add captive portal for directories with multiple processes

Author: Xetera

cmd/localproxyd/daemon.go

@@ -40,6 +40,7 @@ type Daemon struct {
 	envoyMgr        *envoy.Manager
 	statsScraper    *envoy.StatsScraper
 	routeRegistry   *registry.RouteRegistry
+	store           *registry.Store
 	dashboardServer *proxy.DashboardServer
 	processWatcher  *discovery.ProcessWatcher
 	dockerWatcher   *discovery.DockerWatcher
@@ -116,12 +117,17 @@ func (d *Daemon) Stop() {
 	if d.envoyMgr != nil {
 		d.envoyMgr.Stop()
 	}
+	if d.store != nil {
+		d.store.Close()
+	}
 	if d.logFile != nil {
 		d.logFile.Close()
 	}
-	err := d.hostsMgr.Cleanup()
-	if err != nil {
-		log.Printf("warning: hosts manager cleanup failed: %v", err)
+	if d.hostsMgr != nil {
+		err := d.hostsMgr.Cleanup()
+		if err != nil {
+			log.Printf("warning: hosts manager cleanup failed: %v", err)
+		}
 	}
 	log.Println("daemon stopped")
 }
@@ -166,9 +172,23 @@ func (d *Daemon) initEnvoy() error {
 }
 
 func (d *Daemon) initRouting() error {
+	storePath := filepath.Join(d.dataDir, "store.db")
+	store, err := registry.NewStore(storePath)
+	if err != nil {
+		return fmt.Errorf("failed to open store: %v", err)
+	}
+	d.store = store
+
 	basePaths := d.getBasePaths()
 	d.dashboardServer = proxy.NewDashboardServer(basePaths, d.config.TraceProcessLogs, d.statsScraper)
-	d.routeRegistry = registry.NewRouteRegistry(d.onRoutesChanged)
+	d.routeRegistry = registry.NewRouteRegistry(d.onRoutesChanged, d.store)
+
+	d.dashboardServer.SetRegistry(d.routeRegistry)
+	d.dashboardServer.SetStore(d.store)
+
+	d.store.SetOnChange(func() {
+		d.routeRegistry.RefreshRoutes()
+	})
 
 	certPath, keyPath, _ := d.certMgr.GetCert("localhost")
 	initialRoute := xds.Route{
@@ -257,20 +277,38 @@ func (d *Daemon) onRoutesChanged(routes []proxy.Route) {
 		if certKey == "" {
 			certKey = "localhost"
 		}
-		if err := d.certMgr.EnsureCert(certKey); err != nil {
-			log.Printf("failed to generate cert for %s: %v", certKey, err)
-			continue
+
+		var certPath, keyPath string
+		useWildcard := r.HasWildcard || r.FolderGroup != ""
+
+		if useWildcard {
+			wildcardKey := certKey
+			if r.FolderGroup != "" && !r.HasWildcard {
+				wildcardKey = r.FolderGroup
+			}
+			if err := d.certMgr.EnsureWildcardCert(wildcardKey); err != nil {
+				log.Printf("failed to generate wildcard cert for %s: %v", wildcardKey, err)
+				continue
+			}
+			certPath, keyPath, _ = d.certMgr.GetWildcardCert(wildcardKey)
+		} else {
+			if err := d.certMgr.EnsureCert(certKey); err != nil {
+				log.Printf("failed to generate cert for %s: %v", certKey, err)
+				continue
+			}
+			certPath, keyPath, _ = d.certMgr.GetCert(certKey)
 		}
-		certPath, keyPath, _ := d.certMgr.GetCert(certKey)
 
 		xdsRoute := xds.Route{
-			Subdomain: r.Subdomain,
-			Host:      r.Endpoint.Addr().String(),
-			Port:      int(r.Endpoint.Port()),
-			TCPPort:   r.TCPPort,
-			Protocol:  xds.ProtocolHTTP,
-			CertPath:  certPath,
-			KeyPath:   keyPath,
+			Subdomain:   r.Subdomain,
+			Host:        r.Endpoint.Addr().String(),
+			Port:        int(r.Endpoint.Port()),
+			TCPPort:     r.TCPPort,
+			Protocol:    xds.ProtocolHTTP,
+			CertPath:    certPath,
+			KeyPath:     keyPath,
+			HasWildcard: r.HasWildcard,
+			FolderGroup: r.FolderGroup,
 		}
 		if r.TCPPort > 0 {
 			xdsRoute.Protocol = xds.ProtocolTCP

