authorLuke Shumaker <lukeshu@sbcglobal.net>2016-10-04 13:26:55 -0400
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-10-04 13:26:55 -0400
commit4c15c8881087781b7611f4cf557389392889e1f1 (patch)
tree80103f968eb9d0581e77d4259a77bf2ac7dc78a5
parent6221fa4734eb95d3fd98421db4354d44f8cace8f (diff)
add an HTTPS version
It does its own process management (because socat is stupid and won't let you pass an arbitrary socket to OPENSSL), instead of outsourcing it to systemd/inetd/whatever. And stunnel is too complicated.
-rw-r--r--.gitignore5
-rw-r--r--Makefile12
-rw-r--r--httpconnectd.socket2
-rw-r--r--https.conf12
-rw-r--r--httpsconnectd.service.in12
-rw-r--r--httpsconnectd.sh.in13
6 files changed, 53 insertions, 3 deletions
diff --git a/.gitignore b/.gitignore
index 0e77e51..93d09ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,10 @@
httpconnectd@.service
httpconnectd
httpconnectd.sh
+
+httpsconnectd.service
+httpsconnectd
+httpsconnectd.sh
+
.var.*
.tmp.*
diff --git a/Makefile b/Makefile
index dad9c4a..a745ecf 100644
--- a/Makefile
+++ b/Makefile
@@ -13,13 +13,18 @@ Q = @
MAKEFLAGS += -r
vars = $(patsubst .var.%,%,$(filter .var.%,$^))
-build_targets = httpconnectd httpconnectd@.service httpconnectd.socket basicauth.conf-sample
-install_targets = $(DESTDIR)$(bindir)/httpconnectd $(DESTDIR)$(systemddir)/httpconnectd@.service $(DESTDIR)$(systemddir)/httpconnectd.socket $(DESTDIR)$(pkgconfdir)/basicauth.conf-sample
+build_targets += httpconnectd httpconnectd@.service httpconnectd.socket
+build_targets += httpsconnectd httpsconnectd.service
+build_targets += basicauth.conf-sample
+install_targets += $(DESTDIR)$(bindir)/httpconnectd $(DESTDIR)$(systemddir)/httpconnectd@.service $(DESTDIR)$(systemddir)/httpconnectd.socket
+install_targets += $(DESTDIR)$(bindir)/httpsconnectd $(DESTDIR)$(systemddir)/httpsconnectd.service $(DESTDIR)$(pkgconfdir)/https.conf
+install_targets += $(DESTDIR)$(pkgconfdir)/basicauth.conf-sample
all: $(build_targets)
install: $(install_targets)
clean:
rm -f -- httpconnectd httpconnectd.sh httpconnectd@.service
+ rm -f -- httpsconnectd httpsconnectd.sh httpsconnectd.service
uninstall:
rm -f -- $(install_targets)
rmdir -p -- $(dir $(install_targets))
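Review bot: The new `$(DESTDIR)$(pkgconfdir)/https.conf` entry in `install_targets` puts the live configuration file under the package's control, whereas the basic-auth file is shipped under a sample name (`basicauth.conf-sample`). Because `uninstall` runs `rm -f -- $(install_targets)`, it will now delete an administrator's edited https.conf, and the install rule (outside this hunk) presumably overwrites it with the `myhostname` placeholder paths on reinstall. Installing it as `$(DESTDIR)$(pkgconfdir)/https.conf-sample` would match the existing convention and leave the admin's copy alone. Separately, moving from `=` to `+=` means a `build_targets` or `install_targets` value inherited from the environment is now extended rather than replaced, which reaches the `rm -f` in `uninstall`; an explicit `install_targets =` reset before the first `+=` avoids that.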
@@ -28,6 +33,9 @@ uninstall:
httpconnectd@.service: .var.bindir
httpconnectd.sh: .var.pkgconfdir
+httpsconnectd.service: .var.bindir
+httpsconnectd.sh: .var.pkgconfdir
+
########################################################################
%: %.sh
diff --git a/httpconnectd.socket b/httpconnectd.socket
index c270b12..38cefd8 100644
--- a/httpconnectd.socket
+++ b/httpconnectd.socket
@@ -1,7 +1,7 @@
# Copyright 2016 Luke Shumaker
# License: WTFPLv2
[Unit]
-Description=A simple HTTP server that only implements the CONNECT method
+Description=HTTP CONNECT server
[Socket]
ListenStream=8080
diff --git a/https.conf b/https.conf
new file mode 100644
index 0000000..14cfaec
--- /dev/null
+++ b/https.conf
@@ -0,0 +1,12 @@
+#!/hint/bash
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+
+port=8443
+ssl_options=(
+ cert=/etc/ssl/private/myhostname/fullchain.pem
+ key=/etc/ssl/private/myhostname/privkey.pem
+ dhparam=/etc/ssl/private/dhparam-2048.pem
+
+ verify=0
+)
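Review bot: The `ssl_options` array leaves the TLS protocol version and cipher list at whatever socat and OpenSSL default to, and `verify=0` carries no explanation. On a listener, `verify=0` means no client certificate is checked, so access control rests entirely on what httpconnectd itself enforces (presumably the basic-auth configuration); a comment such as `# verify=0: no client certificates; authentication is left to httpconnectd` would make that explicit. Consider adding socat's `method=` and `cipher=` options to pin a minimum protocol and cipher policy instead of inheriting the defaults. Since httpsconnectd.sh loads this file with `source`, it is executed as code and should stay writable by root only.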
diff --git a/httpsconnectd.service.in b/httpsconnectd.service.in
new file mode 100644
index 0000000..379dc59
--- /dev/null
+++ b/httpsconnectd.service.in
@@ -0,0 +1,12 @@
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+[Unit]
+Description=HTTPS CONNECT server
+
+[Service]
+ExecStart=@bindir@/httpsconnectd
+User=nobody
+Group=keys
+
+[Install]
+WantedBy=multi-user.target
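Review bot: `User=nobody` makes this daemon share a UID with every other process running as nobody, while `Group=keys` presumably exists to let it read the TLS private key named in https.conf. Any other nobody-owned process can signal it and may be able to inspect it, so the key in its memory is only as well protected as the least careful service using that account. A dedicated system account (for example `User=httpsconnectd`, a name constructed here) that is a member of the key-reading group would isolate it. `NoNewPrivileges=yes` and `ProtectSystem=full` in `[Service]` are cheap additions for a process that only needs to read its config and key and listen on an unprivileged port.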
diff --git a/httpsconnectd.sh.in b/httpsconnectd.sh.in
new file mode 100644
index 0000000..3d1da77
--- /dev/null
+++ b/httpsconnectd.sh.in
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+
+# Dependencies:
+# - bash
+# - socat (with OpenSSL support)
+# - httpconnectd
+
+set -e
+source @pkgconfdir@/https.conf
+IFS=,
+socat -d -d -d OPENSSL-LISTEN:"${port},${ssl_options[*]},reuseaddr,fork" EXEC:httpconnectd
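Review bot: `EXEC:httpconnectd` on the last line resolves the helper through `PATH` instead of the configured install directory, so the TLS front end runs whatever `httpconnectd` comes first in the service's search path, or nothing if `bindir` is not on it. Substituting the path keeps the pair consistent: `socat -d -d -d OPENSSL-LISTEN:"${port},${ssl_options[*]},reuseaddr,fork" EXEC:@bindir@/httpconnectd`, with `.var.bindir` added to the `httpsconnectd.sh:` prerequisites in the Makefile. `fork` is also unbounded here; socat's `max-children=` option on the listen address would cap the number of concurrent handlers a client can make the daemon spawn. Adding `set -u` next to `set -e` would stop the script when https.conf fails to define `port` rather than handing socat an empty port.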