├── .gitignore ├── LICENSE ├── README.md ├── gocat.go ├── gocat.service ├── gocat.socket └── util ├── socket_client.go ├── socket_server.go ├── tls_client.go └── tls_server.go /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Object files, Static and Dynamic libs (Shared Objects) 2 | *.o 3 | *.a 4 | *.so 5 | 6 | # Folders 7 | _obj 8 | _test 9 | 10 | # Architecture specific extensions/prefixes 11 | *.[568vq] 12 | [568vq].out 13 | 14 | *.cgo1.go 15 | *.cgo2.c 16 | _cgo_defun.c 17 | _cgo_gotypes.go 18 | _cgo_export.* 19 | 20 | _testmain.go 21 | 22 | *.exe 23 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, and 10 | distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by the copyright 13 | owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all other entities 16 | that control, are controlled by, or are under common control with that entity. 17 | For the purposes of this definition, "control" means (i) the power, direct or 18 | indirect, to cause the direction or management of such entity, whether by 19 | contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the 20 | outstanding shares, or (iii) beneficial ownership of such entity. 21 | 22 | "You" (or "Your") shall mean an individual or Legal Entity exercising 23 | permissions granted by this License. 
24 | 25 | "Source" form shall mean the preferred form for making modifications, including 26 | but not limited to software source code, documentation source, and configuration 27 | files. 28 | 29 | "Object" form shall mean any form resulting from mechanical transformation or 30 | translation of a Source form, including but not limited to compiled object code, 31 | generated documentation, and conversions to other media types. 32 | 33 | "Work" shall mean the work of authorship, whether in Source or Object form, made 34 | available under the License, as indicated by a copyright notice that is included 35 | in or attached to the work (an example is provided in the Appendix below). 36 | 37 | "Derivative Works" shall mean any work, whether in Source or Object form, that 38 | is based on (or derived from) the Work and for which the editorial revisions, 39 | annotations, elaborations, or other modifications represent, as a whole, an 40 | original work of authorship. For the purposes of this License, Derivative Works 41 | shall not include works that remain separable from, or merely link (or bind by 42 | name) to the interfaces of, the Work and Derivative Works thereof. 43 | 44 | "Contribution" shall mean any work of authorship, including the original version 45 | of the Work and any modifications or additions to that Work or Derivative Works 46 | thereof, that is intentionally submitted to Licensor for inclusion in the Work 47 | by the copyright owner or by an individual or Legal Entity authorized to submit 48 | on behalf of the copyright owner. 
For the purposes of this definition, 49 | "submitted" means any form of electronic, verbal, or written communication sent 50 | to the Licensor or its representatives, including but not limited to 51 | communication on electronic mailing lists, source code control systems, and 52 | issue tracking systems that are managed by, or on behalf of, the Licensor for 53 | the purpose of discussing and improving the Work, but excluding communication 54 | that is conspicuously marked or otherwise designated in writing by the copyright 55 | owner as "Not a Contribution." 56 | 57 | "Contributor" shall mean Licensor and any individual or Legal Entity on behalf 58 | of whom a Contribution has been received by Licensor and subsequently 59 | incorporated within the Work. 60 | 61 | 2. Grant of Copyright License. 62 | 63 | Subject to the terms and conditions of this License, each Contributor hereby 64 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 65 | irrevocable copyright license to reproduce, prepare Derivative Works of, 66 | publicly display, publicly perform, sublicense, and distribute the Work and such 67 | Derivative Works in Source or Object form. 68 | 69 | 3. Grant of Patent License. 70 | 71 | Subject to the terms and conditions of this License, each Contributor hereby 72 | grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, 73 | irrevocable (except as stated in this section) patent license to make, have 74 | made, use, offer to sell, sell, import, and otherwise transfer the Work, where 75 | such license applies only to those patent claims licensable by such Contributor 76 | that are necessarily infringed by their Contribution(s) alone or by combination 77 | of their Contribution(s) with the Work to which such Contribution(s) was 78 | submitted. 
If You institute patent litigation against any entity (including a 79 | cross-claim or counterclaim in a lawsuit) alleging that the Work or a 80 | Contribution incorporated within the Work constitutes direct or contributory 81 | patent infringement, then any patent licenses granted to You under this License 82 | for that Work shall terminate as of the date such litigation is filed. 83 | 84 | 4. Redistribution. 85 | 86 | You may reproduce and distribute copies of the Work or Derivative Works thereof 87 | in any medium, with or without modifications, and in Source or Object form, 88 | provided that You meet the following conditions: 89 | 90 | You must give any other recipients of the Work or Derivative Works a copy of 91 | this License; and 92 | You must cause any modified files to carry prominent notices stating that You 93 | changed the files; and 94 | You must retain, in the Source form of any Derivative Works that You distribute, 95 | all copyright, patent, trademark, and attribution notices from the Source form 96 | of the Work, excluding those notices that do not pertain to any part of the 97 | Derivative Works; and 98 | If the Work includes a "NOTICE" text file as part of its distribution, then any 99 | Derivative Works that You distribute must include a readable copy of the 100 | attribution notices contained within such NOTICE file, excluding those notices 101 | that do not pertain to any part of the Derivative Works, in at least one of the 102 | following places: within a NOTICE text file distributed as part of the 103 | Derivative Works; within the Source form or documentation, if provided along 104 | with the Derivative Works; or, within a display generated by the Derivative 105 | Works, if and wherever such third-party notices normally appear. The contents of 106 | the NOTICE file are for informational purposes only and do not modify the 107 | License. 
You may add Your own attribution notices within Derivative Works that 108 | You distribute, alongside or as an addendum to the NOTICE text from the Work, 109 | provided that such additional attribution notices cannot be construed as 110 | modifying the License. 111 | You may add Your own copyright statement to Your modifications and may provide 112 | additional or different license terms and conditions for use, reproduction, or 113 | distribution of Your modifications, or for any such Derivative Works as a whole, 114 | provided Your use, reproduction, and distribution of the Work otherwise complies 115 | with the conditions stated in this License. 116 | 117 | 5. Submission of Contributions. 118 | 119 | Unless You explicitly state otherwise, any Contribution intentionally submitted 120 | for inclusion in the Work by You to the Licensor shall be under the terms and 121 | conditions of this License, without any additional terms or conditions. 122 | Notwithstanding the above, nothing herein shall supersede or modify the terms of 123 | any separate license agreement you may have executed with Licensor regarding 124 | such Contributions. 125 | 126 | 6. Trademarks. 127 | 128 | This License does not grant permission to use the trade names, trademarks, 129 | service marks, or product names of the Licensor, except as required for 130 | reasonable and customary use in describing the origin of the Work and 131 | reproducing the content of the NOTICE file. 132 | 133 | 7. Disclaimer of Warranty. 134 | 135 | Unless required by applicable law or agreed to in writing, Licensor provides the 136 | Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, 137 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, 138 | including, without limitation, any warranties or conditions of TITLE, 139 | NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. 
You are 140 | solely responsible for determining the appropriateness of using or 141 | redistributing the Work and assume any risks associated with Your exercise of 142 | permissions under this License. 143 | 144 | 8. Limitation of Liability. 145 | 146 | In no event and under no legal theory, whether in tort (including negligence), 147 | contract, or otherwise, unless required by applicable law (such as deliberate 148 | and grossly negligent acts) or agreed to in writing, shall any Contributor be 149 | liable to You for damages, including any direct, indirect, special, incidental, 150 | or consequential damages of any character arising as a result of this License or 151 | out of the use or inability to use the Work (including but not limited to 152 | damages for loss of goodwill, work stoppage, computer failure or malfunction, or 153 | any and all other commercial damages or losses), even if such Contributor has 154 | been advised of the possibility of such damages. 155 | 156 | 9. Accepting Warranty or Additional Liability. 157 | 158 | While redistributing the Work or Derivative Works thereof, You may choose to 159 | offer, and charge a fee for, acceptance of support, warranty, indemnity, or 160 | other liability obligations and/or rights consistent with this License. However, 161 | in accepting such obligations, You may act only on Your own behalf and on Your 162 | sole responsibility, not on behalf of any other Contributor, and only if You 163 | agree to indemnify, defend, and hold each Contributor harmless for any liability 164 | incurred by, or claims asserted against, such Contributor by reason of your 165 | accepting any such warranty or additional liability. 166 | 167 | END OF TERMS AND CONDITIONS 168 | 169 | APPENDIX: How to apply the Apache License to your work 170 | 171 | To apply the Apache License to your work, attach the following boilerplate 172 | notice, with the fields enclosed by brackets "[]" replaced with your own 173 | identifying information. 
(Don't include the brackets!) The text should be 174 | enclosed in the appropriate comment syntax for the file format. We also 175 | recommend that a file or class name and description of purpose be included on 176 | the same "printed page" as the copyright notice for easier identification within 177 | third-party archives. 178 | 179 | Copyright [yyyy] [name of copyright owner] 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # gocat 2 | 3 | Socket activated transparent SSL proxy written in Go. 
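The goal is to make it easy to write a simple unit file that exposes a Unix socket to the internet securely

cool-service-ssl.socket

```
[Unit]
Description=Cool Service Internet Proxy

[Socket]
ListenStream=1234
```

cool-service-ssl.service

```
[Unit]
Description=Proxy Cool Service to the Internet

[Service]
Type=simple
ExecStart=/usr/bin/gocat -key -cert /var/run/cool-service/service.socket
```

## Goals

- Simple transparent SSL proxy
- Socket activated by default using systemd's socket activation protocol
- Support for SSL client certificates
- Simple command line interface
--------------------------------------------------------------------------------
/gocat.go:
--------------------------------------------------------------------------------
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"flag"
	"fmt"
	"io"
	"net"
	"os"

	"github.com/coreos/go-systemd/activation"
)

// flagAssert prints display and the usage text to stderr and exits with
// status 2 (the conventional "bad invocation" code) when pred is false.
// It returns normally when pred is true.
func flagAssert(pred bool, display string) {
	if pred {
		return
	}
	fmt.Fprintln(os.Stderr, display)
	flag.Usage()
	os.Exit(2)
}

// main parses the command line and hands over to gocat.
//
// Exit status: 2 for a bad invocation, 1 when the proxy cannot be started or
// its listener is closed, otherwise the process runs until killed.
func main() {
	key := flag.String("key", "", "path to private key")
	cert := flag.String("cert", "", "path to cert pem")
	clientCA := flag.String("clientca", "",
		"path to a PEM bundle of CAs that client certificates must chain to (requires -key and -cert)")
	flag.Usage = func() {
		fmt.Fprintln(os.Stderr, "gocat [unix socket file] [host]:port")
		fmt.Fprintln(os.Stderr, " (when gocat is socket activated, the second argument is ignored)")
		flag.PrintDefaults()
	}
	flag.Parse()
	flagAssert(flag.NArg() == 2, "error: gocat requires exactly 2 arguments")
	// -key and -cert are either both given or both absent.
	flagAssert((*key == "") == (*cert == ""),
		"error: gocat requires both a key and a certificate to be specified")
	// Client-certificate verification is meaningless without a TLS listener.
	flagAssert(*clientCA == "" || *key != "",
		"error: -clientca requires -key and -cert")
	socket := flag.Arg(0)
	server := flag.Arg(1)

	// The previous debug print of every argument (including the key path) to
	// stdout has been removed: paths to key material do not belong in logs.
	if err := gocat(socket, server, *cert, *key, *clientCA); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}

// gocat accepts connections on server (or on the single systemd-activated
// socket when one is passed in), optionally terminates TLS on them, and
// relays each one to the Unix socket at socket.
//
// cert, key and clientCA are file paths; key == "" disables TLS entirely.
// gocat only returns when the listener cannot be set up or has been closed,
// and the returned error says which.
func gocat(socket, server, cert, key, clientCA string) error {
	ln, err := listen(server)
	if err != nil {
		return err
	}
	defer ln.Close()

	if key != "" {
		ln, err = wrapTLS(ln, cert, key, clientCA)
		if err != nil {
			return err
		}
	} else {
		fmt.Fprintln(os.Stderr, "danger: no certificate or key specified - starting without TLS!")
	}

	for {
		conn, err := ln.Accept()
		if err != nil {
			// A closed listener never recovers; anything else (e.g. a
			// transient EMFILE) is logged and the loop carries on.
			if errors.Is(err, net.ErrClosed) {
				return fmt.Errorf("listener closed: %w", err)
			}
			fmt.Fprintln(os.Stderr, "accept failure:", err)
			continue
		}

		// NOTE(review): the backend is dialled before the TLS handshake has
		// happened (tls.Conn handshakes lazily on first Read/Write), so an
		// idle TCP client holds one backend connection open until it goes away.
		backend, err := net.Dial("unix", socket)
		if err != nil {
			fmt.Fprintln(os.Stderr, "socket connection error:", err)
			conn.Close()
			continue
		}

		go relay(conn, backend)
	}
}

// listen returns the systemd-activated listener when exactly one socket was
// passed in, and a fresh TCP listener on addr otherwise. Any other number of
// activated sockets is a configuration error.
func listen(addr string) (net.Listener, error) {
	fds := activation.Files()
	switch len(fds) {
	case 0:
		ln, err := net.Listen("tcp", addr)
		if err != nil {
			return nil, fmt.Errorf("listening on %q: %w", addr, err)
		}
		return ln, nil
	case 1:
		ln, err := net.FileListener(fds[0])
		// net.FileListener duplicates the descriptor, so the *os.File can be
		// closed immediately without affecting ln (this answers the old TODO).
		fds[0].Close()
		if err != nil {
			return nil, fmt.Errorf("using activated socket: %w", err)
		}
		return ln, nil
	default:
		return nil, fmt.Errorf("%d activated sockets passed in, expected exactly one; check the .socket file configuration", len(fds))
	}
}

// relay copies bytes in both directions between client and backend and closes
// both ends once the backend stops sending. When the client side finishes
// first, backend gets a write-side shutdown so it observes EOF and can still
// flush its reply; a *net.UnixConn supports CloseWrite, a tls.Conn does not,
// which is why the backend->client direction is the one that ends the session.
//
// The original implementation closed only the client, leaking one backend
// connection per session.
func relay(client, backend net.Conn) {
	defer client.Close()
	defer backend.Close()

	go func() {
		// Copy errors are expected here (the other side closing) and are
		// deliberately not reported.
		io.Copy(backend, client)
		if cw, ok := backend.(interface{ CloseWrite() error }); ok {
			cw.CloseWrite()
		} else {
			backend.Close()
		}
	}()

	io.Copy(client, backend)
}

// wrapTLS returns listener wrapped for TLS with the server certificate in
// certFile/keyFile. The listener is only returned when the key pair loads;
// the original version printed the load error and carried on with an empty
// certificate, which failed every handshake later on.
//
// When clientCAFile is non-empty, clients must present a certificate that
// chains to one of the CAs in that PEM bundle (RequireAndVerifyClientCert).
// When it is empty the previous behaviour is kept: a client certificate is
// demanded but never verified (RequireAnyClientCert), which does not
// authenticate the peer at all - a warning says so at startup.
func wrapTLS(listener net.Listener, certFile, keyFile, clientCAFile string) (net.Listener, error) {
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, fmt.Errorf("loading certificate %q with key %q: %w", certFile, keyFile, err)
	}

	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.RequireAnyClientCert,
	}
	// BuildNameToCertificate is deprecated: the Certificates slice is searched
	// automatically, so the call has been dropped.

	if clientCAFile == "" {
		fmt.Fprintln(os.Stderr, "warning: no -clientca given - client certificates are required but not verified")
		return tls.NewListener(listener, cfg), nil
	}

	pemBytes, err := os.ReadFile(clientCAFile)
	if err != nil {
		return nil, fmt.Errorf("reading client CA bundle %q: %w", clientCAFile, err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no certificates found in client CA bundle %q", clientCAFile)
	}
	cfg.ClientCAs = pool
	cfg.ClientAuth = tls.RequireAndVerifyClientCert

	return tls.NewListener(listener, cfg), nil
}

--------------------------------------------------------------------------------
/gocat.service:
--------------------------------------------------------------------------------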
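[Unit]
Description=Socket Activated Go HTTP Server Example

[Service]
# To run directly
ExecStart=/vagrant/gocat/gocat /tmp/testsock :8080
--------------------------------------------------------------------------------
/gocat.socket:
--------------------------------------------------------------------------------
[Unit]
Description=Socket for Go HTTP Server Example

[Socket]
ListenStream=8080
--------------------------------------------------------------------------------
/util/socket_client.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"io"
	"net"
	"os"
)

// main connects to the test Unix socket and bridges it to the terminal.
// Exits with status 1 when the socket cannot be dialled (the original went on
// and dereferenced a nil conn).
//
// NOTE(review): socket_client.go and socket_server.go both declare main and
// ioConnect in package main, so they presumably are run one at a time with
// `go run <file>` rather than built as one package - confirm.
func main() {
	conn, err := net.Dial("unix", "/tmp/testsock")
	if err != nil {
		fmt.Fprintln(os.Stderr, "socket connection error:", err)
		os.Exit(1)
	}

	ioConnect(conn)
}

// ioConnect relays rw to stdout and stdin to rw until stdin is exhausted,
// then closes rw. io.Copy is (dst, src): the original copied into os.Stdin
// and out of os.Stdout, which only happens to work on a tty where both
// descriptors are read/write.
func ioConnect(rw io.ReadWriteCloser) {
	go func() {
		// Copy errors are not reported: this is an interactive test helper.
		io.Copy(os.Stdout, rw)
		fmt.Fprintln(os.Stderr, "(input closed)")
	}()
	io.Copy(rw, os.Stdin)
	fmt.Fprintln(os.Stderr, "(closing output)")
	rw.Close()
}
--------------------------------------------------------------------------------
/util/socket_server.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"io"
	"net"
	"os"
)

// main listens on the test Unix socket, accepts a single connection and
// bridges it to the terminal. Exits with status 1 when the listener cannot be
// created.
//
// NOTE(review): socket_client.go and socket_server.go both declare main and
// ioConnect in package main, so they presumably are run one at a time with
// `go run <file>` rather than built as one package - confirm.
func main() {
	ln, err := net.Listen("unix", "/tmp/testsock")
	if err != nil {
		fmt.Fprintln(os.Stderr, "socket listen error:", err)
		os.Exit(1)
	}
	// Deferred only after the error check: ln is nil when Listen fails, and
	// the original deferred ln.Close() before looking at err.
	defer ln.Close()

	conn, err := ln.Accept()
	if err != nil {
		fmt.Fprintln(os.Stderr, "accept failure:", err)
		return
	}
	ioConnect(conn)
}

// ioConnect relays rw to stdout and stdin to rw until stdin is exhausted,
// then closes rw. io.Copy is (dst, src): the original copied into os.Stdin
// and out of os.Stdout, which only happens to work on a tty where both
// descriptors are read/write.
func ioConnect(rw io.ReadWriteCloser) {
	go func() {
		// Copy errors are not reported: this is an interactive test helper.
		io.Copy(os.Stdout, rw)
		fmt.Fprintln(os.Stderr, "(input closed)")
	}()
	io.Copy(rw, os.Stdin)
	fmt.Fprintln(os.Stderr, "(closing output)")
	rw.Close()
}
--------------------------------------------------------------------------------
/util/tls_client.go:
--------------------------------------------------------------------------------
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"os"
)

// main dials the local test server with the client certificate in
// client_cert.pem/client_private.key and bridges the connection to the
// terminal. Exits with status 1 on any setup failure so scripts can tell
// (the original returned status 0).
func main() {
	cert, err := tls.LoadX509KeyPair("client_cert.pem", "client_private.key")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cert load failed:", err)
		os.Exit(1)
	}

	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// The server certificate is not checked at all. That is tolerable for
		// a loopback test helper talking to the self-signed tls_server.go, and
		// nowhere else.
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
	}

	conn, err := tls.Dial("tcp", "localhost:8080", cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, "dial failed:", err)
		os.Exit(1)
	}
	// The original never closed conn; main returning would have dropped it
	// without a close_notify.
	defer conn.Close()

	go io.Copy(conn, os.Stdin)
	io.Copy(os.Stdout, conn)
}
--------------------------------------------------------------------------------
/util/tls_server.go:
--------------------------------------------------------------------------------
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"os"
)

// main serves TLS on :8080 with the certificate in cert.pem/private.key,
// writes "success!" to every client and closes it. Exits with status 1 when
// the key pair cannot be loaded (the original continued with an empty
// certificate) or the listener cannot be created (the original used -1,
// which the shell reports as 255).
func main() {
	cert, err := tls.LoadX509KeyPair("cert.pem", "private.key")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cert load failed:", err)
		os.Exit(1)
	}

	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		// RequireAnyClientCert demands a certificate but never verifies it, so
		// it does not authenticate the client; verification needs a ClientCAs
		// pool together with RequireAndVerifyClientCert.
		ClientAuth: tls.RequireAnyClientCert,
	}
	// ServerName is a client-side field and is ignored by a server config,
	// and BuildNameToCertificate is deprecated; both have been dropped.

	ln, err := tls.Listen("tcp", ":8080", cfg)
	if err != nil {
		fmt.Fprintln(os.Stderr, "listen failed:", err)
		os.Exit(1)
	}
	defer ln.Close()

	for {
		conn, err := ln.Accept()
		if err != nil {
			// A closed listener would otherwise make this loop spin forever.
			if errors.Is(err, net.ErrClosed) {
				return
			}
			fmt.Fprintln(os.Stderr, "accept failure:", err)
			continue
		}

		// Write errors (e.g. a failed handshake) are ignored: the helper only
		// needs to show whether a client can get through.
		fmt.Fprintln(conn, "success!")
		conn.Close()
	}
}
--------------------------------------------------------------------------------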