1. 13

  2. 5

    My goal there was to provide simplest possible proxy that would allow me to dynamically add and remove the applications from the system during development. It provides passthrough TLS proxying as well as TLS terminating proxy. TLS terminating proxy will automatically create self-signed certificate (in future it will allow defining CA certificates as well as it should support working as ACME CA).

    For creating sockets for services it uses systemd-compatible interface where there is FD passed down to the spawned process, this approach allows it to “simulate” socket-activated processes (which are IMHO great idea).

    1. 2

      That looks great. It’s part of the list of projects that I want to tackle and had a similar design in mind. With similar ideas around localhost ACME as well.

      Two things that come to mind:

      • .localhost doesn’t resolve on all the machines. I think it depends on the NSS config. TBI.
      • the CA can be created with a name constraint. So even if it gets leaked, the attacker cannot MITM other domains than .localhost.
      1. 2

        I know that it do not resolved to loop back everywhere by default. I strongly believe that it should, that would make life of everyone much easier, but the RFC died in drafts. I have configured DNSmasq on my Mac to do so. systemd-resolved does so by default AFAIK. I was thinking about adding built in DNS into Dolores that will help with such configuration on macOS, but I am not sure if it is good idea.