fbi-proxy 1.11.0 → 1.13.0

package/README.md

@@ -11,42 +11,50 @@ FBI-Proxy provides easy HTTPS access to your local services with intelligent dom
 
 ### Current Features ✅
 
-- **Intelligent Domain Routing**: Multiple routing patterns for flexible service access
+- **One-command HTTPS gateway**: `bunx fbi-proxy --with-caddy --with-auth --provider snolab --domain fbi.com` brings up Caddy (auto-downloaded), fbi-auth (Firebase-backed Google sign-in), and the Rust proxy together — zero config needed on `.fbi.com`.
+- **Rule-based Domain Routing** via `routes.yaml`:
   - Port-based routing (e.g., `3000.fbi.com` → `localhost:3000`)
   - Host--Port routing (e.g., `api--3001.fbi.com` → `api:3001`)
   - Subdomain routing with Host headers (e.g., `admin.app.fbi.com` → `app:80`)
   - Direct host forwarding (e.g., `myserver.fbi.com` → `myserver:80`)
-- **WebSocket Support**: Full WebSocket connection support for all routing patterns
-- **High Performance**: Built with Rust for optimal performance and low resource usage
-- **Easy Setup**: Simple one-command installation and startup
-- **Docker Support**: Available as a Docker image for containerized deployments
-- **Flexible Configuration**: Environment variables and CLI options for customization
-- **Cross-Platform**: Works on macOS, Linux, and Windows
-- **Integration Ready**: Compatible with reverse proxies like Caddy for HTTPS
+  - Placeholder syntax (`{name}`, `{name:int}`, `{name:slug}`, `{name:multi}`) for custom rules — see [docs/routing.md](docs/routing.md)
+- **HTTPS Upstreams**: Targets with an `https://` prefix connect to upstream over TLS (Mozilla webpki roots).
+- **WebSocket Support**: Full WebSocket forwarding (`ws://` and `wss://`) for all routing patterns.
+- **Auth Gateway**: Google OAuth / Firebase Auth / zero-config snolab default IdP — JWT cookie scoped to `Domain=.your-domain` for cross-subdomain SSO. Audit log at `~/.config/fbi-proxy/audit.log`.
+- **High Performance**: Built with Rust for optimal performance and low resource usage.
+- **Easy Setup**: Simple one-command installation and startup.
+- **Docker Support**: Available as a Docker image for containerized deployments.
+- **Flexible Configuration**: Environment variables, CLI options, and `routes.yaml` overrides.
+- **Cross-Platform**: Pre-built binaries for macOS, Linux, and Windows (x64 + arm64).
+- **Integration Ready**: Compatible with reverse proxies like Caddy for HTTPS (and bundles its own `--with-caddy` automation).
 
 ## Roadmap
 
 ### Shipped ✅
 
-- [x] **Auto Caddy Setup** - One-command bootstrap that generates a Caddyfile for the chosen domain and supervises Caddy alongside fbi-proxy and fbi-auth (`bunx fbi-proxy --with-caddy --with-auth --domain example.dev`). Caddy binary is auto-downloaded from GitHub Releases on first run (SHA-512 verified against the release's `checksums.txt`), cached at `~/.fbi-proxy/bin/caddy`. Set `FBI_CADDY_AUTO_DOWNLOAD=false` to opt out. See [docs/auth/setup.md](lib/fbi-auth/docs/setup.md#automatic-setup-with---with-caddy-phase-3--shipped).
+- [x] **Auto Caddy Setup** — One-command bootstrap that generates a Caddyfile for the chosen domain and supervises Caddy alongside fbi-proxy and fbi-auth (`bunx fbi-proxy --with-caddy --with-auth --domain example.dev`). Caddy binary is auto-downloaded from GitHub Releases on first run (SHA-512 verified against the release's `checksums.txt`), cached at `~/.fbi-proxy/bin/caddy`. Set `FBI_CADDY_AUTO_DOWNLOAD=false` to opt out.
+- [x] **Auth Gateway** — Google OAuth, Firebase Auth, and a **zero-config snolab default IdP** (Firebase-based, live on `fbi.com`). Cookie-based SSO across `*.your-domain`. Sliding-window refresh, configurable threshold, JSONL audit log at `~/.config/fbi-proxy/audit.log`. See [lib/fbi-auth/docs/setup.md](lib/fbi-auth/docs/setup.md) and [lib/fbi-auth/docs/snolab.md](lib/fbi-auth/docs/snolab.md).
+- [x] **Rule-based Routing** — `routes.yaml` with placeholder syntax (`{name}`, `{name:int}`, `{name:slug}`, `{name:multi}`). DNS-passthrough, k8s, Docker, and PR-preview recipes in [docs/routing.md](docs/routing.md). Override the bundled defaults with `--routes` or `FBI_PROXY_ROUTES`.
+- [x] **HTTPS Upstream Support** — Route target with an `https://` prefix triggers TLS to upstream via `hyper-rustls` + Mozilla webpki roots. Backward compatible — plain `host:port` still uses HTTP. WebSocket upgrades flip to `wss://` automatically.
+- [x] **Cross-platform Releases** — Every push builds six platforms in parallel (linux x64/arm64, macOS x64/arm64, windows x64/arm64). See [docs/cross-compile-tradeoffs.html](docs/cross-compile-tradeoffs.html).
 
