module macleod

go 1.18

Description=MacLeod

After=network.target

StartLimitIntervalSec=0

LimitAS=infinity

LimitRSS=infinity

LimitCORE=infinity

LimitNOFILE=infinity

WorkingDirectory=/apps/macleod

Type=simple

Restart=always

RestartSec=1

User=root

ExecStart=/apps/macleod/macleod

WantedBy=multi-user.target

package main

import (

. "macleod/models"

)

func init() {

Config.Load()

}

func main() {

server := Server{}

server.Serve()

}

package models

import (

"encoding/json"

"errors"

"io/ioutil"

)

type config struct {

ListenAddress string `json:"listen_address"`

Backends map[string]struct {

Destination string `json:"destination"`

Certificate string `json:"certificate"`

Key string `json:"key"`

}

}

var Config config

func (c *config) Load() {

data, _ := ioutil.ReadFile("config.json")

_ = json.Unmarshal(data, c)

}

func (c *config) GetCertificatesForDomain(domain string) (string, string, error) {

if value, ok := Config.Backends[domain]; ok {

return value.Certificate, value.Key, nil

}

return "", "", errors.New("config not found: " + domain)

}

func (c *config) GetBackendForDomain(domain string) (string, error) {

if value, ok := Config.Backends[domain]; ok {

return value.Destination, nil

}

return "", errors.New("config not found: " + domain)

}

package models

import (

"crypto/tls"

"io"

"log"

"net"

)

type Server struct {

Listener net.Listener

}

func (s *Server) New() {

tlsConfig := &tls.Config{

GetConfigForClient: getConfigForClient,

}

var err error

s.Listener, err = tls.Listen("tcp", Config.ListenAddress, tlsConfig)

if err != nil {

log.Fatalf("error in tls.Listen: %s", err)

}

}

func (s *Server) Serve() {

for {

clientConn, err := s.Listener.Accept()

if err != nil {

log.Printf("error in listener.Accept: %s", err)

break

}

go s.Handle(clientConn)

}

}

func getConfigForClient(chi *tls.ClientHelloInfo) (*tls.Config, error) {

domain := chi.ServerName

certificate, key, err := Config.GetCertificatesForDomain(domain)

if err != nil {

return nil, err

}

cert, err := tls.LoadX509KeyPair(certificate, key)

if err != nil {

log.Fatalf("error in tls.LoadX509KeyPair: %s", err)

}

return &tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true}, nil

}

func (s *Server) Handle(clientConn net.Conn) {

tlsConn, ok := clientConn.(*tls.Conn)

if ok {

err := tlsConn.Handshake()

if err != nil {

log.Printf("error in tls.Handshake: %s", err)

_ = clientConn.Close()

return

}

domain := tlsConn.ConnectionState().ServerName

backend, err := Config.GetBackendForDomain(domain)

if err != nil {

log.Println(err)

return

}

backendConn, err := net.Dial("tcp", backend)

if err != nil {

log.Printf("error in net.Dial: %s", err)

_ = clientConn.Close()

return

}

go s.CopyIO(clientConn, backendConn)

go s.CopyIO(backendConn, clientConn)

}

}

func (s *Server) CopyIO(from, to io.ReadWriteCloser) {

defer func() {

if r := recover(); r != nil {

log.Printf("recovered while tunneling")

}

}()

_, _ = io.Copy(from, to)

_ = to.Close()

_ = from.Close()

}

- Terminates SSL connections and redirects traffic internally

- No external dependencies

go build .

Copy **config.sample.json** to **config.json**,

Create a node under backends for each domain that will be used

{

"web.domain.com": {

"destination": "10.42.0.10:8080",

"certificate": "/etc/letsencrypt/live/web.domain.com/fullchain.pem",

"key": "/etc/letsencrypt/live/web.domain.com/privkey.pem"

}

}

| Setting | Description |

| ------ |----------------------------------------------------|

| web.domain.com | Set this to your domain name |

| destination | IP or hostname that should receive the traffic |

| certificate | Location of chain file |

| key | Location of private key file |

You can also use **macleod.service** as reference to install as daemon