to bel.blue

support tcp AND ssl
mto bel.blue thanks render
2025-11-20 17:56:06 -07:00 · 2025-11-20 17:15:22 -07:00 · 2025-11-20 17:14:50 -07:00 · 2025-11-20 08:47:54 -07:00 · 2025-11-20 08:29:11 -07:00 · 2025-11-20 08:28:25 -07:00
19 changed files with 266 additions and 508 deletions
--- a/.config/config.go
+++ b/.config/config.go
@ -1,115 +0,0 @@
-package config
-
-import (
-	"local/rproxy3/storage/packable"
-	"log"
-	"strconv"
-	"strings"
-)
-
-func GetPort() string {
-	v := packable.NewString()
-	conf.Get(nsConf, flagPort, v)
-	return ":" + strings.TrimPrefix(v.String(), ":")
-}
-
-func GetRoutes() map[string]string {
-	v := packable.NewString()
-	conf.Get(nsConf, flagRoutes, v)
-	m := make(map[string]string)
-	for _, v := range strings.Split(v.String(), ",") {
-		if len(v) == 0 {
-			return m
-		}
-		from := v[:strings.Index(v, ":")]
-		to := v[strings.Index(v, ":")+1:]
-		m[from] = to
-	}
-	return m
-}
-
-func GetTCP() (string, bool) {
-	v := packable.NewString()
-	conf.Get(nsConf, flagTCP, v)
-	tcpAddr := v.String()
-	return tcpAddr, notEmpty(tcpAddr)
-}
-
-func GetSSL() (string, string, bool) {
-	v := packable.NewString()
-	conf.Get(nsConf, flagCert, v)
-	certPath := v.String()
-	conf.Get(nsConf, flagKey, v)
-	keyPath := v.String()
-	return certPath, keyPath, notEmpty(certPath, keyPath)
-}
-
-func GetAuth() (string, string, bool) {
-	v := packable.NewString()
-	conf.Get(nsConf, flagUser, v)
-	user := v.String()
-	conf.Get(nsConf, flagPass, v)
-	pass := v.String()
-	return user, pass, notEmpty(user, pass)
-}
-
-func notEmpty(s ...string) bool {
-	for i := range s {
-		if s[i] == "" || s[i] == "/dev/null" {
-			return false
-		}
-	}
-	return true
-}
-
-func GetRate() (int, int) {
-	r := packable.NewString()
-	conf.Get(nsConf, flagRate, r)
-	b := packable.NewString()
-	conf.Get(nsConf, flagBurst, b)
-
-	rate, err := strconv.Atoi(r.String())
-	if err != nil {
-		log.Printf("illegal rate: %v", err)
-		rate = 5
-	}
-	burst, _ := strconv.Atoi(b.String())
-	if err != nil {
-		log.Printf("illegal burst: %v", err)
-		burst = 5
-	}
-
-	return rate, burst
-}
-
-func GetTimeout() int {
-	t := packable.NewString()
-	conf.Get(nsConf, flagTimeout, t)
-
-	timeout, err := strconv.Atoi(t.String())
-	if err != nil || timeout == 5 {
-		return 5
-	}
-
-	return timeout
-}
-
-func GetRewrites(hostMatch string) map[string]string {
-	v := packable.NewString()
-	conf.Get(nsConf, flagRewrites, v)
-	m := make(map[string]string)
-	for _, v := range strings.Split(v.String(), ",") {
-		vs := strings.Split(v, ":")
-		if len(v) < 3 {
-			continue
-		}
-		host := vs[0]
-		if host != hostMatch {
-			continue
-		}
-		from := vs[1]
-		to := strings.Join(vs[2:], ":")
-		m[from] = to
-	}
-	return m
-}
--- a/.config/new.go
+++ b/.config/new.go
@ -1,161 +0,0 @@
-package config
-
-import (
-	"flag"
-	"io/ioutil"
-	"local/rproxy3/storage"
-	"local/rproxy3/storage/packable"
-	"log"
-	"os"
-	"strings"
-
-	yaml "gopkg.in/yaml.v2"
-)
-
-const nsConf = "configuration"
-const flagPort = "p"
-const flagRoutes = "r"
-const flagConf = "c"
-const flagCert = "crt"
-const flagTCP = "tcp"
-const flagKey = "key"
-const flagUser = "user"
-const flagPass = "pass"
-const flagRate = "rate"
-const flagBurst = "burst"
-const flagTimeout = "timeout"
-const flagRewrites = "rw"
-
-var conf = storage.NewMap()
-
-type toBind struct {
-	flag  string
-	value *string
-}
-
-type fileConf struct {
-	Port     string   `yaml:"p"`
-	Routes   []string `yaml:"r"`
-	CertPath string   `yaml:"crt"`
-	TCPPath  string   `yaml:"tcp"`
-	KeyPath  string   `yaml:"key"`
-	Username string   `yaml:"user"`
-	Password string   `yaml:"pass"`
-	Rate     string   `yaml:"rate"`
-	Burst    string   `yaml:"burst"`
-	Timeout  string   `yaml:"timeout"`
-	Rewrites []string `yaml:"rw"`
-}
-
-func Init() error {
-	log.SetFlags(log.Ldate | log.Ltime | log.Llongfile)
-	log.SetFlags(log.Ltime | log.Lshortfile)
-	if err := fromFile(); err != nil {
-		return err
-	}
-	if err := fromFlags(); err != nil {
-		return err
-	}
-	return nil
-}
-
-func fromFile() error {
-	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ContinueOnError)
-	defer func() {
-		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-	}()
-	flag.String(flagConf, "/dev/null", "yaml config file path")
-	flag.Parse()
