correctly. And the coordination is where everything goes wrong.</p> <h3> Glare: The Bug Nobody Warns You About </h3> <p>This is the most common and least understood WebRTC failure. Here's what happens:</p> <p>Both peers want to renegotiate at the same time. Maybe one user turns on their camera while the other starts screen sharing. Both sides call <code>createOffer()</code> and send it. Now each peer receives an offer while it's already in the "have-local-offer" state.</p> <p>The WebRTC spec calls this <strong>glare</strong>. The native API doesn't handle it. It just throws an error or silently corrupts the state. The MDN documentation has a "perfect negotiation" pattern that tries to solve this — but it's 40 lines of tricky code, it doesn't handle all edge cases, and it behaves differently across browsers.</p> <p>In a two-person call, glare happens every time both users change their media simultaneously. In a group call, it happens constantly.</p> <h3> Signals That Arrive Out of Order </h3> <p>The native API assumes that signaling messages — offers, answers, ICE candidates — arrive in exactly the order they were sent. If an ICE candidate arrives before the offer it belongs to, <code>addIceCandidate()</code> silently fails. The connection never establishes, and there's no error message telling you why.</p> <p>On a perfect WebSocket connection, messages arrive in order. But in the real world, signaling might go through HTTP, through a message queue, through a serverless function, or through any transport that doesn't guarantee ordering. One message taking 10ms longer than another is enough to break everything.</p> <h3> Renegotiation Storms </h3> <p>User turns on camera → negotiation starts. User immediately toggles mic → another negotiation needed. The first negotiation is still in flight. Now the SDP state is confused — the second negotiation is based on a description that hasn't been applied yet.</p> <p>This happens every time users quickly toggle media, and it's especially bad during the first few seconds of a call when everyone is adjusting their settings. The result: corrupted state, dropped tracks, or a call that just stops working.</p> <h3> The Connection Dropped — Now What? </h3> <p>User walks from one room to another. WiFi signal drops for two seconds, reconnects. In a normal app, this would be seamless. In WebRTC, the ICE candidates expire, the connection state goes to "disconnected" or "failed", and... now what?</p> <p>The native API gives you <code>iceConnectionState</code> — a string that changes. It doesn't give you <code>disconnect</code> or <code>reconnect</code> events. It doesn't automatically restart ICE. It doesn't tell you whether the connection is recoverable or dead. Building a "reconnecting..." UI requires polling the state, debouncing transitions, and guessing.</p> <h3> SDP: 4KB of Text for a Simple Connection </h3> <p>Every WebRTC offer and answer includes a Session Description Protocol (SDP) blob. For a simple DataChannel-only connection, this is 2-3KB of text. Add video and it's 4KB+. Add simulcast and you're looking at massive text blocks that need to be sent through your signaling server.</p> <p>This isn't just wasted bandwidth — it's a real problem for transport-constrained signaling. If you're using MQTT, SMS, or any size-limited transport, SDP becomes a bottleneck.</p> <h3> No Telemetry Without Pain </h3> <p>Want to show the user their connection quality? Bitrate? Packet loss? Resolution? The native API gives you <code>getStats()</code> — a function that returns 30+ different report types. You need to poll it manually, iterate through the reports, match them to the correct stream by MID, compute deltas between polls, and correlate inbound and outbound reports.</p> <p>Every app with a quality indicator reimplements this logic. Every implementation has bugs.</p> <h2> stable-webrtc: All of This, Handled </h2> <p><a href="https://github.com/colocohen/stable-webrtc" rel="noopener noreferrer"><strong>stable-webrtc</strong></a> is a library that wraps <code>RTCPeerConnection</code> and handles all of the above internally. The API is simple — the hard problems happen behind the scenes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>stable-webrtc </code></pre> </div> <h3> The Simplest WebRTC Connection </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">peer1</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">();</span> <span class="kd">var</span> <span class="nx">peer2</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">();</span> <span class="c1">// Relay signaling (in production: WebSocket, HTTP, MQTT, anything)</span> <span class="nx">peer1</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">peer2</span><span class="p">.</span><span class="nf">signal</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="nx">peer2</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">peer1</span><span class="p">.</span><span class="nf">signal</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="c1">// Connected</span> <span class="nx">peer1</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">peer1</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from peer1!</span><span class="dl">'</span><span class="p">));</span> <span class="nx">peer2</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">msg</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Received:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">msg</span><span class="p">.</span><span class="nf">toString</span><span class="p">()));</span> </code></pre> </div> <p>No role assignment. No ICE configuration. No state machine management. Just create two peers, connect their signaling, and it works.</p> <p>Notice what's missing: there's no "who is the initiator?" decision. Both peers embed a random nonce in their signaling messages. The peer with the higher nonce becomes the initiator automatically. Roles are resolved before any SDP is generated — eliminating an entire class of bugs at the source.</p> <h2> A Video Call That Actually Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">peer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">();</span> <span class="c1">// Signaling</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="nx">msg</span> <span class="o">=&gt;</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">signal</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="c1">// Send camera</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">mediaDevices</span><span class="p">.</span><span class="nf">getUserMedia</span><span class="p">({</span> <span class="na">video</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">audio</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">stream</span> <span class="o">=&gt;</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">addStream</span><span class="p">(</span><span class="nx">stream</span><span class="p">));</span> <span class="c1">// Receive remote video</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">stream</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">mediaStream</span><span class="p">,</span> <span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">video</span><span class="dl">'</span><span class="p">).</span><span class="nx">srcObject</span> <span class="o">=</span> <span class="nx">mediaStream</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>That's a working video call. But the real test isn't whether it connects — it's what happens next:</p> <p><strong>User toggles camera off and on?</strong> Handled. The library serializes all negotiations through a 6-state machine. Only one negotiation happens at a time. If a new track change arrives while one is in flight, it queues and coalesces.</p> <p><strong>Both users add a track simultaneously?</strong> Handled. Glare is resolved via epoch-rotating politeness — one side always yields, and who yields alternates to prevent starvation. No deadlocks, no dropped tracks.</p> <p><strong>User switches WiFi to cellular?</strong> Handled. The library monitors connection state and automatically triggers ICE restart with configurable timeouts and backoff.</p> <p><strong>Screen share added on top of camera?</strong> Handled. The tagged streams API keeps everything organized:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Camera</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">mediaDevices</span><span class="p">.</span><span class="nf">getUserMedia</span><span class="p">({</span> <span class="na">video</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">audio</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">stream</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">stream</span><span class="p">(</span><span class="dl">'</span><span class="s1">camera</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">video_track</span><span class="p">:</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">getVideoTracks</span><span class="p">()[</span><span class="mi">0</span><span class="p">],</span> <span class="na">audio_track</span><span class="p">:</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">getAudioTracks</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Screen share</span> <span class="nb">navigator</span><span class="p">.</span><span class="nx">mediaDevices</span><span class="p">.</span><span class="nf">getDisplayMedia</span><span class="p">({</span> <span class="na">video</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">then</span><span class="p">(</span><span class="nx">stream</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">stream</span><span class="p">(</span><span class="dl">'</span><span class="s1">screen</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">video_track</span><span class="p">:</span> <span class="nx">stream</span><span class="p">.</span><span class="nf">getVideoTracks</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Stop screen share — just null the track</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">stream</span><span class="p">(</span><span class="dl">'</span><span class="s1">screen</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">video_track</span><span class="p">:</span> <span class="kc">null</span> <span class="p">});</span> <span class="c1">// On the receiving side, you know what each stream is</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">stream</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">mediaStream</span><span class="p">,</span> <span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">tag_id</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">camera</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">camera</span><span class="dl">'</span><span class="p">).</span><span class="nx">srcObject</span> <span class="o">=</span> <span class="nx">mediaStream</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">tag_id</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">screen</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">screen</span><span class="dl">'</span><span class="p">).</span><span class="nx">srcObject</span> <span class="o">=</span> <span class="nx">mediaStream</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>No transceiver management, no m-line ordering bugs, no SDP manipulation. Tag your streams with a name, and the library handles the rest.