more

build.sh

@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+
+export CGO_ENABLED=1 
+export CC=x86_64-linux-musl-gcc   
+exec go build -ldflags="-linkmode external -extldflags '-static'" -o exec-rproxy3

config/config.go

@@ -13,6 +13,7 @@ import (
 
 type Proxy struct {
 	Auth string
+	From string
 	To   string
 }
 
@@ -60,14 +61,15 @@ func GetRoutes() map[string]Proxy {
 	s := conf.Get("proxy2").GetString()
 	var dict map[string]string
 	if err := yaml.Unmarshal([]byte(s), &dict); err == nil && len(s) > 0 {
-		pattern := regexp.MustCompile(`(([^:]*):)?([a-z0-9]*:.*)`)
+		pattern := regexp.MustCompile(`(([^:]*):)?(([^:]*):)?([a-z0-9]*:.*)`)
 		result := map[string]Proxy{}
 		for k, v := range dict {
 			submatches := pattern.FindAllStringSubmatch(v, -1)
 			log.Printf("%+v", submatches)
 			result[k] = Proxy{
 				Auth: submatches[0][2],
-				To:   submatches[0][3],
+				From: submatches[0][4],
+				To:   submatches[0][5],
 			}
 		}
 		return result

config/new.go

@@ -7,11 +7,8 @@ import (
 	"strings"
 	"time"
 
-	"gitea.inhome.blapointe.com/local/args"
+	"gitea.bel.blue/local/args"
-	"gitea.inhome.blapointe.com/local/logb"
+	"gitea.bel.blue/local/logb"
-
-	"gitea.inhome.blapointe.com/local/args"
-	"gitea.inhome.blapointe.com/local/logb"
 )
 
 var conf *args.ArgSet

go.mod

@@ -1,10 +1,10 @@
-module gitea.inhome.blapointe.com/local/rproxy3
+module gitea.bel.blue/local/rproxy3
 
 go 1.18
 
 require (
-	gitea.inhome.blapointe.com/local/args v0.0.0-20240109214601-658deda479a4
+	gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714
-	gitea.inhome.blapointe.com/local/logb v0.0.0-20231109150430-1221d87a6dbc
+	gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9
 	github.com/google/uuid v1.3.0
 	golang.org/x/time v0.1.0
 )

go.sum

@@ -1,7 +1,7 @@
-gitea.inhome.blapointe.com/local/args v0.0.0-20240109214601-658deda479a4 h1:4qBHjKAiEwRV1A1tN1JK6PsLV1+UwESXKrjGqfCCdNk=
+gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714 h1:JHV86INH1QmPJoyIhdrDLJq7OKta+fJAwbK0pnxI4Hc=
-gitea.inhome.blapointe.com/local/args v0.0.0-20240109214601-658deda479a4/go.mod h1:SqCOE3bE3wvrztVIQGHuyxHKfDjRKU9EWhBdkmkiwyc=
+gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714/go.mod h1:GCzui3GPhOgKgGYNqtW55YkI3vIWCQEHPydGjFhaXV0=
-gitea.inhome.blapointe.com/local/logb v0.0.0-20231109150430-1221d87a6dbc h1:u3akQkq12V8xWXlcDgjZxIK6hqo6f1eHd9KOxAKMoKc=
+gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9 h1:lBkQPYgWZnPxt6CvsSwVh9EZtuvi2lIbGOHPqe/gn1Y=
-gitea.inhome.blapointe.com/local/logb v0.0.0-20231109150430-1221d87a6dbc/go.mod h1:KwilawX4UgD4HxSJAVFEzkuckrnHeQrd49KwUX6GpYU=
+gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9/go.mod h1:+8sJb8UksdadKy43czL7/3TcfBwCkuYT6hFY+RaxP48=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=

main.go

@@ -1,8 +1,8 @@
 package main
 
 import (
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/server"
+	"gitea.bel.blue/local/rproxy3/server"
 )
 
 func main() {

main_test.go

@@ -34,7 +34,7 @@ func TestHTTPSMain(t *testing.T) {
 			"username",
 			"-pass",
 			"password",
-			"-proxy",
+			"-proxy2",
 			"hello," + addr,
 			"-crt",
 			"./testdata/rproxy3server.crt",
@@ -89,7 +89,7 @@ func TestHTTPMain(t *testing.T) {
 			"username",
 			"-pass",
 			"password",
-			"-proxy",
+			"-proxy2",
 			"hello," + addr,
 		}
 		main()

server/new.go

@@ -1,8 +1,8 @@
 package server
 
 import (
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage"
+	"gitea.bel.blue/local/rproxy3/storage"
 
