rm exec

.gitignore

@@ -2,7 +2,6 @@
 *.crt
 *.pem
 testdata
-fproxy
 *.swp
 *.swo
 *.pub

chaining

@@ -0,0 +1,21 @@
+###   MAIN FPROXY ####
+mecrt, mekey = server
+tocrt = nil
+fromcrt = intermediatecrt
+###   INTERMEDIATE ####
+mecrt, mekey = signed by main
+tocrt = main.crt
+fromcrt = endclientcrt
+###   END CLIENT ###
+mycrt, mykey = signed by intermediate
+
+###   FILES ###
+maincrt
+mainkey
+V
+intercrt
+interkey
+V
+endcrt
+endkey
+

config/config.go

@@ -0,0 +1,45 @@
+package config
+
+import (
+	"flag"
+	"os"
+	"strings"
+)
+
+func flagEnvFallback(keyFallback map[string]string) map[string]string {
+	results := map[string]*string{}
+	for k, v := range keyFallback {
+		results[k] = flag.String(k, v, "")
+	}
+	flag.Parse()
+	final := map[string]string{}
+	for k := range results {
+		if *results[k] == keyFallback[k] && os.Getenv(strings.ToUpper(k)) != "" {
+			*results[k] = os.Getenv(strings.ToUpper(k))
+		}
+		final[k] = *results[k]
+	}
+	return final
+}
+
+func New() map[string]string {
+	conf := flagEnvFallback(map[string]string{
+		"toaddr":    "https://bel.house:20018",
+		"mycrt":     "/Volumes/bldisk/client.crt",
+		"mykey":     "/Volumes/bldisk/client.key",
+		"tocrt":     "/Volumes/bldisk/server.crt",
+		"fromcrt":   "/Volumes/bldisk/accept.crt",
+		"port":      "8888",
+		"whitelist": "192.168.0.86,,bel.house,,minio.gcp.blapointe.com",
+		"bypass":    "plex.tv",
+		"secure":    "gcp.blapointe.com",
+		"secret":    "secret",
+	})
+	if !strings.HasPrefix(conf["port"], ":") {
+		conf["port"] = ":" + conf["port"]
+	}
+	if len(conf["bypass"]) != 0 && len(conf["whitelist"]) != 0 {
+		conf["whitelist"] += ",," + conf["bypass"]
+	}
+	return conf
+}

