diff --git a/gen/gen.go b/gen/gen.go
index 5d61af0..ddbb01a 100644
--- a/gen/gen.go
+++ b/gen/gen.go
@@ -12,13 +12,14 @@ import (
 	"fmt"
 	"log"
 	"math/big"
+	"net"
 	"os"
 	"time"
 )
 
 // Keys generates a new P256 ECDSA public private key pair for TLS.
 // It returns a bytes buffer for the PEM encoded private key and certificate.
-func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte, err error) {
+func Keys(validFor time.Duration, cn, dns, ip string) (cert, key *bytes.Buffer, fingerprint [32]byte, err error) {
 	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		log.Fatalf("failed to generate private key: %s", err)
@@ -39,6 +40,7 @@ func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"ssl-proxy"},
+			CommonName: cn,
 		},
 		NotBefore: notBefore,
 		NotAfter: notAfter,
@@ -47,6 +49,12 @@ func Keys(validFor time.Duration) (cert, key *bytes.Buffer, fingerprint [32]byte
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 	}
+	if dns != "" {
+		template.DNSNames = []string{dns}
+	}
+	if ip != "" {
+		template.IPAddresses = []net.IP{net.ParseIP(ip)}
+	}
 
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privKey.PublicKey, privKey)
 	if err != nil {
diff --git a/main.go b/main.go
index 447a777..7e948e9 100644
--- a/main.go
+++ b/main.go
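Review bot: The doc comment above `Keys` still describes only the old signature; the three new string parameters `cn`, `dns` and `ip` are documented nowhere in the hunk, and nothing tells a caller that empty values are allowed and simply omit the corresponding field. Extend the comment with a line such as `// cn is placed in the Subject Common Name; dns and ip, when non-empty, are added as a DNS and an IP Subject Alternative Name respectively.` The body of Keys continues past the end of this hunk.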
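Review bot: Setting `CommonName: cn` on its own gives operators a false sense that `-cn example.com` names the host, but Go's own verifier (since 1.15) and current browsers match hostnames against SANs only, so a certificate minted with `-cn` and no `-dns`/`-ip` will still fail hostname verification. A comment on the new line would save a support round-trip: `// CommonName is informational only; hostname verification uses DNSNames/IPAddresses below.` If the intent is for cn to act as the host name, it should also be appended to `template.DNSNames`, which this hunk does not do.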
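Review bot: `net.ParseIP(ip)` returns nil for anything that is not a valid IPv4/IPv6 literal, and the new code puts that nil straight into `template.IPAddresses`, so a typo such as `-ip 127.0.0.256` produces a certificate with an empty (malformed) IP SAN rather than an error. The function already has a named `err` return and `fmt` is imported in the first hunk, so the parse result should be checked and rejected before the template is used; the `dns` value is likewise taken verbatim, which is acceptable for a self-signed dev certificate but worth a comment. The rest of Keys, including the PEM encoding, lies outside this hunk.
```go
	if ip != "" {
		parsed := net.ParseIP(ip)
		if parsed == nil {
			return nil, nil, fingerprint, fmt.Errorf("invalid IP address for SAN: %q", ip)
		}
		template.IPAddresses = []net.IP{parsed}
	}
	// … unchanged: CreateCertificate call …
```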
@@ -16,11 +16,15 @@ import (
 )
 
 var (
-	to = flag.String("to", "http://127.0.0.1:80", "the address and port for which to proxy requests to")
-	fromURL = flag.String("from", "127.0.0.1:4430", "the tcp address and port this proxy should listen for requests on")
-	certFile = flag.String("cert", "", "path to a tls certificate file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
-	keyFile = flag.String("key", "", "path to a private key file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
-	domain = flag.String("domain", "", "domain to mint letsencrypt certificates for. Usage of this parameter implies acceptance of the LetsEncrypt terms of service.")
+	to = flag.String("to", "http://127.0.0.1:80", "the address and port for which to proxy requests to")
+	fromURL = flag.String("from", "127.0.0.1:4430", "the tcp address and port this proxy should listen for requests on")
+	certFile = flag.String("cert", "", "path to a tls certificate file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
+	keyFile = flag.String("key", "", "path to a private key file. If not provided, ssl-proxy will generate one for you in ~/.ssl-proxy/")
+	domain = flag.String("domain", "", "domain to mint letsencrypt certificates for. Usage of this parameter implies acceptance of the LetsEncrypt terms of service.")
+	cn = flag.String("cn", "", "Common name of generated certificate")
+	dns = flag.String("dns", "", "DNS name for SAN attribute")
+	ip = flag.String("ip", "", "IP address for SAN attribute")
+	redirectHTTP = flag.Bool("redirectHTTP", false, "if true, redirects http requests from port 80 to https at your fromURL")
 )
@@ -47,7 +51,7 @@ func main() {
 	log.Printf("No existing cert or key specified, generating some self-signed certs for use (%s, %s)\n", *certFile, *keyFile)
 
 	// Generate new keys
-	certBuf, keyBuf, fingerprint, err := gen.Keys(365 * 24 * time.Hour)
+	certBuf, keyBuf, fingerprint, err := gen.Keys(365*24*time.Hour, *cn, *dns, *ip)
 	if err != nil {
 		log.Fatal("Error generating default keys", err)
 	}
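Review bot: With all three new flags left at their empty defaults, `gen.Keys` is called with three empty strings and (per the gen.go hunks in this same diff) emits a certificate with no Subject Alternative Name at all, which no client can match to a hostname even after the fingerprint is trusted. The call site should at least say so before generating: `if *dns == "" && *ip == "" { log.Println("warning: no -dns or -ip given; generated certificate has no SAN and will not pass hostname verification") }`. Defaulting the SAN from the host part of `*fromURL` would presumably be a friendlier fallback, but that depends on how fromURL is parsed elsewhere in main, whose body continues outside this hunk.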