-	confFlag := flag.Lookup(flagConf)
-	if confFlag == nil || confFlag.Value.String() == "" {
-		return nil
-	}
-	confBytes, err := ioutil.ReadFile(confFlag.Value.String())
-	if err != nil {
-		return err
-	}
-	var c fileConf
-	if err := yaml.Unmarshal(confBytes, &c); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagPort, packable.NewString(c.Port)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagRoutes, packable.NewString(strings.Join(c.Routes, ","))); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagCert, packable.NewString(c.CertPath)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagTCP, packable.NewString(c.TCPPath)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagKey, packable.NewString(c.KeyPath)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagUser, packable.NewString(c.Username)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagPass, packable.NewString(c.Password)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagRate, packable.NewString(c.Rate)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagBurst, packable.NewString(c.Burst)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagTimeout, packable.NewString(c.Timeout)); err != nil {
-		return err
-	}
-	if err := conf.Set(nsConf, flagRewrites, packable.NewString(strings.Join(c.Rewrites, ","))); err != nil {
-		return err
-	}
-	return nil
-}
-
-func fromFlags() error {
-	binds := make([]toBind, 0)
-	binds = append(binds, addFlag(flagPort, "51555", "port to bind to"))
-	binds = append(binds, addFlag(flagConf, "", "configuration file path"))
-	binds = append(binds, addFlag(flagRoutes, "", "comma-separated routes to map, each as from:scheme://to.tld:port"))
-	binds = append(binds, addFlag(flagCert, "", "path to .crt"))
-	binds = append(binds, addFlag(flagTCP, "", "tcp addr"))
-	binds = append(binds, addFlag(flagKey, "", "path to .key"))
-	binds = append(binds, addFlag(flagUser, "", "basic auth username"))
-	binds = append(binds, addFlag(flagPass, "", "basic auth password"))
-	binds = append(binds, addFlag(flagRate, "100", "rate limit per second"))
-	binds = append(binds, addFlag(flagBurst, "100", "rate limit burst"))
-	binds = append(binds, addFlag(flagTimeout, "30", "seconds to wait for limiter"))
-	binds = append(binds, addFlag(flagRewrites, "", "comma-separated from:replace:replacement:oauth to rewrite in response bodies"))
-	flag.Parse()
-
-	for _, bind := range binds {
-		confFlag := flag.Lookup(bind.flag)
-		if confFlag == nil || confFlag.Value.String() == "" {
-			continue
-		}
-		if err := conf.Set(nsConf, bind.flag, packable.NewString(*bind.value)); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func addFlag(key, def, help string) toBind {
-	def = getFlagOrDefault(key, def)
-	v := flag.String(key, def, help)
-	return toBind{
-		flag:  key,
-		value: v,
-	}
-}
-
-func getFlagOrDefault(key, def string) string {
-	v := packable.NewString()
-	if err := conf.Get(nsConf, key, v); err != nil {
-		return def
-	}
-	return v.String()
-}
--- a/.config/new_test.go
+++ b/.config/new_test.go
@ -1,46 +0,0 @@
-package config
-
-import (
-	"flag"
-	"os"
-	"testing"
-)
-
-func TestInit(t *testing.T) {
-	was := os.Args[:]
-	os.Args = []string{"program"}
-	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-	defer func() {
-		os.Args = was[:]
-	}()
-
-	if err := Init(); err != nil {
-		t.Errorf("failed to init: %v", err)
-	}
-}
-
-func TestFromFile(t *testing.T) {
-	was := os.Args[:]
-	os.Args = []string{"program"}
-	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-	defer func() {
-		os.Args = was[:]
-	}()
-
-	if err := fromFile(); err != nil {
-		t.Errorf("failed from file: %v", err)
-	}
-}
-
-func TestFromFlags(t *testing.T) {
-	was := os.Args[:]
-	os.Args = []string{"program"}
-	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
-	defer func() {
-		os.Args = was[:]
-	}()
-
-	if err := fromFlags(); err != nil {
-		t.Errorf("failed from flags: %v", err)
-	}
-}
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+
+export CGO_ENABLED=1 
+export CC=x86_64-linux-musl-gcc   
+exec go build -ldflags="-linkmode external -extldflags '-static'" -o exec-rproxy3
--- a/config/config.go
+++ b/config/config.go
@ -4,15 +4,20 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"regexp"
 	"strings"
 	"time"
+
+	"gopkg.in/yaml.v2"
 )

