Proxy TCP connections based on static rules, HTTP Host headers, and SNI server names (Go package or binary)

Primary language: Go. License: Apache-2.0.

tcpproxy

This is a fork of https://github.com/google/tcpproxy/

For usage, see https://godoc.org/github.com/aviddiviner/tcpproxy/

Notable differences between this fork and the upstream package:

1. The old `Matcher` type has been replaced with more of a "routing" matcher. The old type did a simple boolean match against the found hostname:

       // Matcher reports whether hostname matches the Matcher's criteria.
       type Matcher func(ctx context.Context, hostname string) bool

   The new `Matcher` also returns its `Target` (where an incoming matched connection is sent), allowing you to dynamically retarget based on the hostname:

       // Matcher checks whether a hostname matches its criteria and, if true, returns
       // the target where the incoming matched connection should be sent to.
       type Matcher func(ctx context.Context, hostname string) (t Target, ok bool)

2. Some new matchers have been added:

   1. `SuffixMatcher`, which directs all hosts with the given domain suffix to a target, and
   2. `ConsulMatcher`, which directs hosts based on DNS lookups in Consul of service names matching that host's subdomain.

3. The logic around ACME tls-sni-01 challenges (and the `AddStopACMESearch` function) has been removed. This feature was found vulnerable to certain exploits [1] and was disabled by Let's Encrypt [2].


[1]: https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
[2]: https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188
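The following is an added, self-contained illustration of the routing-style `Matcher` from item 1 and of a suffix matcher in the spirit of item 2. It is example code written for this README, not the fork's own implementation: the `Target` interface is assumed to have the single `HandleConn(net.Conn)` method of the upstream package (check the godoc), `namedTarget`, `ExactMatcher`, `Route` and `TargetName` are constructed here for the demonstration, and the hostnames and backend names are made up. The point worth noticing is that the suffix comparison is anchored at a label boundary and normalised for case and a trailing dot, so a host such as `evilexample.com` is never routed to the `example.com` backend.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
)

// Target is where a matched connection is sent. The method set mirrors the
// upstream tcpproxy Target interface (an assumption of this example).
type Target interface {
	HandleConn(net.Conn)
}

// Matcher is the routing matcher from item 1 above: it reports whether hostname
// matches and, if so, which Target should receive the connection.
type Matcher func(ctx context.Context, hostname string) (t Target, ok bool)

// namedTarget is a constructed stand-in Target that only carries a name; a real
// target would dial the backend and relay bytes in both directions.
type namedTarget struct{ name string }

func (n namedTarget) HandleConn(c net.Conn) { c.Close() }

// canonHost lowercases a hostname and drops a trailing dot so that
// "APP.Example.COM." and "app.example.com" route identically.
func canonHost(h string) string {
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// ExactMatcher routes exactly one hostname to t.
func ExactMatcher(host string, t Target) Matcher {
	host = canonHost(host)
	return func(_ context.Context, hostname string) (Target, bool) {
		if canonHost(hostname) == host {
			return t, true
		}
		return nil, false
	}
}

// SuffixMatcher routes every host below suffix (e.g. "example.com") to t.
// The suffix is always compared with a leading dot, so the match is anchored
// at a label boundary: "evilexample.com" does not match "example.com", and
// the bare apex "example.com" itself is not matched either.
func SuffixMatcher(suffix string, t Target) Matcher {
	suffix = "." + strings.TrimPrefix(canonHost(suffix), ".")
	return func(_ context.Context, hostname string) (Target, bool) {
		h := canonHost(hostname)
		if len(h) > len(suffix) && strings.HasSuffix(h, suffix) {
			return t, true
		}
		return nil, false
	}
}

// Route tries matchers in order and returns the first Target that claims the
// hostname, so more specific matchers must be listed before broader ones.
func Route(ctx context.Context, matchers []Matcher, hostname string) (Target, bool) {
	for _, m := range matchers {
		if t, ok := m(ctx, hostname); ok {
			return t, true
		}
	}
	return nil, false
}

// TargetName returns the name behind a routed Target, or "" when nothing matched.
func TargetName(t Target, ok bool) string {
	if !ok {
		return ""
	}
	if n, isNamed := t.(namedTarget); isNamed {
		return n.name
	}
	return ""
}

func main() {
	matchers := []Matcher{
		ExactMatcher("admin.example.com", namedTarget{"admin-backend"}),
		SuffixMatcher("example.com", namedTarget{"app-backend"}),
	}
	// Constructed sample hostnames, including two that must not be routed.
	for _, h := range []string{"admin.example.com", "APP.Example.COM.", "evilexample.com", "example.com", "other.org"} {
		t, ok := Route(context.Background(), matchers, h)
		fmt.Printf("%-18s -> %q (matched=%v)\n", h, TargetName(t, ok), ok)
	}
}
```

Because `Route` returns the first claiming matcher, order the slice from most specific to least specific; a suffix matcher placed first would silently swallow the exact match for `admin.example.com`.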