add --proxy-http-01

cmd/telebit/README.md

@@ -30,6 +30,8 @@ export LISTEN=":443"
 export LOCALS=https:mgmt.example.com:6468
 # --auth-url
 export AUTH_URL=http://localhost:6468/api
+# --proxy-http-01
+export PROXY_HTTP_01=http://mgmt.example.com:6468
 # --acme-agree
 export ACME_AGREE=true
 # --acme-email

cmd/telebit/telebit.go

@@ -24,6 +24,7 @@ import (
 	"git.rootprojects.org/root/telebit/internal/dbg"
 	"git.rootprojects.org/root/telebit/internal/dns01"
 	"git.rootprojects.org/root/telebit/internal/http01"
+	"git.rootprojects.org/root/telebit/internal/http01proxy"
 	"git.rootprojects.org/root/telebit/internal/iplist"
 	"git.rootprojects.org/root/telebit/internal/mgmt"
 	"git.rootprojects.org/root/telebit/internal/mgmt/authstore"
@@ -225,9 +226,9 @@ func parseFlagsAndENVs() {
 	acmeDirectory := flag.String("acme-directory", "", "ACME Directory URL")
 	clientSecret := flag.String("secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
 	resolverList := flag.String("dns-resolvers", "", "a list of resolvers in the format 8.8.8.8:53,8.8.4.4:53")
+	proxyHTTP01 := flag.String("proxy-http-01", "", "listen on port 80 and forward .well-known/acme-challenge traffic to this url")
 
 	flag.DurationVar(&dnsPropagationDelay, "dns-01-delay", 0, "add an extra delay after dns self-check to allow DNS-01 challenges to propagate")
-
 	flag.BoolVar(&config.enableHTTP01, "acme-http-01", false, "enable HTTP-01 ACME challenges")
 	flag.BoolVar(&config.enableTLSALPN01, "acme-tls-alpn-01", false, "enable TLS-ALPN-01 ACME challenges")
 	flag.StringVar(&config.logPath, "outfile", "", "where to direct output (default system logger or OS stdout)")
@@ -454,6 +455,10 @@ func parseFlagsAndENVs() {
 		config.token = ""
 	}
 
+	if 0 == len(*proxyHTTP01) {
+		*proxyHTTP01 = os.Getenv("PROXY_HTTP_01")
+	}
+
 	if 0 == len(config.tunnelRelay) {
 		config.tunnelRelay = os.Getenv("TUNNEL_RELAY_URL") // "wss://example.com:443"
 	}
@@ -490,6 +495,15 @@ func parseFlagsAndENVs() {
 	if 0 == len(config.apiHostname) {
 		config.apiHostname = os.Getenv("API_HOSTNAME")
 	}
+
+	// Proxy for HTTP-01 requests
+	// TODO needs to be limited to .well-known/acme-challenges
+	if len(*proxyHTTP01) > 0 {
+		go func() {
+			fmt.Printf("Proxying HTTP-01 on port 80 to %s\n", *proxyHTTP01)
+			log.Fatalf("%v", http01proxy.ListenAndServe(*proxyHTTP01, 10*time.Second))
+		}()
+	}
 }
 
 func tokener() string {

examples/relay.env

@@ -32,6 +32,10 @@ LOCALS=https:mgmt.devices.example.com:6468
 # be handled per each specific use case.
 AUTH_URL=http://localhost:6468/api
 
+# PROXY_HTTP_01
+# Proxy traffic on port 80 to the given target
+#PROXY_HTTP_01=https://mgmt.devices.example.com
+
 # For Let's Encrypt ACME registration of the API_HOSTNAME
 # and LOCALS (reverse-proxied traffic).
 # This is NOT for the remote telebit clients!

internal/telebit/telebit.go

@@ -98,6 +98,7 @@ func newReverseProxier(target string, timeout time.Duration, theatre bool) Handl
 			targetQuery := targetURL.RawQuery
 			req.URL.Scheme = targetURL.Scheme
 			req.URL.Host = targetURL.Host
+			req.Host = targetURL.Host
 			req.URL.Path, req.URL.RawPath = joinURLPath(targetURL, req.URL)
 			if targetQuery == "" || req.URL.RawQuery == "" {
 				req.URL.RawQuery = targetQuery + req.URL.RawQuery