 type Proxy struct {
-	To string
+	Auth string
+	From string
+	To   string
 }

-func parseProxy(s string) (string, Proxy) {
+func parseOneProxyCSV(s string) (string, Proxy) {
 	p := Proxy{}
 	key := ""
 	l := strings.Split(s, ",")
@ -25,16 +30,6 @@ func parseProxy(s string) (string, Proxy) {
 	return key, p
 }

-func GetAuthelia() (string, bool) {
-	authelia := conf.Get("authelia").GetString()
-	return authelia, authelia != ""
-}
-
-func GetBOAuthZ() (string, bool) {
-	boauthz := conf.Get("oauth").GetString()
-	return boauthz, boauthz != ""
-}
-
 func GetAuth() (string, string, bool) {
 	user := conf.Get("user").GetString()
 	pass := conf.Get("pass").GetString()
@ -63,11 +58,31 @@ func GetRate() (int, int) {
 }

 func GetRoutes() map[string]Proxy {
-	list := conf.Get("proxy").GetString()
+	s := conf.Get("proxy2").GetString()
+	var dict map[string]string
+	if err := yaml.Unmarshal([]byte(s), &dict); err == nil && len(s) > 0 {
+		pattern := regexp.MustCompile(`(([^:]*):)?(([^:]*):)?([a-z0-9]*:.*)`)
+		result := map[string]Proxy{}
+		for k, v := range dict {
+			submatches := pattern.FindAllStringSubmatch(v, -1)
+			log.Printf("%+v", submatches)
+			result[k] = Proxy{
+				Auth: submatches[0][2],
+				From: submatches[0][4],
+				To:   submatches[0][5],
+			}
+		}
+		return result
+	}
+	return getRoutesCSV()
+}
+
+func getRoutesCSV() map[string]Proxy {
+	list := conf.Get("proxy2").GetString()
 	definitions := strings.Split(list, ",,")
 	routes := make(map[string]Proxy)
 	for _, definition := range definitions {
-		k, v := parseProxy(definition)
+		k, v := parseOneProxyCSV(definition)
 		routes[k] = v
 	}
 	return routes
--- a/config/new.go
+++ b/config/new.go
@ -2,12 +2,13 @@ package config

 import (
 	"fmt"
-	"local/args"
-	"local/logb"
 	"log"
 	"os"
 	"strings"
 	"time"
+
+	"gitea.bel.blue/local/args"
+	"gitea.bel.blue/local/logb"
 )

