Added probe-reverseproxyurl configuration parameter

ameshkov · Feb 5, 2024 · 62cfee7 · 62cfee7
1 parent 59d5faa
commit 62cfee7
Show file tree

Hide file tree

Showing 7 changed files with 257 additions and 65 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,7 +11,13 @@ adheres to [Semantic Versioning][semver].
 
 ## [Unreleased]
 
-[unreleased]: https://github.com/ameshkov/udptlspipe/compare/v1.2.1...HEAD
+[unreleased]: https://github.com/ameshkov/udptlspipe/compare/v1.3.0...HEAD
+
+## [1.3.0] - 2024-02-05
+
+* Added an option to configure a probe reverse proxy URL.
+
+[1.3.0]: https://github.com/ameshkov/udptlspipe/releases/tag/v1.3.0
 
 ## [1.2.2] - 2024-02-05
 

diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ to keep it that way.
 * [How to install udptlspipe](#install)
 * [How to use udptlspipe](#howtouse)
 * [Custom TLS certificate](#tlscert)
+* [Probing protection](#probing)
 * [Docker](#docker)
 * [All command-line arguments](#allcmdarguments)
 
@@ -160,6 +161,23 @@ udptlspipe \
 
 [lego]: https://go-acme.github.io/lego/usage/cli/obtain-a-certificate/
 
+## Probing protection
+
+By default `udptlspipe` responds with a generic `403 Forbidden` response to
+unauthorized requests. However, it allows to use a more sophisticated
+protection. If `--probe-reverseproxyurl` is specified, `udptlspipe` server will
+proxy unauthorized requests to the specified target while rewriting `Host` and
+keeping the original path. This way you can imitate a real existing website.
+
+```shell
+udptlspipe --server \
+  -l 0.0.0.0:443 \
+  -d 2.3.4.5:8123 \
+  -p SecurePassword \
+  --probe-reverseproxyurl "http://example.com"
+
+```
+
 <a id="docker"></a>
 
 ## Docker

diff --git a/internal/cmd/cmd.go b/internal/cmd/cmd.go
@@ -46,13 +46,14 @@ func Main() {
 	log.Info("Configuration:\n%s", o)
 
 	cfg := &pipe.Config{
-		ListenAddr:        o.ListenAddr,
-		DestinationAddr:   o.DestinationAddr,
-		Password:          o.Password,
-		ServerMode:        o.ServerMode,
-		ProxyURL:          o.ProxyURL,
-		VerifyCertificate: o.VerifyCertificate,
-		TLSServerName:     o.TLSServerName,
+		ListenAddr:           o.ListenAddr,
+		DestinationAddr:      o.DestinationAddr,
+		Password:             o.Password,
+		ServerMode:           o.ServerMode,
+		ProxyURL:             o.ProxyURL,
+		VerifyCertificate:    o.VerifyCertificate,
+		TLSServerName:        o.TLSServerName,
+		ProbeReverseProxyURL: o.ProbeReverseProxyURL,
 	}
 
 	if o.TLSCertPath != "" {

diff --git a/internal/cmd/options.go b/internal/cmd/options.go
@@ -54,6 +54,11 @@ type Options struct {
 	// certificate specified by TLSCertPath.
 	TLSCertKey string `yaml:"tls-keyfile" long:"tls-keyfile" description:"Path to the private key for the cert specified in tls-certfile." value-name:"<path-to-key-file>"`
 
+	// ProbeReverseProxyURL is the URL that will be used by the reverse HTTP
+	// proxy to respond to unauthorized or proxy requests. If not specified,
+	// it will respond with a stub page 403 Forbidden.
+	ProbeReverseProxyURL string `yaml:"probe-reverseproxyurl" long:"probe-reverseproxyurl" description:"Unauthorized requests and probes will be proxied to the URL." value-name:"<hostname>"`
+
 	// Verbose defines whether we should write the DEBUG-level log or not.
 	Verbose bool `yaml:"verbose" short:"v" long:"verbose" description:"Verbose output (optional)." optional:"yes" optional-value:"true"`
 }