fproxy/new.go

@@ -0,0 +1,264 @@
+package fproxy
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"sort"
+	"strings"
+)
+
+type FProxy struct {
+	transport   *http.Transport
+	sserver     *http.Server
+	iserver     *http.Server
+	httpport    string
+	tlsport     string
+	whitelist   []string
+	bypass      []string
+	secure      []string
+	localhost   []string
+	mykey       string
+	mycrt       string
+	fromcrt     string
+	tocrt       string
+	sockssecret string
+}
+
+func GetPort() string {
+	s := httptest.NewUnstartedServer(nil)
+	s.Close()
+	return ":" + strings.Split(s.Listener.Addr().String(), ":")[1]
+}
+
+func (fp *FProxy) Apply(conf map[string]string) error {
+	if v, ok := conf["secret"]; ok && v != "" {
+		fp.sockssecret = v
+	}
+	if v, ok := conf["whitelist"]; ok && v != "" {
+		fp.WithWhitelist(strings.Split(v, ",,"))
+	}
+	if v, ok := conf["bypass"]; ok && v != "" {
+		fp.WithBypass(strings.Split(v, ",,"))
+	}
+	if v, ok := conf["secure"]; ok && v != "" {
+		fp.WithSecure(strings.Split(v, ",,"))
+	}
+	if v, ok := conf["port"]; ok {
+		fp.setPorts(v)
+	} else {
+		fp.setPorts()
+	}
+
+	if v, ok := conf["mycrt"]; ok && v != "" {
+		if err := fp.WithCerts(v, conf["mykey"]); err != nil {
+			return err
+		}
+	}
+
+	if v, ok := conf["fromcrt"]; ok && v != "" {
+		if err := fp.WithFrom(v); err != nil {
+			return err
+		}
+	}
+
+	if v, ok := conf["tocrt"]; ok && v != "" {
+		if err := fp.WithTo(conf["toaddr"], v); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func New(ports ...string) *FProxy {
+	fp := &FProxy{
+		transport: &http.Transport{},
+		sserver:   &http.Server{},
+		iserver:   &http.Server{},
+		localhost: []string{
+			"[::1]",
+			"127.0.0.1",
+			"::1",
+			"bel.pc",
+			"192.168.",
+			"172.17.0.",
+		},
+	}
+	sort.Strings(fp.localhost)
+	fp.sserver.Handler = fp
+	fp.iserver.Handler = fp
+	return fp
+}
+
+func (fp *FProxy) setPorts(ports ...string) {
+	if len(ports) == 0 {
+		ports = []string{GetPort()}
+	}
+	if len(ports) > 0 {
+		p := string(strings.TrimPrefix(ports[0], ":")[0] + byte(1))
+		if p[0] == '7' {
+			p = "1"
+		}
+		ports = []string{ports[0], ":" + p + strings.TrimPrefix(ports[0], ":")[1:]}
+	}
+	fp.httpport = ports[0]
+	fp.tlsport = ports[1]
+	fp.sserver.Addr = fp.httpport
+	fp.iserver.Addr = fp.httpport
+	return
+}
+
+func NewClient(clientCrt, clientKey, proxyCrt, proxyPort string) (*http.Client, error) {
+	return (&FProxy{
+		httpport: proxyPort,
+	}).NewClient(clientCrt, clientKey, proxyCrt)
+}
+
+func (fp *FProxy) NewClient(certs ...string) (*http.Client, error) {
+	myport := fp.httpport
+	if !strings.HasPrefix(myport, ":") {
+		myport = ":" + myport
+	}
+	proxyCrt := fp.mycrt
+	clientCrt := ""
+	clientKey := ""
+	if len(certs) > 1 {
+		clientCrt = certs[0]
+		clientKey = certs[1]
+		if len(certs) > 2 && certs[2] != "" {
+			proxyCrt = certs[2]
+		}
+	}
+	hclient := &http.Client{}
+	transport := &http.Transport{
+		Proxy: func(r *http.Request) (*url.URL, error) {
+			if clientCrt == "" {
+				return url.Parse("http://localhost" + myport)
+			} else {
+				return url.Parse("https://localhost" + myport)
+			}
+		},
+	}
+	if proxyCrt == "" {
+		hclient.Transport = transport
+		return hclient, nil
+	}
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	cert, err := ioutil.ReadFile(proxyCrt)
+	if err != nil {
+		return nil, err
+	}
+	rootCAs.AppendCertsFromPEM(cert)
+	transport.TLSClientConfig = &tls.Config{
+		RootCAs: rootCAs,
+	}
+	transport.TLSClientConfig.BuildNameToCertificate()
+
+	if clientCrt == "" {
+		hclient.Transport = transport
+		return hclient, nil
+	} else if clientKey == "" {
+		return nil, errors.New("FProxy requires cert files")
+	}
+
+	clientCert, err := tls.LoadX509KeyPair(clientCrt, clientKey)
+	if err != nil {
+		return nil, err
+	}
+	transport.TLSClientConfig.Certificates = []tls.Certificate{clientCert}
+	transport.TLSClientConfig.BuildNameToCertificate()
+
+	hclient.Transport = transport
+	return hclient, nil
+}
+
+func (fp *FProxy) WithTo(addr, tocrt string) error {
+	fp.tocrt = tocrt
+	toCert, err := ioutil.ReadFile(tocrt)
+	if err != nil {
+		return err
+	}
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return err
+	}
+	rootCAs.AppendCertsFromPEM(toCert)
+	if fp.transport.TLSClientConfig == nil {
+		fp.transport.TLSClientConfig = &tls.Config{}
+	}
+	fp.transport.TLSClientConfig.RootCAs = rootCAs
+	fp.transport.Proxy = func(*http.Request) (*url.URL, error) {
+		u, err := url.Parse(addr)
+		if err != nil {
+			return nil, err
+		}
+		u.Scheme = "https"
+		return u, nil
+	}
+	return nil
+}
+
+func (fp *FProxy) WithFrom(fromcrt string) error {
+	fp.fromcrt = fromcrt
+	if fp.sserver.TLSConfig == nil {
+		fp.sserver.TLSConfig = &tls.Config{}
+	}
+
+	caCert, err := ioutil.ReadFile(fromcrt)
+	if err != nil {
+		return err
+	}
+	clientCAs := x509.NewCertPool()
+	clientCAs.AppendCertsFromPEM(caCert)
+
+	fp.sserver.TLSConfig.ClientCAs = clientCAs
+	fp.sserver.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	fp.sserver.TLSConfig.MinVersion = tls.VersionTLS12
+	fp.sserver.TLSConfig.CurvePreferences = []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}
+	fp.sserver.TLSConfig.PreferServerCipherSuites = true
+	fp.sserver.TLSConfig.CipherSuites = []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	}
+	fp.sserver.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0)
+	return nil
+}
+
+func (fp *FProxy) WithCerts(crt, key string) error {
+	fp.mycrt = crt
+	fp.mykey = key
+	clientCert, err := tls.LoadX509KeyPair(crt, key)
+	if err != nil {
+		return err
+	}
+	if fp.transport.TLSClientConfig == nil {
+		fp.transport.TLSClientConfig = &tls.Config{}
+	}
+	fp.transport.TLSClientConfig.Certificates = []tls.Certificate{clientCert}
+	return nil
+}
+
+func (fp *FProxy) WithWhitelist(whitelist []string) {
+	sort.Strings(whitelist)
+	fp.whitelist = whitelist
+}
+
+func (fp *FProxy) WithBypass(bypass []string) {
+	sort.Strings(bypass)
+	fp.bypass = bypass
+}
+
+func (fp *FProxy) WithSecure(secure []string) {
+	sort.Strings(secure)
+	fp.secure = secure
+}