dev.sh

@@ -1,6 +1,2 @@
-#!/bin/bash
-
-pkill -f "go run.*localproxyd" 2>/dev/null
-sleep 0.5
-
+#!/usr/bin/env bash
 sudo CGO_ENABLED=0 go run ./cmd/localproxyd --watch ~/projects --https-redirect $@

internal/certs/mkcert.go

@@ -42,26 +42,46 @@ func (m *CertManager) Init() error {
 }
 
 func (m *CertManager) EnsureCert(subdomain string) error {
+	return m.ensureCertInternal(subdomain, false)
+}
+
+func (m *CertManager) EnsureWildcardCert(subdomain string) error {
+	return m.ensureCertInternal(subdomain, true)
+}
+
+func (m *CertManager) ensureCertInternal(subdomain string, wildcard bool) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	if _, exists := m.certs[subdomain]; exists {
+	cacheKey := subdomain
+	if wildcard {
+		cacheKey = "wildcard_" + subdomain
+	}
+
+	if _, exists := m.certs[cacheKey]; exists {
 		return nil
 	}
 
-	certPath := filepath.Join(m.certsDir, subdomain+".pem")
-	keyPath := filepath.Join(m.certsDir, subdomain+"-key.pem")
+	certPath := filepath.Join(m.certsDir, cacheKey+".pem")
+	keyPath := filepath.Join(m.certsDir, cacheKey+"-key.pem")
 
 	if _, err := os.Stat(certPath); err == nil {
 		if _, err := os.Stat(keyPath); err == nil {
-			m.certs[subdomain] = &CertPaths{CertPath: certPath, KeyPath: keyPath}
+			m.certs[cacheKey] = &CertPaths{CertPath: certPath, KeyPath: keyPath}
 			return nil
 		}
 	}
 
 	var domains []string
 	if subdomain == "localhost" {
 		domains = []string{"localhost", "proxy.localhost", "proxy.internal"}
+	} else if wildcard {
+		domains = []string{
+			"*." + subdomain + ".localhost",
+			"*." + subdomain + ".internal",
+			subdomain + ".localhost",
+			subdomain + ".internal",
+		}
 	} else {
 		domains = []string{subdomain + ".localhost", subdomain + ".internal"}
 	}
@@ -74,10 +94,22 @@ func (m *CertManager) EnsureCert(subdomain string) error {
 		return fmt.Errorf("failed to generate cert for %v: %w", domains, err)
 	}
 
-	m.certs[subdomain] = &CertPaths{CertPath: certPath, KeyPath: keyPath}
+	m.certs[cacheKey] = &CertPaths{CertPath: certPath, KeyPath: keyPath}
 	return nil
 }
 
+func (m *CertManager) GetWildcardCert(subdomain string) (certPath, keyPath string, ok bool) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	cacheKey := "wildcard_" + subdomain
+	paths, exists := m.certs[cacheKey]
+	if !exists {
+		return "", "", false
+	}
+	return paths.CertPath, paths.KeyPath, true
+}
+
 func (m *CertManager) GetCert(subdomain string) (certPath, keyPath string, ok bool) {
 	m.mu.RLock()
 	defer m.mu.RUnlock()

internal/discovery/docker.go

@@ -352,7 +352,6 @@ func (w *DockerWatcher) DiscoverServiceInfo(svc DiscoveredService, onDiscovered
 	log.Printf("docker: starting service discovery for %s on %d ports", svc.Subdomain, len(targets))
 	results := make(chan []ServiceInfo, 1)
 	ProbeEndpoints(w.ctx, targets, results)
-	onDiscovered(svc)
 
 	go w.onServiceDiscovered(svc, results, portToIndex, onDiscovered)
 }

internal/discovery/process.go

@@ -200,12 +200,12 @@ func (w *ProcessWatcher) processEntry(state *scanState, entry portEntry) {
 		return
 	}
 
