add dns challenge support

.github/workflows/ci.yml

@@ -28,6 +28,7 @@ jobs:
  env:
  GOFLAGS: "-mod=vendor"
  TZ: "America/Chicago"
+ DNS_CHALLENGE_TEST_ENABLED: "" # if true enables unittest for dns challenge against LE staging env
 
  - name: install golangci-lint and goveralls
  run: |

.gitignore

@@ -7,3 +7,4 @@ docker-compose-private.yml
 .vscode
 .idea
 *.gpg
+.DS_Store

README.md

@@ -154,6 +154,12 @@ In case if rules set as a part of docker compose environment, destination with t
 
 SSL mode (by default none) can be set to `auto` (ACME/LE certificates), `static` (existing certificate) or `none`. If `auto` turned on SSL certificate will be issued automatically for all discovered server names. User can override it by setting `--ssl.fqdn` value(s)
 
+### DNS Challenge 
+DNS challenge can be used to solve ACME/LE certificate issue. It is enabled by passing `--ssl.dns.enabled` flag. DNS provider is to specify with the flag `--ssl.dns-challenge.provider`. Provider specific parameters should be passed with environment variables. 
+
+#### Providers
+Full list of supported providers: see [DNS Providers](app/acme/dnsprovider/README.md) section.
+
 ## Headers 
 
 Reproxy allows to sanitize (remove) incoming headers by passing `--drop-header` parameter (can be repeated). This parameter can be useful to make sure some of the headers, set internally by the services, can't be set/faked by the end user. For example if some of the services, responsible for the auth, sets `X-Auth-User` and `X-Auth-Token` it is likely makes sense to drop those headers from the incoming requests by passing `--drop-header=X-Auth-User --drop-header=X-Auth-Token` parameter or via environment `DROP_HEADERS=X-Auth-User,X-Auth-Token`
@@ -354,13 +360,16 @@ This is the list of all options supporting multiple elements:
  --dbg debug mode [$DEBUG]
 
 ssl:
- --ssl.type=[none|static|auto] ssl (auto) support (default: none) [$SSL_TYPE]
- --ssl.cert= path to cert.pem file [$SSL_CERT]
- --ssl.key= path to key.pem file [$SSL_KEY]
- --ssl.acme-location= dir where certificates will be stored by autocert manager (default: ./var/acme) [$SSL_ACME_LOCATION]
- --ssl.acme-email= admin email for certificate notifications [$SSL_ACME_EMAIL]
- --ssl.http-port= http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without) [$SSL_HTTP_PORT]
- --ssl.fqdn= FQDN(s) for ACME certificates [$SSL_ACME_FQDN]
+ --ssl.type=[none|static|auto] ssl (auto) support (default: none) [$SSL_TYPE]
+ --ssl.cert= path to cert.pem file [$SSL_CERT]
+ --ssl.key= path to key.pem file [$SSL_KEY]
+ --ssl.acme-location= dir where certificates will be stored by autocert manager (default: ./var/acme) [$SSL_ACME_LOCATION]
+ --ssl.acme-email= admin email for certificate notifications [$SSL_ACME_EMAIL]
+ --ssl.http-port= http port for redirect to https and acme challenge test (default: 8080 under docker, 80 without) [$SSL_HTTP_PORT]
+ --ssl.fqdn= FQDN(s) for ACME certificates [$SSL_ACME_FQDN]
+ --ssl.dns-challenge-enabled enable dns challenge for ACME certificates [$SSL_ACME_DNS_CHALLENGE_ENABLED]
+ --ssl.dns-challenge-provider= dns challenge provider (default: cloudflare) [$SSL_ACME_DNS_CHALLENGE_PROVIDER]
+ --ssl.dns-challenge-resolvers= dns resolvers for dns challenge (default: will be used available in enviroment /etc/resolv.conf) [$SSL_ACME_DNS_CHALLENGE_RESOLVERS]
 
 assets:
  -a, --assets.location= assets location [$ASSETS_LOCATION]