TLS Termination Proxy
This repo contains a simple lightweight TLS termination proxy that uses letsencrypt to provide TLS encryption for any number of TCP servers and server names concurrently on the same port.
Its functionality is similar to an stunnel server, but without the need to configure and run certbot separately. It is intended to work smoothly with c2fmzq-server, and should work with any TCP server.
Example config:
```yaml
# The HTTP address must be reachable from the internet via port 80 for the
# letsencrypt ACME http-01 challenge to work. If the httpAddr is empty, the
# proxy will only use tls-alpn-01 and tlsAddr must be reachable on port 443.
# See https://letsencrypt.org/docs/challenge-types/
httpAddr: ":10080"

# The proxy will receive TLS connections at this address and forward them to
# the backends.
tlsAddr: ":10443"

# Each backend has a list of server names (DNS names that clients connect to),
# and addresses (where to forward connections).
backends:
  - serverNames:
      - example.com
      - www.example.com
    addresses:
      - 192.168.0.10:80
      - 192.168.0.11:80
      - 192.168.0.12:80

  - serverNames:
      - other.example.com
    addresses:
      - 192.168.1.100:443
    useTLS: true
    insecureSkipVerify: true

  - serverNames:
      - secure.example.com
    clientAuth: true
    clientCAs: |
      -----BEGIN CERTIFICATE-----
      .....
      -----END CERTIFICATE-----
    addresses:
      - 192.168.2.200:443
    useTLS: true
    forwardServerName: secure-internal.example.com
```
See the examples directory and internal/config.go for more details.
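To show how the backend fields above translate into TLS behaviour, here is an added Go example (not the project's own code): it routes an incoming connection by its SNI over a constructed backend list and maps useTLS/insecureSkipVerify/forwardServerName and clientAuth/clientCAs onto crypto/tls settings. The Backend type and the exact mapping are assumptions based on the config semantics described above; the project's real implementation lives in internal/config.go and the proxy package.

```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"strings"
)
// Backend mirrors one entry of the backends list above (constructed for this example).
type Backend struct {
	ServerNames        []string
	UseTLS             bool
	InsecureSkipVerify bool
	ForwardServerName  string
	ClientAuth         bool
	ClientCAs          string // PEM bundle from the clientCAs key
}
// FindBackend picks the backend whose serverNames contain the client's SNI;
// matching is case-insensitive and unknown names are rejected.
func FindBackend(backends []*Backend, sni string) (*Backend, error) {
	sni = strings.TrimSuffix(sni, ".")
	for _, b := range backends {
		for _, n := range b.ServerNames {
			if strings.EqualFold(n, sni) {
				return b, nil
			}
		}
	}
	return nil, errors.New("no backend for server name " + sni)
}
// BackendTLSConfig is the client-side config for dialing the backend (nil when
// useTLS is false). insecureSkipVerify disables certificate verification, so it
// belongs only on a trusted network; forwardServerName is the name verified.
func (b *Backend) BackendTLSConfig() *tls.Config {
	if !b.UseTLS {
		return nil
	}
	return &tls.Config{ServerName: b.ForwardServerName, MinVersion: tls.VersionTLS12,
		InsecureSkipVerify: b.InsecureSkipVerify}
}
// ClientAuthPolicy maps clientAuth/clientCAs to the server side: the client
// must present a certificate chaining to one of the clientCAs.
func (b *Backend) ClientAuthPolicy() (tls.ClientAuthType, *x509.CertPool, error) {
	if !b.ClientAuth {
		return tls.NoClientCert, nil, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(b.ClientCAs)) {
		return tls.NoClientCert, nil, errors.New("clientCAs has no valid PEM certificate")
	}
	return tls.RequireAndVerifyClientCert, pool, nil
}
```

A malformed clientCAs bundle is treated as a hard error rather than silently falling back to no client verification, which is the failure mode worth checking for when editing that key.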
Run the proxy with:

```sh
go run ./proxy --config=config.yaml
```
Or, use the docker image, e.g.

```sh
docker run \
  --name=tlsproxy \
  --user=1000:1000 \
  --restart=always \
  --volume=${CONFIGDIR}:/config \
  --volume=${CACHEDIR}:/.cache \
  --publish=80:10080 \
  --publish=443:10443 \
  c2fmzq/tlsproxy:latest
```
The proxy reads the config from ${CONFIGDIR}/config.yaml.

⚠ ${CACHEDIR} is used to store TLS secrets. It should be readable and writable only by the UID running tlsproxy (1000 in the docker example above).