</p> <h2> Connection Status Without Polling </h2> <p>Building a "reconnecting..." indicator with the native API requires polling <code>iceConnectionState</code>, debouncing rapid transitions, and writing custom logic. With <code>stable-webrtc</code>, it's events:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">showStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">Connected</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">disconnect</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">showStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">Reconnecting (</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">info</span><span class="p">.</span><span class="nx">reason</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">)...</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// ICE restart happens automatically — nothing to do</span> <span class="p">});</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">reconnect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">showStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">Connected</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">showStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">Disconnected</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>When the connection drops, the library starts an automatic ICE restart sequence: wait 3 seconds (configurable) in case it recovers naturally, then restart ICE, up to 5 retries with backoff. If it recovers, you get a <code>reconnect</code> event. If it doesn't, you get <code>close</code>. Your code just updates the UI.</p> <h2> Per-Stream Quality Metrics — No getStats() Wrestling </h2> <p>Showing bitrate, packet loss, or resolution per stream normally requires polling <code>getStats()</code>, parsing 30+ report types, matching by MID, and computing deltas. With <code>stable-webrtc</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">streamstats</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">tagId</span><span class="p">,</span> <span class="nx">direction</span><span class="p">,</span> <span class="nx">stats</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">direction</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">receiving</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nf">showBitrate</span><span class="p">(</span><span class="nx">tagId</span><span class="p">,</span> <span class="nx">stats</span><span class="p">.</span><span class="nx">video</span><span class="p">.</span><span class="nx">bitrate</span><span class="p">);</span> <span class="nf">showFPS</span><span class="p">(</span><span class="nx">tagId</span><span class="p">,</span> <span class="nx">stats</span><span class="p">.</span><span class="nx">video</span><span class="p">.</span><span class="nx">fps</span><span class="p">);</span> <span class="nf">showResolution</span><span class="p">(</span><span class="nx">tagId</span><span class="p">,</span> <span class="nx">stats</span><span class="p">.</span><span class="nx">video</span><span class="p">.</span><span class="nx">width</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">x</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">stats</span><span class="p">.</span><span class="nx">video</span><span class="p">.</span><span class="nx">height</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">stats</span><span class="p">.</span><span class="nx">video</span><span class="p">.</span><span class="nx">packetLoss</span> <span class="o">&gt;</span> <span class="mi">5</span><span class="p">)</span> <span class="p">{</span> <span class="nf">showQualityWarning</span><span class="p">(</span><span class="nx">tagId</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Each <code>streamstats</code> event gives you <code>{ bitrate, fps, width, height, codec, packetLoss, jitter }</code> for both video and audio, per tagged stream. The library handles the polling, the delta computation, and the report-to-stream matching internally.</p> <p>Want to check the connection type and latency?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connectioninfo</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">type</span><span class="p">);</span> <span class="c1">// 'direct-udp', 'direct-tcp', 'relayed'</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">rtt</span><span class="p">);</span> <span class="c1">// 12.3 (milliseconds)</span> <span class="p">});</span> </code></pre> </div> <h2> SDP Compression: 3KB → 50 Bytes </h2> <p>This is a detail that most developers don't think about, but it matters. Every time you renegotiate (add a track, switch camera, start screen share), a new SDP offer is generated and sent through your signaling server. A typical offer is 3-4KB of text.</p> <p><code>stable-webrtc</code> compresses every signaling message using four competing strategies — compact binary encoding, diff against previous SDP, deflate compression, and diff+deflate. The smallest payload wins automatically.</p> <p>The result: a typical renegotiation (adding a video track) goes from 3KB to about 50-100 bytes. That's small enough for a single UDP packet, an MQTT message, or even an SMS.</p> <p>And once the DataChannel is open, signaling messages automatically route through the peer-to-peer connection itself — bypassing your server entirely. Renegotiation latency drops to the raw round-trip time between peers.</p> <h2> Mesh Networks: N Peers </h2> <p>Building a group call? Each participant maintains a connection to every other participant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">peers</span> <span class="o">=</span> <span class="p">{};</span> <span class="kd">function</span> <span class="nf">connectTo</span><span class="p">(</span><span class="nx">remoteId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">peer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">();</span> <span class="nx">peers</span><span class="p">[</span><span class="nx">remoteId</span><span class="p">]</span> <span class="o">=</span> <span class="nx">peer</span><span class="p">;</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">server</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="nx">remoteId</span><span class="p">,</span> <span class="na">signal</span><span class="p">:</span> <span class="nx">data</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello from </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">myId</span><span class="p">);</span> <span class="p">});</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">stream</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">mediaStream</span><span class="p">,</span> <span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">addVideoElement</span><span class="p">(</span><span class="nx">remoteId</span><span class="p">,</span> <span class="nx">mediaStream</span><span class="p">);</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">peer</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// When signaling arrives from the server</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">fromId</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">peers</span><span class="p">[</span><span class="nx">fromId</span><span class="p">])</span> <span class="nf">connectTo</span><span class="p">(</span><span class="nx">fromId</span><span class="p">);</span> <span class="nx">peers</span><span class="p">[</span><span class="nx">fromId</span><span class="p">].</span><span class="nf">signal</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Each connection independently handles its own glare resolution, ICE management, and media negotiation. No centralized coordinator needed.</p> <h2> Works in Node.js Too </h2> <p><code>stable-webrtc</code> isn't browser-only. In Node.js, pass a WebRTC binding:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">wrtc</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@roamhq/wrtc</span><span class="dl">'</span><span class="p">);</span> <span class="kd">var</span> <span class="nx">peer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">({</span> <span class="na">wrtc</span><span class="p">:</span> <span class="nx">wrtc</span> <span class="p">});</span> </code></pre> </div> <p>Same API, same behavior. This is useful for building server-side recording, media processing pipelines, testing infrastructure, or any scenario where you need a WebRTC peer that isn't a browser.</p> <h2> Security: Verifying Who You're Talking To </h2> <p>Every WebRTC connection creates a short-lived DTLS certificate. Normally, you trust that your signaling server hasn't been compromised. But for sensitive applications — messaging, payments, healthcare — you can verify the peer's identity cryptographically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">fingerprints</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">localFP</span><span class="p">,</span> <span class="nx">remoteFP</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Both peers see both fingerprints</span> <span class="c1">// You can sign them with your app's identity key</span> <span class="c1">// and verify the other side did the same</span> <span class="c1">// → proof that no MITM tampered with the connection</span> <span class="p">});</span> </code></pre> </div> <p>This is optional — connections work without it. But it's there when you need it.</p> <h2> What's Actually Inside </h2> <p>Under the simple API, here's what <code>stable-webrtc</code> is managing for you:</p> <p><strong>A 6-state negotiation machine</strong> that serializes all offer/answer exchanges, preventing concurrent negotiations from corrupting SDP state.</p> <p><strong>Epoch-rotating glare resolution</strong> where which peer yields alternates with each successful negotiation, preventing both starvation and deadlocks.</p> <p><strong>ICE candidate queueing</strong> that holds candidates per-ufrag until the remote description is applied, then drains them in the right order.</p> <p><strong>Transceiver recycling</strong> that reuses inactive transceivers instead of stopping them, keeping m-line ordering stable across renegotiations.</p> <p><strong>DataChannel backpressure</strong> with bounded queues, watermark-based pacing, and drain notifications to prevent memory bloat during high-throughput data transfer.</p> <p><strong>Automatic ICE restart</strong> with configurable timeouts, retry limits, and exponential backoff.</p> <p><strong>SDP compression</strong> with four competing strategies and automatic checksum verification.</p> <p><strong>Connection telemetry</strong> computed from <code>getStats()</code> with proper delta calculation, report matching, and per-stream aggregation.</p> <p>All of this runs internally. You never see it. You just get a connection that works.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>stable-webrtc </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">var</span> <span class="nx">peer</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StableWebRTC</span><span class="p">();</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">signal</span><span class="dl">'</span><span class="p">,</span> <span class="nx">data</span> <span class="o">=&gt;</span> <span class="nf">sendToRemotePeer</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connect</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Connected!</span><span class="dl">'</span><span class="p">));</span> <span class="nx">peer</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">msg</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Received:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">msg</span><span class="p">));</span> </code></pre> </div> <p><strong>Resources:</strong></p> <ul> <li>📦 <a href="https://www.npmjs.com/package/stable-webrtc" rel="noopener noreferrer">npm — stable-webrtc</a> </li> <li>💻 <a href="https://github.com/colocohen/stable-webrtc" rel="noopener noreferrer">GitHub — stable-webrtc</a> </li> </ul> <h2> The Point </h2> <p>WebRTC is an incredible technology. Peer-to-peer video, audio, and data in the browser, with no plugins and no intermediary servers. But the native API was designed for protocol implementers, not application developers. The gap between "it connects in a demo" and "it works reliably in production" is measured in months of debugging.