From 8b47133661e64d8491308754bb64f8f50bcee545 Mon Sep 17 00:00:00 2001
From: Bel LaPointe <153096461+breel-render@users.noreply.github.com>
Date: Sun, 31 May 2026 08:55:00 -0700
Subject: [PATCH] need manual test

---
 main.go | 52 ++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 4 deletions(-)

diff --git a/main.go b/main.go
index 6bd9330..f7df054 100644
--- a/main.go
+++ b/main.go
@@ -1,9 +1,12 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"log"
 	"net/http"
+	"net/http/httputil"
+	"net/url"
 	"strings"
 )
 
@@ -30,6 +33,11 @@ func main() {
 }
 
 func (c Config) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if c.endpoint(r).To == "" {
+		http.NotFound(w, r)
+		return
+	}
+
 	if r.Method == http.MethodOptions {
 		cors(w)
 		return
@@ -47,7 +55,20 @@ func (c Config) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	http.Error(w, "not yet", http.StatusNotImplemented)
+	endpoint := c.endpoint(r)
+	u, err := url.Parse(endpoint.To)
+	if err != nil {
+		log.Printf("[%s] %v", c.key(r), err)
+	}
+	var transport http.Transport
+	transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	proxy := httputil.NewSingleHostReverseProxy(u)
+	proxy.Transport = redirPurge{
+		proxyHost:     r.Host,
+		targetHost:    u.Host,
+		baseTransport: &transport,
+	}
+	proxy.ServeHTTP(w, r)
 }
 
 func cors(w http.ResponseWriter) {
@@ -59,12 +80,12 @@ func cors(w http.ResponseWriter) {
 	w.WriteHeader(http.StatusOK)
 }
 
-func (c Config) endpoint(r *http.Request) string {
+func (c Config) key(r *http.Request) string {
 	return strings.Split(r.Host, ".")[0]
 }
 
 func (c Config) handleAdmin(w http.ResponseWriter, r *http.Request) bool {
-	switch c.endpoint(r) {
+	switch c.key(r) {
 	case "_":
 		panic("not impl: list")
 	case "home":
@@ -74,7 +95,7 @@ func (c Config) handleAdmin(w http.ResponseWriter, r *http.Request) bool {
 }
 
 func (c Config) basicAuth(w http.ResponseWriter, r *http.Request) bool {
-	basicAuth := c.Endpoints[c.endpoint(r)].BasicAuth
+	basicAuth := c.endpoint(r).BasicAuth
 	if noAuth := basicAuth == ""; noAuth {
 		return true
 	}
@@ -88,3 +109,26 @@ func (c Config) basicAuth(w http.ResponseWriter, r *http.Request) bool {
 
 	return true
 }
+
+func (c Config) endpoint(r *http.Request) Endpoint {
+	return c.Endpoints[c.key(r)]
+}
+
+type redirPurge struct {
+	proxyHost     string
+	targetHost    string
+	baseTransport http.RoundTripper
+}
+
+func (rp redirPurge) RoundTrip(r *http.Request) (*http.Response, error) {
+	resp, err := rp.baseTransport.RoundTrip(r)
+	if err != nil {
+		return resp, err
+	}
+	if loc := resp.Header.Get("Location"); loc != "" {
+		resp.Header.Set("Location", strings.Replace(loc, rp.targetHost, rp.proxyHost, 1))
+	}
+	// google floc https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+	resp.Header.Set("Permissions-Policy", "interest-cohort=()")
+	return resp, err
+}