# tlspxy
tlspxy aims to provide a simple and flexible proxy server that accommodates as many TLS scenarios as possible while remaining easy to use. See the wiki for usage information.
A small TLS termination proxy
Home Page: https://github.com/colebrumley/tlspxy/wiki
License: MIT License
When using the TCP proxy, if the -remote-addr is a hostname tlspxy resolves the hostname, attempts to connect via the IP, and then complains if there are no IP SANs in the cert for that address.
This will create problems for most public services, which do not add SANs for every IP they serve from (the google example in the docs being a prime one)
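The fix for this class of problem is to verify the certificate against the configured hostname rather than the IP the dialler happens to resolve it to. The following is an added example, not code from the tlspxy repository: it pins `tls.Config.ServerName` to the host part of the `-remote-addr` value, then shows, with a constructed self-signed certificate that carries only a DNS SAN, that verification succeeds by hostname and fails with `x509.HostnameError` when the same certificate is checked against an IP literal. The function names `serverNameFor`, `clientTLSConfig`, `selfSignedCert`, `verifyAs` and `isNameMismatch` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverNameFor extracts the host part of a -remote-addr value. That string,
// not the IP the dialler resolves it to, is what verification should match:
// a hostname is checked against DNS SANs, an IP literal against IP SANs.
func serverNameFor(remoteAddr string) (string, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", err
	}
	return host, nil
}

// clientTLSConfig pins ServerName to the configured host. The connection can
// still be dialled to a resolved IP; the certificate is judged by the name.
func clientTLSConfig(remoteAddr string, roots *x509.CertPool) (*tls.Config, error) {
	name, err := serverNameFor(remoteAddr)
	if err != nil {
		return nil, err
	}
	return &tls.Config{ServerName: name, RootCAs: roots}, nil
}

// selfSignedCert builds a throwaway certificate whose only SAN is a DNS name,
// mimicking a public service that lists no IP SANs (constructed test data).
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs runs the chain and name checks crypto/tls would run for a given
// ServerName, trusting the certificate itself as the root.
func verifyAs(cert *x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err
}

// isNameMismatch reports whether a failure was a SAN mismatch rather than a
// chain or validity problem.
func isNameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	cert, err := selfSignedCert("www.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("by hostname:", verifyAs(cert, "www.example.test"))
	fmt.Println("by IP:      ", verifyAs(cert, "203.0.113.5"))
	cfg, _ := clientTLSConfig("www.example.test:443", nil)
	fmt.Println("ServerName:", cfg.ServerName)
}
```

Because `ServerName` is the hostname, the Go client also sends it as SNI, which is what most public services need to select the right certificate in the first place; dialling the resolved IP while leaving `ServerName` unset is what produces the "no IP SANs" complaint.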
And remove the gh-pages branch
Need to stop trusting Content-Length header when using the HTTP proxy. It's frequently missing or -1, which gives an inaccurate transfer byte count.
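As an added example (not code from tlspxy), the body-counting approach the issue calls for: the proxy wraps the upstream body in a reader that tallies what was actually relayed and logs that figure, treating `resp.ContentLength` (which net/http sets to -1 when the header is absent or the response is chunked) as a hint only. `countingReader`, `relayBody`, `fakeResponse` and `measure` are names chosen for this example, and the in-memory responses are constructed test data.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// countingReader counts the bytes actually handed to the client, independent
// of whatever the upstream claimed in Content-Length.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// relayBody copies an upstream response body to dst and returns both the
// header's claim (resp.ContentLength, -1 when absent or chunked) and the
// measured transfer size. Only the measured value belongs in the access log.
func relayBody(resp *http.Response, dst io.Writer) (declared, actual int64, err error) {
	cr := &countingReader{r: resp.Body}
	defer resp.Body.Close()
	_, err = io.Copy(dst, cr)
	return resp.ContentLength, cr.n, err
}

// fakeResponse builds an *http.Response in memory (constructed test data) with
// an arbitrary Content-Length claim, as the proxy might receive from upstream.
func fakeResponse(body string, contentLength int64) *http.Response {
	return &http.Response{
		StatusCode:    http.StatusOK,
		ContentLength: contentLength,
		Body:          io.NopCloser(strings.NewReader(body)),
	}
}

// measure relays a constructed response to io.Discard and reports
// declared vs. actual byte counts.
func measure(body string, contentLength int64) (declared, actual int64, err error) {
	return relayBody(fakeResponse(body, contentLength), io.Discard)
}

func main() {
	// -1 (no header / chunked), a lying header, and an honest one
	for _, cl := range []int64{-1, 5, 11} {
		declared, actual, err := measure("hello world", cl)
		fmt.Printf("declared=%d actual=%d err=%v\n", declared, actual, err)
	}
}
```

In an `httputil.ReverseProxy` the same wrapper can be installed from `ModifyResponse` by replacing `resp.Body`; the count is then read once the copy to the client finishes, rather than at header time.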
I'm getting a segfault on OSX when loading the system roots on Go 1.9:
```
DEBU[0000] Loading default remote TLS config [verify: true, system roots: true]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x1168e9b]
goroutine 1 [running]:
crypto/x509.(*CertPool).AddCert(0x0, 0xc42029c000)
/usr/local/Cellar/go/1.9/libexec/src/crypto/x509/cert_pool.go:95 +0x6b
crypto/x509.(*CertPool).AppendCertsFromPEM(0x0, 0xc420200000, 0x41f85, 0x7fe00, 0x0)
/usr/local/Cellar/go/1.9/libexec/src/crypto/x509/cert_pool.go:128 +0x13a
main.loadSysroots(0x0, 0xc420057be8, 0x2, 0x2)
/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/roots_darwin.go:16 +0xaa
main.SetSystemCAPool(0x0, 0x40, 0xc420057be8, 0x2)
/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/ca.go:8 +0x2b
main.configRemoteTLS(0xc420048c30, 0xc42000e160, 0xc420048c30, 0x151dc40)
/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/remotetls.go:44 +0x38a
main.main()
/Users/cole.brumley/lib/go/src/github.com/colebrumley/tlspxy/main.go:83 +0x434
```
When terminating TLS and forwarding to an insecure remote, setting -remote-tls-verify=false should be enough to, you know, not verify remote TLS. Currently, since the default setting for -remote-tls-sysroots is true, TLS is attempted even if it's been disabled.
Change the default for -remote-tls-sysroots to false
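The two issues above share a root cause: the system root pool is loaded (and a nil `*x509.CertPool` carried into `AppendCertsFromPEM`, which is exactly the first frame of the Go 1.9 trace) even when nothing downstream needs it. The following added example, not the project's own code, builds the remote-side client config so that `-remote-tls-verify=false` never touches the root store, and so that a failed system-store load degrades to an empty pool instead of a nil pointer. `remoteOptions`, `noSystemPool`, `buildRemotePool` and `remoteClientConfig` are names invented here; the flag-to-field mapping in the struct comments is an assumption drawn from the issue text.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// remoteOptions mirrors the flags named in the issues; the field names are
// assumptions for this example, not the project's flag definitions.
type remoteOptions struct {
	Verify   bool   // -remote-tls-verify
	SysRoots bool   // -remote-tls-sysroots
	ExtraCA  []byte // optional PEM bundle of additional roots
}

// noSystemPool stands in for x509.SystemCertPool on a platform where it
// fails, which is how a nil *CertPool ends up in AppendCertsFromPEM.
func noSystemPool() (*x509.CertPool, error) {
	return nil, errors.New("system roots unavailable on this platform")
}

// buildRemotePool assembles the verification roots. The pool is never left
// nil: a failed system-store load degrades to an empty pool plus ExtraCA
// instead of a nil-pointer panic.
func buildRemotePool(opts remoteOptions, systemPool func() (*x509.CertPool, error)) (*x509.CertPool, error) {
	var pool *x509.CertPool
	if opts.SysRoots {
		p, err := systemPool()
		if err != nil {
			fmt.Println("warning: falling back to explicit CAs only:", err)
		} else {
			pool = p
		}
	}
	if pool == nil {
		pool = x509.NewCertPool()
	}
	if len(opts.ExtraCA) > 0 && !pool.AppendCertsFromPEM(opts.ExtraCA) {
		return nil, errors.New("extra CA bundle contained no parsable certificates")
	}
	return pool, nil
}

// remoteClientConfig turns the flags into the client-side tls.Config. With
// Verify=false no root store is consulted at all, so the sysroots default can
// no longer drag verification (and its platform failures) back in.
func remoteClientConfig(opts remoteOptions, systemPool func() (*x509.CertPool, error)) (*tls.Config, error) {
	if !opts.Verify {
		// Deliberate for the "insecure remote" case the issue describes.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	pool, err := buildRemotePool(opts, systemPool)
	if err != nil {
		return nil, err
	}
	return &tls.Config{RootCAs: pool}, nil
}

func main() {
	cfg, err := remoteClientConfig(remoteOptions{Verify: true, SysRoots: true}, x509.SystemCertPool)
	fmt.Println("real system store: err =", err, "config built =", cfg != nil)
	cfg, err = remoteClientConfig(remoteOptions{Verify: true, SysRoots: true}, noSystemPool)
	fmt.Println("failed system store, still verifying with an empty pool: err =", err, "pool set =", cfg.RootCAs != nil)
}
```

An empty `RootCAs` pool with `Verify=true` makes every remote handshake fail closed, which is the right outcome when the operator asked for verification and no roots could be found; the warning line makes the cause visible in the log instead of a stack trace.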
Since we're using httputil.ReverseProxy for the HTTP proxy and our own code for TCP, we need to make sure the logging style and content are consistent across both types.
Currently we only load config files in the current directory. That's kinda dumb. We should allow the user to define config files or directories via the CLI, being careful to ensure that the existing config priority structure is honored (i.e. don't let a CLI-defined file overwrite flag settings).
I have not tested this on Windows at all, but I know there will be issues with system root CAs and probably other things. Find out what those things are and fix 'em.
HTTPS server is not listening over TLS, but forwards correctly.
mergo isn't merging configs like it should (i.e. configs aren't getting overwritten by later ones). Implement custom config merging funcs that correctly overwrite earlier values.
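The config-loading and mergo issues above describe one priority rule: built-in defaults, then config files in the order given, then CLI flags, with each later layer overwriting whatever it explicitly sets. As an added example (not the project's code), a hand-written merge that implements that rule; `Config`, `overlay`, `resolve` and `boolPtr` are invented names, and the fields are an assumed subset of settings rather than tlspxy's actual struct. The one subtlety worth showing is the boolean: with a plain `bool`, an explicit `verify: false` in a later file is indistinguishable from "not set", so the example uses `*bool` to tell the two apart.

```go
package main

import "fmt"

// Config holds a subset of assumed tlspxy settings (field names are
// illustrative, not the project's actual struct).
type Config struct {
	ListenAddr string
	RemoteAddr string
	Verify     *bool // pointer so "unset" differs from an explicit false
	LogLevel   string
}

// overlay returns base with every field that is set in top replaced by top's
// value. Zero values in top mean "not specified" and leave base untouched.
func overlay(base, top Config) Config {
	out := base
	if top.ListenAddr != "" {
		out.ListenAddr = top.ListenAddr
	}
	if top.RemoteAddr != "" {
		out.RemoteAddr = top.RemoteAddr
	}
	if top.Verify != nil {
		v := *top.Verify // copy so layers never share a pointer
		out.Verify = &v
	}
	if top.LogLevel != "" {
		out.LogLevel = top.LogLevel
	}
	return out
}

// resolve applies the priority order: built-in defaults, then config files in
// the order they were given, then CLI flags, which always win.
func resolve(defaults Config, files []Config, flags Config) Config {
	cfg := defaults
	for _, f := range files {
		cfg = overlay(cfg, f)
	}
	return overlay(cfg, flags)
}

func boolPtr(b bool) *bool { return &b }

func main() {
	defaults := Config{ListenAddr: ":8443", LogLevel: "info", Verify: boolPtr(true)}
	files := []Config{ // constructed stand-ins for two config files, in load order
		{RemoteAddr: "first.example.test:443", Verify: boolPtr(false)},
		{RemoteAddr: "second.example.test:443"},
	}
	flags := Config{ListenAddr: ":9443"}
	got := resolve(defaults, files, flags)
	fmt.Printf("listen=%s remote=%s verify=%v log=%s\n",
		got.ListenAddr, got.RemoteAddr, *got.Verify, got.LogLevel)
}
```

For comparison, mergo's default `Merge` only fills fields that are zero in the destination, which is the "later files don't overwrite" behaviour the issue complains about; the `mergo.WithOverride` option reverses that, but it still cannot distinguish an explicit `false` from an unset `bool`, which is why the pointer field above is the more robust choice for a security-relevant toggle like verification.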