{"id":13337967,"url":"https://github.com/Probely/simple-tls-proxy","last_synced_at":"2025-03-11T08:32:05.149Z","repository":{"id":94397618,"uuid":"155450107","full_name":"Probely/simple-tls-proxy","owner":"Probely","description":"A simple Nginx-based TLS 1.3 proxy with Let's Encrypt automatic certificate renewals","archived":false,"fork":false,"pushed_at":"2025-03-10T13:19:14.000Z","size":85,"stargazers_count":13,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-10T14:27:26.451Z","etag":null,"topics":["aws","docker","gcp","nginx","reverse-proxy","terraform","tls","tls13"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Probely.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-30T20:14:19.000Z","updated_at":"2025-03-10T13:19:21.000Z","dependencies_parsed_at":"2024-10-23T19:28:05.052Z","dependency_job_id":"407fd4f0-e138-4764-826e-32294359eca7","html_url":"https://github.com/Probely/simple-tls-proxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Probely%2Fsimple-tls-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Probely%2Fsimple-tls-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Probely%2Fsimple-tls-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Probely%2Fsimple-t
ls-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Probely","download_url":"https://codeload.github.com/Probely/simple-tls-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243000831,"owners_count":20219751,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","docker","gcp","nginx","reverse-proxy","terraform","tls","tls13"],"created_at":"2024-07-29T19:15:16.560Z","updated_at":"2025-03-11T08:32:04.771Z","avatar_url":"https://github.com/Probely.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Introduction\n\nsimple-tls-proxy is an Nginx-based TLS reverse proxy container with modern TLS settings and automatic certificate renewals. \n\nIt can be placed in front of an existing HTTP website to enable HTTPS functionality with, hopefully, minimal hassle. You can think of it as a (limited) TLS terminator. You are free to change the configuration to better suit your needs, of course.\n\n![Network architecture overview](/images/architecture.png)\n\nWe provide two Terraform configurations that will automatically create the required cloud infrastructure and deploy the TLS reverse proxy. This way, you can easily try out the TLS configurations on AWS or GCP.\n\nWe also detail the manual steps required to run the examples on a stand-alone virtual machine. This assumes that the VM has an assigned public IP, and is reachable on ports 80 and 443. \n\nPlease note that these examples are meant to be used as proof-of-concept only. 
We are using \"bleeding edge\" package versions, since there is no official support for TLS 1.3 in the Nginx Docker images yet. The deployments run on a single instance and do not scale automatically. We advise you not to use this setup in production. We plan to provide scalable examples for this setup, Kubernetes, and Amazon ECS.\n\nWith the exception of the stand-alone example, familiarity with AWS or GCP is required. If you have any issue running any of our example deployments, please let us know in the comments section. We will do our best to help you out.\n\n# Directory structure\n\n```\n.\n├── deployments\n│   ├── aws.............. Amazon Web Services Terraform files\n│   ├── gcp.............. Google Cloud Platform Terraform files\n│   └── stand-alone...... Stand-alone docker-compose configuration\n├── docker\n│   ├── nginx............ Let's Encrypt and TLS 1.3 enabled Nginx\n│   └── tls-controller... Requests certificates and builds Nginx configs\n├── LICENSE\n├── Makefile\n├── README.md\n└── systemd.............. Systemd support files\n```\n\n# Stand-alone deployment\n\n## Requirements\n\nThis setup needs a dedicated virtual machine with the following requirements:\n  * [Docker](https://docs.docker.com/engine/installation/);\n  * [Docker Compose](https://docs.docker.com/compose/install/);\n  * Systemd (available in most Linux distributions);\n  * Public IP;\n  * Public DNS hostname, pointing to the IP above;\n  * Ports 80 and 443 available;\n  * Ports 80 and 443 reachable from the Internet.\n\n## Procedure\n\nLog in to the virtual machine and run the following commands:\n\n```bash\ngit clone https://github.com/Probely/simple-tls-proxy\ncd simple-tls-proxy\npushd deployments/stand-alone\ncp sample/sample-deployment.env deployment.env\n```\n\nNext, edit the `deployment.env` file, and set the values according to your setup. Make sure that the `LETSENCRYPT_EMAIL` and `PROXY_BACKEND_HOSTS` variables are set correctly. 
