├── .github └── workflows │ └── deploy.yaml ├── .gitignore ├── LICENSE ├── README.md ├── ca └── ca.go ├── cmd └── main.go ├── go.mod ├── go.sum ├── internal └── streamcopy │ └── streamcopy.go └── pkg └── installca ├── installca.go ├── platform_linux.go └── platform_windows.go /.github/workflows/deploy.yaml: -------------------------------------------------------------------------------- 1 | name: Deploy 2 | 3 | permissions: 4 | contents: write 5 | 6 | on: 7 | push: {} 8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v4 14 | - uses: actions/setup-go@v3 15 | with: 16 | go-version: '1.22' 17 | - run: go version 18 | - run: mkdir -p dist 19 | - name: Build For Linux 20 | run: | 21 | CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o dist/local-tls-proxy-linux_x86_64.exe ./cmd/ 22 | - name: Build For Windows 23 | run: | 24 | GOOS=windows GOARCH=amd64 go build -o dist/local-tls-proxy-windows_x86_64.exe ./cmd/ 25 | - name: Archive production artifacts 26 | uses: actions/upload-artifact@v3 27 | with: 28 | name: dist 29 | path: | 30 | dist/ 31 | release: 32 | needs: 33 | - build 34 | runs-on: ubuntu-latest 35 | steps: 36 | - name: Download artifacts 37 | uses: actions/download-artifact@v3 38 | with: 39 | name: dist 40 | path: dist/ 41 | - name: Release 42 | uses: softprops/action-gh-release@v1 43 | if: startsWith(github.ref, 'refs/tags/') 44 | env: 45 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 46 | with: 47 | files: | 48 | dist/* 49 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # If you prefer the allow list template instead of the deny list, see community template: 2 | # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore 3 | # 4 | # Binaries for programs and plugins 5 | *.exe 6 | *.exe~ 7 | *.dll 8 | *.so 9 | *.dylib 10 | 11 | # Test binary, built with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Dependency directories (remove the comment below to include it) 18 | # vendor/ 19 | 20 | # Go workspace file 21 | go.work 22 | go.work.sum 23 | 24 | # env file 25 | .env 26 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # local-tls-proxy 2 | 3 | ```text 4 | Usage of local-tls-proxy 5 | -ca-cert string 6 | KeyPair certificate file path (default "ca.pem") 7 | -ca-key string 8 | KeyPair key file path (default "ca.key") 9 | -install 10 | install CA certificate 11 | -port int 12 | server port (default 5443) 13 | ``` 14 | 15 | Proxing https://{PORT}.{IP}.sslip.io:5443/ to http://{IP}:{PORT}/ 16 | 17 | # License 18 | 19 | [Apache 2.0](./LICENSE) 20 | -------------------------------------------------------------------------------- /ca/ca.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 JC-Lab. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 3 | // license that can be found in the LICENSE file. 4 | 5 | package ca 6 | 7 | import ( 8 | "crypto" 9 | "crypto/ecdsa" 10 | "crypto/elliptic" 11 | "crypto/rand" 12 | "crypto/x509" 13 | "crypto/x509/pkix" 14 | "fmt" 15 | "github.com/pkg/errors" 16 | "math/big" 17 | "net" 18 | "time" 19 | ) 20 | 21 | type KeyPair struct { 22 | Key crypto.PrivateKey 23 | Cert *x509.Certificate 24 | } 25 | 26 | func GenerateCA() (*KeyPair, error) { 27 | // CA의 Private Key 생성 28 | caKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 29 | if err != nil { 30 | return nil, errors.Wrap(err, "failed