Redirect2Me HTTPS Proxy

This is a server that proxies HTTPS requests to a separate (non-HTTPS) server, automatically handling certificate provisioning and renewals.

How it works

• The server listens on port 443.
• If necessary, a certificate is automatically provisioned.
• All requests are proxied to the specified target host:port.

Why?

An HTTPS proxy is a pretty common need, and some form of it exists in most webservers. However, I needed one that was flexible enough to use on the redirect2.me worker nodes. None of these could quite meet my requirements:

• no predetermined list of allowed names
• some resistance to denial-of-service
• only needs to support a single upstream server, potentially on localhost
• only needs to support https (and possibly http)
• certificate storage on the file system or in a Postgresql database
• logging, metrics and monitoring

Configuration

Allowed hostnames

In order to prevent abuse, you may need to limit the hostnames that are allowed. The --allowed parameter:

• all - all hostnames (default)
• api:url - call an external API (Coming soon)
• list:host1,host2,... - list of allowed hostnames (Coming soon)
• etld1 - only hostnames a single level under a public suffix (or www + single level) (Coming soon)

DNS Check

Certificate provisioning will only work if the DNS is configured correctly, so this is checked before provisioning starts. You can disable this by setting --dnscheck=false.

Certificate storage

Coming soon

Local development

go install github.com/cosmtrek/air@latest

Contributions

Contributions are welcome!

License

GNU Affero General Public License v3.0

Credits

• cosmtrek/air

Alternatives

• Apache mod_md
• Caddy
• Traefik
• artyom/leproxy - golang but uses autocert, static allowlist
• j8a - golang using lego
• lets-proxy2
• redirect2www - golang but uses autocert, only redirects (vs proxying)
• letsproxy - Docker image that uses nginx and acme.sh