diff --git a/cmd/telebit/README.md b/cmd/telebit/README.md
index 4cdce29..38f6ccf 100644
--- a/cmd/telebit/README.md
+++ b/cmd/telebit/README.md
@@ -30,6 +30,8 @@ export LISTEN=":443"
 export LOCALS=https:mgmt.example.com:6468
 # --auth-url
 export AUTH_URL=http://localhost:6468/api
+# --proxy-http-01
+export PROXY_HTTP_01=http://mgmt.example.com:6468
 # --acme-agree
 export ACME_AGREE=true
 # --acme-email
diff --git a/cmd/telebit/telebit.go b/cmd/telebit/telebit.go
index 4678c0e..cf7113d 100644
--- a/cmd/telebit/telebit.go
+++ b/cmd/telebit/telebit.go
@@ -24,6 +24,7 @@ import (
 "git.rootprojects.org/root/telebit/internal/dbg"
 "git.rootprojects.org/root/telebit/internal/dns01"
 "git.rootprojects.org/root/telebit/internal/http01"
+ "git.rootprojects.org/root/telebit/internal/http01proxy"
 "git.rootprojects.org/root/telebit/internal/iplist"
 "git.rootprojects.org/root/telebit/internal/mgmt"
 "git.rootprojects.org/root/telebit/internal/mgmt/authstore"
@@ -225,9 +226,9 @@ func parseFlagsAndENVs() {
 acmeDirectory := flag.String("acme-directory", "", "ACME Directory URL")
 clientSecret := flag.String("secret", "", "the same secret used by telebit-relay (used for JWT authentication)")
 resolverList := flag.String("dns-resolvers", "", "a list of resolvers in the format 8.8.8.8:53,8.8.4.4:53")
+ proxyHTTP01 := flag.String("proxy-http-01", "", "listen on port 80 and forward .well-known/acme-challenge traffic to this url")
 flag.DurationVar(&dnsPropagationDelay, "dns-01-delay", 0, "add an extra delay after dns self-check to allow DNS-01 challenges to propagate")
- flag.BoolVar(&config.enableHTTP01, "acme-http-01", false, "enable HTTP-01 ACME challenges")
 flag.BoolVar(&config.enableTLSALPN01, "acme-tls-alpn-01", false, "enable TLS-ALPN-01 ACME challenges")
 flag.StringVar(&config.logPath, "outfile", "", "where to direct output (default system logger or OS stdout)")
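Review bot: Dropping the `-acme-http-01` flag definition is a breaking change for existing invocations: Go's flag package rejects unknown flags, so any deployment still passing `--acme-http-01` will now fail at startup with "flag provided but not defined", and `config.enableHTTP01` (if it is still read elsewhere) can no longer be enabled from the command line. The help text for the new `-proxy-http-01` flag also promises more than the commit delivers — it says only `.well-known/acme-challenge` traffic is forwarded, while the call site in the same commit carries a TODO admitting that restriction is not implemented. Until it is, make the help text honest, e.g. `"listen on port 80 and forward ALL HTTP traffic to this url (meant for .well-known/acme-challenge; not yet restricted)"`, or keep the old flag registered as deprecated so it is parsed and ignored rather than fatal. parseFlagsAndENVs starts before and continues after this hunk.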
@@ -454,6 +455,10 @@ func parseFlagsAndENVs() { config.token = "" } + if 0 == len(*proxyHTTP01) { *proxyHTTP01 = os.Getenv("PROXY_HTTP_01") } + if 0 == len(config.tunnelRelay) { config.tunnelRelay = os.Getenv("TUNNEL_RELAY_URL") // "wss://example.com:443" }
@@ -490,6 +495,15 @@ func parseFlagsAndENVs() { if 0 == len(config.apiHostname) { config.apiHostname = os.Getenv("API_HOSTNAME") } + // Proxy for HTTP-01 requests // TODO needs to be limited to .well-known/acme-challenges if len(*proxyHTTP01) > 0 { go func() { fmt.Printf("Proxying HTTP-01 on port 80 to %s\n", *proxyHTTP01) log.Fatalf("%v", http01proxy.ListenAndServe(*proxyHTTP01, 10*time.Second)) }() } } func tokener() string {
diff --git a/examples/relay.env b/examples/relay.env
index 249b4dd..e058efa 100644
--- a/examples/relay.env
+++ b/examples/relay.env
@@ -32,6 +32,10 @@ LOCALS=https:mgmt.devices.example.com:6468 # be handled per each specific use case. AUTH_URL=http://localhost:6468/api + # PROXY_HTTP_01 # Proxy traffic on port 80 to the given target #PROXY_HTTP_01=https://mgmt.devices.example.com + # For Let's Encrypt ACME registration of the API_HOSTNAME # and LOCALS (reverse-proxied traffic). # This is NOT for the remote telebit clients!
diff --git a/internal/telebit/telebit.go b/internal/telebit/telebit.go
index febae65..5e84ffc 100644
--- a/internal/telebit/telebit.go
+++ b/internal/telebit/telebit.go
@@ -98,6 +98,7 @@ func newReverseProxier(target string, timeout time.Duration, theatre bool) Handl targetQuery := targetURL.RawQuery req.URL.Scheme = targetURL.Scheme req.URL.Host = targetURL.Host + req.Host = targetURL.Host req.URL.Path, req.URL.RawPath = joinURLPath(targetURL, req.URL) if targetQuery == "" || req.URL.RawQuery == "" { req.URL.RawQuery = targetQuery + req.URL.RawQuery
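Review bot: The listener started in the `len(*proxyHTTP01) > 0` branch forwards every request arriving on port 80 to the target without restricting the path — the TODO on the line above says as much — and the README in this same commit points it at what appears to be the management backend (`http://mgmt.example.com:6468`, the same port as `AUTH_URL`), so anyone who can reach port 80 on the relay gets unauthenticated, plaintext access to that backend's whole API, not just the ACME challenge files. That restriction belongs in this commit rather than a later one: the handler in http01proxy (not visible here) should reject anything outside the challenge prefix, `if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") { http.NotFound(w, r); return }`, and preferably also refuse methods other than GET/HEAD. Separately, `log.Fatalf` inside the goroutine terminates the whole process asynchronously — for example when port 80 is already bound or the process lacks the privilege to bind it — some time after the rest of startup has apparently succeeded, and `fmt.Printf` bypasses whatever `-outfile`/`config.logPath` configures, so the message should go through the same logger as the rest of the file. Starting a network listener from a function named parseFlagsAndENVs (which begins and ends outside this hunk) is also a side effect a reader will not expect; consider recording the target in `config` and launching the proxy from the caller.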
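Review bot: The added `req.Host = targetURL.Host` applies to every proxy built by newReverseProxier, not only the new HTTP-01 path, so any backend behind LOCALS that routes or validates on the Host header now sees the target's name instead of the client's, and the client's original host is discarded with nothing left to recover it from. If the override is what the HTTP-01 backend needs, preserve the original first — `req.Header.Set("X-Forwarded-Host", req.Host)` immediately before the assignment, unless the director already sets it outside this hunk — or make the Host rewrite opt-in to the HTTP-01 caller so existing reverse-proxied services are unaffected. The director closure and newReverseProxier itself start before this hunk and continue after it.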