 var conf *args.ArgSet
@ -50,9 +51,7 @@ func parseArgs() (*args.ArgSet, error) {
 	as.Append(args.STRING, "trim", "path prefix to trim, like '/abc' to change '/abc/def' to '/def'", "")
 	as.Append(args.STRING, "tcp", "address for tcp only tunnel", "")
 	as.Append(args.DURATION, "timeout", "timeout for tunnel", time.Minute)
-	as.Append(args.STRING, "proxy", "double-comma separated (+ if auth)from,scheme://to.tld:port,,", "")
-	as.Append(args.STRING, "oauth", "url for boauthz", "")
-	as.Append(args.STRING, "authelia", "url for authelia", "")
+	as.Append(args.STRING, "proxy2", "double-comma separated 'from,scheme://to.tld:port,,' OR a yaml dictionary of 'from: (password:)scheme://to.tld:port'", "")
 	as.Append(args.STRING, "cors", "json dict key:true for keys to set CORS permissive headers, like {\"from\":true}", "{}")
 	as.Append(args.STRING, "nopath", "json dict key:true for keys to remove all path info from forwarded request, like -cors", "{}")
 	as.Append(args.STRING, "level", "log level", "info")
--- a/example_config.yaml
+++ b/example_config.yaml
@ -7,5 +7,7 @@ crt: ""
 key: ""
 tcp: ""
 timeout: 1m
-proxy: a,http://localhost:41912,,+b,http://localhost:41912
+proxy2: |
+  a: http://localhost:41912
+  b: password:http://localhost:41912
 oauth: http://localhost:23456
--- a/go.mod
+++ b/go.mod
@ -0,0 +1,17 @@
+module gitea.bel.blue/local/rproxy3
+
+go 1.18
+
+require (
+	gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714
+	gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9
+	github.com/google/uuid v1.3.0
+	golang.org/x/time v0.1.0
+)
+
+require gopkg.in/yaml.v2 v2.4.0
+
+require (
+	github.com/kr/pretty v0.1.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
+)
--- a/go.sum
+++ b/go.sum
@ -0,0 +1,18 @@
+gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714 h1:JHV86INH1QmPJoyIhdrDLJq7OKta+fJAwbK0pnxI4Hc=
+gitea.bel.blue/local/args v0.0.0-20251121001304-83c57f856714/go.mod h1:GCzui3GPhOgKgGYNqtW55YkI3vIWCQEHPydGjFhaXV0=
+gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9 h1:lBkQPYgWZnPxt6CvsSwVh9EZtuvi2lIbGOHPqe/gn1Y=
+gitea.bel.blue/local/logb v0.0.0-20251121001353-d45d53fbaae9/go.mod h1:+8sJb8UksdadKy43czL7/3TcfBwCkuYT6hFY+RaxP48=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
+golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
--- a/main.go
+++ b/main.go
@ -1,8 +1,8 @@
 package main

 import (
-	"local/rproxy3/config"
-	"local/rproxy3/server"
+	"gitea.bel.blue/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/server"
 )

 func main() {
--- a/main_test.go
+++ b/main_test.go
@ -34,7 +34,7 @@ func TestHTTPSMain(t *testing.T) {
 			"username",
 			"-pass",
 			"password",
-			"-proxy",
+			"-proxy2",
 			"hello," + addr,
 			"-crt",
 			"./testdata/rproxy3server.crt",
@ -89,7 +89,7 @@ func TestHTTPMain(t *testing.T) {
 			"username",
 			"-pass",
 			"password",
-			"-proxy",
+			"-proxy2",
 			"hello," + addr,
 		}
 		main()
--- a/server/new.go
+++ b/server/new.go
@ -1,8 +1,8 @@
 package server

 import (
-	"local/rproxy3/config"
-	"local/rproxy3/storage"
+	"gitea.bel.blue/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/storage"

 	"golang.org/x/time/rate"
 )
@ -17,7 +17,5 @@ func New() *Server {
 		altaddr: altport,
 		limiter: rate.NewLimiter(rate.Limit(r), b),
 	}
-	_, server.auth.BOAuthZ = config.GetBOAuthZ()
-	_, server.auth.Authelia = config.GetAuthelia()
 	return server
 }
--- a/server/proxy.go
+++ b/server/proxy.go
@ -4,13 +4,14 @@ import (
 	"bytes"
 	"crypto/tls"
 	"io"
-	"local/rproxy3/config"
-	"local/rproxy3/storage/packable"
 	"log"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"strings"
+
+	"gitea.bel.blue/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )

 type redirPurge struct {
@ -51,10 +52,16 @@ func (s *Server) lookup(host string) (*url.URL, error) {
 	return v.URL(), err
 }

-func (s *Server) lookupAuth(host string) (bool, error) {
+func (s *Server) lookupAuth(host string) (string, error) {
 	v := packable.NewString()
-	err := s.db.Get(nsBOAuthZ, host, v)
-	return v.String() == "true", err
+	err := s.db.Get(nsRouting, host+"//auth", v)
+	return v.String(), err
+}
+
+func (s *Server) lookupFrom(host string) (string, error) {
+	v := packable.NewString()
+	err := s.db.Get(nsRouting, host+"//from", v)
+	return v.String(), err
 }

 func mapKey(host string) string {
--- a/server/routes.go
+++ b/server/routes.go
@ -1,7 +1,7 @@
 package server

 import (
-	"local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/config"
 )

 func (s *Server) Routes() error {
--- a/server/server.go
+++ b/server/server.go
@ -8,33 +8,32 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"local/logb"
-	"local/oauth2/oauth2client"
-	"local/rproxy3/config"
-	"local/rproxy3/storage"
-	"local/rproxy3/storage/packable"
 	"log"
 	"net"
 	"net/http"
 	"net/url"
-	"path"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"