</p> <p>That gap doesn't need to exist. The hard problems — glare, renegotiation, signaling order, ICE management, SDP bloat, telemetry — are solvable. They just need to be solved once, in a library, instead of in every application that touches WebRTC.</p> <p>That's what <code>stable-webrtc</code> does. All the hard parts, handled. All the simple parts, simple.</p> webrtc node webdev javascript Aviv Cohen Thu, 16 Apr 2026 00:24:54 +0000 https://forem.com/colocohen/stop-using-certbot-manage-ssl-certificates-from-your-nodejs-code-32i1 https://forem.com/colocohen/stop-using-certbot-manage-ssl-certificates-from-your-nodejs-code-32i1 <p>You know the ritual. You spin up a new server, install certbot, run the command, hope it works, set up a cron job for renewal, pray it doesn't silently fail three months later at 3am, and if it does — your users wake up to a scary browser warning and you wake up to a panicked Slack message.</p> <p>And that's the <em>good</em> scenario. The bad scenario is when you're running Node.js behind nginx just for SSL termination. Your app handles everything — routing, middleware, WebSockets, API logic — but nginx sits in front of it for one reason: HTTPS certificates. An entire reverse proxy, with its own configuration language, its own process, its own failure modes, just to handle TLS.</p> <p>Or maybe you've gone the cloud route. You pay for AWS Certificate Manager or Cloudflare's managed certificates. They work great — until you need a certificate for something that isn't behind their load balancer. An internal service, a custom protocol, a TURN server, a mail server.</p> <p>What if your Node.js app could just... get its own certificates? Automatically? Without any external tools?</p> <h2> ACME: The Protocol Behind Let's Encrypt </h2> <p>Before we look at code, it helps to understand what's actually happening when you get a free SSL certificate.</p> <p>Let's Encrypt (and ZeroSSL, and other free CAs) use a protocol called <strong>ACME</strong> — Automatic Certificate Management Environment (RFC 8555). It's an API. Your client talks to the CA's server, proves you control a domain, and gets a signed certificate back.</p> <p>The proof of domain control usually works like this: the CA says "put this specific value in a DNS TXT record for your domain." You do it. The CA checks. If the record is there, you clearly control the domain. Certificate issued.</p> <p>The protocol itself isn't complicated. But the <em>implementation</em> is: you need to generate keys, create a signed JWT for every request, encode a CSR in DER format with ASN.1, handle nonce rotation, poll for authorization status, and deal with edge cases like <code>badNonce</code> errors and rate limits.</p> <p>Most developers don't want to learn ASN.1 DER encoding. They just want HTTPS.</p> <h2> cert-manager: HTTPS Certificates in 10 Lines </h2> <p><a href="https://github.com/colocohen/cert-manager" rel="noopener noreferrer"><strong>cert-manager</strong></a> is a zero-dependency ACME client for Node.js. It handles the entire certificate lifecycle — from key generation to renewal — with an event-driven API that hides all the protocol complexity.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>cert-manager </code></pre> </div> <p>Here's a wildcard certificate for your domain:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">ssl</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cert-manager</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">order</span> <span class="o">=</span> <span class="nx">ssl</span><span class="p">.</span><span class="nf">createOrder</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">wildcard</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Set these DNS TXT records at your provider, then:</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Set DNS records:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">records</span><span class="p">);</span> <span class="nf">done</span><span class="p">();</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">cert</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">cert</span><span class="p">);</span> <span class="c1">// Server certificate (PEM)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">ca</span><span class="p">);</span> <span class="c1">// CA chain (PEM)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">key</span><span class="p">);</span> <span class="c1">// Private key (PEM)</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">);</span> <span class="c1">// Expiry date</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> </code></pre> </div> <p>That's it. No manual account creation. No CSR generation. No JWS signing. No nonce management. Everything — key generation, account registration, order creation, DNS challenge setup, verification polling, challenge completion, and certificate download — happens automatically, step by step.</p> <p>You subscribe to events. The library handles the protocol.</p> <h2> What Happens When You Call <code>order.start()</code> </h2> <p>It's worth understanding the flow, because it shows how much complexity the library absorbs:</p> <p><strong>1. Key generation.</strong> Two ECDSA P-256 keys are generated — one for the ACME account, one for the certificate. If you provide existing keys, they're reused.</p> <p><strong>2. Account registration.</strong> The library creates a signed request to the CA, registers an account with your email, and stores the account URL. Next time, it reuses the same account.</p> <p><strong>3. CAA preflight.</strong> Before even starting the order, the library checks your domain's CAA records to make sure the CA is allowed to issue for it. This catches misconfigurations early instead of failing after DNS setup.</p> <p><strong>4. Order creation.</strong> A new certificate order is created with the CA, requesting the domain (and <code>*.domain</code> if wildcard is enabled).</p> <p><strong>5. DNS challenge.</strong> The CA responds with DNS TXT records that need to be set. The library emits the <code>dns</code> event with the exact records and waits for you to call <code>done()</code>.</p> <p><strong>6. Verification.</strong> The library polls DNS (using fallback resolvers 8.8.8.8 and 1.1.1.1) to confirm the records are visible before telling the CA to check. This prevents the common failure mode where the CA checks before DNS has propagated.</p> <p><strong>7. Challenge completion.</strong> The library submits the challenge responses and polls the CA until all authorizations are valid.</p> <p><strong>8. Finalization.</strong> A CSR is generated, signed, DER-encoded, and submitted. The CA signs it and returns the certificate.</p> <p><strong>9. Certificate event.</strong> You get <code>cert.cert</code>, <code>cert.ca</code>, <code>cert.key</code>, and <code>cert.expiresAt</code>. Done.</p> <p>If anything fails along the way — a <code>badNonce</code> error, a timeout, a DNS propagation delay — the library retries automatically. You get an <code>error</code> event only when it's genuinely unrecoverable.</p> <h2> DNS Provider Integration: Use Whatever You Have </h2> <p>The <code>dns</code> event gives you complete control. The library doesn't assume you use a specific DNS provider — it just tells you what records to set and waits for you to call <code>done()</code>. This means any provider with an API works:</p> <p><strong>Cloudflare:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">pending</span> <span class="o">=</span> <span class="nx">records</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">records</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">record</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://api.cloudflare.com/client/v4/zones/</span><span class="p">${</span><span class="nx">ZONE_ID</span><span class="p">}</span><span class="s2">/dns_records`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">CF_TOKEN</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TXT</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">120</span> <span class="p">}),</span> <span class="p">}).</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">--</span><span class="nx">pending</span> <span class="o">&lt;=</span> <span class="mi">0</span><span class="p">)</span> <span class="nf">done</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>AWS Route 53:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">var</span> <span class="nx">changes</span> <span class="o">=</span> <span class="nx">records</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">r</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">Action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UPSERT</span><span class="dl">'</span><span class="p">,</span> <span class="na">ResourceRecordSet</span><span class="p">:</span> <span class="p">{</span> <span class="na">Name</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">Type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TXT</span><span class="dl">'</span><span class="p">,</span> <span class="na">TTL</span><span class="p">:</span> <span class="mi">120</span><span class="p">,</span> <span class="na">ResourceRecords</span><span class="p">:</span> <span class="p">[{</span> <span class="na">Value</span><span class="p">:</span> <span class="s2">`"</span><span class="p">${</span><span class="nx">r</span><span class="p">.</span><span class="nx">value</span><span class="p">}</span><span class="s2">"`</span> <span class="p">}]</span> <span class="p">}</span> <span class="p">}));</span> <span class="nx">route53</span><span class="p">.</span><span class="nf">changeResourceRecordSets</span><span class="p">({</span> <span class="na">HostedZoneId</span><span class="p">:</span> <span class="nx">ZONE_ID</span><span class="p">,</span> <span class="na">ChangeBatch</span><span class="p">:</span> <span class="p">{</span> <span class="na">Changes</span><span class="p">:</span> <span class="nx">changes</span> <span class="p">},</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">done</span><span class="p">());</span> <span class="p">});</span> </code></pre> </div> <p>DigitalOcean, GoDaddy, Namecheap, your own DNS server — if it has an API, it works. You could even use it with <a href="https://github.com/colocohen/dnssec-server" rel="noopener noreferrer">dnssec-server</a> to manage DNS programmatically and complete the challenge without any external API calls at all.</p> <h2> Automatic Renewal: Set It and Forget It </h2> <p>Getting a certificate once is nice. Making sure it renews every 90 days without you thinking about it is what you actually need.</p> <p>The <strong>manager</strong> handles multi-domain certificate management with persistent storage and automatic renewal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">ssl</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cert-manager</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">mgr</span> <span class="o">=</span> <span class="nx">ssl</span><span class="p">.