tlsproxy

command module
v0.0.25 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 16, 2023 License: MIT Imports: 9 Imported by: 0

README

pr release CodeQL

TLS Termination Proxy

This repo contains a simple lightweight TLS termination proxy that uses letsencrypt to provide TLS encryption for any number of TCP or HTTP servers and server names concurrently on the same port.

Its functionality is similar to an stunnel server, but without the need to configure and run certbot separately. It is intended to work smoothly with c2fmzq-server, and should also work with most other servers.

Overview of features:

  • Use Let's Encrypt automatically to get TLS certificates (http-01 & tls-alpn-01 challenges).
  • Terminate TLS connections, and forward the data to any TCP server in plaintext.
  • Terminate TLS connections, and forward the data to any TLS server. The data is encrypted in transit, but the proxy sees the plaintext.
  • Terminate TCP connections, and forward the TLS connection to any TLS server (passthrough). The proxy doesn't see the plaintext.
  • Terminate HTTPS connections, and forward the requests to HTTP or HTTPS servers (http/1 only, not recommended with c2fmzq-server).
  • TLS client authentication & authorization (when the proxy terminates the TLS connections).
  • User authentication with OpenID Connect and SAML (for HTTP and HTTPS connections). Optionally issue JSON Web Tokens (JWT) to authenticated users to use with the backend services.
  • Access control by IP address.
  • Routing based on Server Name Indication (SNI), with optional default route when SNI isn't used.
  • Simple round-robin load balancing between servers.
  • Support any ALPN protocol in TLS, TLSPASSTHROUGH, or TCP mode.
  • Use the same TCP address (IPAddr:port) for any number of server names, e.g. foo.example.com and bar.example.com on the same xxx.xxx.xxx.xxx:443.
flowchart LR
  subgraph Incoming TLS Connections
    h1(www.example.com)
    h2(foo.example.com)
    h3(bar.example.com)
    h4(...)
  end
  prx(((TLSPROXY)))
  subgraph Backend Services
    be1(HTTP Server)
    be2(HTTPS Server)
    be3(IMAP, SMTP, SSH)
    be4(Any TCP or TLS Server)
  end
  h1-->prx
  h2-->prx
  h3-->prx
  h4-->prx
  prx-->be1
  prx-->be2
  prx-->be3
  prx-->be4

Example config:

# Indicate acceptance of the Let's Encrypt Terms of Service.
acceptTOS: true

# The HTTP address must be reachable from the internet via port 80 for the
# letsencrypt ACME http-01 challenge to work. If the httpAddr is empty, the
# proxy will only use tls-alpn-01 and tlsAddr must be reachable on port 443.
# See https://letsencrypt.org/docs/challenge-types/
# Normal HTTP requests received on this port are redirected to port 443.
httpAddr: ":10080"

# The proxy will receive TLS connections at this address and forward them to
# the backends.
tlsAddr: ":10443"

# Each backend has a list of server names (DNS names that clients connect to),
# and addresses (where to forward connections).
backends:

# In HTTP mode, HTTPS requests to example.com and www.example.com are forwarded
# to the listed addresses using round robin load balancing.
- serverNames:
  - example.com
  - www.example.com
  mode: http
  addresses:
  - 192.168.0.10:80
  - 192.168.0.11:80
  - 192.168.0.12:80

# In HTTPS mode, HTTPS requests to other.example.com are forwarded to the listed
# addresses just like in http mode. The connection between the proxy and the
# backend server(s) uses TLS. The identity of the server is verified with
# forwardServerName, forwardRootCAs, and/or insecureSkipVerify.
- serverNames:
  - other.example.com
  mode: https
  addresses:
  - 192.168.1.100:443
  insecureSkipVerify: true

# In TCP mode, incoming TLS connections are forwarded to the listed addresses
# using unencrypted TCP connections. The connections are distributed between
# backend servers using round robin load balancing.
- serverNames:
  - ssh.example.com
  mode: tcp
  addresses:
  - 192.168.2.200:22