+	"gitea.bel.blue/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/storage"
+	"gitea.bel.blue/local/rproxy3/storage/packable"
+
 	"github.com/google/uuid"
 	"golang.org/x/time/rate"
 )

 const nsRouting = "routing"
-const nsBOAuthZ = "oauth"

 type listenerScheme int

 const (
-	schemeHTTP  listenerScheme = iota
-	schemeHTTPS listenerScheme = iota
-	schemeTCP   listenerScheme = iota
+	schemeHTTP listenerScheme = iota
+	schemeHTTPS
+	schemeTCP
+	schemeTCPTLS
 )

 func (ls listenerScheme) String() string {
@ -45,6 +44,8 @@ func (ls listenerScheme) String() string {
 		return "https"
 	case schemeTCP:
 		return "tcp"
+	case schemeTCPTLS:
+		return "tcptls"
 	}
 	return ""
 }
@ -56,21 +57,21 @@ type Server struct {
 	username string
 	password string
 	limiter  *rate.Limiter
-	auth     struct {
-		BOAuthZ  bool
-		Authelia bool
-	}
 }

 func (s *Server) Route(src string, dst config.Proxy) error {
-	hasOAuth := strings.HasPrefix(src, "+")
 	src = strings.TrimPrefix(src, "+")
 	log.Printf("Adding route %q -> %v...\n", src, dst)
 	u, err := url.Parse(dst.To)
 	if err != nil {
 		return err
 	}
-	s.db.Set(nsBOAuthZ, src, packable.NewString(fmt.Sprint(hasOAuth)))
+	if err := s.db.Set(nsRouting, src+"//from", packable.NewString(dst.From)); err != nil {
+		return err
+	}
+	if err := s.db.Set(nsRouting, src+"//auth", packable.NewString(dst.Auth)); err != nil {
+		return err
+	}
 	return s.db.Set(nsRouting, src, packable.NewURL(u))
 }

@ -103,135 +104,40 @@ func (s *Server) Run() error {
 	case schemeTCP:
 		addr, _ := config.GetTCP()
 		return s.ServeTCP(addr)
+	case schemeTCPTLS:
+		addr, _ := config.GetTCP()
+		cert, key, _ := config.GetSSL()
+		return s.ServeTCPTLS(addr, cert, key)
 	}
 	return errors.New("did not load server")
 }