 ### Next Up 🚧
 
-- [ ] **Custom Domain Wizard** - Interactive setup that prints the DNS records to add (`*.example.dev → <ip>`) and generates the matching Caddyfile / DNS-01 TLS block
-- [ ] **Built-in HTTPS (optional)** - Native TLS termination via rustls + ACME so Caddy becomes optional for simple setups
-- [ ] **Configuration File Support** - YAML/JSON config for persistent routing rules
-- [ ] **Access Control** - Domain filtering, host/port whitelisting
-- [ ] **Request Logging** - Basic access logs for debugging
-- [ ] **Health Checks** - Simple upstream service availability monitoring
+- [ ] **Custom Domain Wizard polish** — Print the DNS A-records to add (`*.example.dev → <ip>`) and a Caddyfile-with-DNS-01 sample for Cloudflare during `--reconfigure` on a non-fbi.com domain
+- [ ] **Hot Reload** — Watch `routes.yaml` and recompile rules without a restart
+- [ ] **Metrics** — `/varz`-style counters: requests, 2xx/4xx/5xx, upstream-connect-failures, sessions-issued, sessions-refreshed (Prometheus format)
+- [ ] **Health Checks** — Active upstream liveness probes, not just per-request failure detection
+- [ ] **Cloudflare Tunnel / ngrok Integration** — Expose `*.your-domain` publicly without owning a static IP
 
 ### Future Improvements 🔮
 
-- [ ] **Load Balancing** - Round-robin between multiple upstream targets
-- [ ] **Metrics** - Basic statistics (requests, response times, errors)
-- [ ] **Hot Reload** - Update configuration without restart
-- [ ] **Custom Headers** - Add/modify headers for specific routes
-- [ ] **Cloudflare Tunnel / ngrok Integration** - Expose `*.your-domain` to the public internet without owning a static IP
-- [ ] **Auth Gateway** - Built-in basic auth / OIDC so public exposure is safe by default
+- [ ] **Load Balancing** — Round-robin between multiple upstream targets for one route
+- [ ] **Custom Headers per route** — Beyond `Host:`, add response headers or rewrite request headers
+
+### Won't do
+
+- ~~**Built-in HTTPS via rustls + ACME**~~ — Caddy already does this very well, and the `--with-caddy` UX is one extra flag. Adding another ACME client to the Rust binary is more code, more attack surface, and another implementation of a solved problem. Caddy stays the canonical TLS path.
+- ~~**SQLite session storage**~~ — JWT + `sessionSecret` rotation covers the threat model for fbi-proxy's intended scale (solo / small-team self-hosted). See [revoking sessions](lib/fbi-auth/docs/setup.md#revoking-sessions).
 
 ## Routing Examples
 

package/dist/cli.js

@@ -5529,8 +5529,40 @@ async function runWizard(prompter, opts) {
   prompter.print("Config preview:");
   prompter.print(JSON.stringify(redact(cfg), null, 2));
   prompter.print("");
+  if (cleanDomain !== "fbi.com") {
+    printCustomDomainHints(prompter, cleanDomain);
+  }
   return cfg;
 }
+function printCustomDomainHints(prompter, domain) {
+  prompter.print("─── Custom-domain DNS + TLS hints ───");
+  prompter.print("");
+  prompter.print(`Your domain is '${domain}' (not the default fbi.com).`);
+  prompter.print(`You'll need DNS A-records pointing the wildcard + sso host`);
+  prompter.print(`at the public IP of the machine running fbi-proxy:`);
+  prompter.print("");
+  prompter.print(`    *.${domain}     A    <your-public-ip>`);
+  prompter.print(`    sso.${domain}   A    <your-public-ip>      (covered by the wildcard,`);
+  prompter.print(`                                                 but call it out explicitly)`);
+  prompter.print("");
+  prompter.print(`For wildcard TLS via Let's Encrypt you need DNS-01 (HTTP-01`);
+  prompter.print(`can't issue wildcards). With Cloudflare DNS:`);
+  prompter.print("");
+  prompter.print(`  1. Create a Cloudflare API token with Zone:DNS:Edit on '${domain}'.`);
+  prompter.print(`  2. Export it: CLOUDFLARE_API_TOKEN=...`);
+  prompter.print(`  3. Run with --with-caddy --tls-mode auto. fbi-proxy will generate`);
+  prompter.print(`     a Caddyfile that uses Caddy's cloudflare DNS plugin:`);
+  prompter.print("");
+  prompter.print(`     *.${domain} {`);
+  prompter.print(`       tls { dns cloudflare {env.CLOUDFLARE_API_TOKEN} }`);
+  prompter.print(`       reverse_proxy 127.0.0.1:{$FBI_PROXY_PORT}`);
+  prompter.print(`     }`);
+  prompter.print("");
+  prompter.print(`If you're just testing locally without public DNS, point your`);
+  prompter.print(`/etc/hosts at 127.0.0.1 and pass --tls-mode internal — Caddy will`);
+  prompter.print(`use its local CA (the cert won't be trusted by other machines).`);
+  prompter.print("");
+}
 function redact(c) {
   return {
     ...c,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fbi-proxy",
-  "version": "1.11.0",
+  "version": "1.13.0",
   "description": "FBI-Proxy provides easy HTTPS access to your local services with intelligent domain routing",
   "keywords": [
     "development-tools",

