socat-lite with letsencrypt support
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
LICENSE initial commit Feb 7, 2016 Update Feb 7, 2016
certs.go initial commit Feb 7, 2016
keys.go the Letsencrypt library we're using doesn't support 4096bit keys Jun 2, 2016
letsencrypt.go initial commit Feb 7, 2016
main.go don't use os/user for home path determination Jun 2, 2016
proxy.go hardcode intermediate cert for now Jun 29, 2016
util.go don't use os/user for home path determination Jun 2, 2016


socat-lite with letsencrypt support


I often find myself running web services on unprivileged ports such as 8000, 8080, etc, and then later decide I want to access these things on port 80. In these cases, I often run something like sudo socat TCP-LISTEN:80,fork,reuseaddr TCP:localhost:8080. What this does is start a small process that listens on port 80 and forwards all incoming connections to my process on port 8080.

Unfortunately, this isn't HTTPS or SSL. It'd be nice to be able to run a small binary like socat that listens on 443, does SSL termination, and redirects the actual unencrypted traffic to localhost:8080. You can do this, too, with socat, but certs are just such a hassle. OR WERE!

With the advent of Let's Encrypt, having a small binary that actually does the entire process of making a key, getting a valid certificate, and doing the proxying is now possible!

lecat is this thing.

Example Usage

All you gotta do is tell lecat the domain your process is visible from and the local unencrypted port to forward to.

lecat --host --target localhost:8080

An example session:

$ ./ --listen localhost:8080 &
$ go get
$ sudo ~/your/gopath/bin/lecat --host --target localhost:8080
2016/02/07 07:12:25 loading configuration
2016/02/07 07:12:25 no key found at /root/.lecat/server.key, generating
2016/02/07 07:12:35 no cert found at /root/.lecat/server.crt, requesting
2016/02/07 07:12:35 no key found at /root/.lecat/account.key, generating
2016/02/07 07:12:44 (re)registering account key
2016/02/07 07:12:44 getting challenges for ""
2016/02/07 07:12:45 performing sni challenge
2016/02/07 07:12:46 waiting for challenge
2016/02/07 07:12:47 making csr
2016/02/07 07:12:47 getting cert
2016/02/07 07:12:47 listening on [::]:443

Running it again will reload existing keys and certificates:

$ sudo ~/your/gopath/bin/lecat --host --target localhost:8080
2016/02/07 07:19:13 loading configuration
2016/02/07 07:19:14 listening on [::]:443

Lastly, you can also pass --redirect-addr :80 to have the process start a small HTTP server listening on port 80 that redirects incoming unencrypted requests to HTTPS. Be aware that this little HTTP server will set the HSTS flag on redirected requests for one year, telling incoming browsers to never try HTTP again for that year period. If you use this setting and this isn't the behavior that you want, you'll probably need to clear your domain out of your browser's HSTS database. Or just keep using SSL.


lecat doesn't really need sudo, it just needs setcap 'cap_net_bind_service=+ep' or something. I often forget the incantation.


Copyright 2016 JT Olds

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.