Reverse proxy that automatically obtains TLS certificates from Let's Encrypt


A Russian description is below.

English description

Home page: https://github.com/rekby/lets-proxy2

Features:

  • http-01 and tls-alpn-01 validation
  • HTTPS (with automatic certificate issuance) and HTTP reverse proxy
  • Zero configuration needed to start
  • Time limit for issuing a certificate
  • Automatically includes subdomains in the certificate (default: domain and www.domain)
  • Logging to stderr and/or a file
  • Built-in log file rotation (can be disabled in the config)
  • Backend can be selected depending on the incoming connection's IP:Port
  • Custom headers sent to the backend
  • Self-check of the domain before issuing a certificate (prevents DoS of certificate issuance through requests with bad domains)
  • Blacklist/whitelist of domains
  • Locked certificates (force use of a manually issued certificate, without internal checks)
  • Optional access to internal metrics in Prometheus format

It is the next generation of https://github.com/rekby/lets-proxy, rewritten from scratch.

It improves logging and the internal structure for better test coverage and simpler support, and adds config file support in place of many command-line flags.

A reverse-proxy server to handle https requests transparently. By default Lets-proxy handles https requests to port 443 and proxies them as http to port 80 on the same IP address.

Lets-proxy adds the HTTP header X-Forwarded-For, which contains the IP address of the request source. It obtains valid TLS certificates from Let's Encrypt and handles https for free, in an automated way, including certificate renewal, and without warnings in browsers.

The program was created for shared hosting and can handle many thousands of domains per server. It is simple to deploy and needs no settings to run on a personal server/VPS.
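
The domain self-check and the blacklist/whitelist listed under Features exist so that a flood of handshakes for arbitrary names cannot burn the server's CA rate limits. The sketch below is an added example, not lets-proxy2's own code: `PreIssueCheck`, its fields, the "every resolved address must be ours" policy and the DNS table are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// LookupFunc resolves a host name; production code would wrap net.DefaultResolver.LookupIP.
type LookupFunc func(ctx context.Context, host string) ([]net.IP, error)

var (
	ErrDenied     = errors.New("domain refused by allow/deny list")
	ErrNotOurHost = errors.New("domain does not resolve to this server")
)

// PreIssueCheck (hypothetical type) gates ACME orders triggered by a ClientHello.
type PreIssueCheck struct {
	Lookup  LookupFunc
	SelfIPs map[string]bool // public addresses this proxy answers on, in net.IP.String() form
	Deny    []string        // exact names or ".suffix" entries; checked first
	Allow   []string        // same syntax; when non-empty, other names are refused
}

func inList(list []string, name string) bool {
	for _, e := range list {
		if e == name || (strings.HasPrefix(e, ".") && strings.HasSuffix(name, e)) {
			return true
		}
	}
	return false
}

// Check returns nil only when it is safe to spend a CA request on name.
func (c PreIssueCheck) Check(ctx context.Context, name string) error {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" || net.ParseIP(name) != nil {
		return fmt.Errorf("%q is not a DNS name", name)
	}
	if inList(c.Deny, name) || (len(c.Allow) > 0 && !inList(c.Allow, name)) {
		return ErrDenied
	}
	ips, err := c.Lookup(ctx, name)
	if err != nil {
		return fmt.Errorf("resolve %s: %w", name, err)
	}
	if len(ips) == 0 {
		return ErrNotOurHost
	}
	for _, ip := range ips { // a single foreign address fails the check
		if !c.SelfIPs[ip.String()] {
			return ErrNotOurHost
		}
	}
	return nil
}

// samplePolicy builds a check over constructed DNS data (documentation address ranges).
func samplePolicy() PreIssueCheck {
	dns := map[string][]string{
		"shop.example.com":  {"192.0.2.10", "2001:db8::10"},
		"split.example.com": {"192.0.2.10", "198.51.100.7"},
		"old.example.org":   {"192.0.2.10"},
	}
	lookup := func(_ context.Context, host string) ([]net.IP, error) {
		var out []net.IP
		for _, s := range dns[host] {
			out = append(out, net.ParseIP(s))
		}
		if out == nil {
			return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
		}
		return out, nil
	}
	return PreIssueCheck{
		Lookup:  lookup,
		SelfIPs: map[string]bool{"192.0.2.10": true, "2001:db8::10": true},
		Deny:    []string{".example.org"},
	}
}

func main() {
	names := []string{"shop.example.com", "split.example.com", "old.example.org", "random-1234.example.net"}
	for _, n := range names {
		fmt.Printf("%-26s -> %v\n", n, samplePolicy().Check(context.Background(), n))
	}
}
```

Only a name that passes `Check` would go on to an ACME order; the unresolvable name fails the same way as the "no such host" log lines further down this page.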

Quick start:

./lets-proxy or lets-proxy.exe

Use the --help flag for details:

./lets-proxy --help or lets-proxy.exe --help

Russian:

Home page: https://github.com/rekby/lets-proxy2

This is currently a test version; the program is still under development and is not ready for real use.

Features:

  • Domain authorization via the http-01 and tls-alpn-01 protocols
  • HTTPS (with automatic certificate issuance) and HTTP proxying
  • Can be used without any configuration
  • Time limit for obtaining a certificate
  • Automatic certificate issuance for a domain and its subdomains (default: domain and www.domain)
  • Log output to a file and/or to standard error
  • Built-in log file rotation (can be disabled in the settings)
  • The address a request is forwarded to can be configured depending on the address the request was received on.
  • Configurable additional headers passed to the internal server
  • Self-check that a certificate can be issued before requesting it (to rule out DoS attacks via requests with invalid domains)
  • Whitelist/blacklist of domains for certificate issuance
  • Fixed certificate (the ability to use a manually obtained certificate, without internal checks and auto-renewal)
  • Optional access to internal metrics in Prometheus format

This program is the next iteration after https://github.com/rekby/lets-proxy, rewritten from scratch.

Logging and the internal code structure have been improved to simplify testing, support and development. Support for a configuration file has been added in place of a huge list of flags.

A reverse-proxy server for transparent handling of https requests. To start using it, simply run it on a server that already has an http server running. lets-proxy will then start listening on port 443 and pass requests to port 80 on the same IP address. An X-Forwarded-For header with the IP address of the request source is added to each request. Certificates for https are obtained in real time from letsencrypt.org. These are proper (not self-signed) free certificates that browsers trust.

The program is developed for use on shared hosting and can work with thousands of domains on each server. On the other hand, it is simple and needs no initial configuration to run on a personal server.

Quick start:

./lets-proxy or lets-proxy.exe

Used libraries (alphabet ordered):

Comments
  • Update lets-proxy to lets-proxy2 with inplace change binary


    @rekby

    Since Let's Encrypt deprecated this month the V1 API, I'm having a hard time making my let's proxy work (I’m using this version: v0.15.1.9 commit 5092600a725e48e16abae6e8cb7134e9244c1ce6 os=linux-amd64)

    This is one of the entries in my log: time="2020-06-25T22:09:17Z" level=error msg="Can't create new authorization for domain 'hvacservicehouston.com': HTTP error: 403 Forbidden\nmap[Date:[Thu, 25 Jun 2020 22:09:12 GMT] Content-Type:[application/problem+json] Content-Length:[230] Boulder-Requester:[54508640] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0002VNfonRNGw9QGfcKd-ZTo05afir-QEwOCdfFXGA-Ez8U] Server:[nginx]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)\",\n \"status\": 403\n}"

    and this is the script I used to run it as a service in my Ubuntu box:

    
    ./lets-proxy --service-name=lets-proxy --service-action=stop
    ./lets-proxy \
    	-allowed-ips=1.1.1.1 \
    	--service-name=lets-proxy \
    	--service-action=reinstall \
    	-in-memory-cnt=20000 \
    	-real-ip-header=X-Forwarded-For \
    	-loglevel=warning \
    	-logout=log/lets-proxy.log \
    	-logrotate-count=2
    ./lets-proxy --service-name=lets-proxy --service-action=start
    

    Then, I updated the script to use a new acme-server by adding the -acme-server parameter

    ./lets-proxy --service-name=lets-proxy --service-action=stop
    ./lets-proxy \
    	-allowed-ips=1.1.1.1 \
    	--service-name=lets-proxy \
    	--service-action=reinstall \
    	-in-memory-cnt=20000 \
            -acme-server="https://acme-v02.api.letsencrypt.org/directory" \
    	-real-ip-header=X-Forwarded-For \
    	-loglevel=warning \
    	-logout=log/lets-proxy.log \
    	-logrotate-count=2
    ./lets-proxy --service-name=lets-proxy --service-action=start
    

    but now, I'm getting this error

    time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'hvacservicehouston.com': context deadline exceeded" 
    time="2020-06-25T22:56:18Z" level=error msg="Can't get acme client for authorize domain 'www.hvacservicehouston.com': context deadline exceeded" 
    time="2020-06-25T22:56:18Z" level=error msg="Retrieve certificate for domains '[hvacservicehouston.com www.hvacservicehouston.com]' has error 'Authorized domains doesn't contain main domain', create temporary self-signed certificate"
    

    I installed lets-proxy2 (Version: 'v0.23.11+build-837, Build time 2020-03-07 22:24:36+00:00, commit 93071751399bc09e33d0d8842bdd52f6210b2080, go version go1.10 linux/amd64', Os: 'linux', Arch: 'amd64') but I’m stuck on how to configure the config_default.toml file to use the same values as I am using with the current setup.

    Please help, I'm stuck on that and ACME V1 will be disconnected in a few more days.

  • Must be cert exactly one: cert or last error


    2020-06-26T17:30:59.857Z dpanic cert_manager/cert-state.go:51 Must be cert exactly one: cert or last error. Cert set as nil. {"connection_id": "31d1f03c-e30f-4e40-877c-dd46f43d6573", "domain": "www.pueblonuevomexicanrestaurant.com (punycode:www.pueblonuevomexicanrestaurant.com)", "cert_name": "

  • NET::ERR_CERT_REVOKED


    All websites using lets proxy are now showing NET::ERR_CERT_REVOKED

    It looks like this may be related to this thread - https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449/9

    Apparently, Let's Encrypt revoked all certificates using TLS-ALPN-01

    Is it possible to reissue the certificates using Let's Proxy?

    Thanks for your assistance.

  • This site can’t provide a secure connection - ERR_SSL_PROTOCOL_ERROR


    We have a domain that is working with www but failing on non-www with:

    This site can’t provide a secure connection barkestoneassociates.com sent an invalid response. ERR_SSL_PROTOCOL_ERROR

    The error logs say:

    2021-03-08T15:15:48.737Z        info    tlslistener/tlslistenershandler.go:231  TLS Handshake   {"connection_id": "a3ebd36c-3b97-480b-b52c-a57fd412f171", "error": "have no certificate for domain"}
    2021-03-08T15:15:48.811Z        info    cert_manager/manager.go:156     Get certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "original_domain": "barkestoneassociates.com"}
    2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "cert_name": "barkestoneassociates.com.ecdsa", "error": "x509: certificate is valid for www.barkestoneassocia$
    github.com/rekby/lets-proxy2/internal/log.levelParam
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
    github.com/rekby/lets-proxy2/internal/log.LevelParam
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
    github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
    github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:165
    crypto/tls.(*Config).getCertificate
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
    crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
    crypto/tls.(*serverHandshakeStateTLS13).handshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
    crypto/tls.(*Conn).serverHandshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
    crypto/tls.(*Conn).Handshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
    github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
    2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:166     Got certificate {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "certificate": "tls nil", "error": "have no certificate for domain"}
    2021-03-08T15:15:48.812Z        info    cert_manager/manager.go:171     ECDSA certificate was failed, try to get RSA certificate        {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)"}
    2021-03-08T15:15:48.812Z        error   cert_manager/manager.go:233     Can't get certificate from local state  {"connection_id": "454194ea-c78f-4f9f-ab6c-57e5c951a86c", "domain": "barkestoneassociates.com (punycode:barkestoneassociates.com)", "retry_type": "rsa", "cert_name": "barkestoneassociates.com.rsa", "error": "x509: certificate is valid for ww$
    github.com/rekby/lets-proxy2/internal/log.levelParam
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:203
    github.com/rekby/lets-proxy2/internal/log.LevelParam
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:193
    github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).getCertificate
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:233
    github.com/rekby/lets-proxy2/internal/cert_manager.(*Manager).GetCertificate
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/cert_manager/manager.go:173
    crypto/tls.(*Config).getCertificate
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/common.go:870
    crypto/tls.(*serverHandshakeStateTLS13).pickCertificate
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:364
    crypto/tls.(*serverHandshakeStateTLS13).handshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server_tls13.go:52
    crypto/tls.(*Conn).serverHandshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/handshake_server.go:53
    crypto/tls.(*Conn).Handshake
            /home/travis/.gimme/versions/go1.14.linux.amd64/src/crypto/tls/conn.go:1342
    github.com/rekby/lets-proxy2/internal/tlslistener.(*ListenersHandler).handleTCPTLSConnection
            /home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:230
    

    It's almost as if it is trying to get a pre-existing certificate but is failing?
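
The "x509: certificate is valid for www..." error in the log above is what Go's hostname verification returns when a stored certificate's SAN list lacks the requested name. The check below is an added example, not lets-proxy2's code: the function names are hypothetical and the certificates are constructed, self-signed sample data. It reports which of the expected names (domain and www.domain, the default from the README) a certificate does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// wantedNames mirrors the README default: a certificate is expected to
// cover both the bare domain and its www. form.
func wantedNames(sni string) []string {
	base := strings.TrimPrefix(strings.ToLower(sni), "www.")
	return []string{base, "www." + base}
}

// uncoveredNames returns the wanted names the certificate cannot be served
// for. VerifyHostname applies standard SAN matching, wildcards included.
func uncoveredNames(cert *x509.Certificate, wanted []string) []string {
	var missing []string
	for _, n := range wanted {
		if err := cert.VerifyHostname(n); err != nil {
			missing = append(missing, n)
		}
	}
	return missing
}

// constructedCert builds a throwaway self-signed certificate (sample data only).
func constructedCert(names ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A stored certificate that was issued for the www name only.
	cert, err := constructedCert("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("bare-domain handshake:", cert.VerifyHostname("example.com"))
	fmt.Println("names needing a new certificate:", uncoveredNames(cert, wantedNames("example.com")))
}
```

Running the same check over a certificate cache before serving from it shows which entries need re-issuing rather than failing at handshake time.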

  • Add support for a fallback certificate


    Currently, if there is any problem issuing a certificate, the connection is dropped and a warning is logged - "Can't issue certificate".

    For my use case, it would be preferable for the connection to continue using an existing certificate that we provide - not an automatically-issued letsencrypt certificate. This way, development or testing environments, or situations where letsencrypt isn't working properly, or other unusual cases can function without the connection just dropping.

    I am using the attached patch to load our "fallback" certificate which is used if a letsencrypt certificate cannot be issued, but it's not very well written as I'm not very familiar with Go - it was pieced together by copying bits of the existing code, and relies on having a hard-coded filename.

    I'd be happy to donate a small amount to support getting this functionality properly added as a configuration option, so that a fallback certificate could be selected (or possibly a mapping of existing domain patterns to certificate files, to skip the letsencrypt logic all together for some incoming connections) and used as opposed to just hanging up.

    Thanks for all your hard work on this project!

    diff --git a/internal/cert_manager/manager.go b/internal/cert_manager/manager.go
    index 0344535..0cdc1e3 100644
    --- a/internal/cert_manager/manager.go
    +++ b/internal/cert_manager/manager.go
    @@ -202,7 +202,13 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (resultCert *tls.Ce
     			zap.Time("expire", res.Leaf.NotAfter))
     		return res, nil
     	}
    -	logger.Warn("Can't issue certificate", zap.Error(err))
    +	logger.Warn("Can't issue certificate, falling back to default", zap.Error(err))
    +	fallback, err := tls.LoadX509KeyPair("fallback.crt", "fallback.key")
    +	if err == nil {
    +		return &fallback, nil
    +	}
    +
    +	logger.Error("Can't fallback, giving up", zap.Error(err))
     	return nil, errHaveNoCert
     
     }
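
    Review bot: the tls.LoadX509KeyPair("fallback.crt", "fallback.key") call added after the Warn line sits inside GetCertificate, so every handshake that fails issuance re-reads and re-parses both files, and the bare filenames resolve against whatever the process working directory happens to be. Load the pair once at startup from a configured path and return the cached *tls.Certificate here. The fallback is also returned for any failed name without checking that it covers the name in the ClientHello; a fallback that does not cover the requested name will surface in the client as a certificate name mismatch, so consider verifying the name against the fallback first or limiting the fallback to configured domain patterns. The Warn text says "falling back to default" before the load has succeeded; logging it inside the err == nil branch would keep the log accurate.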
    
  • Obtaining a certificate goes into an endless loop and fails.


    Getting some certificate goes into an endless loop and fails. I turned on the debug to figure it out. File in attachment. This does not happen with all certificates. lets-proxy.log

  • Too many redirects


    I have this set up running as a service.

    We use a .htaccess file to force https - this however, gives an error in the browser of 'Too Many Redirects'.

    The .htaccess file is as below:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteCond %{HTTP:X-FORWARDED-PROTO} !(^.+)
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]
    
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f
    RewriteRule . index.php [L]
    </IfModule>
    
  • on 127.0.0.53:53: no such host


    2019-07-15T19:36:24.297Z	info	cert_manager/manager.go:115	Get certificate	{"connection_id": "747cd9b9-06f7-4486-84ac-23700a55a9b9", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "original_domain": "verneluna.xxxx.com"}
    2019-07-15T19:36:24.300Z	info	domain_checker/ip_list.go:98	Resolve domain ip addresses	{"connection_id": "747cd9b9-06f7-4486-84ac-23700a55a9b9", "cert_name": "verneluna.xxxx.com", "ips": null, "error": "lookup www.verneluna.xxxx.com on 127.0.0.53:53: no such host"}
    2019-07-15T19:36:24.300Z	warn	cert_manager/manager.go:310	Need domain doesn't authorized.	{"connection_id": "747cd9b9-06f7-4486-84ac-23700a55a9b9", "cert_name": "verneluna.xxxx.com", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "authorized_domains": []}
    2019-07-15T19:36:24.300Z	warn	cert_manager/manager.go:197	Can't issue certificate	{"connection_id": "747cd9b9-06f7-4486-84ac-23700a55a9b9", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "cert_name": "verneluna.xxxx.com", "error": "need domain doesn't authorized"}
    2019-07-15T19:36:24.300Z	info	tlslistener/tlslistenershandler.go:228	TLS Handshake	{"connection_id": "747cd9b9-06f7-4486-84ac-23700a55a9b9", "error": "have no certificate for domain"}
    2019/07/15 19:36:24 http: TLS handshake error from 37.228.241.159:16966: have no certificate for domain
    2019-07-15T19:36:24.379Z	info	cert_manager/manager.go:115	Get certificate	{"connection_id": "87087a5d-0d54-413f-b8b6-5773cd4f794d", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "original_domain": "verneluna.xxxx.com"}
    2019-07-15T19:36:24.381Z	info	domain_checker/ip_list.go:98	Resolve domain ip addresses	{"connection_id": "87087a5d-0d54-413f-b8b6-5773cd4f794d", "cert_name": "verneluna.xxxx.com", "ips": null, "error": "lookup www.verneluna.xxxx.com on 127.0.0.53:53: no such host"}
    2019-07-15T19:36:24.383Z	warn	cert_manager/manager.go:310	Need domain doesn't authorized.	{"connection_id": "87087a5d-0d54-413f-b8b6-5773cd4f794d", "cert_name": "verneluna.xxxx.com", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "authorized_domains": []}
    2019-07-15T19:36:24.383Z	warn	cert_manager/manager.go:197	Can't issue certificate	{"connection_id": "87087a5d-0d54-413f-b8b6-5773cd4f794d", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "cert_name": "verneluna.xxxx.com", "error": "need domain doesn't authorized"}
    2019-07-15T19:36:24.384Z	info	tlslistener/tlslistenershandler.go:228	TLS Handshake	{"connection_id": "87087a5d-0d54-413f-b8b6-5773cd4f794d", "error": "have no certificate for domain"}
    2019/07/15 19:36:24 http: TLS handshake error from 37.228.241.159:16933: have no certificate for domain
    2019-07-15T19:36:24.383Z	info	cert_manager/manager.go:115	Get certificate	{"connection_id": "4eb69b39-f03b-47a5-994f-c4a66b1842f0", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "original_domain": "verneluna.xxxx.com"}
    2019-07-15T19:36:24.387Z	info	domain_checker/ip_list.go:98	Resolve domain ip addresses	{"connection_id": "4eb69b39-f03b-47a5-994f-c4a66b1842f0", "cert_name": "verneluna.xxxx.com", "ips": null, "error": "lookup www.verneluna.xxxx.com on 127.0.0.53:53: no such host"}
    2019-07-15T19:36:24.388Z	warn	cert_manager/manager.go:310	Need domain doesn't authorized.	{"connection_id": "4eb69b39-f03b-47a5-994f-c4a66b1842f0", "cert_name": "verneluna.xxxx.com", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "authorized_domains": []}
    2019-07-15T19:36:24.388Z	warn	cert_manager/manager.go:197	Can't issue certificate	{"connection_id": "4eb69b39-f03b-47a5-994f-c4a66b1842f0", "domain": "verneluna.xxxx.com (punycode:verneluna.xxxx.com)", "cert_name": "verneluna.xxxx.com", "error": "need domain doesn't authorized"}
    2019-07-15T19:36:24.389Z	info	tlslistener/tlslistenershandler.go:228	TLS Handshake	{"connection_id": "4eb69b39-f03b-47a5-994f-c4a66b1842f0", "error": "have no certificate for domain"}
    2019/07/15 19:36:24 http: TLS handshake error from 37.228.241.159:16979: have no certificate for domain
    
  • // in url -> 'silent' 301 converting POST to get


    When a URL contains double '/', the proxy issues a 301 redirect to a GET on the url without '/', discarding POST data.

    It also doesn't log the POST either.

  • NET::ERR_CERT_AUTHORITY_INVALID


    I recently moved from vs1 to vs2 of 'lets-proxy' and in the main this is working.

    However, I've noticed that occasionally I'll get the below error:

    NET::ERR_CERT_AUTHORITY_INVALID
    

    Looking in console, I can see the following information:

    Issuer: Let's Encrypt Authority X3
    Expires on: 4 Nov 2020
    Current date: 6 Aug 2020
    This page is not secure (broken HTTPS).
    
    Certificate - missing
    This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
    
    Connection - secure connection settings
    The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.
    
    Resources - all served securely
    All resources on this page are served securely.
    

    Looking in the 'lets-proxy' logs I can see:

    "error": "remote error: tls: unknown certificate"
    

    It seems as though it is saying the site connection is secure but the certificate is not valid or from a trusted certificate?

    Any help on this would be appreciated.

    Many thanks

  • Too many open files issue


    Hi @rekby

    I managed to install the lets-proxy2 service but from time to time, it stops working and the log shows this entry:

    Close listener {"local_addr": "[::]:443", "error": "accept tcp [::]:443: accept4: too many open files"}

    Any suggestion how to fix those?

    My entry looks like this in the config.toml file

    # Seconds for issue every certificate. Cancel issue and return error if timeout.
    IssueTimeout = 300
    
    # For prevent infinite loop and consume all memory if cycle in includes
    MaxConfigFilesRead = 30000
    
    # After KeepAliveTimeoutSeconds of inactive incoming connection will close.
    KeepAliveTimeoutSeconds = 900
    
    
    

    Current Log error:

    2020-06-30T03:50:15.933Z	error	tlslistener/tlslistenershandler.go:117	Close listener	{"local_addr": "[::]:443", "error": "accept tcp [::]:443: accept4: too many open files"}
    github.com/rekby/lets-proxy2/internal/log.infoError
    	/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:170
    github.com/rekby/lets-proxy2/internal/log.InfoError
    	/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/log/log.go:107
    github.com/rekby/lets-proxy2/internal/tlslistener.handleConnections
    	/home/travis/gopath/src/github.com/rekby/lets-proxy2/internal/tlslistener/tlslistenershandler.go:117
    2020-06-30T03:50:15.934Z	error	cmd/main.go:169	Handle request stopped	{"error": "listener closed"}
    github.com/rekby/lets-proxy2/internal/log.debugError
    
  • Optimize certificates renew


    Currently certificates are renewed independently of each other, in no particular order. That is fine when each domain name has a small number of subdomains.

    But Let's Encrypt has rate limits on issuing certificates for one domain. This means certificate renewal could be optimized to consume less of those limits.

    For example, batch the subdomains of one domain into a single certificate request, then calculate the right renewal time so that the maximum number of new certificates can still be issued, etc.

  • Add performance tests


    Add a system for benchmarking the proxy: how many requests/bytes per second it can handle, and how much memory and CPU it consumes.

    It must be tests as code, so that it is simple to repeat for future (and, if possible, previous) versions.

  • Add plugin system


    Add a system for writing external plugins.

    A plugin can hook into parts of the certificate/request lifecycle.

    As a starting point, this can be external storage for certificates or a DNS challenge.
