forked from jtolio/lecat

socat-lite with letsencrypt support


x-mod/lecat

socat-lite with letsencrypt support

Why?

I often find myself running web services on unprivileged ports such as 8000, 8080, etc., and then later decide I want to access these things on port 80. In these cases, I often run something like sudo socat TCP-LISTEN:80,fork,reuseaddr TCP:localhost:8080. What this does is start a small process that listens on port 80 and forwards all incoming connections to my process on port 8080.

Unfortunately, this isn't HTTPS or SSL. It'd be nice to be able to run a small binary like socat that listens on 443, does SSL termination, and redirects the actual unencrypted traffic to localhost:8080. You can do this, too, with socat, but certs are just such a hassle. OR WERE!

With the advent of Let's Encrypt, having a small binary that actually does the entire process of making a key, getting a valid certificate, and doing the proxying is now possible!

lecat is this thing.

Example Usage

All you gotta do is tell lecat the domain your process is visible from and the local unencrypted port to forward to.

lecat --host your.website.tld --target localhost:8080

An example session:

$ ./my-unprivileged-thing.py --listen localhost:8080 &
$ go get github.com/jtolds/lecat
$ sudo ~/your/gopath/bin/lecat --host your.website.tld --target localhost:8080
2016/02/07 07:12:25 loading configuration
2016/02/07 07:12:25 no key found at /root/.lecat/server.key, generating
2016/02/07 07:12:35 no cert found at /root/.lecat/server.crt, requesting
2016/02/07 07:12:35 no key found at /root/.lecat/account.key, generating
2016/02/07 07:12:44 (re)registering account key
2016/02/07 07:12:44 getting challenges for "your.website.tld"
2016/02/07 07:12:45 performing sni challenge
2016/02/07 07:12:46 waiting for challenge
2016/02/07 07:12:47 making csr
2016/02/07 07:12:47 getting cert
2016/02/07 07:12:47 listening on [::]:443

Running it again will reload existing keys and certificates:

$ sudo ~/your/gopath/bin/lecat --host your.website.tld --target localhost:8080
2016/02/07 07:19:13 loading configuration
2016/02/07 07:19:14 listening on [::]:443

Lastly, you can also pass --redirect-addr :80 to have the process start a small HTTP server listening on port 80 that redirects incoming unencrypted requests to HTTPS. Be aware that this little HTTP server will set the HSTS flag on redirected requests, telling incoming browsers to never try HTTP again for the configured period. If you use this setting and this isn't the behavior that you want, you'll probably need to clear your domain out of your browser's HSTS database. Or just keep using SSL.
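A redirect listener of the kind described above, written here as an added example and not taken from lecat's source. The function names, the 301 status and the 180-day max-age are assumptions; your.website.tld is the README's placeholder host.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// hstsValue builds a Strict-Transport-Security header value.
// A zero maxAge yields "max-age=0", which asks a browser to drop
// any policy it has stored for the host.
func hstsValue(maxAge time.Duration) string {
	return fmt.Sprintf("max-age=%d", int64(maxAge/time.Second))
}

// redirectHandler sends every plaintext request to the same path on
// https://host. The target host comes from configuration, never from the
// request's Host header, so a forged Host cannot steer the redirect.
func redirectHandler(host string, maxAge time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := url.URL{
			Scheme:   "https",
			Host:     host,
			Path:     r.URL.Path,
			RawQuery: r.URL.RawQuery,
		}
		w.Header().Set("Strict-Transport-Security", hstsValue(maxAge))
		http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
	})
}

func main() {
	// Assumed values for illustration only.
	srv := &http.Server{
		Addr:              ":80",
		Handler:           redirectHandler("your.website.tld", 180*24*time.Hour),
		ReadHeaderTimeout: 5 * time.Second, // bound slow header reads
	}
	if err := srv.ListenAndServe(); err != nil {
		fmt.Println(err)
	}
}
```

Browsers apply an HSTS policy only when the header arrives over HTTPS (RFC 6797, section 8.1), so the same value also belongs on responses served through the TLS side. Sending max-age=0 over HTTPS is the server-side way to retire a policy that was set by mistake.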

sudo?

lecat doesn't really need sudo, it just needs setcap 'cap_net_bind_service=+ep' go/bin/lecat.

LICENSE

Copyright 2016 JT Olds

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Languages

  • Go 100.0%
