Proxy server that handles HTTPS including certificate provisioning and renewal

redirect2me/r2me-https-proxy

Redirect2Me HTTPS Proxy

This is a server that proxies HTTPS requests to a separate (non-HTTPS) server, automatically handling certificate provisioning and renewals.

How it works

  • The server listens on port 443.
  • If necessary, a certificate is automatically provisioned.
  • All requests are proxied to the specified target host:port.

Why?

An HTTPS proxy is a pretty common need, and some form of it exists in most web servers. However, I needed one that was flexible enough to use on the redirect2.me worker nodes, and none of the existing ones could quite meet my requirements:

  • no predetermined list of allowed names
  • some resistance to denial-of-service
  • only needs to support a single upstream server, potentially on localhost
  • only needs to support https (and possibly http)
  • certificate storage on the file system or in a PostgreSQL database
  • logging, metrics and monitoring

Configuration

Allowed hostnames

To prevent abuse, you may need to restrict which hostnames the proxy will accept and provision certificates for. The --allowed parameter takes one of the following values:

  • all - all hostnames (default)
  • api:url - call an external API (Coming soon)
  • list:host1,host2,... - comma-separated list of allowed hostnames (Coming soon)
  • etld1 - only hostnames exactly one label under a public suffix (or www. plus one label) (Coming soon)

DNS Check

Certificate provisioning only succeeds if DNS for the hostname is configured correctly (i.e. the name resolves to this server), so this is checked before provisioning starts. You can disable the check by setting --dnscheck=false.
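As an added illustration of the two gates described under "Allowed hostnames" (the etld1 mode) and "DNS Check", the following Go code is not the project's own; it assumes a constructed three-entry stand-in for the Public Suffix List and an injected DNS lookup function, and decide() is the hypothetical hook a certificate manager's on-demand decision function would call before placing any ACME order.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for the Public Suffix List (an assumption, not the real list).
var publicSuffixes = map[string]bool{"com": true, "uk": true, "co.uk": true}

// etld1Allowed: exactly one label under a public suffix, optionally with a "www." prefix.
func etld1Allowed(host string) bool {
	host = strings.TrimPrefix(strings.TrimSuffix(strings.ToLower(host), "."), "www.")
	labels := strings.Split(host, ".")
	if publicSuffixes[host] || labels[0] == "" {
		return false // a bare public suffix (co.uk) or empty name is never registrable
	}
	for i := 1; i < len(labels); i++ { // longest proper suffix is tried first
		if publicSuffixes[strings.Join(labels[i:], ".")] {
			return i == 1 // allowed only when exactly one label sits above the suffix
		}
	}
	return false
}

// dnsCheck (--dnscheck): provision only if host resolves to this server; lookup is injected.
func dnsCheck(host string, serverIPs []net.IP, lookup func(string) ([]net.IP, error)) error {
	ips, err := lookup(host)
	if err != nil {
		return fmt.Errorf("dns lookup for %q failed: %w", host, err)
	}
	for _, ip := range ips {
		for _, mine := range serverIPs {
			if ip.Equal(mine) {
				return nil
			}
		}
	}
	return fmt.Errorf("%q does not resolve to this server", host)
}

// decide combines both gates so unwanted names never consume ACME rate limits.
func decide(host string, serverIPs []net.IP, lookup func(string) ([]net.IP, error)) error {
	if !etld1Allowed(host) {
		return fmt.Errorf("%q is not one label under a public suffix", host)
	}
	return dnsCheck(host, serverIPs, lookup)
}
```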

Certificate storage

Coming soon

Local development

go install github.com/cosmtrek/air@latest

Contributions

Contributions are welcome!

License

GNU Affero General Public License v3.0

Credits

certmagic, Git, GitHub, golang, Let's Encrypt, Pico CSS, Python, svgrepo

Alternatives