From 7b0912cf3cf28da920cfe076b6dcae4b93a15a78 Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Sat, 31 Oct 2020 10:34:02 +0100 Subject: [PATCH] Add support for TLS backends Closes: https://todo.sr.ht/~emersion/tlstunnel/6 --- directives.go | 9 +++++++++ server.go | 10 +++++++--- tlstunnel.1.scd | 1 + 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/directives.go b/directives.go index 83730d1..214cb10 100644 --- a/directives.go +++ b/directives.go @@ -94,6 +94,15 @@ func parseBackend(backend *Backend, d *scfg.Directive) error { } switch u.Scheme { + case "tls": + host, _, err := net.SplitHostPort(u.Host) + if err != nil { + return fmt.Errorf("failed to parse backend address %q: %v", u.Host, err) + } + backend.TLSConfig = &tls.Config{ + ServerName: host, + } + fallthrough case "", "tcp": backend.Network = "tcp" backend.Address = u.Host diff --git a/server.go b/server.go index 4bd11dd..fd2d7c8 100644 --- a/server.go +++ b/server.go @@ -172,6 +172,9 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e if err != nil { return fmt.Errorf("failed to dial backend: %v", err) } + if be.TLSConfig != nil { + upstream = tls.Client(upstream, be.TLSConfig) + } defer upstream.Close() if be.Proxy { @@ -199,9 +202,10 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e } type Backend struct { - Network string - Address string - Proxy bool + Network string + Address string + Proxy bool + TLSConfig *tls.Config // nil if no TLS } func duplexCopy(a, b io.ReadWriter) error { diff --git a/tlstunnel.1.scd b/tlstunnel.1.scd index 0107577..b692ee9 100644 --- a/tlstunnel.1.scd +++ b/tlstunnel.1.scd @@ -50,6 +50,7 @@ The following directives are supported: The following URIs are supported: - _[tcp://]:_ connects to a TCP server + - _tls://:_ connects to a TLS over TCP server - _unix://_ connects to a Unix socket The _+proxy_ suffix can be added to the URI scheme to forward