fproxy/new_test.go

@@ -0,0 +1,252 @@
+package fproxy
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"os/exec"
+	"path"
+	"testing"
+	"time"
+)
+
+func Test_New(t *testing.T) {
+	New()
+}
+
+func Test_Apply(t *testing.T) {
+	fp := New()
+
+	level1 := getKeyPair("server", "")
+	defer os.RemoveAll(path.Dir(level1))
+	level2 := getKeyPair("server", level1)
+	defer os.RemoveAll(path.Dir(level2))
+	level3 := getKeyPair("client", level2)
+	defer os.RemoveAll(path.Dir(level3))
+
+	if err := fp.Apply(map[string]string{
+		"whitelist": "hello,,world",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"mycrt":     level2 + ".crt",
+		"mykey":     level2 + ".key",
+		"tocrt":     level1 + ".crt",
+		"fromcrt":   level3 + ".crt",
+	}); err != nil {
+		t.Errorf("failed to apply: %v", err)
+	}
+}
+
+func Test_Single_Clear(t *testing.T) {
+	fp1 := New()
+
+	if err := fp1.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "",
+		"tocrt":     "",
+		"mycrt":     "",
+		"mykey":     "",
+		"fromcrt":   "",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	client, err := fp1.NewClient()
+	if err != nil {
+		t.Fatalf("failed to make client: %v", err)
+	}
+
+	fp1.Start()
+	defer fp1.Close()
+	time.Sleep(time.Second * 2)
+
+	if _, err := client.Get("http://google.com"); err != nil {
+		t.Fatalf("failed to http GET: %v", err)
+	}
+	if resp, err := client.Get("https://google.com"); err != nil {
+		t.Fatalf("failed to https GET: %v", err)
+	} else if _, err := ioutil.ReadAll(resp.Body); err != nil {
+		t.Fatalf("cannot ready https google body: %v", err)
+	}
+}
+
+func Test_Single(t *testing.T) {
+	fp1 := New()
+
+	level1 := getKeyPair("server", "")
+	defer os.RemoveAll(path.Dir(level1))
+	level3 := getKeyPair("client", level1)
+	defer os.RemoveAll(path.Dir(level3))
+
+	if err := fp1.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "",
+		"tocrt":     "",
+		"mycrt":     level1 + ".crt",
+		"mykey":     level1 + ".key",
+		"fromcrt":   level3 + ".crt",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	client, err := fp1.NewClient(level3+".crt", level3+".key")
+	if err != nil {
+		t.Fatalf("failed to make client: %v", err)
+	}
+
+	fp1.Start()
+	defer fp1.Close()
+	time.Sleep(time.Second * 2)
+
+	if _, err := client.Get("http://google.com"); err != nil {
+		t.Fatalf("failed to http GET: %v", err)
+	}
+	if resp, err := client.Get("https://google.com"); err != nil {
+		t.Fatalf("failed to https GET: %v", err)
+	} else if _, err := ioutil.ReadAll(resp.Body); err != nil {
+		t.Fatalf("cannot ready https google body: %v", err)
+	}
+}
+
+func Test_Chain_ClearEnd(t *testing.T) {
+	fp1 := New()
+	fp2 := New()
+
+	level1 := getKeyPair("server", "")
+	defer os.RemoveAll(path.Dir(level1))
+	level2 := getKeyPair("server", level1)
+	defer os.RemoveAll(path.Dir(level2))
+
+	if err := fp1.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "",
+		"tocrt":     "",
+		"mycrt":     level1 + ".crt",
+		"mykey":     level1 + ".key",
+		"fromcrt":   level2 + ".crt",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	if err := fp2.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "https://localhost" + fp1.sserver.Addr,
+		"tocrt":     level1 + ".crt",
+		"mycrt":     level2 + ".crt",
+		"mykey":     level2 + ".key",
+		"fromcrt":   "",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	client, err := fp2.NewClient()
+	if err != nil {
+		t.Fatalf("failed to make client: %v", err)
+	}
+
+	fp1.Start()
+	fp2.Start()
+	defer fp1.Close()
+	defer fp2.Close()
+	time.Sleep(time.Second * 2)
+
+	if _, err := client.Get("http://google.com"); err != nil {
+		t.Fatalf("failed to GET: %v", err)
+	}
+	if resp, err := client.Get("https://google.com"); err != nil {
+		t.Fatalf("failed to GET: %v", err)
+	} else if _, err := ioutil.ReadAll(resp.Body); err != nil {
+		t.Fatalf("cannot ready https google body: %v", err)
+	}
+}
+
+func Test_Chain(t *testing.T) {
+	fp1 := New()
+	fp2 := New()
+
+	level1 := getKeyPair("server", "")
+	defer os.RemoveAll(path.Dir(level1))
+	level2 := getKeyPair("server", level1)
+	defer os.RemoveAll(path.Dir(level2))
+	level3 := getKeyPair("client", level2)
+	defer os.RemoveAll(path.Dir(level3))
+
+	if err := fp1.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "",
+		"tocrt":     "",
+		"mycrt":     level1 + ".crt",
+		"mykey":     level1 + ".key",
+		"fromcrt":   level2 + ".crt",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	if err := fp2.Apply(map[string]string{
+		"whitelist": "hello,,world,,google.com",
+		"bypass":    "hello,,world",
+		"secure":    "hello,,world",
+		"toaddr":    "https://localhost" + fp1.sserver.Addr,
+		"tocrt":     level1 + ".crt",
+		"mycrt":     level2 + ".crt",
+		"mykey":     level2 + ".key",
+		"fromcrt":   level3 + ".crt",
+	}); err != nil {
+		t.Fatalf("failed to apply: %v", err)
+	}
+
+	client, err := fp2.NewClient(level3+".crt", level3+".key")
+	if err != nil {
+		t.Fatalf("failed to make client: %v", err)
+	}
+
+	fp1.Start()
+	fp2.Start()
+	defer fp1.Close()
+	defer fp2.Close()
+	time.Sleep(time.Second * 2)
+
+	if _, err := client.Get("http://google.com"); err != nil {
+		t.Fatalf("failed to GET: %v", err)
+	}
+	if _, err := client.Get("https://google.com"); err != nil {
+		t.Fatalf("failed to GET: %v", err)
+	}
+}
+
+func getKeyPair(mode, parent string) string {
+	pcrt := ""
+	pkey := ""
+	if parent != "" {
+		pcrt = parent + ".crt"
+		pkey = parent + ".key"
+	}
+	d, err := ioutil.TempDir("", "fproxytest-"+mode)
+	if err != nil {
+		panic(err)
+	}
+	cmd := exec.Command("bash", path.Join(
+		os.Getenv("GOPATH"),
+		"src",
+		"local20181107",
+		"cert-maker",
+		"openssl.sh",
+	), mode, "", "localhost", pcrt, pkey)
+	cmd.Dir = d
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Printf("OUTPUT: %s", out)
+		panic(err)
+	}
+	return path.Join(d, mode)
+}