to generate private key") 31 | } 32 | 33 | // KeyPair 인증서 템플릿 생성 34 | caTemplate := &x509.Certificate{ 35 | SerialNumber: big.NewInt(1), 36 | Subject: pkix.Name{ 37 | Organization: []string{"local-tls-proxy"}, 38 | CommonName: "local-tls-proxy KeyPair", 39 | }, 40 | NotBefore: time.Now(), 41 | NotAfter: time.Now().AddDate(10, 0, 0), // 10년 유효 42 | KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, 43 | IsCA: true, 44 | BasicConstraintsValid: true, 45 | } 46 | 47 | // KeyPair 인증서 자체 서명 48 | caCertBytes, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &caKey.PublicKey, caKey) 49 | if err != nil { 50 | return nil, fmt.Errorf("failed to create certificate: %v", err) 51 | } 52 | 53 | caCert, err := x509.ParseCertificate(caCertBytes) 54 | if err != nil { 55 | return nil, fmt.Errorf("failed to create certificate: %v", err) 56 | } 57 | 58 | return &KeyPair{ 59 | Key: caKey, 60 | Cert: caCert, 61 | }, nil 62 | } 63 | 64 | func (ca *KeyPair) GenerateLeafCert(domain string) (*KeyPair, error) { 65 | var isDomain bool = false 66 | ip := net.ParseIP(domain) 67 | if ip == nil { 68 | isDomain = true 69 | ip = net.ParseIP("127.0.0.1") 70 | } 71 | 72 | // Leaf 인증서의 Private Key 생성 73 | leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 74 | if err != nil { 75 | return nil, fmt.Errorf("failed to generate leaf private key: %v", err) 76 | } 77 | 78 | // Leaf 인증서 템플릿 생성 79 | leafTemplate := &x509.Certificate{ 80 | SerialNumber: big.NewInt(2), 81 | Subject: pkix.Name{ 82 | CommonName: domain, 83 | }, 84 | NotBefore: time.Now(), 85 | NotAfter: time.Now().AddDate(1, 0, 0), // 1년 유효 86 | KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, 87 | ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, 88 | IPAddresses: []net.IP{ip}, 89 | } 90 | if isDomain { 91 | leafTemplate.DNSNames = []string{domain} 92 | } 93 | 94 | // Leaf 인증서 서명 95 | certBytes, err := x509.CreateCertificate(rand.Reader, leafTemplate, ca.Cert, &leafKey.PublicKey, ca.Key) 96 | if err != nil { 97 | return nil, fmt.Errorf("failed to create leaf certificate: %v", err) 98 | } 99 | 100 | cert, err := x509.ParseCertificate(certBytes) 101 | if err != nil { 102 | return nil, fmt.Errorf("failed to create certificate: %v", err) 103 | } 104 | 105 | return &KeyPair{ 106 | Key: leafKey, 107 | Cert: cert, 108 | }, nil 109 | } 110 | -------------------------------------------------------------------------------- /cmd/main.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 JC-Lab. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 3 | // license that can be found in the LICENSE file. 4 | 5 | package main 6 | 7 | import ( 8 | "crypto/ecdsa" 9 | "crypto/elliptic" 10 | "crypto/rand" 11 | "crypto/tls" 12 | "crypto/x509" 13 | "encoding/pem" 14 | "flag" 15 | "fmt" 16 | "github.com/pkg/errors" 17 | "github.com/youmark/pkcs8" 18 | "local-tls-proxy/ca" 19 | "local-tls-proxy/internal/streamcopy" 20 | "local-tls-proxy/pkg/installca" 21 | "log" 22 | "net" 23 | "os" 24 | "regexp" 25 | "strconv" 26 | "strings" 27 | ) 28 | 29 | var ( 30 | patternSslIp = regexp.MustCompile("(\\d+)\\.([\\w\\d-]+)\\.