Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jtolio/lecat

socat-lite with letsencrypt support
https://github.com/jtolio/lecat

Last synced: 2 months ago
JSON representation

socat-lite with letsencrypt support

Host: GitHub
URL: https://github.com/jtolio/lecat
Owner: jtolio
License: other
Created: 2016-02-06T23:24:18.000Z (almost 9 years ago)
Default Branch: master
Last Pushed: 2020-09-11T21:51:14.000Z (over 4 years ago)
Last Synced: 2024-10-16T14:58:05.629Z (3 months ago)
Language: Go
Homepage:
Size: 17.6 KB
Stars: 81
Watchers: 5
Forks: 14
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# lecat

socat-lite with letsencrypt support

## Why?

I often find myself running web services on unprivileged ports such as 8000,
8080, etc, and then later decide I want to access these things on port 80.
In these cases, I often run something like
`sudo socat TCP-LISTEN:80,fork,reuseaddr TCP:localhost:8080`. What this does
is start a small process that listens on port 80 and forwards all incoming
connections to my process on port 8080.

Unfortunately, this isn't HTTPS or SSL. It'd be nice to be able to run a small
binary like socat that listens on 443, does SSL termination, and redirects the
actual unencrypted traffic to localhost:8080. You can do this, too, with
socat, but certs are just such a hassle. OR WERE!

With the advent of [Let's Encrypt](https://letsencrypt.org/), having a small
binary that actually does the entire process of making a key, getting a
valid certificate, and doing the proxying is now possible!

`lecat` is this thing.

## Example Usage

All you gotta do is tell lecat the domain your process is visible from and the
local unencrypted port to forward to.

```
lecat --host your.website.tld --target localhost:8080
```

An example session:

```
$ ./my-unprivileged-thing.py --listen localhost:8080 &
$ go get github.com/jtolds/lecat
$ sudo ~/your/gopath/bin/lecat --host your.website.tld --target localhost:8080
2016/02/07 07:12:25 loading configuration
2016/02/07 07:12:25 no key found at /root/.lecat/server.key, generating
2016/02/07 07:12:35 no cert found at /root/.lecat/server.crt, requesting
2016/02/07 07:12:35 no key found at /root/.lecat/account.key, generating
2016/02/07 07:12:44 (re)registering account key
2016/02/07 07:12:44 getting challenges for "your.website.tld"
2016/02/07 07:12:45 performing sni challenge
2016/02/07 07:12:46 waiting for challenge
2016/02/07 07:12:47 making csr
2016/02/07 07:12:47 getting cert
2016/02/07 07:12:47 listening on [::]:443
```

Running it again will reload existing keys and certificates:

```
$ sudo ~/your/gopath/bin/lecat --host your.website.tld --target localhost:8080
2016/02/07 07:19:13 loading configuration
2016/02/07 07:19:14 listening on [::]:443
```

Lastly, you can also pass `--redirect-addr :80` to have the process start a
small HTTP server listening on port 80 that redirects incoming unencrypted
requests to HTTPS. Be aware that this little HTTP server will set the HSTS
flag on redirected requests, telling incoming browsers to never
try HTTP again for the configured period. If you use this setting and this isn't
the behavior that you want, you'll probably need to clear your domain out of
your browser's HSTS database. Or just keep using SSL.

### sudo?

lecat doesn't really need sudo, it just needs
`setcap 'cap_net_bind_service=+ep' go/bin/lecat`.

## LICENSE

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.