colebrumley / tlspxy Goto Github PK

When using the TCP proxy, if the -remote-addr is a hostname tlspxy resolves the hostname, attempts to connect via the IP, and then complains if there are no IP SANs in the cert for that address.

This will create problems for most public services, which do not add SANs for every IP they serve from (the google example in the docs being a prime one)

And remove the gh-pages branch

Need to stop trusting Content-Length header when using the HTTP proxy. It's frequently missing or -1, which gives an inaccurate transfer byte count.

I'm getting a segfault on OSX when loading the system roots on Go 1.9:

DEBU[0000] Loading default remote TLS config [verify: true, system roots: true] 
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x1168e9b]

goroutine 1 [running]:
crypto/x509.(*CertPool).AddCert(0x0, 0xc42029c000)
	/usr/local/Cellar/go/1.9/libexec/src/crypto/x509/cert_pool.go:95 +0x6b
crypto/x509.(*CertPool).AppendCertsFromPEM(0x0, 0xc420200000, 0x41f85, 0x7fe00, 0x0)
	/usr/local/Cellar/go/1.9/libexec/src/crypto/x509/cert_pool.go:128 +0x13a
main.loadSysroots(0x0, 0xc420057be8, 0x2, 0x2)
	/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/roots_darwin.go:16 +0xaa
main.SetSystemCAPool(0x0, 0x40, 0xc420057be8, 0x2)
	/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/ca.go:8 +0x2b
main.configRemoteTLS(0xc420048c30, 0xc42000e160, 0xc420048c30, 0x151dc40)
	/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/remotetls.go:44 +0x38a
main.main()
	/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/main.go:83 +0x434

When terminating TLS and forwarding to an insecure remote, setting -remote-tls-verify=false should be enough to, you know, not verify remote TLS. Currently, since the default setting for -remote-tls-sysroots is true, TLS is attempted even if it's been disabled.

Change the default for -remote-tls-sysroots to false

Since we're using httputil.ReverseProxy for the HTTP proxy and our own code for TCP, we need to make sure the logging style and content are consistent across both types.

Currently we only load config files in the current directory. That's kinda dumb. We should allow the user to define config files or directories via the CLI, being careful to ensure that the existing config priority structure is honored (i.e. don't let a CLI-defined file overwrite flag settings).

I have not tested this on Windows at all, but I know there will be issues with system root CAs and probably other things. Find out what those things are and fix 'em.

HTTPS server is not listening over TLS, but forwards correctly.

mergo isn't merging configs like it should (i.e. configs aren't getting overwritten by later ones). Implement custom config merging funcs that correctly overwrite earlier values.