fproxy/serve.go

@@ -0,0 +1,335 @@
+package fproxy
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"local/encoder"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+
+	socks5 "github.com/armon/go-socks5"
+	"golang.org/x/net/proxy"
+)
+
+func deny(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusUnauthorized)
+	fmt.Fprintln(w, "You shouldn't be here")
+}
+
+func (fp *FProxy) Start() {
+	if fp.fromcrt != "" {
+		go func() {
+			conf := &socks5.Config{
+				Credentials: fp,
+				Rules:       fp,
+			}
+			server, err := socks5.New(conf)
+			if err != nil {
+				panic(err)
+			}
+
+			if err := server.ListenAndServe("tcp", fp.tlsport); err != nil {
+				panic(err)
+			}
+		}()
+	}
+	go func() {
+		if fp.fromcrt != "" {
+			if err := fp.sserver.ListenAndServeTLS(fp.mycrt, fp.mykey); err != http.ErrServerClosed {
+				log.Fatal(err)
+			}
+		} else {
+			if err := fp.iserver.ListenAndServe(); err != http.ErrServerClosed {
+				log.Fatal(err)
+			}
+		}
+	}()
+}
+
+func (fp *FProxy) Valid(user, pass string) bool {
+	enc, err := encoder.New(nil, &encoder.Salter{}, &encoder.AES{Key: []byte(fp.sockssecret)})
+	if err != nil {
+		return false
+	}
+	userb, err := enc.Decode([]byte(user))
+	if err != nil {
+		return false
+	}
+	passb, err := enc.Decode([]byte(pass))
+	if err != nil {
+		return false
+	}
+	should, err := ioutil.ReadFile(fp.fromcrt)
+	if err != nil {
+		return false
+	}
+	if string(userb) != string(should[:30]) || string(passb) != string(should[len(should)-30:]) {
+		return false
+	}
+	log.Print(fp.httpport, "directly connecting socks")
+	return true
+}
+
+func (fp *FProxy) Allow(ctx context.Context, r *socks5.Request) (context.Context, bool) {
+	if !fp.fromLocal(r.RemoteAddr.IP.String()) {
+		log.Print(fp.httpport, "denying socks from non-local", r.RemoteAddr.IP.String())
+		return ctx, false
+	}
+	if len(fp.whitelist) > 0 && !contains(fp.whitelist, baseHost(r.DestAddr.FQDN)) && !contains(fp.whitelist, baseHost(r.DestAddr.IP.String())) {
+		log.Print(fp.httpport, "denying socks to non-whitelist", r.DestAddr.FQDN)
+		return ctx, false
+	}
+	return ctx, true
+}
+
+func (fp *FProxy) Close() error {
+	fp.iserver.Shutdown(context.TODO())
+	return fp.sserver.Shutdown(context.TODO())
+}
+
+func (fp *FProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if !fp.fromLocal(r.RemoteAddr) {
+		log.Print(fp.httpport, "denying non-local", r.RemoteAddr)
+		deny(w, r)
+		return
+	}
+	if !fp.toWhitelist(r) {
+		log.Print(fp.httpport, "denying non-whitelist", r.URL)
+		deny(w, r)
+		return
+	}
+	if contains(fp.bypass, baseHost(r.URL.Host)) {
+		log.Printf("%v: %v: %v", fp.httpport, "BYPASS NO PROXY ", r.URL)
+		fp.Passthrough(w, r)
+		return
+	}
+	if r.Method == http.MethodConnect && fp.transport.Proxy == nil {
+		log.Print(fp.httpport, "CONNECT no transport proxy ", r.Host)
+		fp.Connect(w, r)
+		return
+	}
+	if r.Method == http.MethodConnect && fp.transport.Proxy != nil {
+		log.Print(fp.httpport, "CONNECT transport proxy = ", r.Host, "via", fmt.Sprint(fp.transport.Proxy(r)))
+		fp.Connect(w, r)
+		return
+	}
+	if fp.transport.Proxy != nil {
+		log.Print(fp.httpport, "* PROXY ", r.Host, "via", fmt.Sprint(fp.transport.Proxy(r)))
+	} else {
+		log.Print(fp.httpport, "* NO PROXY ", r.Host)
+	}
+	fp.ProxyRequest(w, r)
+}
+
+func (fp *FProxy) Connect(w http.ResponseWriter, r *http.Request) {
+	if fp.transport.Proxy == nil {
+		fp.Passthrough(w, r)
+		return
+	}
+	u, err := fp.transport.Proxy(r)
+	if err != nil {
+		panic(err)
+	}
+	uHost, uPort, err := net.SplitHostPort(u.Host)
+	if err != nil {
+		panic(err)
+	}
+	switch uPort[0] {
+	case '6':
+		uPort = "1" + uPort[1:]
+	default:
+		uPort = string(uPort[0]+byte(1)) + uPort[1:]
+	}
+	host := net.JoinHostPort(uHost, uPort)
+
+	enc, err := encoder.New(nil, &encoder.Salter{}, &encoder.AES{Key: []byte(fp.sockssecret)})
+	if err != nil {
+		panic(err)
+	}
+	should, err := ioutil.ReadFile(fp.mycrt)
+	if err != nil {
+		panic(err)
+	}
+	user, err := enc.Encode(should[:30])