 	"golang.org/x/time/rate"
 )

server/proxy.go

@@ -10,11 +10,8 @@ import (
 	"net/url"
 	"strings"
 
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
+	"gitea.bel.blue/local/rproxy3/storage/packable"
-
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
 )
 
 type redirPurge struct {
@@ -61,6 +58,12 @@ func (s *Server) lookupAuth(host string) (string, error) {
 	return v.String(), err
 }
 
+func (s *Server) lookupFrom(host string) (string, error) {
+	v := packable.NewString()
+	err := s.db.Get(nsRouting, host+"//from", v)
+	return v.String(), err
+}
+
 func mapKey(host string) string {
 	host = strings.Split(host, ".")[0]
 	host = strings.Split(host, ":")[0]

server/routes.go

@@ -1,7 +1,7 @@
 package server
 
 import (
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
 )
 
 func (s *Server) Routes() error {

server/server.go

@@ -12,17 +12,15 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"
+	"text/template"
 	"time"
 
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage"
+	"gitea.bel.blue/local/rproxy3/storage"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
+	"gitea.bel.blue/local/rproxy3/storage/packable"
-
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
 
 	"github.com/google/uuid"
 	"golang.org/x/time/rate"
@@ -34,8 +32,9 @@ type listenerScheme int
 
 const (
 	schemeHTTP listenerScheme = iota
-	schemeHTTPS listenerScheme = iota
+	schemeHTTPS
-	schemeTCP   listenerScheme = iota
+	schemeTCP
+	schemeTCPTLS
 )
 
 func (ls listenerScheme) String() string {
@@ -46,6 +45,8 @@ func (ls listenerScheme) String() string {
 		return "https"
 	case schemeTCP:
 		return "tcp"
+	case schemeTCPTLS:
+		return "tcptls"
 	}
 	return ""
 }
@@ -66,6 +67,9 @@ func (s *Server) Route(src string, dst config.Proxy) error {
 	if err != nil {
 		return err
 	}
+	if err := s.db.Set(nsRouting, src+"//from", packable.NewString(dst.From)); err != nil {
+		return err
+	}
 	if err := s.db.Set(nsRouting, src+"//auth", packable.NewString(dst.Auth)); err != nil {
 		return err
 	}
@@ -101,15 +105,52 @@ func (s *Server) Run() error {
 	case schemeTCP:
 		addr, _ := config.GetTCP()
 		return s.ServeTCP(addr)
+	case schemeTCPTLS:
+		addr, _ := config.GetTCP()
+		cert, key, _ := config.GetSSL()
+		return s.ServeTCPTLS(addr, cert, key)
 	}
 	return errors.New("did not load server")
 }
 
+func (s *Server) ServeTCPTLS(addr, c, k string) error {
+	certificate, err := tls.LoadX509KeyPair(c, k)
+	if err != nil {
+		return err
+	}
+	certificates := []tls.Certificate{certificate}
+	listen, err := net.Listen("tcp", s.addr)
+	if err != nil {
+		return err
+	}
+	defer listen.Close()
+	config := &tls.Config{
+		Certificates:             certificates,
+		MinVersion:               tls.VersionTLS12,
+		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		PreferServerCipherSuites: true,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
+	}
+	config.BuildNameToCertificate()
+	tlsListener := tls.NewListener(listen, config)
+	return s.serveTCP(addr, tlsListener)
+}
+
 func (s *Server) ServeTCP(addr string) error {
 	listen, err := net.Listen("tcp", s.addr)
 	if err != nil {
 		return err
 	}
+	defer listen.Close()
+	return s.serveTCP(addr, listen)
+}
+
+func (s *Server) serveTCP(addr string, listen net.Listener) error {
 	for {
 		c, err := listen.Accept()
 		if err != nil {
@@ -158,6 +199,15 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		switch mapKey(r.Host) {
+		case "_":
+			s.List(w)
+			return
+		case "home":
+			s.Home(w, r)
+			return
+		}
+
 		if auth, err := s.lookupAuth(mapKey(r.Host)); err != nil {
 			log.Printf("failed to lookup auth for %s (%s): %v", r.Host, mapKey(r.Host), err)
 			w.Header().Set("WWW-Authenticate", "Basic")
@@ -166,12 +216,44 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			log.Printf("failed to auth: expected %q but got %q", auth, p)
 			w.Header().Set("WWW-Authenticate", "Basic")
 			http.Error(w, "unexpected basic auth", http.StatusUnauthorized)
+		} else if from, err := s.lookupFrom(mapKey(r.Host)); err != nil {
+			log.Printf("failed to lookup from for %s (%s): %v", r.Host, mapKey(r.Host), err)
+			http.Error(w, err.Error(), http.StatusBadGateway)
+		} else if err := assertFrom(from, r.RemoteAddr); err != nil {
+			log.Printf("failed to from: expected %q but got %q: %v", from, r.RemoteAddr, err)
+			http.Error(w, "unexpected from", http.StatusUnauthorized)
 		} else {
 			foo(w, r)
 		}
 	}
 }
 