(sslip\\.io)$") 31 | ) 32 | 33 | func main() { 34 | var caKey string 35 | var caCert string 36 | var port int 37 | var install bool 38 | 39 | flag.StringVar(&caKey, "ca-key", "ca.key", "KeyPair key file path") 40 | flag.StringVar(&caCert, "ca-cert", "ca.pem", "KeyPair certificate file path") 41 | flag.IntVar(&port, "port", 5443, "server port") 42 | flag.BoolVar(&install, "install", false, "install CA certificate") 43 | flag.Parse() 44 | 45 | caObj, err := initializeCa(caKey, caCert) 46 | if err != nil { 47 | log.Panicln(err) 48 | } 49 | _ = caObj 50 | 51 | if install { 52 | err = installca.InstallCA(caObj.Cert.Raw) 53 | if err != nil { 54 | log.Panicln(err) 55 | } 56 | return 57 | } 58 | 59 | certPool := x509.NewCertPool() 60 | certPool.AddCert(caObj.Cert) 61 | 62 | wildcardCert, err := caObj.GenerateLeafCert("*.127-0-0-1.sslip.io") 63 | if err != nil { 64 | log.Panicln(err) 65 | } 66 | 67 | _ = wildcardCert 68 | 69 | listener, err := tls.Listen("tcp", fmt.Sprintf("0.0.0.0:%d", port), &tls.Config{ 70 | RootCAs: certPool, 71 | Certificates: []tls.Certificate{ 72 | { 73 | PrivateKey: wildcardCert.Key, 74 | Leaf: wildcardCert.Cert, 75 | Certificate: [][]byte{wildcardCert.Cert.Raw, caObj.Cert.Raw}, 76 | }, 77 | }, 78 | //GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { 79 | // log.Println("GetCertificate : ", info) 80 | // return nil, nil 81 | //}, 82 | }) 83 | if err != nil { 84 | log.Panicln(err) 85 | } 86 | 87 | log.Printf("Listening on %s", listener.Addr()) 88 | 89 | for { 90 | client, err := listener.Accept() 91 | if err != nil { 92 | log.Panicln(err) 93 | } 94 | 95 | go handleClient(client) 96 | } 97 | } 98 | 99 | func initializeCa(caKeyFile string, caCertFile string) (*ca.KeyPair, error) { 100 | var caObj *ca.KeyPair 101 | 102 | caKeyPem, err := readPemFile(caKeyFile) 103 | if err == nil { 104 | caCertPem, err := readPemFile(caCertFile) 105 | if err != nil { 106 | return nil, errors.Wrap(err, "failed to read KeyPair certificate") 107 | } 108 | caObj = &ca.KeyPair{} 109 | caObj.Cert, err = x509.ParseCertificate(caCertPem.Bytes) 110 | if err != nil { 111 | return nil, errors.Wrap(err, "failed to parse KeyPair certificate") 112 | } 113 | caObj.Key, err = pkcs8.ParsePKCS8PrivateKey(caKeyPem.Bytes) 114 | if err != nil { 115 | return nil, errors.Wrap(err, "failed to parse KeyPair key") 116 | } 117 | } else if os.IsNotExist(err) { 118 | log.Println("Generate new caObj certificate...") 119 | 120 | caObj = &ca.KeyPair{} 121 | caObj.Key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 122 | if err != nil { 123 | return nil, errors.Wrap(err, "failed to generate key") 124 | } 125 | caObj, err = ca.GenerateCA() 126 | if err != nil { 127 | return nil, err 128 | } 129 | 130 | caKeyRaw, err := pkcs8.MarshalPrivateKey(caObj.Key, nil, nil) 131 | if err != nil { 132 | return nil, err 133 | } 134 | err = writePemFile(caKeyFile, &pem.Block{Type: "EC PRIVATE KEY", Bytes: caKeyRaw}) 135 | if err != nil { 136 | return nil, err 137 | } 138 | err = writePemFile(caCertFile, &pem.Block{Type: "CERTIFICATE", Bytes: caObj.Cert.Raw}) 139 | if err != nil { 140 | return nil, err 141 | } 142 | } else { 143 | return nil, errors.Wrap(err, "failed to read KeyPair key") 144 | } 145 | 146 | return caObj, nil 147 | } 148 | 149 | func handleClient(client net.Conn) { 150 | defer client.Close() 151 | 152 | tlsConn := client.