- Fixed session retrieval to use lowercased host for consistency.
- Ensured context cancellation is properly handled in HTTP forwarding.
- Refined proxy timeout configuration with better error logging and validation.
- Introduced `StatusGatewayTimeout` (504) for server-side timeouts between HopGate and backend.
- Implemented 504 error page with multilingual support.
- Enhanced `bufio.Reader` usage in JSON decoding to prevent "dtls: buffer too small" errors for large payloads.
- Applied request handling improvements for control domain and timeout scenarios.
- Added `canonicalizeDomainForDNS` to normalize domain strings for DNS and DB lookups.
- Implemented `domainGateValidator` to verify if client-provided domains resolve to expected IPs (`HOP_ACME_EXPECT_IPS`) using A/AAAA DNS queries.
- Included a fallback for DB-only validation if `HOP_ACME_EXPECT_IPS` is unset or empty.
- Updated `parseExpectedIPsFromEnv` to parse and validate IP lists from environment variables.
- Marked relevant handshake enhancements in `progress.md` as completed.
- Added `entDomainValidator` implementation to validate `(domain, client_api_key)` combinations from the `Domain` table using `ent.Client`.
- Replaced dummy validator with the new ent-based validator in server initialization.
- Updated documentation and progress tracking for domain validation implementation.
- Ensured compatibility with `host` and `host:port` formats by normalizing domain strings during validation.
- Fixed path prefix to ensure proper handling of `/__hopgate_assets__/` requests.
- Adjusted `http.StripPrefix` to match the corrected route for consistent file serving.
- Added safeguard to ensure `/__hopgate_assets__/` requests always serve static files, regardless of proxy routing or backend state.
- Implemented fallback to a 500 error page when embedded asset FS is unavailable.
- Implemented custom HTML templates for `400`, `404`, `500`, and `525` error pages with multilingual support.
- Added embedded file system for error page templates and assets.
- Introduced fallback mechanism to serve minimal plain text for missing error templates.
- Integrated TailwindCSS for styling error pages, with a build script in `package.json`.
- Introduced `HOP_ACME_STANDALONE_ONLY` env variable to run the ACME client without starting HTTP/DTLS servers.
- Allows certificate issuance/renewal solely and exits upon completion.
- Includes initialization of the ACME manager with domain verification, certificate management, and caching mechanisms. DomainService and expand Admin API
- Added `DomainServiceImpl` with support for registering, unregistering, and querying domains.
- Expanded Admin API with new endpoints:
- `GET /api/v1/admin/domains/exists` to check domain registration status.
- `GET /api/v1/admin/domains/status` to retrieve detailed domain information.
- Updated server initialization to wire `DomainService` and Admin API routes.
- Documented new Admin API endpoints in `API.md`.
- Introduced `HOP_ACME_STANDALONE_ONLY` env variable to run the ACME client without starting HTTP/DTLS servers.
- Allows certificate issuance/renewal solely and exits upon completion.
- Includes initialization of the ACME manager with domain verification, certificate management, and caching mechanisms.
- Refactored HTTP tunneling protocol to use `protocol.Envelope` for better extensibility.
- Implemented support for message types including HTTP requests, stream handling, and responses.
- Added common security headers like HSTS and X-Forwarded-For processing for improved security and identity handling.
- Introduced GitHub Actions workflow to build and publish Docker images to GHCR.
- Added new protocol structures for stream-based communication in anticipation of future WebSocket/TCP tunneling.
- Updated `go.sum` to remove unused dependencies and reflect new changes.
- Introduced Prometheus metrics tracking for DTLS handshakes, HTTP requests, and proxy errors.
- Defined counters and histograms with labels for detailed observability.
- Registered metrics via `MustRegister` during server initialization.
- Added `/metrics` endpoint protected by host domain filtering.
- Updated HTTP handler to capture request metadata and record metrics.
- Integrated metrics tracking for DTLS handshake processes and various error conditions.
- Updated `go.mod` and `go.sum` with Prometheus client dependencies.
- Introduced a new `legoManager` for managing per-domain TLS certificates.
- Implemented ACME HTTP-01 challenge handling with a configurable webroot directory.
- Created `NewLegoManagerFromEnv` to initialize ACME settings from environment variables.
- Added `verifyDomainsResolve` to validate domain DNS resolutions.
- Updated `.gitignore` to include ACME cache and webroot directories.
- Updated `go.mod` and `go.sum` with new dependencies, including `go-acme/lego`.
Implement initial DTLS handshake flow for server and client using
pion/dtls. Load server and client configuration from .env/environment,
including new debug flags and logging config.
On the server:
- load ServerConfig from env, including DTLS listen addr and debug flag
- create DTLS listener with optional self-signed localhost cert in debug
- accept DTLS sessions and run PerformServerHandshake with a dummy
domain validator
On the client:
- load ClientConfig from env, then override with CLI flags where given
- validate required fields: server_addr, domain, api_key, local_target
- create DTLS client and run PerformClientHandshake
- support debug mode to skip server certificate verification
Also:
- update go.mod/go.sum with pion/dtls and related dependencies
- extend .env.example with new ports, client config, and debug flags
- ignore built binaries via bin/ in .gitignore
BREAKING CHANGE: client environment variables have changed. The former
HOP_CLIENT_ID, HOP_CLIENT_AUTH_TOKEN and HOP_CLIENT_SERVICE_PORTS are
replaced by HOP_CLIENT_DOMAIN, HOP_CLIENT_API_KEY,
HOP_CLIENT_LOCAL_TARGET and HOP_CLIENT_DEBUG. Client startup now
requires server_addr, domain, api_key and local_target to be provided
(via env or CLI).