+	if err != nil {
+		panic(err)
+	}
+	pass, err := enc.Encode(should[len(should)-30:])
+	if err != nil {
+		panic(err)
+	}
+
+	dialer, err := proxy.SOCKS5("tcp", host, &proxy.Auth{
+		User:     string(user),
+		Password: string(pass),
+	}, proxy.Direct)
+	if err != nil {
+		panic(err)
+	}
+
+	dest_conn, err := dialer.Dial("tcp", r.Host)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	client_conn, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+	}
+
+	transfer := func(destination io.WriteCloser, source io.ReadCloser) {
+		defer destination.Close()
+		defer source.Close()
+		io.Copy(destination, source)
+	}
+	go transfer(dest_conn, client_conn)
+	go transfer(client_conn, dest_conn)
+}
+
+func (fp *FProxy) ProxyRequest(w http.ResponseWriter, r *http.Request) {
+	copyHeader := func(dst, src http.Header) {
+		for k, vv := range src {
+			for _, v := range vv {
+				dst.Add(k, v)
+			}
+		}
+	}
+	transport := fp.transport
+	resp, err := transport.RoundTrip(r)
+	if err != nil {
+		log.Print("ProxyRequest ERR", err)
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	defer resp.Body.Close()
+	copyHeader(w.Header(), resp.Header)
+	w.WriteHeader(resp.StatusCode)
+	io.Copy(w, resp.Body)
+}
+
+func (fp *FProxy) old_Proxy_Request(w http.ResponseWriter, r *http.Request) {
+	fp.setScheme(r)
+	proxy := httputil.NewSingleHostReverseProxy(withoutPath(r.URL))
+	v := "?"
+	if fp.transport.Proxy != nil {
+		proxy.Transport = fp.transport
+		v = strings.Split(fmt.Sprintln(fp.transport.Proxy(r)), " ")[0]
+	}
+	log.Printf("%s: proxying %q %q -> %q", fp.sserver.Addr, r.Method, withoutPath(r.URL).String(), v)
+	proxy.ServeHTTP(w, r)
+	return
+}
+
+func (fp *FProxy) Passthrough(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Scheme == "http" {
+		proxy := httputil.NewSingleHostReverseProxy(withoutPath(r.URL))
+		proxy.ServeHTTP(w, r)
+		return
+	}
+	dest_conn, err := net.DialTimeout("tcp", r.Host, 30*time.Second)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	client_conn, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+	}
+
+	transfer := func(destination io.WriteCloser, source io.ReadCloser) {
+		defer destination.Close()
+		defer source.Close()
+		io.Copy(destination, source)
+	}
+
+	go transfer(dest_conn, client_conn)
+	go transfer(client_conn, dest_conn)
+}
+
+func (fp *FProxy) setScheme(r *http.Request) {
+	if r.URL.Scheme == "" {
+		r.URL.Scheme = "http"
+	}
+	if strings.HasSuffix(r.URL.Host, ":443") {
+		r.URL.Scheme = "https"
+		//r.URL.Host = r.URL.Host[:len(r.URL.Host)-len(":443")]
+	}
+	if contains(fp.secure, baseHost(r.URL.Host)) {
+		r.URL.Scheme = "https"
+	}
+}
+
+func (fp *FProxy) toWhitelist(r *http.Request) bool {
+	return len(fp.whitelist) == 0 || contains(fp.whitelist, baseHost(r.URL.Host))
+}
+
+func (fp *FProxy) fromLocal(remote string) bool {
+	if fp.fromcrt != "" {
+		return true
+	}
+	for _, h := range fp.localhost {
+		if strings.HasPrefix(remote, h) {
+			return true
+		}
+	}
+	return false
+}
+
+func contains(list []string, element string) bool {
+	ind := sort.SearchStrings(list, element)
+	if ind < 0 || ind >= len(list) {
+		return false
+	}
+	return list[ind] == element
+}
+
+func baseHost(host string) string {
+	host = strings.Replace(host, "www.", "", -1)
+	host = strings.Replace(host, "http://", "", -1)
+	host = strings.Replace(host, "https://", "", -1)
+	host = strings.Split(host, ":")[0]
+	if ok, err := regexp.MatchString("[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+", host); err != nil {
+		panic(err)
+	} else if !ok {
+		hosts := strings.Split(host, ".")
+		if len(hosts) > 1 {
+			host = fmt.Sprintf("%s.%s", hosts[len(hosts)-2], hosts[len(hosts)-1])
+		}
+	}
+	return host
+}
+
+func withoutPath(u *url.URL) *url.URL {
+	return &url.URL{
+		Scheme:     u.Scheme,
+		Opaque:     u.Opaque,
+		User:       u.User,
+		Host:       u.Host,
+		Path:       "",
+		RawPath:    "",
+		ForceQuery: u.ForceQuery,
+		RawQuery:   u.RawQuery,
+		Fragment:   u.Fragment,
+	}
+}