-func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		authelia, ok := config.GetAuthelia()
-		if !ok {
-			panic("howd i get here")
-		}
-		url, err := url.Parse(authelia)
-		if err != nil {
-			panic(fmt.Sprintf("bad config for authelia url: %v", err))
-		}
-		url.Path = "/api/verify"
-		logb.Verbosef("authelia @ %s", url.String())
-		req, err := http.NewRequest(http.MethodGet, url.String(), nil)
-		if err != nil {
-			panic(err.Error())
-		}
-		r2 := r.Clone(r.Context())
-		if r2.URL.Host == "" {
-			r2.URL.Host = r2.Host
-		}
-		if r2.URL.Scheme == "" {
-			r2.URL.Scheme = "https"
-		}
-		for _, httpreq := range []*http.Request{r, req} {
-			for k, v := range map[string]string{
-				"X-Original-Url":    r2.URL.String(),
-				"X-Forwarded-Proto": r2.URL.Scheme,
-				"X-Forwarded-Host":  r2.URL.Host,
-				"X-Forwarded-Uri":   r2.URL.String(),
-			} {
-				if _, ok := httpreq.Header[k]; !ok {
-					logb.Verbosef("authelia header setting %s:%s", k, v)
-					httpreq.Header.Set(k, v)
-				}
-			}
-		}
-		if cookie, err := r.Cookie("authelia_session"); err == nil {
-			logb.Verbosef("authelia session found in cookies; %+v", cookie)
-			req.AddCookie(cookie)
-		}
-		c := &http.Client{
-			Timeout: time.Minute,
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-			},
-		}
-
-		autheliaKey := mapKey(req.Host)
-		logb.Verbosef("request to %s is authelia %s? %v", r.Host, autheliaKey, strings.HasPrefix(r.Host, autheliaKey))
-		if strings.HasPrefix(r.Host, autheliaKey) {
-			logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
-			foo(w, r)
-			return
-		}
-
-		resp, err := c.Do(req)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-		logb.Debugf(
-			"authelia: %+v, %+v \n\t-> \n\t(%d) %+v, %+v",
-			req,
-			req.Cookies(),
-			resp.StatusCode,
-			resp.Header,
-			resp.Cookies(),
-		)
-		defer resp.Body.Close()
-		if resp.StatusCode == http.StatusOK {
-			for k := range resp.Header {
-				if strings.HasPrefix(k, "Remote-") {
-					cookie := &http.Cookie{
-						Name:     k,
-						Value:    resp.Header.Get(k),
-						Path:     "/",
-						SameSite: http.SameSiteLaxMode,
-						Expires:  time.Now().Add(24 * time.Hour * 30),
-					}
-					logb.Verbosef("setting authelia cookie in response: %+v", cookie)
-					http.SetCookie(w, cookie)
-					logb.Verbosef("setting authelia cookie in request: %+v", cookie)
-					r.AddCookie(cookie)
-				}
-			}
-			foo(w, r)
-			return
-		}
-		url.Path = ""
-		q := url.Query()
-		q.Set("rd", r2.URL.String())
-		url.RawQuery = q.Encode()
-		logb.Verbosef("authelia status %d, rd'ing %s", resp.StatusCode, url.String())
-		http.Redirect(w, r, url.String(), http.StatusFound)
+func (s *Server) ServeTCPTLS(addr, c, k string) error {
+	certificate, err := tls.LoadX509KeyPair(c, k)
+	if err != nil {
+		return err
 	}
-}
-
-func (s *Server) doBOAuthZ(foo http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		key := mapKey(r.Host)
-		rusr, rpwd, ok := config.GetAuth()
-		if ok {
-			usr, pwd, ok := r.BasicAuth()
-			if !ok || rusr != usr || rpwd != pwd {
-				w.WriteHeader(http.StatusUnauthorized)
-				log.Printf("denying proxy basic auth")
-				return
-			}
-		}
-		ok, err := s.lookupAuth(key)
-		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
-			return
-		}
-		if url, exists := config.GetBOAuthZ(); ok && exists {
-			err := oauth2client.Authenticate(url, key, w, r)
-			if err != nil {
-				return
-			}
-		}
-		if config.GetNoPath(key) && path.Ext(r.URL.Path) == "" {
-			r.URL.Path = "/"
-		}
-		foo(w, r)
+	certificates := []tls.Certificate{certificate}
+	listen, err := net.Listen("tcp", s.addr)
+	if err != nil {
+		return err
 	}
+	defer listen.Close()
+	config := &tls.Config{
+		Certificates:             certificates,
+		MinVersion:               tls.VersionTLS12,
+		CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+		PreferServerCipherSuites: true,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
+	}
+	config.BuildNameToCertificate()
+	tlsListener := tls.NewListener(listen, config)
+	return s.serveTCP(addr, tlsListener)
 }

 func (s *Server) ServeTCP(addr string) error {
@ -239,6 +145,11 @@ func (s *Server) ServeTCP(addr string) error {
 	if err != nil {
 		return err
 	}
+	defer listen.Close()
+	return s.serveTCP(addr, listen)
+}
+
+func (s *Server) serveTCP(addr string, listen net.Listener) error {
 	for {
 		c, err := listen.Accept()
 		if err != nil {
@ -277,24 +188,67 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			return
 		}

+		if r.URL.Scheme == "https" {
+			w.Header().Set("X-Forwarded-Proto", "https")
+		}
+
 		w, did := doCORS(w, r)
 		if did {
 			pushMeta(r, "explain", "did cors")
 			return
 		}

