forked from cherti/authguard
-
Notifications
You must be signed in to change notification settings - Fork 1
/
authguard.go
93 lines (76 loc) · 2.61 KB
/
authguard.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
package main
import (
"flag"
"fmt"
"os"
auth "github.com/abbot/go-http-auth"
"net/http"
"net/http/httputil"
)
// addresses and protocols
var outerAddress = flag.String("web.listen-address", ":8081", "address exposed to outside")
var innerAddress = flag.String("web.proxy-to", "127.0.0.1:8080", "address to proxy to")
var innerScheme = flag.String("scheme", "http", "scheme to use for connection to target (either http or https)")
// HTTP basic auth
var useAuth = flag.Bool("auth", true, "use HTTP-Basic-Auth for outer connection")
var user = flag.String("user", "authguard", "user for HTTP basic auth outwards")
var pass = flag.String("pass", "authguard", "password for HTTP basic auth outwards")
var htpasswdfile = flag.String("htpasswd", "", "htpasswd-file to use if any; invalidates -user and -pass")
// TLS
var useTLS = flag.Bool("tls", true, "use TLS for outer connection")
var crt = flag.String("crt", "", "path to TLS public key file for outer connection")
var key = flag.String("key", "", "path to TLS private key file for outer connection")
// return secret for basic http-auth
func Secret(puser, realm string) string {
if *user == puser {
magic := []byte("$magic$")
salt := []byte("salt")
e := auth.MD5Crypt([]byte(*pass), salt, magic)
return string(e)
}
return ""
}
// modifies incoming http.request to go to target
func director(r *http.Request) {
r.URL.Scheme = *innerScheme
r.URL.Host = *innerAddress
}
func redirectIt(w http.ResponseWriter, r *http.Request) {
proxy := &httputil.ReverseProxy{Director: director}
proxy.ServeHTTP(w, r)
}
func main() {
flag.Parse()
fmt.Println("starting redirector from", *outerAddress, "to", *innerAddress)
if *useAuth {
fmt.Println("HTTP Basic Auth enabled")
var authenticator *auth.BasicAuth
if *htpasswdfile == "" {
authenticator = auth.NewBasicAuthenticator("", Secret)
} else {
// check whether the htpasswd file exists
// very simple check just to catch typos etc.,
// doesn't say anything about validity or so
if _, err := os.Stat(*htpasswdfile); os.IsNotExist(err) {
fmt.Println("specified htpasswd-file does not exist")
os.Exit(1)
}
authenticator = auth.NewBasicAuthenticator("", auth.HtpasswdFileProvider(*htpasswdfile))
}
http.HandleFunc("/", auth.JustCheck(authenticator, redirectIt))
} else {
fmt.Println("HTTP Basic Auth disabled")
http.HandleFunc("/", redirectIt)
}
var err error
if *useTLS {
fmt.Println("TLS enabled")
err = http.ListenAndServeTLS(*outerAddress, *crt, *key, nil)
} else {
fmt.Println("TLS disabled")
err = http.ListenAndServe(*outerAddress, nil)
}
if err != nil {
fmt.Println(err)
}
}