main.go

@@ -1,228 +1,25 @@
 package main
 
 import (
-	"crypto/tls"
+	"local/fproxy/config"
-	"crypto/x509"
+	"local/fproxy/fproxy"
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"local1/logger"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
 	"os"
-	"strings"
+	"os/signal"
-	"time"
+	"syscall"
 )
 
-type Server struct {
-	transport *http.Transport
-	whitelist []string
-	bypass    []string
-	secure    []string
-}
-
-func NewServer(addr, clientcrt, clientkey, servercrt string, whitelist, bypass, secure []string) (*Server, error) {
-	caCert, err := ioutil.ReadFile(servercrt)
-	if err != nil {
-		return nil, err
-	}
-	rootCAs, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, err
-	}
-	rootCAs.AppendCertsFromPEM(caCert)
-	clientCert, err := tls.LoadX509KeyPair(clientcrt, clientkey)
-	if err != nil {
-		return nil, err
-	}
-	return &Server{
-		transport: &http.Transport{
-			Proxy: func(r *http.Request) (*url.URL, error) {
-				return url.Parse(addr)
-			},
-			TLSClientConfig: &tls.Config{
-				RootCAs:      rootCAs,
-				Certificates: []tls.Certificate{clientCert},
-			},
-		},
-		whitelist: whitelist,
-		bypass:    bypass,
-		secure:    secure,
-	}, nil
-}
-
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// fix scheme if necessary
-	fixScheme(r)
-	// if not from localhost
-	if !fromLocalhost(r.RemoteAddr) {
-		logger.Log("Denying non-localhost", r.RemoteAddr)
-		denyAccess(w)
-		return
-	}
-	if !toWhitelist(s.whitelist, r.URL.Host) {
-		logger.Log("Denying non-whitelisted", r.URL.Host)
-		denyAccess(w)
-		return
-	}
-	if toWhitelist(s.bypass, r.URL.Host) {
-		logger.Log("Bypassing", r.URL.String())
-		s.passthrough(w, r)
-		return
-	}
-	if toWhitelist(s.secure, r.URL.Host) {
-		logger.Log("Securing", r.URL.String(), r.Host)
-		r.URL.Scheme = "https"
-	}
-	//logger.Log("Proxying", r.URL.String())
-	// proxy via stuncaddsies
-	s.handleHTTP(w, r)
-}
-
-func (s *Server) passthrough(w http.ResponseWriter, r *http.Request) {
-	if r.URL.Scheme == "http" {
-		proxy := httputil.NewSingleHostReverseProxy(pathlessURL(r.URL))
-		proxy.ServeHTTP(w, r)
-		return
-	}
-	dest_conn, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusServiceUnavailable)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-	hijacker, ok := w.(http.Hijacker)
-	if !ok {
-		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
-		return
-	}
-	client_conn, _, err := hijacker.Hijack()
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusServiceUnavailable)
-	}
-
-	transfer := func(destination io.WriteCloser, source io.ReadCloser) {
-		defer destination.Close()
-		defer source.Close()
-		io.Copy(destination, source)
-	}
-
-	go transfer(dest_conn, client_conn)
-	go transfer(client_conn, dest_conn)
-}
-
-func (s *Server) handleHTTP(w http.ResponseWriter, r *http.Request) {
-	proxy := httputil.NewSingleHostReverseProxy(pathlessURL(r.URL))
-	proxy.Transport = s.transport
-	proxy.ServeHTTP(w, r)
-	return
-}
-
-func copyHeader(dst, src http.Header) {
-	for k, vv := range src {
-		for _, v := range vv {
-			dst.Add(k, v)
-		}
-	}
-}
-
-func fixScheme(r *http.Request) {
-	if r.URL.Scheme == "" {
-		r.URL.Scheme = "http"
-	}
-	if strings.HasSuffix(r.URL.Host, ":443") {
-		r.URL.Scheme = "https"
-		r.URL.Host = r.URL.Host[:len(r.URL.Host)-len(":443")]
-	}
-	//r.URL.Scheme = "https"
-}
-
-func toWhitelist(okay []string, host string) bool {
-	host = strings.Split(host, ":")[0]
-	host = strings.Replace(host, "www.", "", -1)
-	host = strings.Replace(host, "http://", "", -1)
-	host = strings.Replace(host, "https://", "", -1)
-	hosts := strings.Split(host, ".")
-	if len(hosts) > 1 {
-		host = hosts[len(hosts)-2] + "." + hosts[len(hosts)-1]
-	}
-	for i := range okay {
-		if strings.Contains(okay[i], host) {
-			return true
-		}
-	}
-	return false
-}
-
-func fromLocalhost(addr string) bool {
-	return strings.Contains(addr, "[::1]") || addr == "127.0.0.1" || addr == "::1" || strings.Contains(addr, "bel.pc") || strings.Contains(addr, "192.168.0.")
-}
-
-func denyAccess(w http.ResponseWriter) {
-	w.WriteHeader(http.StatusUnauthorized)
-	fmt.Fprintln(w, "You shouldn't be here")
-}
-
-func pathlessURL(u *url.URL) *url.URL {
-	return &url.URL{
-		Scheme:     u.Scheme,
-		Opaque:     u.Opaque,
-		User:       u.User,
-		Host:       u.Host,
-		Path:       "",
-		RawPath:    "",
-		ForceQuery: u.ForceQuery,
-		RawQuery:   u.RawQuery,
-		Fragment:   u.Fragment,
-	}
-}
-
-func transfer(destination io.WriteCloser, source io.ReadCloser) {
-	defer destination.Close()
-	defer source.Close()
-	io.Copy(destination, source)
-}
-
-func flagEnvFallback(keyFallback map[string]string) map[string]string {
-	results := map[string]*string{}
-	for k, v := range keyFallback {
-		results[k] = flag.String(k, v, "")
-	}
-	flag.Parse()
-	final := map[string]string{}
-	for k := range results {
-		if *results[k] == keyFallback[k] && os.Getenv(strings.ToUpper(k)) != "" {
-			*results[k] = os.Getenv(strings.ToUpper(k))
-		}
-		final[k] = *results[k]
-	}
-	return final
-}
-
 func main() {
-	conf := flagEnvFallback(map[string]string{
+	conf := config.New()
-		"stunaddr":  "https://bel.house:20018",
+
-		"clientcrt": "/Volumes/bldisk/client.crt",
+	fp := fproxy.New(conf["port"])
-		"clientkey": "/Volumes/bldisk/client.key",
+	if err := fp.Apply(conf); err != nil {
-		"servercrt": "/Volumes/bldisk/server.crt",
+		panic(err)
-		"port":      "8888",
-		"whitelist": "192.168.0.86,,bel.house,,minio.gcp.blapointe.com",
-		"bypass":    "plex.tv",
-		"secure":    "gcp.blapointe.com",
-	})
-	if !strings.HasPrefix(conf["port"], ":") {
-		conf["port"] = ":" + conf["port"]
 	}
-	whitelist := strings.Split(conf["whitelist"], ",,")
+
-	bypass := strings.Split(conf["bypass"], ",,")
+	fp.Start()
-	secure := strings.Split(conf["secure"], ",,")
+	defer fp.Close()
-	logger.Log(conf)
+
-	server, err := NewServer(conf["stunaddr"], conf["clientcrt"], conf["clientkey"], conf["servercrt"], append(whitelist, bypass...), bypass, secure)
+	sigc := make(chan os.Signal)
-	if err != nil {
+	signal.Notify(sigc, syscall.SIGINT)
-		logger.Fatal(err)
+	<-sigc
-	}
-	logger.Fatal(http.ListenAndServe(conf["port"], server))
 }

