This is a server that proxies HTTPS requests to a separate (non-HTTPS) server, automatically handling certificate provisioning and renewals.
- The server listens on port 443.
- If necessary, a certificate is automatically provisioned.
- All requests are proxied to the specified target `host:port`.
An HTTPS proxy is a pretty common need, and some form of it exists in most webservers. However, I needed one that was flexible enough to use on the redirect2.me worker nodes. None of these could quite meet my requirements:
- no predetermined list of allowed names
- some resistance to denial-of-service
- only needs to support a single upstream server, potentially on localhost
- only needs to support https (and possibly http)
- certificate storage on the file system or in a PostgreSQL database
- logging, metrics and monitoring
In order to prevent abuse, you may need to limit the hostnames that are allowed. The `--allowed` parameter:
- `all` - all hostnames (default)
- `api:url` - call an external API (Coming soon)
- `list:host1,host2,...` - list of allowed hostnames (Coming soon)
- `etld1` - only hostnames a single level under a public suffix (or `www` + single level) (Coming soon)
Certificate provisioning will only work if the DNS is configured correctly, so this is checked before provisioning starts. You can disable this by setting `--dnscheck=false`.
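The Go example below is added here and is not this project's code: it shows one way a proxy can combine an allowed-hostname list with a DNS check before it requests a certificate. The `Gate` type, its fields, the stubbed resolver and the sample records are assumptions; the README does not say how the project performs its own check.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Gate is a hypothetical pre-provisioning check (not the project's API).
type Gate struct {
	Allowed map[string]bool // nil = "all", the documented default
	OwnIPs  map[string]bool // addresses this proxy is reachable on
	Lookup  func(ctx context.Context, host string) ([]string, error) // same shape as (*net.Resolver).LookupHost
}

// Check returns nil only if host may be submitted for a certificate.
func (g Gate) Check(ctx context.Context, host string) error {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if net.ParseIP(host) != nil || !strings.Contains(host, ".") {
		return errors.New("not a DNS hostname")
	}
	if g.Allowed != nil && !g.Allowed[host] {
		return fmt.Errorf("%s: not in allowed list", host)
	}
	addrs, err := g.Lookup(ctx, host)
	if err != nil || len(addrs) == 0 {
		return fmt.Errorf("%s: no usable DNS answer (err=%v)", host, err)
	}
	// Every record must point here; a stray address can send validation to another machine.
	for _, a := range addrs {
		if ip := net.ParseIP(a); ip == nil || !g.OwnIPs[ip.String()] {
			return fmt.Errorf("%s: resolves to %s, not this proxy", host, a)
		}
	}
	return nil
}

// stubLookup serves constructed records from documentation address ranges.
func stubLookup(_ context.Context, h string) ([]string, error) {
	dns := map[string][]string{"www.example.com": {"192.0.2.10"}, "old.example.com": {"198.51.100.7"}}
	return dns[h], nil
}

func main() {
	g := Gate{OwnIPs: map[string]bool{"192.0.2.10": true}, Lookup: stubLookup}
	fmt.Println(g.Check(context.Background(), "WWW.example.com."), g.Check(context.Background(), "old.example.com"))
}
```

Rejecting a name before the ACME order is placed keeps requests for hostnames that do not point at the proxy from consuming CA rate limits, which is one part of the denial-of-service resistance listed in the requirements.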
Coming soon
go install github.com/cosmtrek/air@latest
Contributions are welcome!
GNU Affero General Public License v3.0
- Apache mod_md
- Caddy
- Traefik
- artyom/leproxy - golang but uses autocert, static allowlist
- j8a - golang using lego
- lets-proxy2
- redirect2www - golang but uses autocert, only redirects (vs proxying)
- letsproxy - Docker image that uses nginx and acme.sh