(*tls.Conn) 153 | err := tlsConn.Handshake() 154 | if err != nil { 155 | log.Println("handshake failed: ", err) 156 | return 157 | } 158 | 159 | serverName := tlsConn.ConnectionState().ServerName 160 | 161 | matches := patternSslIp.FindStringSubmatch(serverName) 162 | if len(matches) <= 0 { 163 | log.Println("unknown domain: %s", serverName) 164 | return 165 | } 166 | targetPort, err := strconv.ParseInt(matches[1], 10, 16) 167 | if err != nil { 168 | log.Printf("DOMAIN[%s] port parse failed: %v", serverName, err) 169 | return 170 | } 171 | targetAddr := strings.ReplaceAll(matches[2], "-", ".") 172 | 173 | targetConn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", targetAddr, targetPort)) 174 | if err != nil { 175 | log.Printf("DOMAIN[%s] dial failed: %v", serverName, err) 176 | return 177 | } 178 | 179 | defer targetConn.Close() 180 | 181 | streamcopy.BiDirectionCopy(targetConn.(*net.TCPConn), tlsConn) 182 | } 183 | 184 | func readPemFile(name string) (*pem.Block, error) { 185 | raw, err := os.ReadFile(name) 186 | if err != nil { 187 | return nil, err 188 | } 189 | block, _ := pem.Decode(raw) 190 | if block == nil { 191 | return nil, errors.New("failed to decode PEM") 192 | } 193 | return block, nil 194 | } 195 | 196 | func writePemFile(name string, block *pem.Block) error { 197 | f, err := os.Create(name) 198 | if err != nil { 199 | return err 200 | } 201 | defer f.Close() 202 | return pem.Encode(f, block) 203 | } 204 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module local-tls-proxy 2 | 3 | go 1.22 4 | 5 | require ( 6 | github.com/pkg/errors v0.9.1 // indirect 7 | github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect 8 | golang.org/x/crypto v0.22.0 // indirect 9 | ) 10 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 2 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 3 | github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM= 4 | github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI= 5 | golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= 6 | golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= 7 | -------------------------------------------------------------------------------- /internal/streamcopy/streamcopy.go: -------------------------------------------------------------------------------- 1 | // Copyright 2024 JC-Lab. All rights reserved. 2 | // Use of this source code is governed by an Apache 2.0 3 | // license that can be found in the LICENSE file. 4 | 5 | package streamcopy 6 | 7 | import ( 8 | "github.com/pkg/errors" 9 | "io" 10 | "log" 11 | "os" 12 | "strings" 13 | "sync/atomic" 14 | "time" 15 | ) 16 | 17 | type HalfConn interface { 18 | io.Closer 19 | io.Reader 20 | io.Writer 21 | SetReadDeadline(t time.Time) error 22 | CloseWrite() error 23 | } 24 | 25 | type CloseRead interface { 26 | CloseRead() error 27 | } 28 | 29 | func IsDeadlineErr(err error) bool { 30 | if err == nil { 31 | return false 32 | } 33 | if strings.Contains(err.Error(), "deadline") { 34 | return true 35 | } 36 | return errors.Is(err, os.ErrDeadlineExceeded) 37 | } 38 | 39 | func Copy(prunning *int32, src HalfConn, dst HalfConn) error { 40 | var buf [65536]byte 41 | var rerr error 42 | var werr error 43 | 44 | for atomic.LoadInt32(prunning) == 1 { 45 | var n int 46 | src.SetReadDeadline(time.Now().Add(time.Second * 3)) 47 | n, rerr = src.Read(buf[:]) 48 | if n > 0 { 49 | _, werr = dst.Write(buf[:n]) 50 | } 51 | if rerr != nil && IsDeadlineErr(rerr) { 52 | rerr = nil 53 | } 54 | if rerr != nil || werr != nil { 55 | break 56 | } 57 | } 58 | 59 | srcCloseRead, ok := src.