I wrote a program that issues SSL certificates automatically, on the fly (at the first request to a domain). To get it going, it is enough just to start it;
Details inside.
Background

I have been working with Let's Encrypt since about April of this year, issuing certificates in large quantities (many thousands, with new ones being added constantly).
Initially it looked like this: one program builds the list of domains that need a certificate, a second program goes and issues those certificates, and a third checks the issued certificates and writes the list for haproxy/nginx (because with a broken certificate they will not restart when the certificate list is updated, and all https sites go down). It works quite reliably, but it ends up being a lot of components.
On top of that, launching this contraption on Windows + IIS turned out to be non-trivial, and a colleague had to invent extra workarounds.
Requirements:
1. On the client side: SNI support (the major browsers have supported it for a long time). Update: one domain can now be served without SNI (specified by a parameter).
2. On the server side: anything a Go binary can be compiled for (Windows, Linux, FreeBSD, Mac). Tested on Windows and Linux.
3. The domain complies with the Let's Encrypt rules, which at the moment are: the domain name is 64 characters or shorter, and no punycode (i.e. such a domain will not get a certificate). Update: punycode is now supported.
4. The server hosting the site is reachable from the public network.
Principle of operation

The program works as a reverse proxy, issuing the right certificates on the fly as needed.
When a request arrives, the program reads from the SNI extension which domain needs a certificate. If a certificate already exists, the request is processed further with that certificate.
If there is none, a request is sent to Let's Encrypt to obtain a certificate for the name from the SNI header, and processing continues with the newly received certificate (the certificate is stored in the cache).
In Let's Encrypt the domain is validated with the tls-sni-01 method: by generating a certificate for a specially crafted https request.
All the checks and obtaining the certificate take about 3 seconds. That is the delay on the first https request to the domain.
The request is then forwarded to the same IP on which the https request arrived, but on port 80 and without encryption, i.e. as plain http.
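The flow just described (certificate chosen per SNI name, issued once on first use, then the decrypted request proxied to port 80 on the same IP) as an added Go example; this is not lets-proxy's own code. The ACME exchange itself is left as an injected `Issuer` function, since Let's Encrypt has since retired the tls-sni-01 challenge; `diskIssuer`, the `./certs` file layout, the `X-Forwarded-Proto` header and the `127.0.0.1:80` fallback are assumptions of this example. The cache also covers two points the post only implies: concurrent handshakes for one name share a single issuance instead of each paying the ~3 seconds, and a failed issuance is not cached.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"path/filepath"
	"strings"
	"sync"
)

// Issuer obtains a certificate for one domain. In lets-proxy this is the ACME exchange
// with Let's Encrypt; here it is injected (an assumption of this example) so the cache
// logic can be exercised offline.
type Issuer func(domain string) (*tls.Certificate, error)

// entry is one cache slot; sync.Once makes concurrent handshakes for the same name
// share a single issuance instead of each asking the CA.
type entry struct {
	once sync.Once
	cert *tls.Certificate
	err  error
}

// CertCache serves one certificate per SNI name, issuing it on the first handshake.
type CertCache struct {
	mu      sync.Mutex
	entries map[string]*entry
	issue   Issuer
}

func NewCertCache(issue Issuer) *CertCache {
	return &CertCache{entries: map[string]*entry{}, issue: issue}
}

// Lookup returns the cached certificate for name or issues it once. Other names are
// never blocked by an in-flight issuance, and a failed issuance is dropped so the
// next handshake for that name retries instead of serving a cached error.
func (c *CertCache) Lookup(name string) (*tls.Certificate, error) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	// The Let's Encrypt rule quoted in the post (64 characters or shorter), plus a
	// rejection of characters that would let an SNI name escape the cache directory.
	if name == "" || len(name) > 64 || strings.ContainsAny(name, "/\\") || strings.Contains(name, "..") {
		return nil, fmt.Errorf("refusing to issue for SNI name %q", name)
	}
	c.mu.Lock()
	e, ok := c.entries[name]
	if !ok {
		e = &entry{}
		c.entries[name] = e
	}
	c.mu.Unlock()
	e.once.Do(func() { e.cert, e.err = c.issue(name) })
	if e.err != nil {
		c.mu.Lock()
		if c.entries[name] == e {
			delete(c.entries, name)
		}
		c.mu.Unlock()
	}
	return e.cert, e.err
}

// BackendAddr maps the address the TLS request arrived on to the same IP, port 80.
func BackendAddr(local net.Addr) (string, error) {
	if local == nil {
		return "", fmt.Errorf("request carries no local address")
	}
	host, _, err := net.SplitHostPort(local.String())
	if err != nil {
		return "", err
	}
	return net.JoinHostPort(host, "80"), nil
}

// NewProxy forwards each decrypted request to plain HTTP on the IP it arrived on.
func NewProxy() *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(req *http.Request) {
		local, _ := req.Context().Value(http.LocalAddrContextKey).(net.Addr)
		backend, err := BackendAddr(local)
		if err != nil {
			backend = "127.0.0.1:80" // fallback chosen for this example
		}
		req.URL.Scheme = "http"
		req.URL.Host = backend
		req.Header.Set("X-Forwarded-Proto", "https") // the backend only sees plain HTTP
	}}
}

// diskIssuer stands in for ACME: it loads <dir>/<domain>.crt and <dir>/<domain>.key
// (a file layout assumed for this example, not lets-proxy's own).
func diskIssuer(dir string) Issuer {
	return func(domain string) (*tls.Certificate, error) {
		crt, err := tls.LoadX509KeyPair(filepath.Join(dir, domain+".crt"), filepath.Join(dir, domain+".key"))
		if err != nil {
			return nil, err
		}
		return &crt, nil
	}
}

func main() {
	cache := NewCertCache(diskIssuer("./certs"))
	srv := &http.Server{
		Addr:    ":443",
		Handler: NewProxy(),
		TLSConfig: &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return cache.Lookup(h.ServerName) // Go passes the SNI name of every handshake here
		}},
	}
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

`GetCertificate` is the hook Go's TLS stack offers for exactly this per-SNI selection, and a client that sends no SNI ends up with an empty name, which `Lookup` rejects rather than issuing for an empty string. Swapping `diskIssuer` for a real ACME client changes nothing in the cache or the proxy.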
Github.com/rekby/lets-proxy/releases/latest

Despite the simplicity of the default mode, the program has many startup keys for tuning the details of its operation. For the full list, run it with the --help key.