Documentation
¶
Index ¶
- func GenerateCA(name string) (certPEM, keyPEM []byte, err error)
- func GenerateCert(ca *tls.Certificate, hosts ...string) (*tls.Certificate, error)
- func HTTPDirector(r *http.Request)
- func NewListener(inner net.Listener, ca *tls.Certificate, conf *tls.Config) net.Listener
- func SkipNone(req *http.Request) bool
- type Proxy
- type ServerConn
- type ServerParam
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateCA ¶
GenerateCA generates a CA cert and key pair.
func GenerateCert ¶
func GenerateCert(ca *tls.Certificate, hosts ...string) (*tls.Certificate, error)
GenerateCert generates a leaf cert from ca.
func HTTPDirector ¶
HTTPDirector is director designed for use in Proxy for http proxies.
func NewListener ¶
NewListener returns a net.Listener that generates a new cert from ca for each new Accept. It uses SNI to generate the cert, and therefore only works with clients that send SNI headers.
This is useful for building transparent MITM proxies.
Types ¶
type Proxy ¶
type Proxy struct {
// Handle specifies a function for handling the decrypted HTTP request and response.
Handle func(https bool) func(w http.ResponseWriter, r *http.Request)
// CA specifies the root CA for generating leaf certs for each incoming
// TLS request.
CA *tls.Certificate
// TLSServerConfig specifies the tls.Config to use when generating leaf
// cert using CA.
TLSServerConfig *tls.Config
// TLSClientConfig specifies the tls.Config to use when establishing
// an upstream connection for proxying.
TLSClientConfig *tls.Config
// Director is function which modifies the request into a new
// request to be sent using Transport. See the documentation for
// httputil.ReverseProxy for more details. For mitm proxies, the
// director defaults to HTTPDirector, but for transparent TLS
// proxies it should be set to HTTPSDirector.
Director func(*http.Request)
// SkipRequest is a function used to skip some requests from being
// proxied. If it returns true, the request passes by without being
// wrapped. If false, it's wrapped and proxied. By default we use
// SkipNone, which doesn't skip any request
SkipRequest func(*http.Request) bool
}
Proxy is a forward proxy that substitutes its own certificate for incoming TLS connections in place of the upstream server's certificate.
type ServerConn ¶
type ServerConn struct {
*tls.Conn
// ServerName is set during Conn's handshake to the client's requested
// server name set in the SNI header. It is not safe to access across
// multiple goroutines while Conn is performing the handshake.
ServerName string
}
A ServerConn is a net.Conn that holds its clients SNI header in ServerName after the handshake.
func Server ¶
func Server(cn net.Conn, p ServerParam) *ServerConn
Server wraps cn with a ServerConn configured with p so that during its Handshake, it will generate a new certificate using p.CA. After a successful Handshake, its ServerName field will be set to the clients requested ServerName in the SNI header.
type ServerParam ¶
type ServerParam struct {
CA *tls.Certificate // the Root CA for generatng on the fly MITM certificates
TLSConfig *tls.Config // a template TLS config for the server.
}
ServerParam struct
Source Files