\n\nFinally, run these commands:\n\n```bash\npopd\nsudo make install\n```\n\nYou can check the logs with:\n\n```bash\n# Let's Encrypt status messages\nsudo journalctl -fu tls-proxy-controller\n# Nginx logs\nsudo journalctl -fu tls-proxy\n```\n\nIf everything is configured correctly, you should see Let's Encrypt log entries confirming that the certificate was fetched correctly.\n\n# Amazon Web Services deployment\n\n## Requirements\n\n  * A working AWS [account](https://docs.docker.com/compose/install/);\n  * [Install](https://docs.aws.amazon.com/cli/latest/userguide/installing.html) the AWS Command Line Interface (CLI);\n  * [Configure](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) the AWS CLI;\n  * Install [Terraform](https://www.terraform.io/intro/getting-started/install.html).\n\n## Procedure\n\nRun these commands on the machine where you have the AWS CLI and Terraform installed:\n\n```bash\ngit clone https://github.com/Probely/simple-tls-proxy\ncd simple-tls-proxy/deployments/aws\n```\n\nEdit the `default.auto.tfvars` file and set the following variables:\n  * `letsencrypt_email`\n  * `backend_hosts`\n  * `public_key`\n\nSpecific guidance on how to choose proper values is provided inside the file.\n\nWhen all required variables are set, run the following:\n\n```bash\nterraform apply\n```\n\nWait for Terraform to finish. It can take a few minutes.\n\nNext, you need to determine your instance's IP address.\n\n```bash\n# The region argument may not be needed, depending on your AWS CLI configuration.\nPROXY_INSTANCE_IP=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=tls-proxy-playground' --query 'Reservations[].Instances[].PublicIpAddress' --output text --region eu-west-3)\necho $PROXY_INSTANCE_IP\n```\n\n**Create a DNS entry with the hostname used in `proxy_backend_hosts` and point it to the IP address obtained above.**\n\nWait for 5–10 minutes. 
The virtual machine requires some time to initialize and install all required packages.\n\nIf you want to check the progress or just look around, you can log in to the virtual machine using the SSH key defined in `public_key`.\n\n```bash\nssh centos@$PROXY_INSTANCE_IP -i /path/to/key\n```\n\nIf the `yum` process is still running in the VM, wait a bit more for the installation to finish.\n\nAfter the installation ends, you can check the logs with these commands:\n\n```bash\n# Let's Encrypt status messages\nsudo journalctl -fu tls-proxy-controller\n# Nginx logs\nsudo journalctl -fu tls-proxy\n```\n\n# Google Cloud Platform deployment\n\n## Requirements\n  * A working GCP [account](https://console.cloud.google.com);\n  * [Install](https://cloud.google.com/sdk/install) the Google Cloud SDK;\n  * [Configure](https://cloud.google.com/sdk/docs/initializing) the Google Cloud SDK;\n  * Install [Terraform](https://www.terraform.io/intro/getting-started/install.html).\n\n## Procedure\n\nRun these commands on the machine where you have the Google Cloud SDK and Terraform installed:\n\n```bash\ngit clone https://github.com/Probely/simple-tls-proxy\ncd simple-tls-proxy/deployments/gcp\n```\n\nEdit the `default.auto.tfvars` file and set the following variables:\n\n  * `project_id`\n  * `letsencrypt_email`\n  * `backend_hosts`\n\nSpecific guidance on how to choose proper values is provided inside the file.\n\nWhen all required variables are set, run the following:\n\n```bash\nterraform apply\n```\n\nWait for Terraform to finish. It can take a few minutes.\n\nNext, you need to determine your instance IP address.\n\n```bash\ngcloud --format=\"value(networkInterfaces[0].accessConfigs[0].natIP)\" compute instances list --filter tls-proxy-playground\n```\n\n**Create a DNS entry with the hostname used in `proxy_backend_hosts` and point it to the IP address obtained above.**\n\nWait 5–10 minutes. 
The virtual machine requires some time to initialize and install all required packages.\n\nIf you want to check the progress or just look around, you can log in to the machine using `gcloud`. \n\n```bash\n# The zone argument may not be needed, depending on your gcloud configuration.\ngcloud compute ssh tls-proxy-playground --zone=europe-west4-a\n```\n\nIf the `yum` process is still running in the VM, wait a bit more for the installation to finish.\n\nAfter the installation ends, you can check the logs with these commands:\n\n```bash\n# Let's Encrypt status messages\nsudo journalctl -fu tls-proxy-controller\n# Nginx logs\nsudo journalctl -fu tls-proxy\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FProbely%2Fsimple-tls-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FProbely%2Fsimple-tls-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FProbely%2Fsimple-tls-proxy/lists"}