From 4c15c8881087781b7611f4cf557389392889e1f1 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Tue, 4 Oct 2016 13:26:55 -0400 Subject: add an HTTPS version It does it's own process management (because socat is stupid and won't let you pass an arbitrary socket to OPENSSL), instead of outsourcing it to systemd/inetd/whatever. And stunnel is too complicated. --- .gitignore | 5 +++++ Makefile | 12 ++++++++++-- httpconnectd.socket | 2 +- https.conf | 12 ++++++++++++ httpsconnectd.service.in | 12 ++++++++++++ httpsconnectd.sh.in | 13 +++++++++++++ 6 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 https.conf create mode 100644 httpsconnectd.service.in create mode 100644 httpsconnectd.sh.in diff --git a/.gitignore b/.gitignore index 0e77e51..93d09ff 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,10 @@ httpconnectd@.service httpconnectd httpconnectd.sh + +httpsconnectd.service +httpsconnectd +httpsconnectd.sh + .var.* .tmp.* diff --git a/Makefile b/Makefile index dad9c4a..a745ecf 100644 --- a/Makefile +++ b/Makefile 
@@ -13,13 +13,18 @@ Q = @ MAKEFLAGS += -r vars = $(patsubst .var.%,%,$(filter .var.%,$^)) -build_targets = httpconnectd httpconnectd@.service httpconnectd.socket basicauth.conf-sample -install_targets = $(DESTDIR)$(bindir)/httpconnectd $(DESTDIR)$(systemddir)/httpconnectd@.service $(DESTDIR)$(systemddir)/httpconnectd.socket $(DESTDIR)$(pkgconfdir)/basicauth.conf-sample +build_targets += httpconnectd httpconnectd@.service httpconnectd.socket +build_targets += httpsconnectd httpsconnectd.service +build_targets += basicauth.conf-sample +install_targets += $(DESTDIR)$(bindir)/httpconnectd $(DESTDIR)$(systemddir)/httpconnectd@.service $(DESTDIR)$(systemddir)/httpconnectd.socket +install_targets += $(DESTDIR)$(bindir)/httpsconnectd $(DESTDIR)$(systemddir)/httpsconnectd.service $(DESTDIR)$(pkgconfdir)/https.conf +install_targets += $(DESTDIR)$(pkgconfdir)/basicauth.conf-sample all: $(build_targets) install: $(install_targets) clean: rm -f -- httpconnectd httpconnectd.sh httpconnectd@.service + rm -f -- httpsconnectd httpsconnectd.sh httpsconnectd.service uninstall: rm -f -- $(install_targets) rmdir -p -- $(dir $(install_targets)) @@ -28,6 +33,9 @@ uninstall: httpconnectd@.service: .var.bindir httpconnectd.sh: .var.pkgconfdir +httpsconnectd.service: .var.bindir +httpsconnectd.sh: .var.pkgconfdir + ######################################################################## %: %.sh diff --git a/httpconnectd.socket b/httpconnectd.socket index c270b12..38cefd8 100644 --- a/httpconnectd.socket +++ b/httpconnectd.socket @@ -1,7 +1,7 @@ # Copyright 2016 Luke Shumaker # License: WTFPLv2 [Unit] -Description=A simple HTTP server that only implements the CONNECT method +Description=HTTP CONNECT server [Socket] ListenStream=8080 diff --git a/https.conf b/https.conf new file mode 100644 index 0000000..14cfaec --- /dev/null +++ b/https.conf 
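Review bot: The first assignment of each list changed from `=` to `+=`, so `build_targets` and `install_targets` now start from whatever the environment or an earlier line supplies instead of from empty; nothing visible in this hunk initialises them. `install_targets` is expanded by `rm -f -- $(install_targets)` and `rmdir -p -- $(dir $(install_targets))` in `uninstall`, which is usually run as root, so an inherited value would add paths to that deletion. Keeping `=` on the first line of each group (`build_targets = httpconnectd httpconnectd@.service httpconnectd.socket`, likewise for `install_targets`) and `+=` on the rest avoids this. Separately, `https.conf` is installed under its live name while `basicauth.conf-sample` is installed as a sample; if the install rule (outside this hunk) copies unconditionally, a reinstall replaces an administrator's edited `https.conf`.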
@@ -0,0 +1,12 @@
+#!/hint/bash
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+
+port=8443
+ssl_options=(
+ cert=/etc/ssl/private/myhostname/fullchain.pem
+ key=/etc/ssl/private/myhostname/privkey.pem
+ dhparam=/etc/ssl/private/dhparam-2048.pem
+
+ verify=0
+)
diff --git a/httpsconnectd.service.in b/httpsconnectd.service.in
new file mode 100644
index 0000000..379dc59
--- /dev/null
+++ b/httpsconnectd.service.in
@@ -0,0 +1,12 @@
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+[Unit]
+Description=HTTPS CONNECT server
+
+[Service]
+ExecStart=@bindir@/httpsconnectd
+User=nobody
+Group=keys
+
+[Install]
+WantedBy=multi-user.target
diff --git a/httpsconnectd.sh.in b/httpsconnectd.sh.in
new file mode 100644
index 0000000..3d1da77
--- /dev/null
+++ b/httpsconnectd.sh.in
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# Copyright 2016 Luke Shumaker
+# License: WTFPLv2
+
+# Dependencies:
+# - bash
+# - socat (with OpenSSL support)
+# - httpconnectd
+
+set -e
+source @pkgconfdir@/https.conf
+IFS=,
+socat -d -d -d OPENSSL-LISTEN:"${port},${ssl_options[*]},reuseaddr,fork" EXEC:httpconnectd
-- cgit v1.1-4-g5e80
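Review bot: `verify=0` in `ssl_options` carries no comment, although it is the one setting here that decides who may connect: passed to socat's OPENSSL-LISTEN it turns off client-certificate checking, so access control rests entirely on what httpconnectd does after the handshake. I would document that above the line, e.g. `# verify=0: clients are not asked for a certificate; authentication is left to httpconnectd`. A header comment should also say that this file is sourced as bash by httpsconnectd (`source @pkgconfdir@/https.conf`) and therefore must be writable by root only. The list sets neither `cipher=` nor `method=`, so protocol versions and cipher suites fall back to the socat/OpenSSL defaults of the host, which is worth stating in the sample.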
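Review bot: `User=nobody` with `Group=keys` gives the whole service read access to the TLS private key, and the `EXEC:httpconnectd` child that socat forks per connection (see httpsconnectd.sh.in) inherits the same credentials, so the code parsing untrusted CONNECT requests can read the key too. `nobody` is also shared with any other service that uses it, and processes with the same UID may be able to inspect each other. A dedicated account (placeholder name, e.g. `User=httpsconnectd`) whose only extra right is reading the key would narrow this. The unit also sets no sandboxing; `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` fit a service that only listens on an unprivileged port and relays connections.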
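Review bot: `EXEC:httpconnectd` on the socat line is resolved through PATH, while the unit file pins `@bindir@/httpsconnectd`; with a non-default bindir the handler is either not found or a different `httpconnectd` earlier in PATH is run. Writing `EXEC:@bindir@/httpconnectd` and adding `.var.bindir` to the `httpsconnectd.sh` prerequisites in the Makefile would tie the two together, assuming the `.in` substitution is driven by those prerequisites, which is not visible here. Separately, `fork` puts no upper bound on concurrent children, so each inbound connection costs a process; socat's `max-children=<count>` listen option caps that. `set -e` alone also lets an unset `port` expand to an empty string, which `set -eu` would catch before socat is started.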