Remove Python dependency, enable proxy protocol (#38)

* Remove python dep

Makefile

@@ -19,4 +19,4 @@ link-macos:
 	docker run -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock" --rm -it fractalnetworks/gateway-cli:latest $(GATEWAY) $(FQDN) $(EXPOSE)
 
 link-ci:
-	./ci/create-link-ci.sh $(GATEWAY) $(FQDN) $(EXPOSE)
+	./ci/create-link-ci.sh gateway-sshd app.example.com nginx:80

README.md

@@ -2,12 +2,15 @@
 **Jump to [Getting Started](#getting-started)**
 ## Features and Benefits
 - Docker native self-hosted alternative to Cloudflare Tunnels, Tailscale Funnel, ngrok and others.
-- Entirely self-hosted and self-managed, both local and remote components tunneling components provided.
+- Entirely self-hosted and self-managed, includes local and remote tunneling components.
 - No custom code, this project leverages existing battled tested FOSS components:
- - WireGuard
- - Nginx (Gateway)
- - Caddy (Client)
+  - WireGuard
+  - Nginx (Gateway)
+  - Caddy (Client)
 - Automatic client side HTTPS cert provisioning thanks to Caddy's automatic https.
+- Remote client IPs passed to local container via proxy protocol
+- Enable basic authentication by specifying env variable containig username and password
+- Proxy generic TCP/UDP traffic to localhost with socat
 
 ## Video Overview & Setup Guide
 <a href="http://www.youtube.com/watch?feature=player_embedded&v=VCH8-XOikQc" target="_blank">
@@ -35,16 +38,16 @@ This project automates the provisioning of **Reverse Proxy-over-VPN (RPoVPN)** W
 
 ### Prerequisites
 - Domain
- - Ability to create an `A` record for a domain name.
+  - Ability to create an `A` record for a domain name.
 - Gateway 
- - A publically addressable Linux host to act as the `gateway`, typically a cloud VPS (Hetzner, Digital Ocean, etc..) with the following requirements:
- - SSH access
- - Ports 80/443 open (http/https)
- - The UDP port range listed by `cat /proc/sys/net/ipv4/ip_local_port_range` open to the Internet.
- - `docker`, `git` & `make` installed on the Gateway
+  - A publically addressable Linux host to act as the `gateway`, typically a cloud VPS (Hetzner, Digital Ocean, etc..) with the following requirements:
+  - SSH access
+  - Ports 80/443 open (http/https)
+  - The UDP port range listed by `cat /proc/sys/net/ipv4/ip_local_port_range` open to the Internet.
+  - `docker`, `git` & `make` installed on the Gateway
 - Client
- - An existing `docker-compose.yml` that you would like to expose to the Internet.
- - `docker`, `git` & `make` installed locally
+  - An existing `docker-compose.yml` that you would like to expose to the Internet.
+  - `docker`, `git` & `make` installed locally
 
 ### Steps
 1. Point `*.mydomain.com` (DNS A Record) to the IPv4 & IPv6 address of your VPS Gateway host.

ci/create-link-ci.sh

@@ -9,10 +9,11 @@ docker network create gateway || true   # create docker network if not exists
 docker compose up -d --build
 eval $(ssh-agent -s)
 ssh-add ./gateway-sim-key
-# 
+# generate a docker compose to test the generated link
 cat test-link.template.yaml > test-link.yaml
 docker run --network gateway -e SSH_AGENT_PID=$SSH_AGENT_PID -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK --rm fractalnetworks/gateway-cli:latest $1 $2 $3 >> test-link.yaml
 cat network.yaml >> test-link.yaml
+# set the gateway endpoint to the gateway link container
 sed -i 's/^\(\s*GATEWAY_ENDPOINT:\).*/\1 app-example-com:18521/' test-link.yaml
 docker compose -f test-link.yaml up -d
 docker compose -f test-link.yaml exec link ping 10.0.0.1 -c 2

ci/test-link.template.yaml

@@ -1,8 +1,7 @@
 version: '3.9'
 
-# need this
 networks:
   gateway:
       external: true
 
-services:  
+services:

src/client-link/Caddyfile.template

@@ -1,6 +1,12 @@
 {
     http_port 8080
     https_port 8443
+    servers {
+        listener_wrappers {
+            proxy_protocol
+            tls
+        }
+    }
 }
 
 $LINK_DOMAIN {
@@ -11,4 +17,7 @@ $LINK_DOMAIN {
     # BasicAuthPlaceholder
 
     reverse_proxy $EXPOSE
-}
+
+    # TODO optional internal tls
+    # tls internal
+}

src/client-link/entrypoint.sh

@@ -55,7 +55,7 @@ END
     PASSWORD=$(echo $BASIC_AUTH | cut -d':' -f2)
     HASHED_PASSWORD=$(caddy hash-password --plaintext $PASSWORD)
     # Construct the basic auth configuration
-    BASIC_AUTH_CONFIG="    basicauth /* {\n        $USERNAME $HASHED_PASSWORD\n    }\n"
+    BASIC_AUTH_CONFIG="    basicauth /* {\n        "$USERNAME" "$HASHED_PASSWORD"\n    }\n"
     # Insert basic auth config into the final Caddyfile, replacing the placeholder
     sed -i "s|# BasicAuthPlaceholder|$BASIC_AUTH_CONFIG|" /etc/Caddyfile.template
 fi

src/create-link/entrypoint.sh

@@ -3,6 +3,21 @@
 
 set -e
 
+function fqdn_to_container_name() {
+    local fqdn="$1"
+
+    # Check if the FQDN is non-empty
+    if [[ -z "$fqdn" ]]; then
+        echo "Error: No FQDN provided."
+        return 1
+    fi
+
+    # Replace all dots with dashes
+    CONTAINER_NAME="${fqdn//./-}"
+
+    echo "$CONTAINER_NAME"
+}
+
 SSH_HOST=$1
 SSH_PORT=22
 # split port from SSH_HOST if SSH_HOST contains :
@@ -14,13 +29,15 @@ fi
 
 export LINK_DOMAIN=$2
 export EXPOSE=$3
-export WG_PRIVKEY=$(wg genkey)
+WG_PRIVKEY=$(wg genkey)
+export WG_PRIVKEY
 # Nginx uses Docker DNS resolver for dynamic mapping of LINK_DOMAIN to link container hostnames, see nginx/*.conf
 # This is the magic.
 # NOTE: All traffic for `*.subdomain.domain.tld`` will be routed to the container named `subdomain-domain-tld``
 # Also supports `subdomain.domain.tld` as well as apex `domain.tld`
 # *.domain.tld should resolve to the Gateway's public IPv4 address
-export CONTAINER_NAME=$(echo $LINK_DOMAIN|python3 -c 'fqdn=input();print("-".join(fqdn.split(".")[-4:]))')
+CONTAINER_NAME=$(fqdn_to_container_name "$LINK_DOMAIN")
+export CONTAINER_NAME
 
 
 LINK_CLIENT_WG_PUBKEY=$(echo $WG_PRIVKEY|wg pubkey)

src/gateway/nginx.conf.template

@@ -35,7 +35,7 @@ events {
             ~^(?<subdomain>.+?)?\.(?<domain>.+)\.(?<tld>.+)$ $subdomain-$domain-$tld:443;
             ~^(?<domain>.+)\.(?<tld>.+)$ $domain-$tld:443;
         } 
-
+        proxy_protocol on;
         server {
             listen 443; 
 
@@ -46,6 +46,4 @@ events {
             proxy_pass $targetBackend;       
             ssl_preread on;
         }
-
-
 }