A high performance and lightweight gateway to automatically reverse proxy TLS/TCP requests. It uses the SNI to route the tcp connection. It will automatically use the ACME client to obtain, cache, and renew TLS certificates.
Gate will reserve a subdomain gate-tunnel on each domain for server-client communication.
Create gate.json file like below (doc for config: conf.go):
{
"domains": [
{
"domain": "test.com",
"provider": "cloudflare",
"token": "abc",
"routes": [
{
"token": "xxx"
},
{
"token": "yyy"
}
]
}
]
}Run go run ./cmd/server to start the gate service.
Run go run ./cmd/client -h test.com -t xxx -d :3000
to proxy TLS connections from test.com to :3000.
Run go run ./cmd/client -h test.com -s sub -t yyy -d :3001
to proxy TLS connections from subdomain sub.test.com to :3001.
Run two test http servers go run ./cmd/hello -p :3000 and go run ./cmd/hello -p :3001
The clients don't have to be in the same network as the server, they will use TLS to securely communicate with each other.
The diagram below shows how the above setup works:
flowchart TB
browser1["browser visits test.com"]
browser2["browser visits sub.test.com"]
server["go run ./cmd/server"]
x-client["go run ./cmd/client -h test.com -t xxx -d :3000"]
y-client["go run ./cmd/client -h test.com -s sub -t yyy -d :3001"]
x["go run ./cmd/hello -p :3000"]
y["go run ./cmd/hello -p :3001"]
browser1 & browser2 -- tls/tcp --> server
server -- "tls tunnel (gate-tunnel.test.com)" --> x-client & y-client
x-client -- tcp --> x
y-client -- tcp --> y
If you use golang as the backend you don't have to use the sidecar client binary, you can use the client lib directly:
package main
import (
"log"
"net/http"
"github.com/ysmood/gate/lib/client"
)
func main() {
l, err := client.New("test.com", "x", "xxx")
if err != nil {
log.Fatal(err)
}
http.Serve(l, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("hello!"))
}))
}Such as use the same domain for both staging/production env. The staging service tells gate it only accepts the requests coming from cert1, other certs will be routed to production service.
flowchart TB
cert1["cert1 visits test.com"]
cert2["cert2 visits test.com"]
gate
stg["staging service on :3000"]
prd["production service on :3001"]
cert1 & cert2 -- tls --> gate
gate -- tcp from cert1 --> stg
gate -- tcp from cert2 --> prd