-		if s.auth.BOAuthZ {
-			logb.Verbosef("doing boauthz for request to %s", r.URL.String())
-			s.doBOAuthZ(foo)(w, r)
-		} else if s.auth.Authelia {
-			logb.Verbosef("doing authelia for request to %s", r.URL.String())
-			s.doAuthelia(foo)(w, r)
+		if mapKey(r.Host) == "_" {
+			s.List(w)
+			return
+		}
+
+		if auth, err := s.lookupAuth(mapKey(r.Host)); err != nil {
+			log.Printf("failed to lookup auth for %s (%s): %v", r.Host, mapKey(r.Host), err)
+			w.Header().Set("WWW-Authenticate", "Basic")
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+		} else if _, p, _ := r.BasicAuth(); auth != "" && auth != p {
+			log.Printf("failed to auth: expected %q but got %q", auth, p)
+			w.Header().Set("WWW-Authenticate", "Basic")
+			http.Error(w, "unexpected basic auth", http.StatusUnauthorized)
+		} else if from, err := s.lookupFrom(mapKey(r.Host)); err != nil {
+			log.Printf("failed to lookup from for %s (%s): %v", r.Host, mapKey(r.Host), err)
+			http.Error(w, err.Error(), http.StatusBadGateway)
+		} else if err := assertFrom(from, r.RemoteAddr); err != nil {
+			log.Printf("failed to from: expected %q but got %q: %v", from, r.RemoteAddr, err)
+			http.Error(w, "unexpected from", http.StatusUnauthorized)
 		} else {
 			foo(w, r)
 		}
 	}
 }

+func assertFrom(from, remoteAddr string) error {
+	if from == "" {
+		return nil
+	}
+
+	pattern := regexp.MustCompile(`[0-9](:[0-9]+)$`).FindStringSubmatchIndex(remoteAddr)
+	if len(pattern) == 4 {
+		remoteAddr = remoteAddr[:pattern[2]]
+	}
+
+	remoteIP := net.ParseIP(remoteAddr)
+	if remoteIP == nil {
+		return fmt.Errorf("cannot parse remote %q", remoteAddr)
+	}
+
+	_, net, err := net.ParseCIDR(from)
+	if err != nil {
+		panic(err)
+	}
+	if net.Contains(remoteIP) {
+		return nil
+	}
+
+	return fmt.Errorf("expected like %q but got like %q", from, remoteAddr)
+}
+
 func withMeta(w http.ResponseWriter, r *http.Request) (*http.Request, func()) {
 	meta := map[string]string{
 		"ts":     strconv.FormatInt(time.Now().Unix(), 10),
@ -331,6 +285,25 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.Pre(s.Proxy)(w, r)
 }

+func (s *Server) List(w http.ResponseWriter) {
+	keys := s.db.Keys(nsRouting)
+	hostURL := map[string]string{}
+	hostFrom := map[string]string{}
+	for _, key := range keys {
+		u, _ := s.lookup(key)
+		if u != nil && strings.TrimSuffix(key, "//auth") == key {
+			hostURL[key] = u.String()
+		}
+		if u != nil && strings.TrimSuffix(key, "//from") == key {
+			hostFrom[key] = u.String()
+		}
+	}
+	json.NewEncoder(w).Encode(map[string]any{
+		"hostsToURLs": hostURL,
+		"hostsToFrom": hostFrom,
+	})
+}
+
 type corsResponseWriter struct {
 	r *http.Request
 	http.ResponseWriter
@ -346,7 +319,6 @@ func (cb corsResponseWriter) WriteHeader(code int) {
 func doCORS(w http.ResponseWriter, r *http.Request) (http.ResponseWriter, bool) {
 	key := mapKey(r.Host)
 	if !config.GetCORS(key) {
-		pushMeta(r, "do-cors", "not enabled for key")
 		return w, false
 	}
 	pushMeta(r, "do-cors", "enabled for key")
@ -406,11 +378,15 @@ func (s *Server) alt() {

 func getScheme() listenerScheme {
 	scheme := schemeHTTP
-	if _, _, ok := config.GetSSL(); ok {
+	_, _, ssl := config.GetSSL()
+	if ssl {
 		scheme = schemeHTTPS
 	}
 	if _, ok := config.GetTCP(); ok {
 		scheme = schemeTCP
+		if ssl {
+			scheme = schemeTCPTLS
+		}
 	}
 	return scheme
 }
--- a/server/server_test.go
+++ b/server/server_test.go
@ -3,13 +3,14 @@ package server
 import (
 	"context"
 	"fmt"
-	"local/rproxy3/config"
-	"local/rproxy3/storage"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

+	"gitea.bel.blue/local/rproxy3/config"
+	"gitea.bel.blue/local/rproxy3/storage"
+
 	"golang.org/x/time/rate"
 )