</span><span class="nf">manager</span><span class="p">({</span> <span class="na">dir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./certs</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">wildcard</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">api.example.com</span><span class="dl">'</span><span class="p">);</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">other.com</span><span class="dl">'</span><span class="p">);</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setDnsRecords</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">records</span><span class="p">).</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">done</span><span class="p">());</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">cert</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="dl">'</span><span class="s1">certificate ready!</span><span class="dl">'</span><span class="p">);</span> <span class="nf">reloadServer</span><span class="p">(</span><span class="nx">cert</span><span class="p">);</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">renewing</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">daysLeft</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="dl">'</span><span class="s1">renewing,</span><span class="dl">'</span><span class="p">,</span> <span class="nx">daysLeft</span><span class="p">,</span> <span class="dl">'</span><span class="s1">days left</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> </code></pre> </div> <p>That's a production certificate manager. It stores certificates and keys to disk, tracks expiry dates, and renews 7 days before expiration. On process restart, <code>mgr.start()</code> reads the stored state and picks up where it left off — no need to call <code>add()</code> again.</p> <p>The manager includes protections that come from experience with real-world certificate management: domains are processed one at a time (never parallel, to avoid rate limits), failed domains are throttled (minimum 4 hours between retries), each domain has a 10-minute timeout, and domains that have never been attempted are prioritized.</p> <h2> Zero Dependencies — And What That Actually Means </h2> <p><code>cert-manager</code> uses only Node.js built-in modules. That sounds like a nice-to-have, but for a crypto library it's significant.</p> <p>The ACME protocol requires several cryptographic operations: ECDSA key generation, JWS (JSON Web Signature) creation, CSR generation with ASN.1 DER encoding, and HMAC signing for External Account Binding. Most Node.js ACME libraries pull in <code>node-forge</code>, <code>jose</code>, or other dependencies for these operations.</p> <p><code>cert-manager</code> implements all of it from scratch using <code>node:crypto</code>. The ASN.1 DER encoder, the JWS signer, the CSR builder — all in a few hundred lines of JavaScript. This means:</p> <ul> <li>No supply chain risk from third-party crypto dependencies</li> <li>No version conflicts with other packages in your project</li> <li>The code is small enough to audit (the entire <code>src/</code> directory is seven files)</li> </ul> <h2> Works With Let's Encrypt and ZeroSSL </h2> <p>Let's Encrypt is the default provider, but ZeroSSL works too — useful if you need more certificates than Let's Encrypt's rate limits allow, or if you want a different CA for redundancy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">ssl</span><span class="p">.</span><span class="nf">createOrder</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">zerossl</span><span class="dl">'</span><span class="p">,</span> <span class="na">eab</span><span class="p">:</span> <span class="p">{</span> <span class="na">kid</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_EAB_KID</span><span class="dl">'</span><span class="p">,</span> <span class="na">hmacKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_EAB_HMAC_KEY</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Any ACME-compatible CA will work with the same API.</p> <h2> Testing with Staging </h2> <p>Let's Encrypt has strict rate limits on production certificates. While developing your integration, use the staging environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">ssl</span><span class="p">.</span><span class="nf">createOrder</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">staging</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Uses Let's Encrypt staging — no rate limits</span> <span class="p">});</span> </code></pre> </div> <p>The staging CA issues real certificates signed by a fake root — they'll show browser warnings, but they validate that your entire flow (DNS records, verification, issuance) works correctly before you switch to production.</p> <h2> Putting It All Together: HTTPS Server With Auto-Renewal </h2> <p>Here's what a self-managing HTTPS server looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">ssl</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cert-manager</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">https</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">node:https</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">currentCert</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">mgr</span> <span class="o">=</span> <span class="nx">ssl</span><span class="p">.</span><span class="nf">manager</span><span class="p">({</span> <span class="na">dir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./certs</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">admin@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="dl">'</span><span class="s1">myapp.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">wildcard</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setDnsRecords</span><span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">records</span><span class="p">).</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="nf">done</span><span class="p">());</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">domain</span><span class="p">,</span> <span class="nx">cert</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">currentCert</span> <span class="o">=</span> <span class="nx">cert</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Certificate ready, expires:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">cert</span><span class="p">.</span><span class="nx">expiresAt</span><span class="p">);</span> <span class="p">});</span> <span class="nx">mgr</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> <span class="c1">// Server uses SNICallback to always serve the latest certificate</span> <span class="kd">var</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">https</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">SNICallback</span><span class="p">:</span> <span class="p">(</span><span class="nx">servername</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">currentCert</span><span class="p">)</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">tls</span><span class="dl">'</span><span class="p">).</span><span class="nf">createSecureContext</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">currentCert</span><span class="p">.</span><span class="nx">key</span><span class="p">,</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">currentCert</span><span class="p">.</span><span class="nx">cert</span> <span class="o">+</span> <span class="dl">'</span><span class="se">\n</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">currentCert</span><span class="p">.</span><span class="nx">ca</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">),</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="nx">app</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">443</span><span class="p">);</span> </code></pre> </div> <p>No certbot. No cron. No nginx. The certificate renews itself, and the server picks up the new certificate automatically through <code>SNICallback</code>.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>cert-manager </code></pre> </div> <p>Start with staging to validate your setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">ssl</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cert-manager</span><span class="dl">'</span><span class="p">;</span> <span class="kd">var</span> <span class="nx">order</span> <span class="o">=</span> <span class="nx">ssl</span><span class="p">.</span><span class="nf">createOrder</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">yourdomain.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">you@yourdomain.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">staging</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">dns</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">records</span><span class="p">,</span> <span class="nx">done</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Set these DNS records:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">records</span><span class="p">);</span> <span class="c1">// Set them manually or via API, then:</span> <span class="nf">done</span><span class="p">();</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">certificate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">cert</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">It works! Switch staging to false for production.</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">order</span><span class="p">.</span><span class="nf">start</span><span class="p">();</span> </code></pre> </div> <p><strong>Resources:</strong></p> <ul> <li>📦 <a href="https://www.npmjs.com/package/cert-manager" rel="noopener noreferrer">npm — cert-manager</a> </li> <li>💻 <a href="https://github.com/colocohen/cert-manager" rel="noopener noreferrer">GitHub — cert-manager</a> </li> <li>📘 <a href="https://datatracker.ietf.org/doc/html/rfc8555" rel="noopener noreferrer">RFC 8555 — ACME</a> </li> <li>📘 <a href="https://letsencrypt.org/docs/" rel="noopener noreferrer">Let's Encrypt Documentation</a> </li> </ul> <h2> The Bigger Picture </h2> <p>Certificate management shouldn't be a separate system. It shouldn't require a separate tool, a separate configuration language, a separate daemon running on your server. It's a fundamental part of running an HTTPS service — and it belongs in your application code.</p> <p>When your certificates are managed by the same code that serves your app, everything simplifies. Deployment is one process. Monitoring is one log stream. Renewal is automatic. And when something goes wrong, you debug it the same way you debug everything else — in JavaScript, with the tools you already know.</p> <p>Your server, your certificates, your code. No middlemen.</p> webdev javascript node security Aviv Cohen Thu, 16 Apr 2026 00:22:42 +0000 https://forem.com/colocohen/stop-paying-for-turn-run-your-own-in-nodejs-28ch https://forem.com/colocohen/stop-paying-for-turn-run-your-own-in-nodejs-28ch <p>If you've ever built a WebRTC application, you've hit this wall: two users try to connect, and it works perfectly in your office. Then you deploy, and 15% of your users can't connect at all.</p> <p>The problem is NAT. Most devices sit behind a firewall or router that blocks incoming connections. When two users are both behind NATs, neither can reach the other directly. The WebRTC connection fails silently, and your users stare at a spinner that never goes away.</p> <p>The solution is a <strong>TURN server</strong> — a relay that both peers can reach, which forwards traffic between them. It's the fallback that makes WebRTC work for <em>everyone</em>, not just people on favorable networks.</p> <p>The catch? Running a TURN server has traditionally meant either paying a third-party service ($50–500/month depending on usage) or installing <strong>coturn</strong> — a C daemon with a 3,000-line configuration file, its own database for credentials, and its own deployment and monitoring story.