When using "boringproxy server" it asks for the admin domain. All grand,
but it looks rather strange:

    2021/01/05 22:11:05 Starting up
    2021/01/05 22:11:05 Enter Admin Domain:
    [cursor is here]

It wasn't really clear to me this was asking a question, as it includes
the date like a log message and the cursor is on the next line.
So, change it to just fmt.Print()
Maybe the "starting up" should also be moved a bit further down, but
that would conflict with my other PR 🙃
Before, not giving any command didn't really give much feedback beyond
"invalid arguments". This adds a basic usage message, and tells people
that you can use "boringproxy server -h".
I moved the "Starting up" log message because otherwise that would get
printed when asking for "server -h".
I also added error checks for the flag parsing; I think this isn't
*strictly* needed, but I remember running into problems once by
omitting it (although I've forgotten what that problem was, exactly).
Also fixed a bug where client TLS termination was failing to get
new certs, I believe because the TLS listener hadn't started up
yet. I didn't notice it before because I'm running the client and
server on the same machine and the server currently gets certs on
startup even for non-server TLS tunnels.
Basically working, but still needs:
* UI for selecting TLS passthrough
* Client Let's Encrypt integration for automatically getting certs.
* More testing. The changes were pretty invasive.
Services like Jellyfin weren't working apparently because the upstream
requests were using chunked encoding. Reading the entire request body
and forwarding it on seems to fix it.
Also overriding the Host header for upstream requests.
API is now the central control point for making authorized
requests. The current architecture is:
* db simply returns all data
* api uses tokens to filter data from db. It includes methods for
returning objects, and HTTP endpoints for returning JSON.
* ui calls the api functions to get filtered data.
Also changed the order that extractToken looks for tokens. Used to
be cookies then headers then query. Now in reverse, to make it
easier to override, i.e. for replacing cookies during login.
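
The lookup order and layering described in the commit message above, as an added sketch that is not boringproxy's own code. The "access_token" and "Bearer" names, the tunnel type, the helper functions other than extractToken, and all data are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample data; the db layer hands back everything, unfiltered.
type tunnel struct{ Domain, Owner string }
var dbTokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}
var dbTunnels = []tunnel{{"a.example.com", "alice"}, {"b.example.com", "bob"}}

// extractToken looks in query, then header, then cookie (names are assumptions).
func extractToken(r *http.Request) (token, source string) {
	if t := r.URL.Query().Get("access_token"); t != "" {
		return t, "query"
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") && len(h) > 7 {
		return h[7:], "header"
	}
	if c, err := r.Cookie("access_token"); err == nil && c.Value != "" {
		return c.Value, "cookie"
	}
	return "", ""
}

// apiGetTunnels is the api layer: only the token owner's tunnels come back.
func apiGetTunnels(token string) (out []tunnel) {
	owner, ok := dbTokens[token]
	for _, t := range dbTunnels {
		if ok && t.Owner == owner {
			out = append(out, t)
		}
	}
	return out
}

// newRequest builds a request carrying a cookie token; target may add a query token.
func newRequest(target, cookieToken string) *http.Request {
	r := httptest.NewRequest("GET", target, nil)
	r.AddCookie(&http.Cookie{Name: "access_token", Value: cookieToken})
	return r
}

func main() {
	tok, src := extractToken(newRequest("/login?access_token=tok-bob", "tok-alice"))
	fmt.Println(tok, src, apiGetTunnels(tok))
}
```

Because the query string wins, a token passed that way also ends up in proxy and server access logs, so a login flow built on it would normally swap it for a cookie right away.
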
Required switching to TLS for Let's Encrypt, so I could disable
the HTTP ACME handler. Pretty sure there's a way to keep them
both enabled but this is fine for now.
Allows a few things:
* Can terminate HTTP/2 without the upstream needing to implement
it
* Allows modification of headers in both directions
* Allows logging at the proxy
I had been moving in the direction of implementing a custom SSH
server in golang. That would be pretty easy if using a custom
application protocol, but I want to support tcpip-forward which
looks like it would be a lot more work. It also would be nice to
support generic CLI clients like OpenSSH.
The point of using SSH in the first place is that it's known to be a
solid tunneling solution. To that end, I've decided to rely on
OpenSSH for now, since that program may have tunneled more bits than any
other since the dawn of time. This requires a bit of hackery to generate
SSH keys and place them in authorized_keys (as well as shipping the
private key to the client), but I think this will work well for now.
Plus OpenSSH is already installed on pretty much every server
I'd expect to run boringproxy.
Turns out SSH has robust semantics for opening generic channels.
Looks like I'll be able to set up tunnels without ever needing to
forward ports on the server, since I can connect the channels with
a custom protocol.
Of course I'll eventually want to support generic SSH clients, but
this makes starting much easier.