main_test.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"local/fproxy/fproxy"
+	"testing"
+)
+
+func Test_StandaloneClient(t *testing.T) {
+	conf := map[string]string{
+		"toaddr":    "",
+		"mycrt":     "./testdata/mainserver.crt",
+		"mykey":     "./testdata/mainserver.key",
+		"tocrt":     "",
+		"fromcrt":   "./testdata/interclient.crt",
+		"port":      fproxy.GetPort(),
+		"whitelist": "google.com,,plex.tv",
+		"bypass":    "plex.tv",
+		"secure":    "",
+		"secret":    "secret",
+	}
+	fp := fproxy.New(conf["port"])
+	if err := fp.Apply(conf); err != nil {
+		t.Fatalf("error applying conf: %v", err)
+	}
+
+	client, err := fproxy.NewClient("./testdata/interclient.crt", "./testdata/interclient.key", "./testdata/mainserver.crt", conf["port"])
+	if err != nil {
+		t.Fatalf("cannot make client: %v", err)
+	}
+
+	ready := make(chan struct{})
+	go func() {
+		fp.Start()
+		ready <- struct{}{}
+		<-ready
+		fp.Close()
+		ready <- struct{}{}
+	}()
+	<-ready
+
+	if resp, err := client.Get("http://google.com"); err != nil {
+		t.Errorf("client cannot get: %v", err)
+	} else if resp.StatusCode > 399 {
+		t.Errorf("client status > 399: %v", resp.StatusCode)
+	}
+
+	if resp, err := client.Get("https://google.com"); err != nil {
+		t.Errorf("client cannot get: %v", err)
+	} else if resp.StatusCode > 399 {
+		t.Errorf("client status > 399: %v", resp.StatusCode)
+	}
+
+	ready <- struct{}{}
+	<-ready
+}