</p> <p>What if your TURN server was just another part of your Node.js app?</p> <h2> Why Your WebRTC App Needs TURN </h2> <p>Let's be clear about when TURN is needed and when it isn't.</p> <p><strong>STUN</strong> (Session Traversal Utilities for NAT) handles the easy case. A user behind a NAT sends a request to a STUN server, which tells them their public IP and port. Armed with this information, most peers can connect directly. STUN is lightweight, stateless, and free — Google runs public STUN servers that anyone can use.</p> <p><strong>TURN</strong> (Traversal Using Relays around NAT) handles the hard case. When both peers are behind <strong>symmetric NATs</strong> — common in corporate networks, university WiFi, and some mobile carriers — direct connection is impossible. No amount of STUN magic will help. The only option is to relay traffic through a server that both sides can reach.</p> <p>How often does this happen? Studies show that <strong>10–20% of WebRTC connections require TURN relay</strong>. On corporate and mobile networks, it can be higher. If you don't have a TURN server, those users simply can't use your app.</p> <p>This is why every production WebRTC application needs TURN — not as a nice-to-have, but as a reliability requirement.</p> <h2> The Current Options Aren't Great </h2> <p><strong>Paying a service:</strong> Twilio, Xirsys, and others offer hosted TURN. They work, but they're expensive at scale. Video traffic through TURN can consume significant bandwidth, and you're paying per gigabyte. For a startup with 1,000 daily users, the bill adds up fast.</p> <p><strong>Running coturn:</strong> The standard open-source option. It's written in C, mature, and feature-complete. But it's also a separate daemon with its own configuration language, its own credential database, its own process management, and its own deployment story. If your stack is Node.js, coturn is a foreign body you have to learn, deploy, and maintain separately.</p> <p><strong>node-turn:</strong> The only Node.js option — but it hasn't been updated in 5 years, supports only basic STUN/TURN, and has no TCP support, no TLS, no hooks, and no production features.</p> <h2> turn-server: STUN/TURN as a Node.js Library </h2> <p><a href="https://github.com/colocohen/turn-server" rel="noopener noreferrer"><strong>turn-server</strong></a> is a complete STUN/TURN implementation — both server and client — built from scratch in JavaScript with zero dependencies. It's not a wrapper around coturn. It's a full implementation of the protocol stack (RFC 8489, RFC 8656, RFC 6062) that you <code>require()</code> into your app.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>turn-server </code></pre> </div> <h3> A Working TURN Server </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nf">createServer</span><span class="p">({</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">mechanism</span><span class="p">:</span> <span class="dl">'</span><span class="s1">long-term</span><span class="dl">'</span><span class="p">,</span> <span class="na">realm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">alice</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">relay</span><span class="p">:</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">externalIp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">203.0.113.5</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3478</span> <span class="p">});</span> </code></pre> </div> <p>That's a production-capable TURN server. Point your WebRTC clients at it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">new</span> <span class="nc">RTCPeerConnection</span><span class="p">({</span> <span class="na">iceServers</span><span class="p">:</span> <span class="p">[{</span> <span class="na">urls</span><span class="p">:</span> <span class="dl">'</span><span class="s1">turn:your-server.com:3478</span><span class="dl">'</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alice</span><span class="dl">'</span><span class="p">,</span> <span class="na">credential</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span> <span class="p">}]</span> <span class="p">});</span> </code></pre> </div> <p>Connections that can go direct will go direct (via STUN). Connections that can't will relay through your server (via TURN). Your users don't know the difference — everything just works.</p> <h2> Production Configuration </h2> <p>The minimal example above works, but a production server needs more control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nf">createServer</span><span class="p">({</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">mechanism</span><span class="p">:</span> <span class="dl">'</span><span class="s1">long-term</span><span class="dl">'</span><span class="p">,</span> <span class="na">realm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">secret</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-shared-secret</span><span class="dl">'</span> <span class="c1">// Time-limited REST API credentials</span> <span class="p">},</span> <span class="na">relay</span><span class="p">:</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">externalIp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">203.0.113.5</span><span class="dl">'</span> <span class="p">},</span> <span class="na">maxConnections</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="na">userQuota</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// Max allocations per user</span> <span class="na">totalQuota</span><span class="p">:</span> <span class="mi">5000</span><span class="p">,</span> <span class="c1">// Max total allocations</span> <span class="na">maxDataSize</span><span class="p">:</span> <span class="mi">65535</span><span class="p">,</span> <span class="c1">// Max packet size</span> <span class="na">idleTimeout</span><span class="p">:</span> <span class="mi">300000</span><span class="p">,</span> <span class="c1">// Clean up dead clients after 5 min</span> <span class="p">});</span> <span class="c1">// Dynamic auth — look up credentials from your database</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">authenticate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">realm</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">db</span><span class="p">.</span><span class="nf">getHmacKey</span><span class="p">(</span><span class="nx">username</span><span class="p">,</span> <span class="nx">realm</span><span class="p">).</span><span class="nf">then</span><span class="p">(</span><span class="nx">key</span> <span class="o">=&gt;</span> <span class="nf">cb</span><span class="p">(</span><span class="nx">key</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// Graceful shutdown</span> <span class="nx">process</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">SIGTERM</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">server</span><span class="p">.</span><span class="nf">drain</span><span class="p">(</span><span class="mi">30000</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">process</span><span class="p">.</span><span class="nf">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// Listen on multiple transports</span> <span class="nx">server</span><span class="p">.</span><span class="nf">listen</span><span class="p">([</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3478</span> <span class="p">},</span> <span class="c1">// UDP + TCP</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5349</span><span class="p">,</span> <span class="na">transport</span><span class="p">:</span> <span class="dl">'</span><span class="s1">tls</span><span class="dl">'</span><span class="p">,</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">CERT</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">KEY</span> <span class="p">},</span> <span class="c1">// TLS</span> <span class="p">]);</span> </code></pre> </div> <p>Notice the <code>secret</code> option — this enables the TURN REST API, which generates time-limited credentials. Instead of storing usernames and passwords, your backend generates temporary credentials per session. This is the standard approach for production WebRTC.</p> <h2> 14 Hooks: Control Every Decision </h2> <p>This is where <code>turn-server</code> really differentiates itself from coturn. Every decision point in the server is exposed as a hook — accept or reject, with full context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Control who can connect</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">accept</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="nf">isAllowed</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">source</span><span class="p">.</span><span class="nx">ip</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// Control who can allocate relay resources</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">beforeAllocate</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nf">isPremiumUser</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">username</span><span class="p">))</span> <span class="p">{</span> <span class="nx">info</span><span class="p">.</span><span class="nx">lifetime</span> <span class="o">=</span> <span class="mi">3600</span><span class="p">;</span> <span class="c1">// Premium users get longer allocations</span> <span class="p">}</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">});</span> <span class="c1">// Control what gets relayed</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">beforeRelay</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">size</span> <span class="o">&lt;</span> <span class="mi">65535</span><span class="p">);</span> <span class="c1">// Drop oversized packets</span> <span class="p">});</span> <span class="c1">// Track usage</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">onRelayed</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">metrics</span><span class="p">.</span><span class="nf">trackBandwidth</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">size</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">direction</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>There are 14 hooks in total, covering every phase: connection acceptance, authentication, authorization, quota checks, allocation, permissions, channel binding, TCP connect, and data relay. If no hook listener is attached, the action is auto-approved — so you only hook what you care about.</p> <p>With coturn, this level of control requires writing C plugins or using external databases with custom schemas. Here, it's JavaScript callbacks.</p> <h2> It's Also a Client </h2> <p>Most TURN libraries are server-only. <code>turn-server</code> includes a complete client implementation — useful for testing, for building server-side WebRTC applications, and for NAT diagnostics.</p> <p><strong>Get your public IP:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">getPublicIP</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="nf">getPublicIP</span><span class="p">((</span><span class="nx">err</span><span class="p">,</span> <span class="nx">info</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Public IP:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">ip</span><span class="p">);</span> <span class="c1">// "203.0.113.42"</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Mapped port:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">info</span><span class="p">.