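// Package goxy is a small reverse proxy whose routing table, TLS
// certificates and control (RPC) endpoint live on one Server value.
package goxy

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// readHeaderTimeout bounds how long a client may take to send the request
// headers on any of the three listeners. It defends against slow-header
// (slowloris-style) connections without limiting the lifetime of a proxied
// stream, which is why no WriteTimeout/IdleTimeout is set here.
const readHeaderTimeout = 10 * time.Second

// Server bundles the routing table (Routes), the per-host certificate store
// (SNI) and the three listeners: plain HTTP, TLS and the RPC/control server.
//
// Routes and SNI are embedded maps; both are read on the request/handshake
// path and rewritten by UpdateMux. NOTE(review): nothing in this file
// serialises those accesses — if UpdateMux can run while Start's listeners
// are live (e.g. via RPC), the map reads/writes and the Handler reassignment
// are data races and need a lock or an atomic swap. Confirm against the RPC
// code, which is defined elsewhere.
type Server struct {
	DataFile string // path of the persisted routing table; "" when not persisted
	Routes
	SNI
	wwwServer http.Server // plain HTTP listener
	tlsServer http.Server // TLS listener; certificates come from SNI via getCertificate
	rpcServer http.Server // control listener; no Handler is set, so it serves http.DefaultServeMux
}

// SNI maps a TLS server name (hostname only, no port) to the certificate
// presented for it.
type SNI map[string]*tls.Certificate

// getCertificate is the tls.Config.GetCertificate callback: it returns the
// certificate stored for the exact ServerName the client sent. There is no
// wildcard or default fallback, so a handshake for an unknown name fails.
func (s SNI) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if v, ok := s[h.ServerName]; ok {
		return v, nil
	}
	return nil, fmt.Errorf("no cert for %q", h.ServerName)
}

// addCertificate parses a PEM certificate/key pair and stores it under the
// host part of host: a "host:port" string has its port stripped, anything
// SplitHostPort rejects is used verbatim as the key.
//
// It returns the tls.X509KeyPair error when the pair does not parse.
func (s SNI) addCertificate(host string, cert, key []byte) error {
	c, err := tls.X509KeyPair(cert, key)
	if err != nil {
		return err
	}
	// SplitHostPort fails for a bare hostname; that is the expected case and
	// the name is then used as-is.
	slug, _, err := net.SplitHostPort(host)
	if err != nil {
		slug = host
	}
	s[slug] = &c
	return nil
}

// NewServer builds a Server listening on listenWWW (HTTP), listenTLS (TLS)
// and listenRPC (control; RPCPort when empty), loads the routing table from
// dataFile when it is non-empty, registers the RPC handlers and the
// /debug/route handler, and builds the request multiplexers.
//
// The returned error is the one from UpdateMux; the Server is returned even
// then, as before.
func NewServer(dataFile, listenWWW, listenTLS, listenRPC string) (*Server, error) {
	if listenRPC == "" {
		listenRPC = RPCPort
	}
	server := &Server{
		DataFile:  dataFile,
		Routes:    make(Routes),
		SNI:       make(SNI),
		wwwServer: http.Server{Addr: listenWWW, ReadHeaderTimeout: readHeaderTimeout},
		tlsServer: http.Server{Addr: listenTLS, ReadHeaderTimeout: readHeaderTimeout},
		rpcServer: http.Server{Addr: listenRPC, ReadHeaderTimeout: readHeaderTimeout},
	}
	server.tlsServer.TLSConfig = &tls.Config{
		// Certificates are chosen per handshake from the SNI map; Start
		// passes no static cert/key files to ListenAndServeTLS.
		GetCertificate: server.getCertificate,
		// Explicit floor so the accepted protocol version does not depend on
		// the toolchain's default.
		MinVersion: tls.VersionTLS12,
	}
	if dataFile != "" {
		// NOTE(review): whatever Load reports is discarded here, so a missing
		// or corrupt data file starts the proxy with an empty routing table.
		// Confirm Load's signature and surface its error if it returns one.
		// The file carries route.Key material, so its permissions matter too.
		server.Load(dataFile)
	}
	registerRPC(server)
	// /debug/route lands on http.DefaultServeMux, i.e. on rpcServer, which
	// sets no Handler. Nothing in this file authenticates that listener, so
	// its bind address should not be reachable from untrusted networks.
	http.Handle("/debug/route", server)
	return server, server.UpdateMux()
}

// NewRedirect returns a handler that answers every request with a 301 to the
// fixed URL given (despite the parameter name, UpdateMux passes a full URL
// such as "https://host"). The incoming request path is not carried over.
func NewRedirect(host string) http.Handler {
	return http.RedirectHandler(host, http.StatusMovedPermanently)
}

// NewReverseProxy returns a single-host reverse proxy for target.
func NewReverseProxy(target *url.URL) *httputil.ReverseProxy {
	return httputil.NewSingleHostReverseProxy(target)
}

// UpdateMux rebuilds the HTTP and TLS multiplexers from s.Routes and installs
// them on the two listeners.
//
// The scheme of route.Host selects the behaviour:
//   - "http" or no scheme: reverse proxy on the HTTP listener;
//   - "https": certificate added to SNI, proxy on the TLS listener, HTTP
//     listener redirects to https://host;
//   - "ws": WebSocket proxy on the HTTP listener;
//   - "wss": as https, with a WebSocket proxy and a wss://host redirect.
//
// Any other scheme is rejected with an error rather than silently skipped,
// so a mistyped scheme cannot drop a route unnoticed. The first error
// (unparsable host/upstream, bad certificate, unknown scheme) aborts the
// rebuild; the listeners keep their previous handlers, but SNI entries added
// before the failure remain.
func (s *Server) UpdateMux() error {
	wwwMux := http.NewServeMux()
	tlsMux := http.NewServeMux()
	for host, route := range s.Routes {
		serverName, err := url.Parse(route.Host)
		if err != nil {
			return err
		}
		upstream, err := url.Parse(route.Upstream)
		if err != nil {
			return err
		}
		// host serves both as the ServeMux pattern and, port stripped, as the
		// SNI key — assumes route keys are bare hostnames; confirm against
		// Load, since a key containing a path would never equal a
		// ClientHello ServerName.
		switch serverName.Scheme {
		case "http", "":
			wwwMux.Handle(host, NewReverseProxy(upstream))
		case "https":
			if err := s.SNI.addCertificate(host, route.Cert, route.Key); err != nil {
				return err
			}
			tlsMux.Handle(host, NewReverseProxy(upstream))
			wwwMux.Handle(host, NewRedirect("https://"+host))
		case "ws":
			wwwMux.Handle(host, NewWebSocketProxy(upstream))
		case "wss":
			if err := s.SNI.addCertificate(host, route.Cert, route.Key); err != nil {
				return err
			}
			tlsMux.Handle(host, NewWebSocketProxy(upstream))
			wwwMux.Handle(host, NewRedirect("wss://"+host))
		default:
			return fmt.Errorf("route %q: unsupported scheme %q", host, serverName.Scheme)
		}
	}
	s.wwwServer.Handler = wwwMux
	s.tlsServer.Handler = tlsMux
	return nil
}

// Start runs the three listeners and blocks until the first of them returns,
// yielding that error. The TLS listener is given no cert/key files; the
// certificate comes from the TLS config's GetCertificate callback.
//
// The remaining listeners are not shut down when one fails; callers should
// treat the returned error as fatal for the process.
func (s *Server) Start() error {
	// Buffered to the number of listeners so the goroutines whose result is
	// never read can exit instead of blocking forever on the send.
	errc := make(chan error, 3)
	go func() { errc <- s.wwwServer.ListenAndServe() }()
	go func() { errc <- s.tlsServer.ListenAndServeTLS("", "") }()
	go func() { errc <- s.rpcServer.ListenAndServe() }()
	return <-errc
}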