@ -104,3 +105,32 @@ func TestCORS(t *testing.T) {
 		}
 	})
 }
+
+func TestAssertFrom(t *testing.T) {
+	cases := map[string]struct {
+		from   string
+		remote string
+		err    bool
+	}{
+		"empty": {},
+		"ipv6 localhost": {
+			from:   "::1/128",
+			remote: "::1:12345",
+		},
+		"ipv4 localhost": {
+			from:   "127.0.0.1/32",
+			remote: "127.0.0.1:12345",
+		},
+	}
+
+	for name, d := range cases {
+		c := d
+		t.Run(name, func(t *testing.T) {
+			err := assertFrom(c.from, c.remote)
+			got := err != nil
+			if got != c.err {
+				t.Errorf("expected err=%v but got %v", c.err, err)
+			}
+		})
+	}
+}
--- a/storage/db.go
+++ b/storage/db.go
@ -2,7 +2,8 @@ package storage

 import (
 	"errors"
-	"local/rproxy3/storage/packable"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )

 var ErrNotFound = errors.New("not found")
@ -10,5 +11,6 @@ var ErrNotFound = errors.New("not found")
 type DB interface {
 	Get(string, string, packable.Packable) error
 	Set(string, string, packable.Packable) error
+	Keys(string) []string
 	Close() error
 }
--- a/storage/db_test.go
+++ b/storage/db_test.go
@ -1,9 +1,10 @@
 package storage

 import (
-	"local/rproxy3/storage/packable"
 	"os"
 	"testing"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )

 func TestDB(t *testing.T) {
--- a/storage/map.go
+++ b/storage/map.go
@ -2,7 +2,8 @@ package storage

 import (
 	"fmt"
-	"local/rproxy3/storage/packable"
+
+	"gitea.bel.blue/local/rproxy3/storage/packable"
 )

 type Map map[string]map[string][]byte
@ -40,6 +41,15 @@ func (m Map) Close() error {
 	return nil
 }

+func (m Map) Keys(ns string) []string {
+	m2, _ := m[ns]
+	result := make([]string, 0, len(m2))
+	for k := range m2 {
+		result = append(result, k)
+	}
+	return result
+}
+
 func (m Map) Get(ns, key string, value packable.Packable) error {
 	if _, ok := m[ns]; !ok {
 		m[ns] = make(map[string][]byte)
Author	SHA1	Message	Date
bel	057a0ab341	to bel.blue	2025-11-20 17:56:06 -07:00
Bel LaPointe	b6422eb0c0	support tcp AND ssl	2025-11-20 17:15:22 -07:00
Bel LaPointe	4a0e3c15e9	mto bel.blue thanks render	2025-11-20 17:14:50 -07:00
bel	3b53ef938d	build.sh	2025-11-20 08:47:54 -07:00
bel	40d95d5b63	fix tests	2025-11-20 08:29:11 -07:00
bel	2ff12869cd	impl cidr as password:CIDR:http://target	2025-11-20 08:28:25 -07:00
bel	9791f80b28	shhhh	2025-06-19 17:03:01 -06:00
bel	8d018aa236	oh	2025-06-19 16:56:52 -06:00
bel	00eda1e419	hrm	2025-06-19 16:52:36 -06:00
bel	5a0f567da3	_ lists	2025-06-19 16:49:06 -06:00
bel	e4451923e9	whatevs	2024-12-21 13:50:53 -07:00
bel	4211b238c5	X-Forwarded-Proto	2024-12-21 13:48:57 -07:00
bel	5ab41100fb	Merge branch 'master' of https://gitea.inhome.blapointe.com/local/rproxy3	2024-12-21 13:44:47 -07:00
bel	66f2a4df94	passthrough basic auth if not configred at rproxy3 level	2024-04-01 06:46:27 -06:00
Bel LaPointe	dee04b6962	ewwww broke passthrough basic auth	2024-04-01 06:45:31 -06:00
Bel LaPointe	87d95b4eff	Merge branch 'master' of https://gitea.inhome.blapointe.com/local/rproxy3	2024-04-01 06:44:15 -06:00
bel	f083763f1d	there we go	2024-03-10 11:17:48 -06:00
bel	abf628d2bb	proxy2 does auth inline	2024-03-10 11:08:51 -06:00
bel	fb6d7af6d3	from gogs to gitea	2024-03-10 09:54:05 -06:00
bel	9941706b73	trivial	2024-03-10 09:51:29 -06:00
Bel LaPointe	669f3283f4	from gogs	2024-01-09 08:05:16 -07:00
Bel LaPointe	fb30cc8436	to gogs.inhome	2023-04-10 11:18:10 -06:00
bel	c8330aab26	NOW go mod	2022-10-25 22:42:05 -06:00
bel	32891c518c	go mod	2022-10-25 22:40:00 -06:00