</span><span class="nx">port</span><span class="p">);</span> <span class="c1">// 54321</span> <span class="p">});</span> </code></pre> </div> <p><strong>Detect your NAT type:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">detectNAT</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="nf">detectNAT</span><span class="p">(</span><span class="dl">'</span><span class="s1">stun:stun.example.com:3478</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">result</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">type</span><span class="p">);</span> <span class="c1">// 'full-cone', 'restricted-cone', 'symmetric-or-port-restricted'</span> <span class="p">});</span> </code></pre> </div> <p><strong>Allocate a TURN relay programmatically:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">connect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="nf">connect</span><span class="p">(</span><span class="dl">'</span><span class="s1">turn:turn.example.com:3478</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">alice</span><span class="dl">'</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="dl">'</span><span class="s1">password123</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">socket</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">allocate</span><span class="p">({</span> <span class="na">lifetime</span><span class="p">:</span> <span class="mi">600</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">allocate:success</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Relay address ready</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">peer</span><span class="p">,</span> <span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Data from </span><span class="p">${</span><span class="nx">peer</span><span class="p">.</span><span class="nx">ip</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">peer</span><span class="p">.</span><span class="nx">port</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The client handles auto-refresh of allocations, permissions, and channels, UDP retransmission with exponential backoff, automatic retry on authentication challenges, and DNS SRV resolution.</p> <h2> Performance: Where It Matters </h2> <p>The most common concern with a JavaScript TURN server is performance. Fair question — TURN is a data relay, and relay performance matters.</p> <p>Here's the key insight: 99% of TURN traffic uses <strong>ChannelData</strong> — a minimal 4-byte header format that bypasses the full STUN encoding. It's designed for high-throughput relay with near-zero overhead.</p> <p><code>turn-server</code> decodes ChannelData at <strong>9.3 million messages per second</strong> on a single core using zero-copy <code>Uint8Array.subarray()</code>. The control plane (allocations, permissions, refreshes) uses full STUN encoding at 36K–218K messages per second — but these operations happen a few times per minute, not per packet.</p> <p>For context: a 720p video call uses roughly 100–200 packets per second. A single-core JavaScript TURN server can handle thousands of simultaneous video calls before becoming a bottleneck.</p> <h2> Interoperability: Tested Against the Real World </h2> <p><code>turn-server</code> has been tested in both directions:</p> <p><strong>Its client → coturn server:</strong> Connect to an existing coturn installation, allocate relays, send data. Works.</p> <p><strong>coturn client → its server:</strong> Point coturn's <code>turnutils_uclient</code> at the Node.js server. Works.</p> <p><strong>Chrome/Firefox → its server:</strong> Standard <code>RTCPeerConnection</code> with <code>iceServers</code> configuration. Works.</p> <p>The wire protocol implementation covers all 62 IANA-registered STUN attributes and passes all 22 RFC 5769 test vectors — the standard conformance test for STUN/TURN implementations.</p> <h2> Embed It, Don't Deploy It </h2> <p>The biggest advantage of a Node.js TURN server isn't performance or features — it's <strong>operational simplicity</strong>.</p> <p>Instead of deploying and managing a separate coturn daemon alongside your Node.js app, your TURN server is just another module in your application. Same process, same deployment, same monitoring, same logging, same scaling strategy.</p> <p>Need to authenticate TURN users against your existing user database? It's a callback, not a database schema migration. Need to track bandwidth per user for billing? It's a hook, not a log parser. Need to dynamically adjust quotas? Change a variable, not a configuration file.</p> <p>Your infrastructure, your code, your rules.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>turn-server </code></pre> </div> <p>Minimum viable TURN server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">turn-server</span><span class="dl">'</span><span class="p">;</span> <span class="nf">createServer</span><span class="p">({</span> <span class="na">auth</span><span class="p">:</span> <span class="p">{</span> <span class="na">mechanism</span><span class="p">:</span> <span class="dl">'</span><span class="s1">long-term</span><span class="dl">'</span><span class="p">,</span> <span class="na">realm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">test</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="na">relay</span><span class="p">:</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">externalIp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">YOUR_PUBLIC_IP</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}).</span><span class="nf">listen</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3478</span> <span class="p">});</span> </code></pre> </div> <p>Then in your WebRTC client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">new</span> <span class="nc">RTCPeerConnection</span><span class="p">({</span> <span class="na">iceServers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">urls</span><span class="p">:</span> <span class="dl">'</span><span class="s1">stun:your-server.com:3478</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">urls</span><span class="p">:</span> <span class="dl">'</span><span class="s1">turn:your-server.com:3478</span><span class="dl">'</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">,</span> <span class="na">credential</span><span class="p">:</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span> <span class="p">}</span> <span class="p">]</span> <span class="p">});</span> </code></pre> </div> <p><strong>Resources:</strong></p> <ul> <li>📦 <a href="https://www.npmjs.com/package/turn-server" rel="noopener noreferrer">npm — turn-server</a> </li> <li>💻 <a href="https://github.com/colocohen/turn-server" rel="noopener noreferrer">GitHub — turn-server</a> </li> <li>📘 <a href="https://datatracker.ietf.org/doc/html/rfc8489" rel="noopener noreferrer">RFC 8489 — STUN</a> </li> <li>📘 <a href="https://datatracker.ietf.org/doc/html/rfc8656" rel="noopener noreferrer">RFC 8656 — TURN</a> </li> </ul> turn node devops webrtc Aviv Cohen Wed, 17 Sep 2025 18:57:20 +0000 https://forem.com/colocohen/building-your-own-load-balancer-in-nodejs-on4 https://forem.com/colocohen/building-your-own-load-balancer-in-nodejs-on4 <h2> Why you need a load balancer </h2> <p>Imagine your website suddenly becomes popular. Hundreds or thousands of users are visiting at the same time.<br><br> If all of them land on one server, that server will slow down, maybe even crash.</p> <p>The natural solution is to run more than one server — maybe two, three, or ten — and spread the traffic between them.<br><br> The missing piece is a <strong>“traffic director”</strong> that decides who goes where. That’s what a <strong>load balancer</strong> is: it makes sure no single server carries all the weight.</p> <h2> Different approaches to load balancing </h2> <p>There are several ways to share traffic. Each approach works differently and comes with its own pros and cons:</p> <h3> 1) Reverse Proxy </h3> <p><strong>How it works:</strong> All traffic first goes through one main server — the reverse proxy. It accepts every request and forwards it to another backend server. This can be done at the transport layer or the application layer.</p> <p><strong>Example:</strong> A network load balancer forwarding TCP packets to different machines; or Nginx acting as a reverse proxy for HTTP requests.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Simple to configure.</li> <li>Works with any application.</li> <li>Easy to add features like TLS termination, WebSockets, or header manipulation.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Everything passes through one “gatekeeper.”</li> <li>If that proxy server gets overloaded or is physically far from the user, performance suffers.</li> <li>It can become a single point of failure.</li> </ul> </li> </ul> <h3> 2) Redirector Server </h3> <p><strong>How it works:</strong> Instead of proxying every request forever, the main server can redirect the client to a more specific server or subdomain. For example, the proxy receives the first request, decides that this user should go to eu.example.com, and responds with a redirect. From then on, the client talks directly to that server.</p> <p><strong>Example:</strong> A Node.js server that checks the client’s IP location, then replies: “302 Redirect → us1.example.com” or “eu2.example.com.”</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>After the first step, traffic no longer flows through the main proxy — reducing load on it.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Users still depend on that central server for the first connection.</li> <li>If it’s busy or goes down, new sessions can’t be routed correctly.</li> </ul> </li> </ul> <h3> 3) Anycast / IP‑level routing (used by Cloudflare, Google, etc.) </h3> <p><strong>How it works:</strong> The same IP address is announced from multiple geographic locations using BGP. Internet routing automatically directs users to the nearest announcement.</p> <p><strong>Example:</strong> 1.2.3.4 is announced from Amsterdam and New York; BGP delivers client traffic to the closest point.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Very fast.</li> <li>Automatic.</li> <li>Resilient.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Requires BGP announcements and AS management.</li> <li>Only available to large providers.</li> <li>Not realistic for small companies or developers.</li> </ul> </li> </ul> <h3> 4) DNS-based Routing </h3> <p><strong>How it works:</strong> Your authoritative DNS server returns different IP answers depending on the query (by looking at client subnet via ECS, resolver IP, or other decision inputs). This effectively routes clients to different data centers before any TCP connection happens.</p> <p><strong>Example:</strong> For example.com, US users get 192.0.2.10, EU users get 198.51.100.20.</p> <ul> <li>✅ <strong>Pros:</strong> <ul> <li>Lightweight.</li> <li>Scalable.</li> <li>Avoids a single choke point.</li> </ul> </li> <li>⚠️ <strong>Cons:</strong> <ul> <li>Changes are not instant.</li> <li>Some delay because of caching and resolver behavior.</li> </ul> </li> </ul> <h2> The Best Approach: DNS‑based routing </h2> <p>The most practical way to balance traffic without expensive hardware or complex BGP setups is to <strong>use DNS itself</strong>.<br><br> Every connection on the internet starts with a DNS lookup — so if you control the DNS answers, you control where users connect.</p> <p>Think of DNS as a <strong>super‑lightweight version of HTTP</strong>:</p> <ul> <li>The client asks: <em>“What’s the IP of example.com?”</em> </li> <li>Your authoritative server replies: <em>“Connect to 203.0.113.10.”