(CloseRead) 60 | if ok { 61 | srcCloseRead.CloseRead() 62 | } 63 | dst.CloseWrite() 64 | 65 | if werr != nil && werr != io.EOF { 66 | return werr 67 | } 68 | if rerr != nil && rerr != io.EOF { 69 | return rerr 70 | } 71 | return nil 72 | } 73 | 74 | func BiDirectionCopy(stream HalfConn, conn HalfConn) { 75 | var running int32 = 1 76 | exitCh := make(chan error, 1) 77 | 78 | go func() { 79 | exitCh <- Copy(&running, conn, stream) 80 | atomic.StoreInt32(&running, 0) 81 | }() 82 | if err := Copy(&running, stream, conn); err != nil { 83 | log.Println("connToStreamCopy error: ", err) 84 | } 85 | atomic.StoreInt32(&running, 0) 86 | err := <-exitCh 87 | if err != nil && err != io.EOF { 88 | log.Println("streamToConnCopy error: ", err) 89 | } 90 | stream.Close() 91 | conn.Close() 92 | } 93 | -------------------------------------------------------------------------------- /pkg/installca/installca.go: -------------------------------------------------------------------------------- 1 | package installca 2 | 3 | import ( 4 | "encoding/pem" 5 | "io" 6 | "os" 7 | ) 8 | 9 | func writeToCertificatePem(out io.Writer, raw []byte) error { 10 | block := &pem.Block{ 11 | Type: "CERTIFICATE", 12 | Bytes: raw, 13 | } 14 | return pem.Encode(out, block) 15 | } 16 | 17 | func writeToCertificatePemFile(name string, raw []byte) error { 18 | f, err := os.Create(name) 19 | if err != nil { 20 | return err 21 | } 22 | defer f.Close() 23 | return writeToCertificatePem(f, raw) 24 | } 25 | -------------------------------------------------------------------------------- /pkg/installca/platform_linux.go: -------------------------------------------------------------------------------- 1 | //go:build linux 2 | // +build linux 3 | 4 | package installca 5 | 6 | import ( 7 | "crypto/sha256" 8 | "encoding/hex" 9 | "os" 10 | "os/exec" 11 | "path/filepath" 12 | ) 13 | 14 | func InstallCA(x509Certificate []byte) error { 15 | hash := sha256.New() 16 | hash.Write(x509Certificate) 17 | fingerprint := hash.Sum(nil) 18 | if err := writeToCertificatePemFile(filepath.Join("/usr/local/share/ca-certificates", "local-tls-proxy-"+hex.EncodeToString(fingerprint)+".crt"), x509Certificate); err != nil { 19 | return err 20 | } 21 | 22 | cmd := exec.Command("update-ca-certificates") 23 | cmd.Stderr = os.Stderr 24 | cmd.Stdout = os.Stdout 25 | return cmd.Run() 26 | } 27 | -------------------------------------------------------------------------------- /pkg/installca/platform_windows.go: -------------------------------------------------------------------------------- 1 | //go:build windows 2 | // +build windows 3 | 4 | package installca 5 | 6 | import ( 7 | "os" 8 | "os/exec" 9 | ) 10 | 11 | func InstallCA(x509Certificate []byte) error { 12 | f, err := os.CreateTemp(os.TempDir(), "tmp-*.crt") 13 | if err != nil { 14 | return err 15 | } 16 | defer os.Remove(f.Name()) 17 | err = writeToCertificatePem(f, x509Certificate) 18 | f.Close() 19 | if err != nil { 20 | return err 21 | } 22 | 23 | cmd := exec.Command("certutil", "-addstore", "-f", "ROOT", f.Name()) 24 | cmd.Stderr = os.Stderr 25 | cmd.Stdout = os.Stdout 26 | return cmd.Run() 27 | } 28 | --------------------------------------------------------------------------------