# In TLS mode, incoming TLS connections are forwarded to the listed addresses
# using TLS. The connections are distributed between backend servers using round
# robin load balancing. The identity of the server is verified with
# forwardServerName, forwardRootCAs, and/or insecureSkipVerify.
- serverNames:
  - secure.example.com
  mode: tls
  addresses:
  - 192.168.3.123:8443
  forwardServerName: secure-internal.example.com

# In all modes (except tlspassthrough), the client identity can be verified by
# setting clientAuth, and optionally setting rootCAs and acl.
- serverNames:
  - restricted.example.com
  mode: https
  clientAuth:
    rootCAs: |
      -----BEGIN CERTIFICATE-----
      .....
      -----END CERTIFICATE-----
    acl:
    - CN=admin-user
  addresses:
  - 192.168.4.100:443
  forwardServerName: restricted-internal.example.com

# In TLSPASSTHROUGH mode, incoming TLS connections are forwarded directly to the
# backend servers. The proxy only sees the encrypted content transmitted between
# the client and the backend servers. The backend servers need to have their own
# TLS certificates and, if client authentication is required, they need to do it
# themselves.
- serverNames:
  - passthrough.example.com
  mode: tlspassthrough
  addresses:
  - 192.168.5.66:8443

See the godoc and the examples directory for more details.

How to download and run tlsproxy

From source

Install from the source code:

go install github.com/c2FmZQ/tlsproxy@latest

Or, clone the repository:

git clone https://github.com/c2FmZQ/tlsproxy.git
cd tlsproxy
go build -o tlsproxy

Then, run it with:

<path>/tlsproxy --config=config.yaml
Docker image

Use the docker image, e.g.

docker run                                 \
  --name=tlsproxy                          \
  --user=1000:1000                         \
  --restart=always                         \
  --volume=${CONFIGDIR}:/config            \
  --volume=${CACHEDIR}:/.cache             \
  --publish=80:10080                       \
  --publish=443:10443                      \
  --env=TLSPROXY_PASSPHRASE="<passphrase>" \
  c2fmzq/tlsproxy:latest

The proxy reads the config from ${CONFIGDIR}/config.yaml.

${TLSPROXY_PASSPHRASE} is used to encrypt the TLS secrets.

Precompiled binaries

Download a precompiled binary from the release page.

Documentation

Overview

tlsproxy is a simple TLS terminating proxy that uses Let's Encrypt to provide TLS encryption for any TCP and HTTP servers.

Directories

Path Synopsis
Package certmanager implements an X509 certificate manager that can replace https://pkg.go.dev/golang.org/x/crypto/acme/autocert#Manager for testing purposes.
Package certmanager implements an X509 certificate manager that can replace https://pkg.go.dev/golang.org/x/crypto/acme/autocert#Manager for testing purposes.
examples
backend module
Package proxy implements a simple lightweight TLS termination proxy that uses Let's Encrypt to provide TLS encryption for any number of TCP and HTTP servers and server names concurrently on the same port.
Package proxy implements a simple lightweight TLS termination proxy that uses Let's Encrypt to provide TLS encryption for any number of TCP and HTTP servers and server names concurrently on the same port.
internal/netw
Package netw is a wrapper around network connections that stores annotations and records metrics.
Package netw is a wrapper around network connections that stores annotations and records metrics.
internal/tokenmanager
Package tokenmanager implements a simple JSON Web Token (JWT) and JSON Web Key (JWK) management system.
Package tokenmanager implements a simple JSON Web Token (JWT) and JSON Web Key (JWK) management system.
Command tlsproxy establishes a TLS connection with a TLS server and redirects the stream to its stdin and stdout.
Command tlsproxy establishes a TLS connection with a TLS server and redirects the stream to its stdin and stdout.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL