Add HTTPS reverse proxy with self-signed 100-year cert

- Nginx reverse proxy with WebUI and REST API for configuration
- Self-signed SSL certificate with own CA (100 years validity)
- Domain-based and IP/port-based routing
- Docker setup with host network mode
- All settings configurable via .env

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Stefan Hacker 2026-04-09 15:32:00 +02:00
parent 3d35e1ab92
commit 411a8b8ddb
9 changed files with 936 additions and 0 deletions

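--- /dev/null
+++ b/.env.example
+# ============================================
+# HTTPS Proxy - Konfiguration
+# ============================================
+# --- Zertifikat-Einstellungen ---
+CERT_COUNTRY=DE
+CERT_STATE=Bavaria
+CERT_CITY=Munich
+CERT_ORG=MyOrganization
+CERT_OU=IT
+CERT_CN=proxy.local
+CERT_DAYS=36500
+# --- WebUI-Einstellungen ---
+WEBUI_PORT=8443
+WEBUI_USERNAME=admin
+WEBUI_PASSWORD=admin123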
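Review bot: `WEBUI_PASSWORD=admin123` ships a working default credential, and the same value is the fallback in docker-compose.yml (`- WEBUI_PASSWORD=${WEBUI_PASSWORD:-admin123}`) and in app.py (`PASSWORD = os.environ.get("WEBUI_PASSWORD", "admin123")`), so an operator who copies this file unchanged or forgets the variable runs the admin UI with a published password, reachable on every interface the host has given `network_mode: host` and the unqualified `listen` in nginx.conf. Leave the example value empty with a comment, e.g. `# Set a strong password before first start - the container will not start without one` followed by `WEBUI_PASSWORD=`. Make compose fail fast with `- WEBUI_PASSWORD=${WEBUI_PASSWORD:?WEBUI_PASSWORD must be set}` and drop the fallback in app.py so a missing value raises at import instead of silently enabling the default.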

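--- /dev/null
+++ b/Dockerfile
+FROM nginx:alpine
+# Install Python, pip, openssl
+RUN apk add --no-cache python3 py3-pip openssl bash \
+&& python3 -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+# Install Python dependencies
+COPY app/requirements.txt /app/requirements.txt
+RUN pip install --no-cache-dir -r /app/requirements.txt
+# Copy application files
+COPY app/ /app/
+COPY nginx/nginx.conf /etc/nginx/nginx.conf.template
+COPY nginx/entrypoint.sh /entrypoint.sh
+COPY certs/generate-certs.sh /certs/generate-certs.sh
+RUN chmod +x /entrypoint.sh /certs/generate-certs.sh \
+&& mkdir -p /data /etc/nginx/conf.d
+# No EXPOSE needed - running in host network mode
+ENTRYPOINT ["/entrypoint.sh"]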
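Review bot: Nothing removes the base image's `/etc/nginx/conf.d/default.conf`, and nginx.conf ends with `include /etc/nginx/conf.d/*.conf;`, so if nginx:alpine still ships that file (it has in every release I know of) the container also opens a plain-HTTP listener on port 80 of the host under `network_mode: host`, serving the stock welcome page next to the intended TLS ports. Add `&& rm -f /etc/nginx/conf.d/default.conf` to the `mkdir -p` step. Everything in the image, gunicorn included, also runs as root because no `USER` is set; app.py relies on that to rewrite conf.d and send `nginx -s reload`, so at least record the reason with a comment such as `# Runs as root: app.py rewrites /etc/nginx/conf.d and signals the nginx master`, and consider moving the reload into a separate privileged helper later so a bug in the Flask app does not hand out root in the container.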

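--- /dev/null
+++ b/app/app.py
+import json
+import os
+import subprocess
+from functools import wraps
+from pathlib import Path
+from flask import Flask, jsonify, redirect, render_template, request, url_for
+app = Flask(__name__)
+CONFIG_FILE = "/data/proxy_config.json"
+NGINX_CONF_DIR = "/etc/nginx/conf.d"
+NGINX_UPSTREAM_CONF = f"{NGINX_CONF_DIR}/proxy-targets.conf"
+USERNAME = os.environ.get("WEBUI_USERNAME", "admin")
+PASSWORD = os.environ.get("WEBUI_PASSWORD", "admin123")
+def load_config():
+if os.path.exists(CONFIG_FILE):
+with open(CONFIG_FILE) as f:
+return json.load(f)
+return {"targets": []}
+def save_config(config):
+os.makedirs(os.path.dirname(CONFIG_FILE), exist_ok=True)
+with open(CONFIG_FILE, "w") as f:
+json.dump(config, f, indent=2)
+def generate_nginx_config(config):
+"""Generate nginx upstream/server blocks from config."""
+lines = []
+for i, target in enumerate(config.get("targets", [])):
+name = target.get("name", f"target_{i}")
+target_host = target.get("target_host", "")
+target_port = target.get("target_port", 80)
+listen_port = target.get("listen_port", 0)
+domains = target.get("domains", [])
+target_scheme = target.get("target_scheme", "http")
+if not target_host or not target.get("enabled", True):
+continue
+upstream_name = f"upstream_{name}"
+lines.append(f"upstream {upstream_name} {{")
+lines.append(f" server {target_host}:{target_port};")
+lines.append("}")
+lines.append("")
+# Domain-based routing
+if domains:
+for domain_entry in domains:
+domain = domain_entry.get("domain", "")
+domain_port = domain_entry.get("port", 443)
+if not domain:
+continue
+lines.append("server {")
+lines.append(f" listen {domain_port} ssl;")
+lines.append(f" server_name {domain};")
+lines.append("")
+lines.append(" ssl_certificate /certs/server.crt;")
+lines.append(" ssl_certificate_key /certs/server.key;")
+lines.append(" ssl_protocols TLSv1.2 TLSv1.3;")
+lines.append("")
+lines.append(f" location / {{")
+lines.append(f" proxy_pass {target_scheme}://{upstream_name};")
+lines.append(" proxy_set_header Host $host;")
+lines.append(" proxy_set_header X-Real-IP $remote_addr;")
+lines.append(" proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")
+lines.append(" proxy_set_header X-Forwarded-Proto $scheme;")
+lines.append(" proxy_http_version 1.1;")
+lines.append(' proxy_set_header Upgrade $http_upgrade;')
+lines.append(' proxy_set_header Connection "upgrade";')
+lines.append(" }")
+lines.append("}")
+lines.append("")
+# IP/Port-based routing
+if listen_port:
+lines.append("server {")
+lines.append(f" listen {listen_port} ssl;")
+lines.append(f" server_name _;")
+lines.append("")
+lines.append(" ssl_certificate /certs/server.crt;")
+lines.append(" ssl_certificate_key /certs/server.key;")
+lines.append(" ssl_protocols TLSv1.2 TLSv1.3;")
+lines.append("")
+lines.append(f" location / {{")
+lines.append(f" proxy_pass {target_scheme}://{upstream_name};")
+lines.append(" proxy_set_header Host $host;")
+lines.append(" proxy_set_header X-Real-IP $remote_addr;")
+lines.append(" proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")
+lines.append(" proxy_set_header X-Forwarded-Proto $scheme;")
+lines.append(" proxy_http_version 1.1;")
+lines.append(' proxy_set_header Upgrade $http_upgrade;')
+lines.append(' proxy_set_header Connection "upgrade";')
+lines.append(" }")
+lines.append("}")
+lines.append("")
+conf_content = "\n".join(lines)
+os.makedirs(NGINX_CONF_DIR, exist_ok=True)
+with open(NGINX_UPSTREAM_CONF, "w") as f:
+f.write(conf_content)
+return conf_content
+def reload_nginx():
+"""Reload nginx configuration."""
+try:
+result = subprocess.run(
+["nginx", "-t"],
+capture_output=True, text=True, timeout=10
+)
+if result.returncode != 0:
+return False, f"Nginx config test failed: {result.stderr}"
+result = subprocess.run(
+["nginx", "-s", "reload"],
+capture_output=True, text=True, timeout=10
+)
+if result.returncode != 0:
+return False, f"Nginx reload failed: {result.stderr}"
+return True, "Nginx reloaded successfully"
+except Exception as e:
+return False, str(e)
+def check_auth(f):
+@wraps(f)
+def decorated(*args, **kwargs):
+auth = request.authorization
+if not auth or auth.username != USERNAME or auth.password != PASSWORD:
+return (
+"Authentication required",
+401,
+{"WWW-Authenticate": 'Basic realm="Proxy Admin"'},
+)
+return f(*args, **kwargs)
+return decorated
+# ==================== WebUI Routes ====================
+@app.route("/")
+@check_auth
+def index():
+config = load_config()
+return render_template("index.html", config=config)
+@app.route("/target/add", methods=["POST"])
+@check_auth
+def add_target():
+config = load_config()
+domains = []
+domain_names = request.form.getlist("domain_name[]")
+domain_ports = request.form.getlist("domain_port[]")
+for name, port in zip(domain_names, domain_ports):
+if name.strip():
+domains.append({"domain": name.strip(), "port": int(port) if port else 443})
+target = {
+"name": request.form.get("name", "").strip().replace(" ", "_"),
+"target_host": request.form.get("target_host", "").strip(),
+"target_port": int(request.form.get("target_port", 80)),
+"target_scheme": request.form.get("target_scheme", "http"),
+"listen_port": int(request.form.get("listen_port", 0) or 0),
+"domains": domains,
+"enabled": True,
+}
+if not target["name"] or not target["target_host"]:
+return redirect(url_for("index"))
+config["targets"].append(target)
+save_config(config)
+generate_nginx_config(config)
+reload_nginx()
+return redirect(url_for("index"))
+@app.route("/target/<int:idx>/delete", methods=["POST"])
+@check_auth
+def delete_target(idx):
+config = load_config()
+if 0 <= idx < len(config["targets"]):
+config["targets"].pop(idx)
+save_config(config)
+generate_nginx_config(config)
+reload_nginx()
+return redirect(url_for("index"))
+@app.route("/target/<int:idx>/toggle", methods=["POST"])
+@check_auth
+def toggle_target(idx):
+config = load_config()
+if 0 <= idx < len(config["targets"]):
+config["targets"][idx]["enabled"] = not config["targets"][idx].get("enabled", True)
+save_config(config)
+generate_nginx_config(config)
+reload_nginx()
+return redirect(url_for("index"))
+@app.route("/target/<int:idx>/edit", methods=["POST"])
+@check_auth
+def edit_target(idx):
+config = load_config()
+if 0 <= idx < len(config["targets"]):
+domains = []
+domain_names = request.form.getlist("domain_name[]")
+domain_ports = request.form.getlist("domain_port[]")
+for name, port in zip(domain_names, domain_ports):
+if name.strip():
+domains.append({"domain": name.strip(), "port": int(port) if port else 443})
+config["targets"][idx] = {
+"name": request.form.get("name", "").strip().replace(" ", "_"),
+"target_host": request.form.get("target_host", "").strip(),
+"target_port": int(request.form.get("target_port", 80)),
+"target_scheme": request.form.get("target_scheme", "http"),
+"listen_port": int(request.form.get("listen_port", 0) or 0),
+"domains": domains,
+"enabled": config["targets"][idx].get("enabled", True),
+}
+save_config(config)
+generate_nginx_config(config)
+reload_nginx()
+return redirect(url_for("index"))
+# ==================== API Routes ====================
+@app.route("/api/targets", methods=["GET"])
+@check_auth
+def api_list_targets():
+config = load_config()
+return jsonify(config)
+@app.route("/api/targets", methods=["POST"])
+@check_auth
+def api_add_target():
+config = load_config()
+target = request.get_json()
+if not target:
+return jsonify({"error": "Invalid JSON"}), 400
+if not target.get("name") or not target.get("target_host"):
+return jsonify({"error": "name and target_host are required"}), 400
+target.setdefault("target_port", 80)
+target.setdefault("target_scheme", "http")
+target.setdefault("listen_port", 0)
+target.setdefault("domains", [])
+target.setdefault("enabled", True)
+config["targets"].append(target)
+save_config(config)
+generate_nginx_config(config)
+success, msg = reload_nginx()
+return jsonify({"status": "ok" if success else "warning", "message": msg, "target": target}), 201
+@app.route("/api/targets/<int:idx>", methods=["PUT"])
+@check_auth
+def api_update_target(idx):
+config = load_config()
+if idx < 0 or idx >= len(config["targets"]):
+return jsonify({"error": "Target not found"}), 404
+target = request.get_json()
+if not target:
+return jsonify({"error": "Invalid JSON"}), 400
+config["targets"][idx] = target
+save_config(config)
+generate_nginx_config(config)
+success, msg = reload_nginx()
+return jsonify({"status": "ok" if success else "warning", "message": msg})
+@app.route("/api/targets/<int:idx>", methods=["DELETE"])
+@check_auth
+def api_delete_target(idx):
+config = load_config()
+if idx < 0 or idx >= len(config["targets"]):
+return jsonify({"error": "Target not found"}), 404
+removed = config["targets"].pop(idx)
+save_config(config)
+generate_nginx_config(config)
+success, msg = reload_nginx()
+return jsonify({"status": "ok" if success else "warning", "message": msg, "removed": removed})
+@app.route("/api/reload", methods=["POST"])
+@check_auth
+def api_reload():
+config = load_config()
+generate_nginx_config(config)
+success, msg = reload_nginx()
+return jsonify({"status": "ok" if success else "error", "message": msg})
+if __name__ == "__main__":
+app.run(host="0.0.0.0", port=5000, debug=True)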
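Review bot: generate_nginx_config interpolates `name`, `target_host`, both ports, `target_scheme` and every `domain` straight into proxy-targets.conf, yet none of the four write paths validate them — add_target and edit_target only strip spaces from `name` (`.strip().replace(" ", "_")`), api_add_target checks presence only, and api_update_target stores whatever JSON object arrives — so a value containing `;`, `}` or a newline becomes additional nginx directives inside the generated server block, and a non-numeric form port turns `int(...)` into a 500. Validate every field before `save_config(config)` in all four routes and reject the request on failure (sketch below; it needs `import re` and the regexes are deliberately conservative). check_auth compares the password with `!=`; `hmac.compare_digest(auth.password, PASSWORD)` (with `import hmac`) removes the timing side channel, and the form routes carry no CSRF token although browsers replay Basic-Auth credentials automatically, so a visited page can submit `/target/add` on the admin's behalf. `app.run(host="0.0.0.0", port=5000, debug=True)` on the last line enables the Werkzeug debugger whenever the module is run directly; keep debug off outside development.
```python
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # hostname or IPv4; no IPv6 on purpose
_SCHEMES = {"http", "https"}


def _valid_port(value, allow_zero=False):
    """Return True when value is an int inside the TCP port range (0 only if allowed)."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False
    return (allow_zero and value == 0) or 1 <= value <= 65535


def validate_target(target):
    """Return None when target can be rendered into nginx.conf safely, else an error message."""
    if not isinstance(target, dict):
        return "target must be a JSON object"
    if not _NAME_RE.fullmatch(str(target.get("name", ""))):
        return "name may only contain letters, digits, '_', '.' and '-'"
    if not _HOST_RE.fullmatch(str(target.get("target_host", ""))):
        return "target_host must be a hostname or IPv4 address"
    if target.get("target_scheme", "http") not in _SCHEMES:
        return "target_scheme must be http or https"
    if not _valid_port(target.get("target_port", 80)):
        return "target_port must be 1-65535"
    if not _valid_port(target.get("listen_port", 0), allow_zero=True):
        return "listen_port must be 0 or 1-65535"
    for entry in target.get("domains", []):
        if not isinstance(entry, dict) or not _HOST_RE.fullmatch(str(entry.get("domain", ""))):
            return "domain must be a hostname"
        if not _valid_port(entry.get("port", 443)):
            return "domain port must be 1-65535"
    return None


# … in api_add_target and api_update_target, before save_config(config) …
    error = validate_target(target)
    if error:
        return jsonify({"error": error}), 400
# … in add_target and edit_target the same check redirects to index instead …
# … unchanged: save_config / generate_nginx_config / reload_nginx …
```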

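--- /dev/null
+++ b/app/requirements.txt
@@ -0,0 +1,2 @@
+flask==3.1.1
+gunicorn==23.0.0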

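--- /dev/null
+++ b/app/templates/index.html
+<!DOCTYPE html>
+<html lang="de">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>HTTPS Proxy - Admin</title>
+<style>
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body {
+font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+background: #1a1a2e;
+color: #e0e0e0;
+min-height: 100vh;
+}
+.header {
+background: #16213e;
+padding: 20px 30px;
+border-bottom: 2px solid #0f3460;
+display: flex;
+justify-content: space-between;
+align-items: center;
+}
+.header h1 { color: #00d4ff; font-size: 1.5em; }
+.header .badge {
+background: #0f3460;
+color: #00d4ff;
+padding: 5px 15px;
+border-radius: 20px;
+font-size: 0.85em;
+}
+.container { max-width: 1100px; margin: 30px auto; padding: 0 20px; }
+/* Card style */
+.card {
+background: #16213e;
+border-radius: 10px;
+padding: 25px;
+margin-bottom: 25px;
+border: 1px solid #0f3460;
+}
+.card h2 {
+color: #00d4ff;
+margin-bottom: 20px;
+font-size: 1.2em;
+border-bottom: 1px solid #0f3460;
+padding-bottom: 10px;
+}
+/* Form styles */
+.form-row {
+display: flex;
+gap: 15px;
+margin-bottom: 15px;
+flex-wrap: wrap;
+}
+.form-group {
+display: flex;
+flex-direction: column;
+flex: 1;
+min-width: 150px;
+}
+.form-group label {
+font-size: 0.85em;
+color: #8899aa;
+margin-bottom: 5px;
+}
+input, select {
+background: #1a1a2e;
+border: 1px solid #0f3460;
+color: #e0e0e0;
+padding: 10px 12px;
+border-radius: 6px;
+font-size: 0.95em;
+}
+input:focus, select:focus {
+outline: none;
+border-color: #00d4ff;
+}
+.btn {
+padding: 10px 20px;
+border: none;
+border-radius: 6px;
+cursor: pointer;
+font-size: 0.9em;
+font-weight: 600;
+transition: all 0.2s;
+}
+.btn-primary { background: #00d4ff; color: #1a1a2e; }
+.btn-primary:hover { background: #00b8d4; }
+.btn-danger { background: #e74c3c; color: white; }
+.btn-danger:hover { background: #c0392b; }
+.btn-success { background: #2ecc71; color: #1a1a2e; }
+.btn-success:hover { background: #27ae60; }
+.btn-warning { background: #f39c12; color: #1a1a2e; }
+.btn-warning:hover { background: #e67e22; }
+.btn-sm { padding: 6px 12px; font-size: 0.8em; }
+/* Domain list */
+.domain-list { margin-top: 10px; }
+.domain-entry {
+display: flex;
+gap: 10px;
+margin-bottom: 8px;
+align-items: center;
+}
+.domain-entry input { flex: 1; }
+.domain-entry .port-input { width: 100px; flex: none; }
+.remove-domain {
+background: #e74c3c;
+color: white;
+border: none;
+border-radius: 50%;
+width: 28px;
+height: 28px;
+cursor: pointer;
+font-size: 1.1em;
+line-height: 1;
+}
+/* Target list */
+.target-item {
+background: #1a1a2e;
+border: 1px solid #0f3460;
+border-radius: 8px;
+padding: 20px;
+margin-bottom: 15px;
+}
+.target-header {
+display: flex;
+justify-content: space-between;
+align-items: center;
+margin-bottom: 12px;
+}
+.target-name {
+font-size: 1.1em;
+font-weight: 600;
+color: #00d4ff;
+}
+.target-details {
+display: flex;
+flex-wrap: wrap;
+gap: 15px;
+font-size: 0.9em;
+}
+.target-detail {
+background: #16213e;
+padding: 5px 12px;
+border-radius: 5px;
+}
+.target-detail span { color: #8899aa; }
+.status-enabled { color: #2ecc71; }
+.status-disabled { color: #e74c3c; }
+.actions { display: flex; gap: 8px; }
+/* Collapsible edit form */
+.edit-form {
+display: none;
+margin-top: 15px;
+padding-top: 15px;
+border-top: 1px solid #0f3460;
+}
+.edit-form.active { display: block; }
+/* API section */
+.api-info {
+background: #1a1a2e;
+padding: 15px;
+border-radius: 6px;
+font-family: 'Courier New', monospace;
+font-size: 0.85em;
+overflow-x: auto;
+}
+.api-info code {
+color: #2ecc71;
+}
+.api-method {
+display: inline-block;
+padding: 2px 8px;
+border-radius: 4px;
+font-weight: 600;
+font-size: 0.8em;
+margin-right: 8px;
+}
+.api-get { background: #2ecc71; color: #1a1a2e; }
+.api-post { background: #f39c12; color: #1a1a2e; }
+.api-put { background: #3498db; color: white; }
+.api-delete { background: #e74c3c; color: white; }
+.empty-state {
+text-align: center;
+padding: 40px;
+color: #8899aa;
+}
+.empty-state p { margin-top: 10px; }
+</style>
+</head>
+<body>
+<div class="header">
+<h1>HTTPS Reverse Proxy</h1>
+<span class="badge">Self-Signed SSL - 100 Jahre</span>
+</div>
+<div class="container">
+<!-- Add new target -->
+<div class="card">
+<h2>Neues Proxy-Ziel hinzufuegen</h2>
+<form method="POST" action="/target/add" id="addForm">
+<div class="form-row">
+<div class="form-group">
+<label>Name</label>
+<input type="text" name="name" placeholder="z.B. mein-service" required>
+</div>
+<div class="form-group">
+<label>Ziel-Host (IP/Hostname)</label>
+<input type="text" name="target_host" placeholder="z.B. 192.168.1.100" required>
+</div>
+<div class="form-group">
+<label>Ziel-Port</label>
+<input type="number" name="target_port" value="80" min="1" max="65535">
+</div>
+<div class="form-group">
+<label>Ziel-Schema</label>
+<select name="target_scheme">
+<option value="http">HTTP</option>
+<option value="https">HTTPS</option>
+</select>
+</div>
+</div>
+<div class="form-row">
+<div class="form-group" style="max-width: 200px;">
+<label>Listen-Port (fuer IP-Zugriff)</label>
+<input type="number" name="listen_port" placeholder="z.B. 8080" min="0" max="65535">
+</div>
+</div>
+<div class="form-group">
+<label>Domaenen (optional - fuer Domain-basiertes Routing)</label>
+<div class="domain-list" id="newDomains">
+<div class="domain-entry">
+<input type="text" name="domain_name[]" placeholder="z.B. app.example.local">
+<input type="number" name="domain_port[]" class="port-input" value="443" min="1" max="65535" placeholder="Port">
+<button type="button" class="remove-domain" onclick="this.parentElement.remove()">&times;</button>
+</div>
+</div>
+<button type="button" class="btn btn-sm btn-primary" style="margin-top:8px" onclick="addDomainField('newDomains')">+ Domain hinzufuegen</button>
+</div>
+<div style="margin-top: 20px;">
+<button type="submit" class="btn btn-success">Proxy-Ziel hinzufuegen</button>
+</div>
+</form>
+</div>
+<!-- Target list -->
+<div class="card">
+<h2>Aktive Proxy-Ziele ({{ config.targets | length }})</h2>
+{% if config.targets %}
+{% for target in config.targets %}
+<div class="target-item">
+<div class="target-header">
+<div>
+<span class="target-name">{{ target.name }}</span>
+{% if target.enabled %}
+<span class="status-enabled"> ● Aktiv</span>
+{% else %}
+<span class="status-disabled"> ● Deaktiviert</span>
+{% endif %}
+</div>
+<div class="actions">
+<button class="btn btn-sm btn-primary" onclick="toggleEdit({{ loop.index0 }})">Bearbeiten</button>
+<form method="POST" action="/target/{{ loop.index0 }}/toggle" style="display:inline">
+<button type="submit" class="btn btn-sm btn-warning">
+{{ "Deaktivieren" if target.enabled else "Aktivieren" }}
+</button>
+</form>
+<form method="POST" action="/target/{{ loop.index0 }}/delete" style="display:inline"
+onsubmit="return confirm('Wirklich loeschen?')">
+<button type="submit" class="btn btn-sm btn-danger">Loeschen</button>
+</form>
+</div>
+</div>
+<div class="target-details">
+<div class="target-detail">
+<span>Ziel:</span> {{ target.target_scheme }}://{{ target.target_host }}:{{ target.target_port }}
+</div>
+{% if target.listen_port %}
+<div class="target-detail">
+<span>Listen-Port:</span> {{ target.listen_port }}
+</div>
+{% endif %}
+{% for d in target.domains %}
+<div class="target-detail">
+<span>Domain:</span> {{ d.domain }}:{{ d.port }}
+</div>
+{% endfor %}
+</div>
+<!-- Edit form -->
+<div class="edit-form" id="edit-{{ loop.index0 }}">
+<form method="POST" action="/target/{{ loop.index0 }}/edit">
+<div class="form-row">
+<div class="form-group">
+<label>Name</label>
+<input type="text" name="name" value="{{ target.name }}" required>
+</div>
+<div class="form-group">
+<label>Ziel-Host</label>
+<input type="text" name="target_host" value="{{ target.target_host }}" required>
+</div>
+<div class="form-group">
+<label>Ziel-Port</label>
+<input type="number" name="target_port" value="{{ target.target_port }}">
+</div>
+<div class="form-group">
+<label>Schema</label>
+<select name="target_scheme">
+<option value="http" {{ "selected" if target.target_scheme == "http" }}>HTTP</option>
+<option value="https" {{ "selected" if target.target_scheme == "https" }}>HTTPS</option>
+</select>
+</div>
+</div>
+<div class="form-row">
+<div class="form-group" style="max-width: 200px;">
+<label>Listen-Port</label>
+<input type="number" name="listen_port" value="{{ target.listen_port or '' }}">
+</div>
+</div>
+<div class="form-group">
+<label>Domaenen</label>
+<div class="domain-list" id="editDomains{{ loop.index0 }}">
+{% for d in target.domains %}
+<div class="domain-entry">
+<input type="text" name="domain_name[]" value="{{ d.domain }}">
+<input type="number" name="domain_port[]" class="port-input" value="{{ d.port }}">
+<button type="button" class="remove-domain" onclick="this.parentElement.remove()">&times;</button>
+</div>
+{% endfor %}
+</div>
+<button type="button" class="btn btn-sm btn-primary" style="margin-top:8px"
+onclick="addDomainField('editDomains{{ loop.index0 }}')">+ Domain</button>
+</div>
+<div style="margin-top: 15px;">
+<button type="submit" class="btn btn-success">Speichern</button>
+<button type="button" class="btn btn-sm" style="background:#0f3460;color:#e0e0e0"
+onclick="toggleEdit({{ loop.index0 }})">Abbrechen</button>
+</div>
+</form>
+</div>
+</div>
+{% endfor %}
+{% else %}
+<div class="empty-state">
+<h3>Keine Proxy-Ziele konfiguriert</h3>
+<p>Fuege oben ein neues Ziel hinzu, um den Proxy zu starten.</p>
+</div>
+{% endif %}
+</div>
+<!-- API Documentation -->
+<div class="card">
+<h2>API-Dokumentation</h2>
+<p style="margin-bottom: 15px; color: #8899aa;">
+Alle Endpunkte erfordern HTTP Basic Auth (gleiche Zugangsdaten wie die WebUI).
+</p>
+<div class="api-info" style="margin-bottom: 10px;">
+<p><span class="api-method api-get">GET</span> <code>/api/targets</code> - Alle Ziele auflisten</p>
+</div>
+<div class="api-info" style="margin-bottom: 10px;">
+<p><span class="api-method api-post">POST</span> <code>/api/targets</code> - Neues Ziel hinzufuegen</p>
+<pre style="margin-top:8px;color:#8899aa">curl -k -u admin:password -X POST https://localhost:8443/api/targets \
+-H "Content-Type: application/json" \
+-d '{"name":"my-app","target_host":"192.168.1.50","target_port":3000,
+"listen_port":9443,"domains":[{"domain":"app.local","port":443}]}'</pre>
+</div>
+<div class="api-info" style="margin-bottom: 10px;">
+<p><span class="api-method api-put">PUT</span> <code>/api/targets/&lt;id&gt;</code> - Ziel aktualisieren</p>
+</div>
+<div class="api-info" style="margin-bottom: 10px;">
+<p><span class="api-method api-delete">DELETE</span> <code>/api/targets/&lt;id&gt;</code> - Ziel loeschen</p>
+</div>
+<div class="api-info">
+<p><span class="api-method api-post">POST</span> <code>/api/reload</code> - Nginx-Konfiguration neu laden</p>
+</div>
+</div>
+</div>
+<script>
+function addDomainField(containerId) {
+const container = document.getElementById(containerId);
+const entry = document.createElement('div');
+entry.className = 'domain-entry';
+entry.innerHTML = `
+<input type="text" name="domain_name[]" placeholder="z.B. app.example.local">
+<input type="number" name="domain_port[]" class="port-input" value="443" min="1" max="65535" placeholder="Port">
+<button type="button" class="remove-domain" onclick="this.parentElement.remove()">&times;</button>
+`;
+container.appendChild(entry);
+}
+function toggleEdit(idx) {
+const form = document.getElementById('edit-' + idx);
+form.classList.toggle('active');
+}
+</script>
+</body>
+</html>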
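Review bot: The API example in the documentation card (`curl -k -u admin:password -X POST https://localhost:8443/api/targets \`) teaches two habits the project should not encourage: `-k` disables certificate verification even though generate-certs.sh produces a CA whose certificate can be trusted explicitly, and `-u admin:password` puts the secret into shell history and the process list. Change the example to `curl --cacert ./certs/ca.crt -u admin -X POST https://localhost:8443/api/targets \` so curl prompts for the password and validates the chain (`localhost` and `127.0.0.1` are in the generated SAN, as is the CERT_CN). The edit form's port inputs (`target_port`, `listen_port`, `domain_port[]`) also lack the `min`/`max` attributes the add form carries; copy `min="1" max="65535"` over so the browser rejects out-of-range values before the server has to.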

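--- /dev/null
+++ b/certs/generate-certs.sh
+#!/bin/bash
+set -e
+CERT_DIR="/certs"
+CA_KEY="$CERT_DIR/ca.key"
+CA_CERT="$CERT_DIR/ca.crt"
+SERVER_KEY="$CERT_DIR/server.key"
+SERVER_CSR="$CERT_DIR/server.csr"
+SERVER_CERT="$CERT_DIR/server.crt"
+# Defaults
+CERT_COUNTRY="${CERT_COUNTRY:-DE}"
+CERT_STATE="${CERT_STATE:-Bavaria}"
+CERT_CITY="${CERT_CITY:-Munich}"
+CERT_ORG="${CERT_ORG:-MyOrganization}"
+CERT_OU="${CERT_OU:-IT}"
+CERT_CN="${CERT_CN:-proxy.local}"
+CERT_DAYS="${CERT_DAYS:-36500}"
+# Skip if certs already exist
+if [ -f "$CA_CERT" ] && [ -f "$SERVER_CERT" ] && [ -f "$SERVER_KEY" ]; then
+echo "Certificates already exist. Skipping generation."
+echo "Delete files in $CERT_DIR to regenerate."
+exit 0
+fi
+echo "=== Generating CA (Certificate Authority) ==="
+openssl genrsa -out "$CA_KEY" 4096
+openssl req -new -x509 -days "$CERT_DAYS" -key "$CA_KEY" -out "$CA_CERT" \
+-subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN CA"
+echo "=== Generating Server Certificate ==="
+openssl genrsa -out "$SERVER_KEY" 4096
+openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR" \
+-subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN"
+# Create extension file for SAN (Subject Alternative Names)
+cat > "$CERT_DIR/server.ext" <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName=@alt_names
+[alt_names]
+DNS.1=$CERT_CN
+DNS.2=localhost
+IP.1=127.0.0.1
+EOF
+openssl x509 -req -in "$SERVER_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
+-CAcreateserial -out "$SERVER_CERT" -days "$CERT_DAYS" \
+-extfile "$CERT_DIR/server.ext"
+# Cleanup
+rm -f "$SERVER_CSR" "$CERT_DIR/server.ext" "$CERT_DIR/ca.srl"
+echo "=== Certificates generated successfully ==="
+echo "CA Certificate: $CA_CERT"
+echo "Server Certificate: $SERVER_CERT"
+echo "Server Key: $SERVER_KEY"
+echo "Validity: $CERT_DAYS days (~$(($CERT_DAYS / 365)) years)"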
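Review bot: The SAN list is hard-wired to `$CERT_CN`, `localhost` and `127.0.0.1` (`DNS.1` to `IP.1` in the heredoc), so any other name or address clients use to reach the proxy fails verification and pushes them toward `curl -k` or browser overrides; an extra variable such as `CERT_SAN_EXTRA` whose entries are appended under `[alt_names]` would let operators list their real hostnames and IPs. The CA key stays in `$CERT_DIR` next to the server key on the bind-mounted host directory and is only needed again to reissue; make the permissions explicit with `chmod 600 "$CA_KEY" "$SERVER_KEY"` after generation and say in the success banner that `ca.key` can be moved offline once `ca.crt` has been distributed. `CERT_DAYS=36500` applies to the leaf certificate as well as the CA; some clients cap the validity they accept for server certificates, so a long-lived CA with a shorter server certificate that this script regenerates near expiry is likely the more robust split. The extension file also omits `extendedKeyUsage=serverAuth`, which a few validators want on a TLS server certificate.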

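--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,22 @@
+services:
+https-proxy:
+build: .
+container_name: https-proxy
+restart: unless-stopped
+environment:
+# Certificate settings
+- CERT_COUNTRY=${CERT_COUNTRY:-DE}
+- CERT_STATE=${CERT_STATE:-Bavaria}
+- CERT_CITY=${CERT_CITY:-Munich}
+- CERT_ORG=${CERT_ORG:-MyOrganization}
+- CERT_OU=${CERT_OU:-IT}
+- CERT_CN=${CERT_CN:-proxy.local}
+- CERT_DAYS=${CERT_DAYS:-36500}
+# WebUI settings
+- WEBUI_PORT=${WEBUI_PORT:-8443}
+- WEBUI_USERNAME=${WEBUI_USERNAME:-admin}
+- WEBUI_PASSWORD=${WEBUI_PASSWORD:-admin123}
+network_mode: host
+volumes:
+- ./certs:/certs
+- ./data:/data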
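Review bot: `- ./certs:/certs` bind-mounts the certificate directory from the repository checkout, so generate-certs.sh writes `ca.key` and `server.key` into the working tree next to the committed `generate-certs.sh`; the commit lists nine files and none of them is a `.gitignore`, so the private keys and `data/proxy_config.json` (which holds every internal target host) will be picked up by the next `git add -A`. Add a `.gitignore` with `certs/*.key`, `certs/*.crt`, `certs/*.srl` and `data/`, or mount named volumes instead of host paths. A short comment above `volumes:` such as `# certs/ receives the generated CA and server private keys - keep it out of version control` would make the intent visible to anyone who copies this file.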

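--- /dev/null
+++ b/nginx/entrypoint.sh
+#!/bin/bash
+set -e
+echo "=== Starting HTTPS Proxy ==="
+# Set default for WEBUI_PORT
+export WEBUI_PORT="${WEBUI_PORT:-8443}"
+# Generate certificates if needed
+/certs/generate-certs.sh
+# Replace env vars in nginx config template
+envsubst '${WEBUI_PORT}' < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
+# Ensure conf.d directory exists with empty config
+mkdir -p /etc/nginx/conf.d
+touch /etc/nginx/conf.d/proxy-targets.conf
+# Load existing config and generate nginx config
+if [ -f /data/proxy_config.json ]; then
+echo "Loading existing proxy configuration..."
+python3 -c "
+import sys
+sys.path.insert(0, '/app')
+from app import load_config, generate_nginx_config
+config = load_config()
+generate_nginx_config(config)
+print('Nginx config generated from saved configuration.')
+"
+fi
+# Start gunicorn in background
+echo "Starting WebUI..."
+cd /app
+gunicorn --bind 127.0.0.1:5000 --workers 2 --timeout 120 app:app &
+# Start nginx in foreground
+echo "Starting Nginx..."
+exec nginx -g "daemon off;"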
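Review bot: gunicorn is started with `&` and then `exec nginx -g "daemon off;"` replaces the shell, so the WebUI process is orphaned under an nginx PID 1 that neither supervises nor reaps it — if gunicorn crashes, the proxy keeps running while the admin UI answers 502 indefinitely, and `set -e` cannot see it. Run both in the background and exit when either stops, e.g. `gunicorn --bind 127.0.0.1:5000 --workers 2 --timeout 120 app:app &`, `nginx -g "daemon off;" &`, `wait -n; exit $?`, so the compose `restart: unless-stopped` policy brings the pair back (add a `trap` that forwards SIGTERM to both, or `init: true` in compose, so shutdown stays clean). The startup snippet also regenerates proxy-targets.conf from the saved JSON without testing it; a broken saved entry then stops the container at `exec nginx` with no way to repair it from the UI, so run `nginx -t` after generation and fall back to an empty proxy-targets.conf with a logged warning when it fails.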

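--- /dev/null
+++ b/nginx/nginx.conf
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+access_log /var/log/nginx/access.log main;
+sendfile on;
+keepalive_timeout 65;
+# WebUI / Admin interface
+server {
+listen ${WEBUI_PORT} ssl default_server;
+server_name _;
+ssl_certificate /certs/server.crt;
+ssl_certificate_key /certs/server.key;
+ssl_protocols TLSv1.2 TLSv1.3;
+location / {
+proxy_pass http://127.0.0.1:5000;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+}
+}
+# Include dynamic proxy configurations
+include /etc/nginx/conf.d/*.conf;
+}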
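Review bot: The admin server block uses `listen ${WEBUI_PORT} ssl default_server;` with `server_name _;`, which under the compose file's `network_mode: host` binds the WebUI on every address of the host; the only gate in front of it is the Basic-Auth check in app.py, with no request-rate limit, so password guessing runs at line speed. Bind it to loopback by default, `listen 127.0.0.1:${WEBUI_PORT} ssl default_server;` (or introduce a `WEBUI_BIND` variable and add it to the `envsubst` list in entrypoint.sh), and throttle the admin location with `limit_req_zone $binary_remote_addr zone=admin:1m rate=10r/s;` in the `http` block and `limit_req zone=admin burst=20;` inside `location /` (values illustrative). `server_tokens off;` in the `http` block is also cheap and removes the version string from the admin UI and from every generated proxy block, which inherit this `http` context.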