</em> </li> </ul> <p>One tiny request, one tiny response — no heavy proxy in the middle. </p> <p>By taking advantage of this mechanism, you can decide on the fly:</p> <ul> <li>🌍 Which server is closest to the user (geo-routing).</li> <li>❤️ Which servers are healthy and ready (health-aware routing).</li> <li>⚖️ How to split traffic between servers (weighted or canary testing).</li> </ul> <p>This makes DNS a traffic director built into the internet itself — fast, lightweight, and surprisingly flexible.</p> <p>Most traditional DNS software only gives static answers from a zone file. But if you want dynamic answers — logic that changes per user, per query, per moment — that’s where Node.js shines. With a few lines of JavaScript you can program the authoritative server itself and take full control.</p> <h2> Implementing a DNS‑Based Load Balancer with Node.js </h2> <p>To actually build a DNS‑based load balancer, you need a library that can act as an authoritative DNS server. And in the Node.js ecosystem there’s one library that really makes this possible: <a href="https://www.npmjs.com/package/dnssec-server" rel="noopener noreferrer"><strong>dnssec-server</strong></a>.</p> <p>Unlike traditional DNS software, which mostly relies on static zone files, <code>dnssec-server</code> lets you generate answers programmatically — with the same simplicity as Node’s built‑in HTTP module. That means your application can decide, in real time, what IPs to return. It’s the only Node.js library that brings this level of dynamic control and DNSSEC support out of the box.</p> <p>Here’s how it works at a high level:</p> <ol> <li>📩 A DNS query arrives (for example, <code>example.com</code> type A). </li> <li>⚙️ Your handler function runs, where you can inspect the query, check GeoIP, consult a health map, or apply custom logic. </li> <li>📤 You return one or more answers (<code>A</code> for IPv4, <code>AAAA</code> for IPv6), each with its own TTL. </li> </ol> <p>Let’s see it in practice.</p> <h3> Example 1 — Geo‑based answer (A/AAAA), annotated </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Import the library and GeoIP helper</span> <span class="kd">const</span> <span class="nx">dns_server</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">geoip</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">geoip-lite</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 🌍 Region → IP mapping for both IPv4 (A) and IPv6 (AAAA)</span> <span class="kd">const</span> <span class="nx">EDGES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">192.0.2.10</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:10::10</span><span class="dl">'</span> <span class="p">},</span> <span class="na">eu</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">198.51.100.20</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:20::20</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// 🔍 Simple region picker by country code</span> <span class="kd">function</span> <span class="nf">pickRegion</span><span class="p">(</span><span class="nx">ip</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">looked</span> <span class="o">=</span> <span class="nx">geoip</span><span class="p">.</span><span class="nf">lookup</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> <span class="o">||</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">cc</span> <span class="o">=</span> <span class="nx">looked</span><span class="p">.</span><span class="nx">country</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">US</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">EU</span> <span class="o">=</span> <span class="p">{</span> <span class="na">DE</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">FR</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">NL</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">IT</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">ES</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">PL</span><span class="p">:</span><span class="mi">1</span><span class="p">,</span> <span class="na">SE</span><span class="p">:</span><span class="mi">1</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">EU</span><span class="p">[</span><span class="nx">cc</span><span class="p">]</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">eu</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 🚀 Create the DNS server</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">dns_server</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only handle queries for our domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">==</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nf">pickRegion</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">remoteAddress</span><span class="p">);</span> <span class="c1">// 📡 Add IPv4 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">A</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 📡 Add IPv6 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">AAAA</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Each query for <code>example.com</code> is checked against the user’s IP. We decide if the user is closer to <code>us</code> or <code>eu</code>, then send back both A (IPv4) and AAAA (IPv6) records with a 30s TTL.</p> <h3> Example 2 — Health‑aware answer (skip unhealthy regions), annotated </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Import the library</span> <span class="kd">const</span> <span class="nx">dns_server</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// 🩺 Track health of each region (updated by background checks)</span> <span class="kd">let</span> <span class="nx">health</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span> <span class="na">eu</span><span class="p">:</span><span class="kc">true</span> <span class="p">};</span> <span class="c1">// 🌍 Region → IP mapping</span> <span class="kd">const</span> <span class="nx">EDGES</span> <span class="o">=</span> <span class="p">{</span> <span class="na">us</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">192.0.2.10</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:10::10</span><span class="dl">'</span> <span class="p">},</span> <span class="na">eu</span><span class="p">:</span> <span class="p">{</span> <span class="na">A</span><span class="p">:</span> <span class="dl">'</span><span class="s1">198.51.100.20</span><span class="dl">'</span><span class="p">,</span> <span class="na">AAAA</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2001:db8:20::20</span><span class="dl">'</span> <span class="p">}</span> <span class="p">};</span> <span class="c1">// ⚙️ Function to choose the best healthy region</span> <span class="kd">function</span> <span class="nf">bestRegion</span><span class="p">(){</span> <span class="k">if </span><span class="p">(</span><span class="nx">health</span><span class="p">.</span><span class="nx">eu</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">eu</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">health</span><span class="p">.</span><span class="nx">us</span><span class="p">)</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="dl">'</span><span class="s1">us</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// fallback</span> <span class="p">}</span> <span class="c1">// 🚀 Create the DNS server</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nx">dns_server</span><span class="p">.</span><span class="nf">createServer</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Only handle queries for our domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">==</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">region</span> <span class="o">=</span> <span class="nf">bestRegion</span><span class="p">();</span> <span class="c1">// 📡 Add IPv4 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">A</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 📡 Add IPv6 answer if requested</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span> <span class="o">||</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">ANY</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AAAA</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">30</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="nx">EDGES</span><span class="p">[</span><span class="nx">region</span><span class="p">].</span><span class="nx">AAAA</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>We maintain a small health map that tells us which regions are alive. If EU is healthy we send users there, otherwise they go to US. The logic is simple, but powerful enough to keep traffic flowing smoothly.</p> <h2> Pointing your Domain to Your Node.js Server </h2> <p>The DNS server that answers is not necessarily the same server that hosts your site files. In many cases, you may be using DNS services from your domain registrar (e.g. Namecheap, GoDaddy), a cloud provider (e.g. AWS Route 53, Cloudflare DNS), or traditional DNS software like <strong>BIND</strong> running on a separate server.</p> <p>If you haven’t explicitly set up your own authoritative DNS server, then by default your DNS is being served by one of those services.</p> <p>Here is how to set your domain’s NS (Name Server) records to point to your machine:</p> <p>Everyone who has ever configured a domain has seen something like this:</p> <ul> <li> <code>ns1.example.com</code> → points to IP of your Node.js DNS server. </li> <li> <code>ns2.example.com</code> → secondary server for redundancy.</li> </ul> <p>For example, in Namecheap’s dashboard you would:</p> <ol> <li>Go to <strong>Domain List</strong>. </li> <li>Select your domain, click <strong>Manage</strong>. </li> <li>Under <strong>Nameservers</strong>, choose <strong>Custom DNS</strong>. </li> <li>Enter <code>ns1.example.com</code> and <code>ns2.example.com</code> and IP address for each of them. </li> </ol> <p>Once saved and propagated, queries for your domain will start hitting your Node.js server. From there you have full programmatic control over the answers you return, and that means your DNS layer becomes part of your application logic — agile and reactive, adapting to your needs without relying on third‑party services.</p> <h2> Join the discussion </h2> <p>💬 Have questions? Ideas for improvements? Or maybe you’ve tried building your own DNS‑based load balancer and want to share your experience?<br><br> Feel free to leave a comment or start a discussion — your feedback helps improve the tools and guides for everyone.</p> webdev devops dns kubernetes Aviv Cohen Thu, 11 Sep 2025 04:37:12 +0000 https://forem.com/colocohen/enable-dnssec-support-in-your-nodejs-application-b4j https://forem.com/colocohen/enable-dnssec-support-in-your-nodejs-application-b4j <h2> The Internet Relies on DNS – and That’s Where the Problem Begins </h2> <p>Every visit to a website, every time an app communicates with a server – it all starts with a simple but critical step: <strong>translating a domain name into an IP address</strong>. The DNS system is the phone book of the Internet. Without DNS, we’d be stuck typing long IP numbers instead of easy-to-remember names like <code>example.com</code>.</p> <p>But DNS was born in a different era. In the 1980s, the Internet was still a small academic network. Nobody imagined it would become a global infrastructure supporting banks, governments, e-commerce, and billions of users. As a result, <strong>DNS was designed without cryptographic security</strong>. In simple terms: when you get an answer from DNS – who guarantees it’s really correct?</p> <p>Here lies the problem: an attacker can intercept your query or inject a fake answer, tricking you into visiting a malicious site. This isn’t theoretical – such attacks, known as <strong>DNS Spoofing</strong> or <strong>Cache Poisoning</strong>, have happened many times. A user thinks they are visiting <code>bank.com</code>, but in reality ends up on a fraudulent server.