+func assertFrom(from, remoteAddr string) error {
+	if from == "" {
+		return nil
+	}
+
+	pattern := regexp.MustCompile(`[0-9](:[0-9]+)$`).FindStringSubmatchIndex(remoteAddr)
+	if len(pattern) == 4 {
+		remoteAddr = remoteAddr[:pattern[2]]
+	}
+
+	remoteIP := net.ParseIP(remoteAddr)
+	if remoteIP == nil {
+		return fmt.Errorf("cannot parse remote %q", remoteAddr)
+	}
+
+	_, net, err := net.ParseCIDR(from)
+	if err != nil {
+		panic(err)
+	}
+	if net.Contains(remoteIP) {
+		return nil
+	}
+
+	return fmt.Errorf("expected like %q but got like %q", from, remoteAddr)
+}
+
 func withMeta(w http.ResponseWriter, r *http.Request) (*http.Request, func()) {
 	meta := map[string]string{
 		"ts":     strconv.FormatInt(time.Now().Unix(), 10),
@@ -208,6 +290,93 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.Pre(s.Proxy)(w, r)
 }
 
+func (s *Server) Home(w http.ResponseWriter, r *http.Request) {
+	keys := s.db.Keys(nsRouting)
+	routePrefixes := map[string]string{}
+	for _, key := range keys {
+		u, _ := s.lookup(key)
+		if u != nil && u.String() != "" {
+			routePrefixes[strings.Split(key, "/")[0]] = ""
+		}
+	}
+	priority := map[string]string{
+		"wyze0":         "Home Camera 0",
+		"wyze1":         "Home Camera 1",
+		"wyze2":         "Home Camera 2",
+		"wyze3":         "Home Camera 3",
+		"whereis":       "Map of Belling",
+		"moolah":        "Money",
+		"autobookshelf": "Ebooks",
+		"jackett":       "The 7 Seas",
+		"vpntor":        "The 7 Seas Downloader",
+	}
+	for k, v := range priority {
+		if _, ok := routePrefixes[k]; ok {
+			routePrefixes[k] = v
+		}
+	}
+	t := strings.ReplaceAll(`
+		<DOCTYPE! html>
+		<html>
+			<header>
+			</header>
+			<body>
+				{{- $baseDomain := .baseDomain }}
+				{{- $scheme := .scheme }}
+				{{- range $k, $v := .routePrefixes }}
+					{{- $url := printf "%s://%s.%s" $scheme $k $baseDomain }}
+					{{ if ne $v "" }}
+						<a style="font-size: 2em" href="{{ $url }}">{{ $k }} ({{ $v }})</a><br>
+					{{ end }}
+				{{- end }}
+				{{- range $k, $v := .routePrefixes }}
+					{{- $url := printf "%s://%s.%s" $scheme $k $baseDomain }}
+					{{ if eq $v "" }}
+						<a href="{{ $url }}">{{ $k }}</a><br>
+					{{ end }}
+				{{- end }}
+			</body>
+			<footer>
+			</footer>
+		</html>
+	`, "\t", "  ")
+	tmpl, err := template.New("home").Parse(t)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html")
+
+	if err := tmpl.Execute(w, map[string]any{
+		"routePrefixes": routePrefixes,
+		"domain":        r.Host,
+		"baseDomain":    strings.Join(strings.Split(r.Host, ".")[1:], "."),
+		"scheme":        getScheme().String(),
+	}); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+}
+
+func (s *Server) List(w http.ResponseWriter) {
+	keys := s.db.Keys(nsRouting)
+	hostURL := map[string]string{}
+	hostFrom := map[string]string{}
+	for _, key := range keys {
+		u, _ := s.lookup(key)
+		if u != nil && strings.TrimSuffix(key, "//auth") == key {
+			hostURL[key] = u.String()
+		}
+		if u != nil && strings.TrimSuffix(key, "//from") == key {
+			hostFrom[key] = u.String()
+		}
+	}
+	json.NewEncoder(w).Encode(map[string]any{
+		"hostsToURLs": hostURL,
+		"hostsToFrom": hostFrom,
+	})
+}
+
 type corsResponseWriter struct {
 	r *http.Request
 	http.ResponseWriter
@@ -282,11 +451,15 @@ func (s *Server) alt() {
 
 func getScheme() listenerScheme {
 	scheme := schemeHTTP
-	if _, _, ok := config.GetSSL(); ok {
+	_, _, ssl := config.GetSSL()
+	if ssl {
 		scheme = schemeHTTPS
 	}
 	if _, ok := config.GetTCP(); ok {
 		scheme = schemeTCP
+		if ssl {
+			scheme = schemeTCPTLS
+		}
 	}
 	return scheme
 }

server/server_test.go

@@ -8,11 +8,8 @@ import (
 	"strings"
 	"testing"
 
