CI: Build on Go 1.18
Docker: build on Go 1.18
Docker: Fix broken HEALTHCHECK with PORT EnvVar
TLS Redirector is a tiny HTTP server written in Go that is designed to run on port 80 and redirect all incoming traffic to HTTPS. It does this by emitting a 301 Permanent Redirect where the scheme is simply replaced with "https".
This is intended to separate out responsibilities from the software that listens on port 443 and serves your website. Because you have TLS Redirector on port 80, you do not need to configure HTTP to HTTPS redirects; simplifying configuration for Apache, nginx, or whatever web server you use.
Furthermore, most crawlers and bots will actually connect to port 80 without a meaningful Host header. As TLS Redirector cannot be configured, it can only politely tell them to go away, whereas your primary web server likely sends them to the "default server" which may well redirect them to your website, opening you up to being scanned. This causes tons of noise in your log files.
Because it uses the Host header, TLS Redirector is truly zero-config. Set it up once and forget about it.
.well-known/acme-challenge
directory.docker run -d --user nobody --restart=unless-stopped --env PORT=1234 \
-p 80:1234 --name tls-redirector ancarda/tls-redirector
If you want systemd socket activation, you need to compile this way:
go build -tags systemd
Building without that tag will produce a binary that only has TCP/IP support.
The Host
header is required to redirect as there's no way to configure a
default. Visitors without one will simply see an error message. This message
is specified in the program source code and cannot be configured at runtime.
Only a single ACME challenge directory can be served, as the Host
header
is ignored, so if you have multiple domains or servers on the same machine,
you may want to:
Behavior may be configured through the following environmental variables:
PORT
. TCP/IP port number to listen on. If not specified, port 80 is used
OR systemd socket activation is detected and used.
You can force TLS Redirector to use socket activation with PORT=systemd
.
ACME_CHALLENGE_DIR
Path to a directory on disk to serve at the
path /.well-known/acme-challenge
. All files are served as text/plain
and
is intended to provide support for HTTP based ACME challenges if necessary.
Setting this to /tmp
means TLS Redirector will look for files in that
directory. This differs slightly from the --webroot
command of EFF Certbot
because Certbot expects to be at the root, and TLS Redirector does not.
Therefore, when you setup Certbot, if you have the following:
certbot --webroot /var/www
You should set TLS Redirector to:
ACME_CHALLENGE_DIR=/var/www/.well-known/acme-challenge