December 24, 2024

Clustered multiarchitecture docker buildx nodes

When building multi-architecture container images, the most common setup uses QEMU. While this works well, it is also quite slow, because every instruction of the foreign architecture has to be emulated. Most builds today target linux/amd64 and linux/arm64, since arm64 client and server hardware has become widely available (MacBooks, Ampere, Graviton, …) and of course the Raspberry Pi 😀. If you have access to multiple nodes of different architectures but want a single multi-arch image without stitching two independent images together (docker buildx imagetools create), you can use a cluster of multiple nodes to do so. Read more

September 14, 2024

ngrok alternative²: frp + Caddy + Lets Encrypt

Update of ngrok alternative: localtunnel + Caddy + Lets Encrypt, but using frp - fast reverse proxy. In addition to the default setup, we are adding multiuser auth support using an frp server plugin.

Setup frps - server

Prepare a dedicated user and folders:

```shell
sudo useradd -m -s /bin/bash -b /var/lib -r frp
sudo install -d -o frp -g frp -m 700 /etc/frp
```

Fetch the binary from the frp releases (verify the archive against the checksums published with the release before installing it). Example:

```shell
release=0.60.0
curl -sfL "https://github.com/fatedier/frp/releases/download/v${release}/frp_${release}_linux_amd64.tar.gz" \
  | sudo tar -xzf - -C /usr/local/bin --strip-components=1 "frp_${release}_linux_amd64/frps"
```

Create the config file /etc/frp/frps.toml according to your needs. I'll use this example for now:

```toml
bindPort = 7000
vhostHTTPPort = 7001
webServer.port = 7500   # dashboard; has no authentication unless webServer.user/webServer.password are set
subDomainHost = "your-subdomain.example.com"

# server plugin: frps POSTs every Login to this endpoint over plain HTTP,
# so keep the plugin listening on loopback only
[[httpPlugins]]
name = "user-login"
addr = "127.0.0.1:8000"
path = "/login"
ops = ["Login"]
```

Create a systemd unit by adding the following to /etc/systemd/system/frp-server.service:

```ini
[Unit]
Description=frp (fast reverse proxy) - server
After=network.target
Documentation=https://github.com/fatedier/frp

[Service]
ExecStart=/usr/local/bin/frps --config /etc/frp/frps.toml
User=frp
Group=frp
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
```

Start and enable it:

```shell
systemctl enable --now frp-server.service
```

Caddy

We will also set up protection for the wildcard subdomains, so that certificates are only issued for subdomains registered with frp, using a custom ask endpoint. Read more
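The plugin referenced by the `[[httpPlugins]]` block and the Caddy ask endpoint can live in one small process. The following is an added example written for this page, not code from the post or from the frp project: it answers frps's server-plugin requests (frps POSTs a JSON document with `version`, `op` and `content` to `addr + path` and expects `{"reject": ..., "unchange": ...}` back) and serves Caddy's on-demand TLS `ask` check (a GET with a `domain` query parameter, where a 2xx status permits issuance). The user table, the tokens, the `/ask` path and the convention that frpc clients send their token as `metadatas.token` (which frps forwards as `content.metas.token`) are assumptions of the example; handling `NewProxy` additionally requires `ops = ["Login", "NewProxy"]` in frps.toml, which the config above does not yet include.

```python
"""frps server plugin (Login/NewProxy) plus Caddy on_demand_tls 'ask' endpoint.

Added example for this page, not frp's or the post author's code. Users,
tokens and hostnames are constructed for the example.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

SUBDOMAIN_HOST = "your-subdomain.example.com"  # same value as subDomainHost in frps.toml

# Constructed credential table (hypothetical users and tokens). Clients are
# assumed to send their token via frpc's metadatas.token.
USERS = {
    "alice": "alice-token-0123",
    "bob": "bob-token-4567",
}

# subdomain -> owning user, filled by accepted NewProxy requests
REGISTERED = {}


def _reject(reason):
    return {"reject": True, "reject_reason": reason}


def _allow():
    return {"reject": False, "unchange": True}


def handle_plugin(req):
    """Handle one JSON-decoded frps plugin request and return the reply body."""
    op = req.get("op")
    content = req.get("content") or {}
    if op == "Login":
        user = content.get("user") or ""
        token = (content.get("metas") or {}).get("token") or ""
        expected = USERS.get(user)
        # Constant-time comparison; unknown user and wrong token get the same reason.
        if expected is None or not hmac.compare_digest(token.encode(), expected.encode()):
            return _reject("invalid user or token")
        return _allow()
    if op == "NewProxy":
        user = (content.get("user") or {}).get("user") or ""
        sub = (content.get("subdomain") or "").lower()
        # Only subdomain-based proxies are permitted here, and the name must be
        # <user> or <user>-<something>, so a client cannot claim another user's name.
        if not sub or not (sub == user or sub.startswith(user + "-")):
            return _reject("subdomain must be <user> or <user>-<name>")
        owner = REGISTERED.get(sub)
        if owner is not None and owner != user:
            return _reject("subdomain already registered by another user")
        REGISTERED[sub] = user
        return _allow()
    return _reject("unsupported op %r" % (op,))


def ask_allowed(domain):
    """Caddy ask check: True only for a registered name directly under SUBDOMAIN_HOST."""
    suffix = "." + SUBDOMAIN_HOST
    domain = domain.lower()
    if not domain.endswith(suffix):
        return False
    return domain[: -len(suffix)] in REGISTERED


class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):  # frps -> /login?version=0.1.0&op=Login
        if urlparse(self.path).path != "/login":
            return self._send(404, _reject("not found"))
        length = int(self.headers.get("Content-Length", "0"))
        try:
            req = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            return self._send(400, _reject("bad json"))
        self._send(200, handle_plugin(req))

    def do_GET(self):  # Caddy -> /ask?domain=<name>; only 2xx permits issuance
        url = urlparse(self.path)
        domain = parse_qs(url.query).get("domain", [""])[0]
        if url.path == "/ask" and ask_allowed(domain):
            return self._send(200, {"allowed": True})
        self._send(403, {"allowed": False})


if __name__ == "__main__":
    # Loopback only: frps and Caddy reach this over plain HTTP on the same host.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

On the Caddy side this pairs with an `on_demand_tls { ask http://127.0.0.1:8000/ask }` global option and `tls { on_demand }` on the wildcard site block, so a certificate for `name.your-subdomain.example.com` is only requested once an authenticated frpc has registered `name`. The registration table is in memory here; a restart of the plugin empties it until clients reconnect.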

June 28, 2022

ACME TLS for localhost with traefik and smallstep

If you're using docker for your local development environment and need to develop against TLS-secured endpoints (which you should, since production will run TLS anyway), you can combine traefik with smallstep. In this example, docker is used as the configuration provider: traefik picks up containers via labels. The important parts are commented inline.

```yaml
---
version: '3.8'
services:
  step-ca:
    image: smallstep/step-ca:0.24.2
    volumes:
      - step-ca:/home/step # shared volume between step-ca and traefik to access root ca
    environment:
      DOCKER_STEPCA_INIT_NAME: "Step CA"
      DOCKER_STEPCA_INIT_DNS_NAMES: "localhost,step-ca" # must at least include name of step-ca service which is referenced as acme.caserver
      DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT: "true"
      DOCKER_STEPCA_INIT_ACME: "true" # initialize acme provider
    networks:
      - traefik
  traefik:
    depends_on:
      - step-ca
    image: traefik:2.10
    command:
      - '--providers.docker=true'
      - '--providers.docker.network=traefik'
      - '--providers.docker.exposedByDefault=false'
      - '--api.dashboard=true'
      - '--api.insecure=true' # unauthenticated dashboard on :8080; not published below, local development only
      - '--accesslog=true'
      - '--pilot.dashboard=false'
      - '--entryPoints.web.address=:80'
      - '--entryPoints.web.http.redirections.entryPoint.to=websecure'
      - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
      - '--entrypoints.web.http.redirections.entrypoint.permanent=true'
      - '--entryPoints.websecure.address=:443' # enable secure endpoint
      - '--entrypoints.websecure.http.tls.certResolver=step-ca' # use step-ca as certresolver
      - '--certificatesresolvers.step-ca.acme.caserver=https://step-ca:9000/acme/acme/directory' # step-ca acme endpoint
      - '--certificatesresolvers.step-ca.acme.email=traefik@localhost.localdomain'
      - '--certificatesresolvers.step-ca.acme.tlsChallenge=true' # enable tls-alpn-01 challenge
    environment:
      LEGO_CA_CERTIFICATES: /home/step/certs/root_ca.crt # use root ca created by step-ca
    networks:
      - traefik
    ports:
      - target: 80
        published: 80
        mode: host
      - target: 443
        published: 443
        mode: host
    volumes:
      - step-ca:/home/step # shared volume between step-ca and traefik to access root ca
      - /var/run/docker.sock:/var/run/docker.sock # docker provider; grants traefik full control of the docker daemon
    labels:
      traefik.enable: true
      traefik.http.routers.traefik-https.rule: Host(`traefik.localhost`)
      traefik.http.routers.traefik-https.entrypoints: websecure
      traefik.http.routers.traefik-https.service: api@internal
networks:
  traefik: {}
volumes:
  step-ca: {}
```

Two things to keep in mind: the mounted docker socket gives the traefik container root-equivalent control of the host's docker daemon, and `--api.insecure=true` exposes the dashboard without authentication, so this setup is for local development only. To trust the issued certificates on your machine, import the root CA from the shared volume (/home/step/certs/root_ca.crt) into your local trust store.

September 22, 2020

ngrok alternative: localtunnel + Caddy + Lets Encrypt

Update: See the more up-to-date post ngrok alternative²: frp + Caddy + Lets Encrypt. Sometimes you want to show localhost to the world, or need real-world access for testing or callback URLs. Usually you're using ngrok. That's okay, I do too. But sometimes you are a paranoid bastard and there's no way you're routing your data through alien infrastructure. This is where localtunnel kicks in. For wildcard subdomains, you'll also need a wildcard subdomain DNS entry and a load balancer/reverse proxy. This could be done using e.g. Route53 and an ALB with wildcard certificates on AWS, or using Caddy and Let's Encrypt on your own infrastructure, like I did. Read more