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage"
+	"gitea.bel.blue/local/rproxy3/storage"
-
-	"gitea.inhome.blapointe.com/local/rproxy3/config"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage"
 
 	"golang.org/x/time/rate"
 )
@@ -41,20 +38,42 @@ func TestServerStart(t *testing.T) {
 }
 
 func mockServer() *Server {
+	s := _mockServer()
 	portServer := httptest.NewServer(nil)
-	port := strings.Split(portServer.URL, ":")[2]
+	s.addr = ":" + strings.Split(portServer.URL, ":")[2]
 	portServer.Close()
+
+	return s
+}
+
+func _mockServer() *Server {
 	s := &Server{
 		db:      storage.NewMap(),
-		addr:    ":" + port,
 		limiter: rate.NewLimiter(rate.Limit(50), 50),
 	}
 	if err := s.Routes(); err != nil {
 		panic(fmt.Sprintf("cannot initiate server routes; %v", err))
 	}
+	if err := s.Route("test", config.Proxy{To: "http://icanhazip.com"}); err != nil {
+		panic(err.Error())
+	}
+	if err := s.Route("wyze0", config.Proxy{To: "http://wyze0.scratch.com"}); err != nil {
+		panic(err.Error())
+	}
 	return s
 }
 
+func TestServerHome(t *testing.T) {
+	s := _mockServer()
+	r := httptest.NewRequest(http.MethodGet, "https://home.int.bel.blue", nil)
+	w := httptest.NewRecorder()
+	s.Home(w, r)
+	if w.Code != http.StatusOK {
+		t.Fatalf("(%d) %s", w.Code, w.Body.Bytes())
+	}
+	t.Logf("%s", w.Body.Bytes())
+}
+
 func TestServerRoute(t *testing.T) {
 	server := mockServer()
 	p := config.Proxy{
@@ -108,3 +127,32 @@ func TestCORS(t *testing.T) {
 		}
 	})
 }
+
+func TestAssertFrom(t *testing.T) {
+	cases := map[string]struct {
+		from   string
+		remote string
+		err    bool
+	}{
+		"empty": {},
+		"ipv6 localhost": {
+			from:   "::1/128",
+			remote: "::1:12345",
+		},
+		"ipv4 localhost": {
+			from:   "127.0.0.1/32",
+			remote: "127.0.0.1:12345",
+		},
+	}
+
+	for name, d := range cases {
+		c := d
+		t.Run(name, func(t *testing.T) {
+			err := assertFrom(c.from, c.remote)
+			got := err != nil
+			if got != c.err {
+				t.Errorf("expected err=%v but got %v", c.err, err)
+			}
+		})
+	}
+}

storage/db.go

@@ -2,7 +2,8 @@ package storage
 
 import (
 	"errors"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )
 
 var ErrNotFound = errors.New("not found")
@@ -10,5 +11,6 @@ var ErrNotFound = errors.New("not found")
 type DB interface {
 	Get(string, string, packable.Packable) error
 	Set(string, string, packable.Packable) error
+	Keys(string) []string
 	Close() error
 }

storage/db_test.go

@@ -1,9 +1,10 @@
 package storage
 
 import (
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
 	"os"
 	"testing"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )
 
 func TestDB(t *testing.T) {

storage/map.go

@@ -2,7 +2,8 @@ package storage
 
 import (
 	"fmt"
-	"gitea.inhome.blapointe.com/local/rproxy3/storage/packable"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )
 
 type Map map[string]map[string][]byte
@@ -40,6 +41,15 @@ func (m Map) Close() error {
 	return nil
 }
 
+func (m Map) Keys(ns string) []string {
+	m2, _ := m[ns]
+	result := make([]string, 0, len(m2))
+	for k := range m2 {
+		result = append(result, k)
+	}
+	return result
+}
+
 func (m Map) Get(ns, key string, value packable.Packable) error {
 	if _, ok := m[ns]; !ok {
 		m[ns] = make(map[string][]byte)