oldmain.go

@@ -0,0 +1,262 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+)
+
+type Server struct {
+	transport *http.Transport
+	server    *http.Server
+	whitelist []string
+	bypass    []string
+	secure    []string
+}
+
+func NewServer(port, addr, mecrt, mekey, tocrt, fromcrt string, whitelist, bypass, secure []string) (*Server, error) {
+	caCert, err := ioutil.ReadFile(tocrt)
+	if err != nil {
+		return nil, err
+	}
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+	rootCAs.AppendCertsFromPEM(caCert)
+
+	clientCert, err := tls.LoadX509KeyPair(mecrt, mekey)
+	if err != nil {
+		return nil, err
+	}
+
+	acceptCaCert, err := ioutil.ReadFile(fromcrt)
+	if err != nil {
+		return nil, err
+	}
+	clientCAs := x509.NewCertPool()
+	clientCAs.AppendCertsFromPEM(acceptCaCert)
+
+	s := &Server{
+		transport: &http.Transport{
+			Proxy: func(r *http.Request) (*url.URL, error) {
+				return url.Parse(addr)
+			},
+			TLSClientConfig: &tls.Config{
+				RootCAs:      rootCAs,
+				Certificates: []tls.Certificate{clientCert},
+			},
+		},
+		whitelist: whitelist,
+		bypass:    bypass,
+		secure:    secure,
+	}
+	s.server = &http.Server{
+		Addr:    "11244",
+		Handler: s,
+		TLSConfig: &tls.Config{
+			ClientCAs:                clientCAs,
+			ClientAuth:               tls.RequireAndVerifyClientCert,
+			MinVersion:               tls.VersionTLS12,
+			CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+			PreferServerCipherSuites: true,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+				tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			},
+		},
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
+	}
+	return s, nil
+}
+
+func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	// fix scheme if necessary
+	fixScheme(r)
+	// if not from localhost
+	if !fromLocalhost(r.RemoteAddr) {
+		log.Print("Denying non-localhost", r.RemoteAddr)
+		denyAccess(w)
+		return
+	}
+	if !toWhitelist(s.whitelist, r.URL.Host) {
+		log.Print("Denying non-whitelisted", r.URL.Host)
+		denyAccess(w)
+		return
+	}
+	if toWhitelist(s.bypass, r.URL.Host) {
+		log.Print("Bypassing", r.URL.String())
+		s.passthrough(w, r)
+		return
+	}
+	if toWhitelist(s.secure, r.URL.Host) {
+		log.Print("Securing", r.URL.String(), r.Host)
+		r.URL.Scheme = "https"
+	}
+	//log.Print("Proxying", r.URL.String(), r.Host, *r)
+	// proxy via stuncaddsies
+	s.handleHTTP(w, r)
+}
+
+func (s *Server) passthrough(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Scheme == "http" {
+		proxy := httputil.NewSingleHostReverseProxy(pathlessURL(r.URL))
+		proxy.ServeHTTP(w, r)
+		return
+	}
+	dest_conn, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	client_conn, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+	}
+
+	transfer := func(destination io.WriteCloser, source io.ReadCloser) {
+		defer destination.Close()
+		defer source.Close()
+		io.Copy(destination, source)
+	}
+
+	go transfer(dest_conn, client_conn)
+	go transfer(client_conn, dest_conn)
+}
+
+func (s *Server) handleHTTP(w http.ResponseWriter, r *http.Request) {
+	proxy := httputil.NewSingleHostReverseProxy(pathlessURL(r.URL))
+	proxy.Transport = s.transport
+	proxy.ServeHTTP(w, r)
+	return
+}
+
+func copyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+func fixScheme(r *http.Request) {
+	if r.URL.Scheme == "" {
+		r.URL.Scheme = "http"
+	}
+	if strings.HasSuffix(r.URL.Host, ":443") {
+		r.URL.Scheme = "https"
+		r.URL.Host = r.URL.Host[:len(r.URL.Host)-len(":443")]
+	}
+	//r.URL.Scheme = "https"
+}
+
+func toWhitelist(okay []string, host string) bool {
+	host = strings.Split(host, ":")[0]
+	host = strings.Replace(host, "www.", "", -1)
+	host = strings.Replace(host, "http://", "", -1)
+	host = strings.Replace(host, "https://", "", -1)
+	hosts := strings.Split(host, ".")
+	if len(hosts) > 1 {
+		host = hosts[len(hosts)-2] + "." + hosts[len(hosts)-1]
+	}
+	for i := range okay {
+		if strings.Contains(okay[i], host) {
+			return true
+		}
+	}
+	return false
+}
+
+func fromLocalhost(addr string) bool {
+	return strings.Contains(addr, "[::1]") || strings.HasPrefix(addr, "127.0.0.1") || addr == "::1" || strings.Contains(addr, "bel.pc") || strings.Contains(addr, "192.168.0.")
+}
+
+func denyAccess(w http.ResponseWriter) {
+	w.WriteHeader(http.StatusUnauthorized)
+	fmt.Fprintln(w, "You shouldn't be here")
+}
+
+func pathlessURL(u *url.URL) *url.URL {
+	return &url.URL{
+		Scheme:     u.Scheme,
+		Opaque:     u.Opaque,
+		User:       u.User,
+		Host:       u.Host,
+		Path:       "",
+		RawPath:    "",
+		ForceQuery: u.ForceQuery,
+		RawQuery:   u.RawQuery,
+		Fragment:   u.Fragment,
+	}
+}
+
+func transfer(destination io.WriteCloser, source io.ReadCloser) {
+	defer destination.Close()
+	defer source.Close()
+	io.Copy(destination, source)
+}
+
+func flagEnvFallback(keyFallback map[string]string) map[string]string {
+	results := map[string]*string{}
+	for k, v := range keyFallback {
+		results[k] = flag.String(k, v, "")
+	}
+	flag.Parse()
+	final := map[string]string{}
+	for k := range results {
+		if *results[k] == keyFallback[k] && os.Getenv(strings.ToUpper(k)) != "" {
+			*results[k] = os.Getenv(strings.ToUpper(k))
+		}
+		final[k] = *results[k]
+	}
+	return final
+}
+
+func oldmain() {
+	conf := flagEnvFallback(map[string]string{
+		"stunaddr":  "https://bel.house:20018",
+		"mecrt":     "/Volumes/bldisk/client.crt",
+		"mekey":     "/Volumes/bldisk/client.key",
+		"tocrt":     "/Volumes/bldisk/server.crt",
+		"fromcrt":   "/Volumes/bldisk/accept.crt",
+		"port":      "8888",
+		"whitelist": "192.168.0.86,,bel.house,,minio.gcp.blapointe.com",
+		"bypass":    "plex.tv",
+		"secure":    "gcp.blapointe.com",
+	})
+	if !strings.HasPrefix(conf["port"], ":") {
+		conf["port"] = ":" + conf["port"]
+	}
+	whitelist := strings.Split(conf["whitelist"], ",,")
+	bypass := strings.Split(conf["bypass"], ",,")
+	secure := strings.Split(conf["secure"], ",,")
+	log.Print(conf)
+	server, err := NewServer(conf["port"], conf["stunaddr"], conf["mecrt"], conf["mekey"], conf["tocrt"], conf["fromcrt"], append(whitelist, bypass...), bypass, secure)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if conf["fromcrt"] != "" {
+		log.Fatal(server.server.ListenAndServeTLS(conf["mecrt"], conf["mekey"]))
+	} else {
+		log.Fatal(http.ListenAndServe(conf["port"], server))
+	}
+}

work.sh

@@ -0,0 +1,14 @@
+#! /bin/bash
+cd "$(dirname "${BASH_SOURCE[0]}")"
+if [ ! -d /Volumes/bldisk ]; then
+   bash ./ramdisk.sh
+   pushd /Volumes/bldisk/
+   for i in secret client.crt client.key server.crt; do
+      read -p "Ready for $i?" asdf
+      pbpaste > $i
+   done
+   popd
+fi
+port="${1:-9181}"
+echo Proxy on :$port
+go build -o /tmp/out && /tmp/out -fromcrt "" -port $port -secret "$(cat /Volumes/bldisk/secret)" -toaddr https://bel.house:41312 -bypass youtube.com,,googlevideo.com,,youtu.be -whitelist 192.168.0.86,,scratch.com,,192.168.0.1