A forwarding HTTPS server using Let's Encrypt
Provides a forwarding HTTPS server which transparently fetches and caches certificates via Let's Encrypt. This must run on 443 and 80 (http:// just forwards to https://, no forwarding happens unencrypted) and can't coexist with any other web server on your machine.
Why? This is so you can host random and long-lived services publicly on the internet—perfect for other services which are served on http://, don't care about certificates or HTTPS at all, and might be provided by Node or Go on a random high port (e.g., some dumb service running on localhost:8080).
Note! This doesn't magic up domain names. You would use this service only if you're able to point DNS records to the IP address of the machine you're running this on, and that machine is able to handle incoming requests on ports 443 and 80 (e.g., on a home network, you'd have to set up port forwarding on your router).
Configure this via /var/snap/https-forward/common/config, which is empty after install. It should be authored like this:
# hostname forward-to optional-basic-auth
host.example.com localhost:8080
blah.example.com 192.168.86.24:7999 user:pass
user-only.example.com localhost:9002 user # accepts any password
# Specify host with '.' to suffix all following
.example.com
test localhost:9000
under-example any-hostname-here.com:9000
# Clear the current suffix with a single "." (otherwise below would be "*.example.com.example.com")
.
# You can include ? or * to glob-match domain parts (this does NOT match "-")
*.example.com localhost:9000
test-v?*.example.com localhost:9999 # matches "test-v1", "test-v100", but NOT "test-v" or "test-vx-123"
# Serves a blank dummy page (but still generates an HTTPS cert, perhaps as a placeholder)
serves-nothing.example.com
(example.com is used above purely as an example. You'd replace it with a domain name you control, preferably with a wildcard DNS (https://en.wikipedia.org/wiki/Wildcard_DNS_record) record like *.example.com.)
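The following Python is an added example, not https-forward's own code: it parses the config format shown above, resolves a hostname to its backend, and flags entries that are forwarded with weak or no basic auth. It assumes `?` and `*` never match `-` or `.`, that the first matching line wins, and that `#` starts a comment anywhere on a line; the function names are hypothetical.

```python
import re

# Constructed sample in the documented format (not a real deployment).
SAMPLE = """\
# hostname forward-to optional-basic-auth
host.example.com localhost:8080
user-only.example.com localhost:9002 user # accepts any password
.example.com
test localhost:9000
.
test-v?*.example.com localhost:9999
serves-nothing.example.com
"""

def parse_config(text):
    """Return (host_pattern, forward_to, auth) tuples in file order."""
    suffix, rules = "", []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comment, split on spaces
        if not fields:
            continue
        if fields[0].startswith("."):  # ".example.com" sets suffix, "." clears
            suffix = "" if fields[0] == "." else fields[0]
            continue
        forward = fields[1] if len(fields) > 1 else None  # None: blank page
        auth = fields[2] if len(fields) > 2 else None
        rules.append((fields[0] + suffix, forward, auth))
    return rules

def host_regex(pattern):
    """Translate a host glob; assumes ? and * never match '-' or '.'."""
    glob = {"?": "[^-.]", "*": "[^-.]*"}
    return re.compile("".join(glob.get(c, re.escape(c)) for c in pattern), re.I)

def resolve(rules, hostname):
    """Return (forward_to, auth) of the first matching rule (assumed order)."""
    for host, forward, auth in rules:
        if host_regex(host).fullmatch(hostname):
            return forward, auth
    return None

def audit(rules):
    """List entries worth a second look before they are reachable publicly."""
    findings = []
    for host, forward, auth in rules:
        if forward and auth is None:
            findings.append((host, "forwarded without basic auth"))
        elif auth and ":" not in auth:
            findings.append((host, "user-only auth accepts any password"))
    return findings
```

Running `audit(parse_config(open(path).read()))` against your own config file before a restart lists every backend that would be published with no password check.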
Restart with snap restart https-forward to reread the config file (or try killall -SIGHUP https-forward to signal it instead). You can read logs to ensure that the file has been parsed properly:
sudo journalctl -f -u snap.https-forward.https-forward