</p> <h2> “But I Have SSL – Isn’t That Enough?” </h2> <p>This is a common misconception. For years the world has moved to HTTPS with SSL/TLS certificates. Shouldn’t that guarantee security?</p> <p>The truth is more nuanced:</p> <ul> <li> <strong>SSL/TLS</strong> protects communication between the user and the server – but only <em>after</em> the user has reached the correct server.</li> <li> <strong>DNSSEC</strong> protects the step before that – ensuring the user even gets to the right server in the first place.</li> </ul> <p>In other words:</p> <ul> <li>DNSSEC makes sure the phone book isn’t lying.</li> <li>TLS ensures the conversation with the right number is encrypted.</li> </ul> <p>In reality, there have been cases where Certificate Authorities (CAs) were compromised, issuing fraudulent certificates. If the user reached the wrong server in the first place, TLS couldn’t save them. That’s where DNSSEC comes in – preventing that initial deception.</p> <h2> The Challenges and Developments in DNSSEC </h2> <p>Although DNSSEC has existed for two decades, adoption is still limited. There are several reasons: existing tools are complex and require deep expertise (like BIND or PowerDNS), awareness among developers is low, support from some TLDs and registrars is incomplete, and business pressure is often lacking – even major sites and banks sometimes don’t implement DNSSEC.</p> <p>That said, the tide is shifting. Services like <strong>Google Public DNS</strong> and <strong>Cloudflare 1.1.1.1</strong> validate DNSSEC by default. Governments around the world are beginning to require public-sector domains to be signed. Organizations like <strong>ICANN</strong> and the IETF continue to push new policies and standards. Research shows steady growth in the number of signed domains, though not yet at a sufficient pace.</p> <p>The importance of DNSSEC in 2025 is clear: threats are increasing – from attacks on databases, to widespread use of insecure public WiFi, to society’s total dependence on the Internet. DNSSEC has gone from a “nice-to-have” to a critical layer of defense. It doesn’t replace SSL – it <strong>complements it</strong>. SSL secures communication with the server, while DNSSEC ensures the user actually reached the right server. Together, they complete the trust chain.</p> <h2> Business and Reputational Benefits of DNSSEC </h2> <p>Beyond the technical advantages, DNSSEC also has reputational and business value:</p> <ul> <li>✅ <strong>Message to customers</strong>: A DNSSEC-signed site signals seriousness and responsibility.</li> <li>✅ <strong>Competitive advantage</strong>: Few sites adopt it, so those who do stand out.</li> <li>✅ <strong>Potential SEO impact</strong>: In the past, Google gradually removed non-SSL sites from search results. It’s possible the same could happen with DNSSEC in the future. The more security measures your site implements, the more you signal – both to people and to algorithms – that you’re authoritative and trustworthy.</li> <li>✅ <strong>Regulatory readiness</strong>: Many governments are beginning to mandate DNSSEC for public institutions. Businesses that adopt it early will be prepared.</li> </ul> <h2> A New Open-Source Library for DNSSEC in Node.js </h2> <p>When I looked for a way to run DNSSEC in a Node.js project, I found no simple tools. Existing libraries like <code>dns-packet</code> can only parse DNS messages – not sign them. Serious solutions exist in other languages, but they require heavy installations.</p> <p>And this is no small issue: Node.js has become a critical foundation for countless Internet services, applications, and websites. When managing a large app with dozens of services, it’s far more convenient and efficient to keep everything inside Node.js – rather than adding external servers just for DNSSEC. The lack of a native Node.js solution is one reason adoption has been so slow.</p> <p>By the way, since this library runs directly on Node.js, you can also manage complementary DevOps services in the same codebase you already use to build and maintain your systems. This centralizes management and reduces reliance on external tools that require extra learning and maintenance – something most developers don’t have the time or attention for.</p> <p>A new open-source project called <a href="https://github.com/colocohen/dnssec-server" rel="noopener noreferrer">dnssec-server</a> was released to fill this gap:</p> <ul> <li>📦 An open-source Node.js library with a simple API.</li> <li>🔐 Real-time signing of every DNS record.</li> <li>⚡ Lightweight and fast – run it as a script without external daemons.</li> <li>🌍 Supports multiple domains and dynamic zones.</li> <li>🛠 Designed for developers – run locally, test, and integrate into your projects.</li> </ul> <h2> Dynamic DNS Responses with Node.js </h2> <p>An important point is that this library isn’t just about DNSSEC. It also allows you to generate <strong>dynamic responses</strong> based on the incoming query. In traditional setups, most DNS servers behave like static HTML websites: they always return the same answer for the same record. With <strong>dnssec-server</strong>, you can behave more like a dynamic PHP site – adjusting responses on the fly depending on context, logic, or external data sources.</p> <p>This opens the door to advanced use cases: geo‑based answers, load balancing logic, conditional records, or even integrating with other Node.js services in real time – all with DNSSEC signing included.</p> <h2> Basic Usage Example </h2> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tls</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">tls</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">DNSServer</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">dnssec-server</span><span class="dl">'</span><span class="p">);</span> <span class="nx">DNSServer</span><span class="p">.</span><span class="nf">createServer</span><span class="p">({</span> <span class="na">tls</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// enable DNS over TLS (DoT) on port 853 by default</span> <span class="na">SNICallback</span><span class="p">:</span> <span class="nf">function </span><span class="p">(</span><span class="nx">servername</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">createSecureContext</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">key.pem</span><span class="dl">'</span><span class="p">),</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">cert.pem</span><span class="dl">'</span><span class="p">)</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="nf">function </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">transport</span><span class="p">}</span><span class="s2">] from </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">remoteAddress</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">remotePort</span><span class="p">}</span><span class="s2"> q=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">type</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="kd">class</span><span class="p">}</span><span class="s2"> DO=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">flag_do</span><span class="p">}</span><span class="s2"> ECS=</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">ecsAddress</span><span class="o">||</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nx">ecsSourcePrefixLength</span><span class="o">||</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">name</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">answers</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">A</span><span class="dl">'</span><span class="p">,</span> <span class="na">class</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IN</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">address</span><span class="p">:</span> <span class="dl">'</span><span class="s1">200.10.10.1</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">header</span><span class="p">.</span><span class="nx">rcode</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// NXDOMAIN</span> <span class="nx">res</span><span class="p">.</span><span class="nx">authority</span><span class="p">.</span><span class="nf">push</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SOA</span><span class="dl">'</span><span class="p">,</span> <span class="na">class</span><span class="p">:</span> <span class="dl">'</span><span class="s1">IN</span><span class="dl">'</span><span class="p">,</span> <span class="na">ttl</span><span class="p">:</span> <span class="mi">300</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">mname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ns1.example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">rname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hostmaster.example.com.</span><span class="dl">'</span><span class="p">,</span> <span class="na">serial</span><span class="p">:</span> <span class="mi">2025081001</span><span class="p">,</span> <span class="na">refresh</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">retry</span><span class="p">:</span> <span class="mi">600</span><span class="p">,</span> <span class="na">expire</span><span class="p">:</span> <span class="mi">604800</span><span class="p">,</span> <span class="na">minimum</span><span class="p">:</span> <span class="mi">300</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>Check with a DNS client (depending on transport):</p> <ul> <li>Classic UDP/TCP on port 53: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> dig @127.0.0.1 example.com +dnssec </code></pre> </div> <ul> <li>DNS over TLS (DoT) on port 853 (e.g., with <code>kdig</code>): </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kdig +tls @127.0.0.1 <span class="nt">-p</span> 853 example.com A +dnssec </code></pre> </div> <p>You’ll get a response with an RRSIG signature when DNSSEC is enabled, proving the data is authentic and hasn’t been altered.</p> <h3> Feels Like Handling HTTP Requests </h3> <p>Notice how similar this is to returning responses for HTTP requests:</p> <ul> <li> <code>req</code> carries details about the incoming DNS query (name, type, class, transport, EDNS flags).</li> <li> <code>res</code> is your response builder: you push answers/authority/additional sections and call <code>res.send()</code>.</li> <li>You can plug in your own logic, read from databases/APIs, implement georouting or A/B switching, and emit different records dynamically — with DNSSEC signing layered on top.</li> <li>DoT via <code>tls</code> + <code>SNICallback</code> mirrors the familiar TLS setup developers already use in web servers.</li> </ul> <p>This programming model lowers the barrier for Node.js teams: the same patterns you use for HTTP services apply to DNS — in code you control, alongside the rest of your stack.</p> <h2> Conclusion </h2> <p>The Internet can’t keep relying on unsigned DNS. More and more organizations – including global DNS providers and governments – are pushing DNSSEC adoption. Yet most websites, even those handling sensitive financial data, still don’t use it.</p> <p>The lack of easy Node.js tools has been a major barrier. <strong>dnssec-server</strong> was built to address this gap and let developers integrate DNSSEC naturally into the Node.js systems they already manage.</p> <p>🔗 <a href="https://github.com/colocohen/dnssec-server" rel="noopener noreferrer">GitHub – dnssec-server</a></p> node security webdev programming