init commit

.gitignore

@@ -0,0 +1,3 @@
+*.key
+*.pem
+tlsendpoint*

LICENSE

@@ -0,0 +1,166 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+

README.md

@@ -0,0 +1,21 @@
+tlsendpoint
+============
+
+a tls termination util that forward the request to backend server by sni name
+
+support many different kind of backends, tcp, unix, tls...
+
+
+example:
+
+ client A requests with sni name a.example.com forward to 127.0.0.1:8081
+
+ client B requests with sni name b.example.com forward to
+ 127.0.0.1:8082
+
+usage
+
+    go get github.com/fangdingjun/tlsendpoint
+    cp $GOPATH/src/github.com/fangdingjun/tlsendpoint/config_example.yaml config.yaml
+    vim config.yaml
+    $GOPATH/bin/tlsendpoint -c config.yaml

config.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"crypto/tls"
+	"io/ioutil"
+	"log"
+	"net/url"
+
+	"github.com/go-yaml/yaml"
+)
+
+type conf struct {
+	Listen         []string      `yaml:"listen"`
+	Forward        []forward     `yaml:"forward"`
+	Certificate    []certificate `yaml:"certificate"`
+	DefaultBackend string        `yaml:"default_backend"`
+}
+
+type forward struct {
+	SNI     string `yaml:"sni"`
+	Backend string `yaml:"backend"`
+}
+
+type certificate struct {
+	Cert string `yaml:"cert"`
+	Key  string `yaml:"key"`
+}
+
+func loadConfig(f string) (c *conf, err error) {
+	data, err := ioutil.ReadFile(f)
+	if err != nil {
+		return
+	}
+	c = &conf{}
+	if err = yaml.Unmarshal(data, c); err != nil {
+		return
+	}
+	return
+}
+
+func (f forward) match(sni string) bool {
+	if f.SNI == sni {
+		return true
+	}
+	return false
+}
+
+func (f forward) getBackend() *url.URL {
+	u, err := url.Parse(f.Backend)
+	if err != nil {
+		log.Println(err)
+		return nil
+	}
+	return u
+}
+
+func (c certificate) load() (tls.Certificate, error) {
+	cert, err := tls.LoadX509KeyPair(c.Cert, c.Key)
+	return cert, err
+}

config_example.yaml

@@ -0,0 +1,27 @@
+listen:
+    -   :10312
+    -  127.0.0.1:11113
+
+certificate:
+  -
+    cert: a.pem
+    key: a.key
+  -
+    cert: b.pem
+    key: b.key
+
+forward:
+  -
+    sni: a.example.com
+    backend: tcp://127.0.0.1:9002
+  - 
+    sni: b.example.com
+    backend: http://127.0.0.1:8001
+  -
+    sni: b.example.com
+    backend: unix:///tmp/a.sock
+  -
+    sni: d.example.com
+    backend: tls://localhost:1921
+
+default_backend:  tcp://localhost:1212

config_test.go

@@ -0,0 +1,14 @@
+package main
+
+import (
+	"fmt"
+	"testing"
+)
+
+func TestConfig(t *testing.T) {
+	c, err := loadConfig("config_example.yaml")
+	if err != nil {
+		t.Fatal(err)
+	}
+	fmt.Printf("%+v\n", c)
+}

handler.go

@@ -0,0 +1,121 @@
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/url"
+	"strings"
+)
+
+func initHandler() {
+	var _certs []tls.Certificate
+	for _, _c := range _config.Certificate {
+		_cert, err := _c.load()
+		if err != nil {
+			log.Println("load certificate failed", err)
+			continue
+		}
+		_certs = append(_certs, _cert)
+
+	}
+	_tlsconfig := &tls.Config{
+		Certificates: _certs,
+	}
+	_tlsconfig.BuildNameToCertificate()
+
+	for _, _l := range _config.Listen {
+		l, err := tls.Listen("tcp", _l, _tlsconfig)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		go func(l net.Listener) {
+			defer l.Close()
+			for {
+				c, err := l.Accept()
+				if err != nil {
+					break
+				}
+				go handleConnection(c)
+			}
+		}(l)
+	}
+}
+
+func handleConnection(c net.Conn) {
+	defer c.Close()
+
+	log.Printf("connection from %s", c.RemoteAddr().String())
+	tlsconn := c.(*tls.Conn)
+	connstate := tlsconn.ConnectionState()
+	for !connstate.HandshakeComplete {
+		if err := tlsconn.Handshake(); err != nil {
+			log.Println(err)
+			return
+		}
+		connstate = tlsconn.ConnectionState()
+	}
+
+	log.Printf("handshake complete")
+	servername := connstate.ServerName
+	var backend *url.URL
+	for _, f := range _config.Forward {
+		if !f.match(servername) {
+			continue
+		}
+		backend = f.getBackend()
+		break
+	}
+	if backend == nil {
+		_b, err := url.Parse(_config.DefaultBackend)
+		if err != nil {
+			log.Println(err)
+			return
+		}
+		backend = _b
+	}
+	log.Printf("sni name %s, get backend: %s", servername, backend.String())
+	handleForward(tlsconn, backend)
+}
+
+func handleForward(c *tls.Conn, b *url.URL) {
+	var remote net.Conn
+	var err error
+
+	log.Printf("forward to %s", b.String())
+	switch b.Scheme {
+	case "tcp":
+		remote, err = net.Dial("tcp", b.Host)
+	case "unix":
+		remote, err = net.Dial("unix", b.Host)
+	case "http":
+		if !strings.Contains(b.Host, ":") {
+			b.Host = fmt.Sprintf("%s:80", b.Host)
+		}
+		remote, err = net.Dial("tcp", b.Host)
+	case "tls":
+		h, _, _ := net.SplitHostPort(b.Host)
+		remote, err = tls.Dial("tcp", b.Host, &tls.Config{ServerName: h})
+	}
+
+	if err != nil {
+		log.Println(err)
+		return
+	}
+	log.Println("begin data forward")
+
+	defer remote.Close()
+	ch := make(chan struct{}, 2)
+	go func() {
+		io.Copy(c, remote)
+		ch <- struct{}{}
+	}()
+	go func() {
+		io.Copy(remote, c)
+		ch <- struct{}{}
+	}()
+	<-ch
+}

main.go

@@ -0,0 +1,23 @@
+package main
+
+import (
+	"flag"
+	"log"
+)
+
+var _config *conf
+
+func main() {
+	var configfile string
+	flag.StringVar(&configfile, "c", "config.yaml", "config file")
+	flag.Parse()
+
+	cfg, err := loadConfig(configfile)
+	if err != nil {
+		log.Fatal(err)
+	}
+	_config = cfg
+
+	initHandler()
+	select {}
+}