1 files changed, 68 insertions, 0 deletions
diff --git a/ansible/roles/certs/files/leforward.py b/ansible/roles/certs/files/leforward.py
new file mode 100755
index 0000000..dccbac1
--- /dev/null
+++ b/ansible/roles/certs/files/leforward.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+""" Run a single-purpose HTTP server.
+Server takes all GET requests and redirects them to a new host
+if the request URI starts with SUBPATH, otherwise returns 404.
+Requests are redirected to the URL provided by --baseurl. """
+import socketserver
+import http.server
+import argparse
+import sys
+CHALLENGE_HOST = None
+SUBPATH = "/.well-known/acme-challenge"
+class RedirectChallenges(http.server.BaseHTTPRequestHandler):
+    def do_GET(self):
+        if self.path.startswith(SUBPATH):
+            self.send_response(301)
+            self.send_header('Location', f"{CHALLENGE_HOST}{self.path}")
+        else:
+            self.send_response(404)
+        self.end_headers()
+class ReusableServer(socketserver.TCPServer):
+    """ Allow TCPServer to reuse host address.
+    Without setting 'allow_reuse_address', we can get stuck in
+    TIME_WAIT after being killed and the stale state stops a new
+    server from attaching to the port."""
+    allow_reuse_address = True
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Redirect all URIs with matching prefix to another host")
+    parser.add_argument(
+        '--baseurl',
+        dest='baseurl',
+        required=True,
+        help="Destination URL for all matching URIs on this server")
+    args = parser.parse_args()
+    CHALLENGE_HOST = args.baseurl
+    if not CHALLENGE_HOST.startswith("http"):
+        print("Redirect URL must be a full URL starting with http")
+        sys.exit(1)
+    # If user gave us a trailing slash URL, remove slash.
+    if CHALLENGE_HOST[-1] == "/":
+        CHALLENGE_HOST = CHALLENGE_HOST[:-1]
+    serverAddress = ('', 80)
+    # Note: if running remotely by an SSH command, you MUST launch with '-t':
+    #   > ssh -t me@otherhost leforward.py --baseurl http://otherserver.com
+    # If you omit '-t' the listening server won't terminate when you kill the
+    # ssh session, which probably isn't what you want.
+    with ReusableServer(serverAddress, RedirectChallenges) as httpd:
+        httpd.serve_forever()

diff --git a/ansible/roles/certs/files/leforward.py b/ansible/roles/certs/files/leforward.py new file mode 100755 index 0000000..dccbac1 --- /dev/null +++ b/ansible/roles/certs/files/leforward.py
@@ -0,0 +1,68 @@
	1	#!/usr/bin/env python3
	2
	3	""" Run a single-purpose HTTP server.
	4
	5	Server takes all GET requests and redirects them to a new host
	6	if the request URI starts with SUBPATH, otherwise returns 404.
	7
	8	Requests are redirected to the URL provided by --baseurl. """
	9
	10	import socketserver
	11	import http.server
	12	import argparse
	13	import sys
	14
	15
	16	CHALLENGE_HOST = None
	17	SUBPATH = "/.well-known/acme-challenge"
	18
	19
	20	class RedirectChallenges(http.server.BaseHTTPRequestHandler):
	21	def do_GET(self):
	22	if self.path.startswith(SUBPATH):
	23	self.send_response(301)
	24	self.send_header('Location', f"{CHALLENGE_HOST}{self.path}")
	25	else:
	26	self.send_response(404)
	27
	28	self.end_headers()
	29
	30
	31	class ReusableServer(socketserver.TCPServer):
	32	""" Allow TCPServer to reuse host address.
	33
	34	Without setting 'allow_reuse_address', we can get stuck in
	35	TIME_WAIT after being killed and the stale state stops a new
	36	server from attaching to the port."""
	37
	38	allow_reuse_address = True
	39
	40
	41	if __name__ == "__main__":
	42	parser = argparse.ArgumentParser(
	43	description="Redirect all URIs with matching prefix to another host")
	44	parser.add_argument(
	45	'--baseurl',
	46	dest='baseurl',
	47	required=True,
	48	help="Destination URL for all matching URIs on this server")
	49
	50	args = parser.parse_args()
	51	CHALLENGE_HOST = args.baseurl
	52
	53	if not CHALLENGE_HOST.startswith("http"):
	54	print("Redirect URL must be a full URL starting with http")
	55	sys.exit(1)
	56
	57	# If user gave us a trailing slash URL, remove slash.
	58	if CHALLENGE_HOST[-1] == "/":
	59	CHALLENGE_HOST = CHALLENGE_HOST[:-1]
	60
	61	serverAddress = ('', 80)
	62
	63	# Note: if running remotely by an SSH command, you MUST launch with '-t':
	64	# > ssh -t me@otherhost leforward.py --baseurl http://otherserver.com
	65	# If you omit '-t' the listening server won't terminate when you kill the
	66	# ssh session, which probably isn't what you want.
	67	with ReusableServer(serverAddress, RedirectChallenges) as httpd:
	68	httpd.serve_forever()