-	subdomain, needsCustomMapping := w.buildSubdomain(basePath, cwd, state.ignoredDirs)
-	if subdomain == "" && !needsCustomMapping {
+	result := w.buildSubdomain(basePath, cwd, state.ignoredDirs)
+	if result.subdomain == "" && !result.needsCustomMapping {
 		return
 	}
 
-	w.addListeningProcess(state, pid, entry.Endpoint, subdomain, cwd, needsCustomMapping)
+	w.addListeningProcess(state, pid, entry.Endpoint, result, cwd)
 	state.usedPorts[entry.Endpoint.Port()] = true
 }
 
@@ -247,19 +247,21 @@ func (w *ProcessWatcher) addWellKnownProcess(state *scanState, pid int, endpoint
 	state.usedPorts[port] = true
 }
 
-func (w *ProcessWatcher) addListeningProcess(state *scanState, pid int, endpoint netip.AddrPort, subdomain string, cwd string, needsCustomMapping bool) {
+func (w *ProcessWatcher) addListeningProcess(state *scanState, pid int, endpoint netip.AddrPort, result subdomainResult, cwd string) {
 	if state.seenPID[pid] {
 		return
 	}
 	state.results = append(state.results, DiscoveredService{
-		Subdomain: subdomain,
+		Subdomain: result.subdomain,
 		Endpoint:  endpoint,
 		Source:    RouteSourceProcess,
 		Process: &ProcessInfo{
 			PID:                pid,
 			Cwd:                cwd,
-			Disabled:           needsCustomMapping,
-			NeedsCustomMapping: needsCustomMapping,
+			Disabled:           result.needsCustomMapping,
+			NeedsCustomMapping: result.needsCustomMapping,
+			TopLevelFolder:     result.topLevelFolder,
+			RelativePath:       result.relativePath,
 		},
 	})
 	state.seenPID[pid] = true
@@ -273,28 +275,46 @@ func (w *ProcessWatcher) handleOutsideBasePath(state *scanState, pid int, endpoi
 	w.addWellKnownProcess(state, pid, endpoint)
 }
 
-func (w *ProcessWatcher) buildSubdomain(basePath string, cwd string, ignoredDirs map[string]bool) (string, bool) {
+type subdomainResult struct {
+	subdomain          string
+	needsCustomMapping bool
+	topLevelFolder     string
+	relativePath       string
+}
+
+func (w *ProcessWatcher) buildSubdomain(basePath string, cwd string, ignoredDirs map[string]bool) subdomainResult {
 	rel, err := filepath.Rel(basePath, cwd)
 	if err != nil {
-		return "", false
+		return subdomainResult{}
 	}
 
 	parts := strings.Split(rel, string(filepath.Separator))
 	if len(parts) == 0 || parts[0] == "" || parts[0] == "." {
-		return "", false
+		return subdomainResult{}
 	}
 
 	filteredParts := w.filterPathParts(parts, ignoredDirs)
 	if len(filteredParts) == 0 {
-		return "", false
+		return subdomainResult{}
 	}
 
+	topLevel := filteredParts[0]
+
 	if len(filteredParts) == 1 {
-		subdomain := filteredParts[0]
-		return subdomain, false
+		return subdomainResult{
+			subdomain:          topLevel,
+			needsCustomMapping: false,
+			topLevelFolder:     topLevel,
+			relativePath:       topLevel,
+		}
 	}
 
-	return "", true
+	return subdomainResult{
+		subdomain:          topLevel,
+		needsCustomMapping: true,
+		topLevelFolder:     topLevel,
+		relativePath:       strings.Join(filteredParts, "/"),
+	}
 }
 
 func (w *ProcessWatcher) filterPathParts(parts []string, ignoredDirs map[string]bool) []string {

internal/discovery/types.go

@@ -29,6 +29,8 @@ type ProcessInfo struct {
 	NeedsCustomMapping bool
 	IsWellKnown        bool
 	IsDocker           bool
+	TopLevelFolder     string
+	RelativePath       string
 }
 
 type DockerListener struct {

internal/proxy/route.go

@@ -20,4 +20,8 @@ type Route struct {
 	NeedsCustomMapping bool
 	IsDocker           bool
 	ServiceProtocol    string
+	HasWildcard        bool
+	FolderGroup        string
+	TopLevelFolder     string
+	RelativePath       string
 }