Added the ability to scope tokens to a specific client. If
enabled, this has the effect of limiting the token to being used
to list tunnels for that specific client. It can't be used for
the web UI or for any state-changing actions such as creating
new tunnels.
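As an added illustration of the scoping rule described above (example code written for this page, not boringproxy's own implementation; the `Token` struct, the `Action` values and the `Authorize` function are assumptions), a deny-by-default check in Go: a client-scoped token gets exactly one capability, listing that client's tunnels, and everything else, including listing another client's tunnels, is refused.

```go
package main

import (
	"errors"
	"fmt"
)

// Action is the kind of operation a request wants to perform.
type Action int

const (
	ActionListTunnels  Action = iota // read-only: list tunnels
	ActionCreateTunnel               // state-changing
	ActionDeleteTunnel               // state-changing
	ActionWebUI                      // browser session
)

func (a Action) String() string {
	switch a {
	case ActionListTunnels:
		return "list-tunnels"
	case ActionCreateTunnel:
		return "create-tunnel"
	case ActionDeleteTunnel:
		return "delete-tunnel"
	case ActionWebUI:
		return "web-ui"
	}
	return "unknown"
}

// Token is a hypothetical bearer-token record. Client == "" means the token
// is unscoped; a non-empty Client restricts it to listing that client's
// tunnels and nothing else.
type Token struct {
	Owner  string
	Client string
}

var ErrForbidden = errors.New("forbidden")

// Authorize decides whether tok may perform action on behalf of client.
// Scoped tokens are denied by default: only ActionListTunnels for the
// bound client passes.
func Authorize(tok Token, action Action, client string) error {
	if tok.Client == "" {
		return nil // unscoped token: all actions permitted
	}
	if action != ActionListTunnels {
		return fmt.Errorf("%w: token scoped to client %q may not %s", ErrForbidden, tok.Client, action)
	}
	if client != tok.Client {
		return fmt.Errorf("%w: token scoped to client %q, request was for %q", ErrForbidden, tok.Client, client)
	}
	return nil
}

func main() {
	scoped := Token{Owner: "alice", Client: "laptop"}
	full := Token{Owner: "alice"}
	cases := []struct {
		tok    Token
		action Action
		client string
	}{
		{scoped, ActionListTunnels, "laptop"},  // allowed
		{scoped, ActionListTunnels, "desktop"}, // wrong client
		{scoped, ActionCreateTunnel, "laptop"}, // state-changing
		{scoped, ActionWebUI, "laptop"},        // web UI
		{full, ActionCreateTunnel, "laptop"},   // unscoped token
	}
	for _, c := range cases {
		err := Authorize(c.tok, c.action, c.client)
		fmt.Printf("token(client=%q) %s client=%q -> %v\n", c.tok.Client, c.action, c.client, err)
	}
}
```

The point of putting the scope check in one function is that every endpoint, including the web UI and the tunnel-creation path, calls the same `Authorize` before doing anything, so a new endpoint cannot accidentally accept a scoped token.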
LetsEncrypt currently only supports ports 80/443 for ACME, so if
custom ports are used we need to disable automatically getting
certs.
Also changed it to only emit a warning when ports aren't
reachable from the internet, rather than failing.
Can now bind to ports other than 80/443, using the -http-port and
-https-port arguments.
Assuming you already have the certs you need, HTTPS even works.
Unfortunately you can't get the certs automatically because
LetsEncrypt doesn't support ports other than 80/443 as far as I
know.
TakingNames.io now provides bootstrap domains, which simply
create an A record based on the IP address of the requesting
server, without requiring any authorization. This allows
boringproxy to always use HTTPS, even when getting the admin
domain.
The requests themselves now must be retrieved from the boringproxy
server by TakingNames.io, over HTTPS. This provides several
security benefits:
* You can tell the user the request is coming from a specific
domain.
* Requests are tied to an ephemeral request-id, to prevent
prebuilt phishing links.
There is currently a single hard-coded exception for setting a
single A record for an IP address. This is needed for
bootstrapping a service that doesn't have any certs yet (i.e. the
boringproxy admin domain), and will need to display a big scary
message to users.
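To make the request-id mechanism concrete, here is an added Go example written for this page (not TakingNames.io's or boringproxy's code; the `DNSRequest` shape, the `/dns-request` endpoint and the `RequestStore` names are assumptions). The server registers a pending request under a random id, the provider fetches it over TLS (an `httptest` TLS server stands in for the HTTPS-serving proxy), and the id is single-use and time-limited, so a link fabricated in advance or replayed later returns nothing.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// DNSRequest is the record change the provider is asked to apply (assumed shape).
type DNSRequest struct {
	Domain string `json:"domain"`
	Type   string `json:"type"`  // "A"
	Value  string `json:"value"` // the IP address for an A record
}

type entry struct {
	req     DNSRequest
	expires time.Time
}

// RequestStore keeps pending requests keyed by a random, single-use id.
type RequestStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	now     func() time.Time // injectable clock for tests
	pending map[string]entry
}

var ErrUnknownRequest = errors.New("unknown, expired or already-used request id")

func NewRequestStore(ttl time.Duration) *RequestStore {
	return &RequestStore{ttl: ttl, now: time.Now, pending: map[string]entry{}}
}

// Create registers req and returns the ephemeral id the user carries to the
// provider. 128 random bits make the id unguessable, so a phishing page
// cannot pre-build a link for a request that does not exist yet.
func (s *RequestStore) Create(req DNSRequest) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	id := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[id] = entry{req: req, expires: s.now().Add(s.ttl)}
	return id, nil
}

// Take hands out the request for id exactly once; a replayed or expired id
// fails. The entry is deleted before the expiry check, so stale ids are
// cleaned up on first touch.
func (s *RequestStore) Take(id string) (DNSRequest, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.pending[id]
	if !ok {
		return DNSRequest{}, ErrUnknownRequest
	}
	delete(s.pending, id)
	if !s.now().Before(e.expires) {
		return DNSRequest{}, ErrUnknownRequest
	}
	return e.req, nil
}

// Handler is the endpoint the provider fetches the pending request from.
func (s *RequestStore) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := s.Take(r.URL.Query().Get("id"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(req)
	})
}

// FetchRequest plays the provider's side: it pulls the request from the
// proxy server over TLS, so the request's origin is vouched for by the
// server's certificate rather than by whatever link the user clicked.
func FetchRequest(client *http.Client, baseURL, id string) (DNSRequest, error) {
	resp, err := client.Get(baseURL + "/dns-request?id=" + id)
	if err != nil {
		return DNSRequest{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return DNSRequest{}, fmt.Errorf("server returned %s", resp.Status)
	}
	var req DNSRequest
	if err := json.NewDecoder(resp.Body).Decode(&req); err != nil {
		return DNSRequest{}, err
	}
	return req, nil
}

func main() {
	store := NewRequestStore(5 * time.Minute)
	srv := httptest.NewTLSServer(store.Handler()) // stands in for the HTTPS proxy server
	defer srv.Close()
	// Constructed sample request: a bootstrap A record for an admin domain.
	id, err := store.Create(DNSRequest{Domain: "bp.example.com", Type: "A", Value: "203.0.113.10"})
	if err != nil {
		panic(err)
	}
	req, err := FetchRequest(srv.Client(), srv.URL, id)
	fmt.Printf("first fetch: %+v err=%v\n", req, err)
	_, err = FetchRequest(srv.Client(), srv.URL, id)
	fmt.Printf("replayed id: err=%v\n", err)
}
```

Because the provider reads the request body from the server rather than from the link, the user-visible link only ever carries an opaque id; the domain, record type and value shown to the user for approval come from the server that proved its identity over TLS.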
When using "boringproxy server" it asks for the admin domain. All grand,
but it looks rather strange:
2021/01/05 22:11:05 Starting up
2021/01/05 22:11:05 Enter Admin Domain:
[cursor is here]
It wasn't really clear to me this was asking a question, as it includes
the date like a log message and the cursor is on the next line.
So, change it to just fmt.Print()
Maybe the "starting up" should also be moved a bit further down, but
that would conflict with my other PR 🙃
Before, not giving any command didn't really give much feedback beyond
"invalid arguments". This adds a basic usage message, and tells people
that you can use "boringproxy server -h".
I moved the "Starting up" log message because otherwise that would get
printed when asking for "server -h".
I also added error checks for the flag parsing; I think this isn't
*strictly* needed, but I remember running into problems once by
omitting it (although I've forgotten what that problem was, exactly).
Also fixed a bug where client TLS termination was failing to get
new certs, I believe because the TLS listener hadn't started up
yet. I didn't notice it before because I'm running the client and
server on the same machine and the server currently gets certs on
startup even for non-server TLS tunnels.