package/rs/fbi-proxy.rs

@@ -10,6 +10,7 @@ use hyper::{Method, Request, Response, StatusCode, Uri};
 use hyper_tungstenite::{HyperWebsocket, WebSocketStream};
 use hyper_util::client::legacy::{Client, connect::HttpConnector};
 use hyper_util::rt::TokioIo;
+use hyper_rustls::HttpsConnector;
 use log::{error, info};
 use regex::Regex;
 use std::convert::Infallible;
@@ -29,7 +30,7 @@ type BoxBody = http_body_util::combinators::BoxBody<Bytes, hyper::Error>;
 const BUNDLED_ROUTES_YAML: &str = include_str!("../routes.yaml");
 
 pub struct FBIProxy {
-    client: Client<HttpConnector, BoxBody>,
+    client: Client<HttpsConnector<HttpConnector>, BoxBody>,
     number_regex: Regex,
     domain_filter: Option<String>,
     compiled_routes: Vec<CompiledRoute>,
@@ -64,12 +65,21 @@ the landing page.
 */
 impl FBIProxy {
     pub fn new(domain_filter: Option<String>, compiled_routes: Vec<CompiledRoute>) -> Self {
-        let mut connector = HttpConnector::new();
-        // Set connection timeout to 5 seconds to avoid hanging on invalid hosts
-        connector.set_connect_timeout(Some(Duration::from_secs(3)));
-
-        let client = Client::builder(hyper_util::rt::TokioExecutor::new())
-            .build(connector);
+        let mut http = HttpConnector::new();
+        // Connect timeout — avoid hanging on unreachable hosts.
+        http.set_connect_timeout(Some(Duration::from_secs(3)));
+        // Allow http:// scheme through the HTTPS-enabled connector below.
+        http.enforce_http(false);
+
+        // HttpsConnector handles both http:// and https:// upstream URLs,
+        // using Mozilla's webpki root store for TLS validation.
+        let https = hyper_rustls::HttpsConnectorBuilder::new()
+            .with_webpki_roots()
+            .https_or_http()
+            .enable_http1()
+            .wrap_connector(http);
+
+        let client = Client::builder(hyper_util::rt::TokioExecutor::new()).build(https);
 
         Self {
             client,
@@ -170,14 +180,14 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
     }
 
     /// Extract the hostname portion (before the first `:`) from a target
-    /// string like `"127.0.0.1:3000"`. This is the default `Host` header
-    /// value used when a matched rule doesn't specify an explicit
-    /// `headers.Host` rewrite — which preserves the original
-    /// `parse_host` semantics (numeric subdomain → Host: localhost).
+    /// string like `"127.0.0.1:3000"` or `"https://api.github.com:443"`.
+    /// This is the default `Host` header value used when a matched rule
+    /// doesn't specify an explicit `headers.Host` rewrite.
     fn host_from_target(target: &str) -> String {
-        match target.find(':') {
-            Some(i) => target[..i].to_string(),
-            None => target.to_string(),
+        let authority = parse_target_scheme(target).1;
+        match authority.find(':') {
+            Some(i) => authority[..i].to_string(),
+            None => authority.to_string(),
         }
     }
 
@@ -388,11 +398,16 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
                 .await;
         }
 
-        // Build target URL for HTTP requests
+        // Build target URL for HTTP requests. parse_target_scheme handles
+        // an optional `http://` / `https://` prefix on the matched target
+        // so routes like `target: "https://api.github.com:443"` reach
+        // upstream over TLS via the HttpsConnector wired in FBIProxy::new.
         let uri = req.uri();
+        let (scheme, authority) = parse_target_scheme(&target_host);
         let target_url = format!(
-            "http://{}{}",
-            target_host,
+            "{}://{}{}",
+            scheme,
+            authority,
             uri.path_and_query().map(|pq| pq.as_str()).unwrap_or("/")
         );
         let target_uri: Uri = target_url.parse()?;
@@ -469,9 +484,12 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
         _new_host: &str, // Currently not used for WebSocket connections, but kept for consistency
     ) -> Result<Response<BoxBody>, BoxError> {
         let uri = req.uri().clone();
+        let (scheme, authority) = parse_target_scheme(target_host);
+        let ws_scheme = if scheme == "https" { "wss" } else { "ws" };
         let ws_url = format!(
-            "ws://{}{}",
-            target_host,
+            "{}://{}{}",
+            ws_scheme,
+            authority,
             uri.path_and_query().map(|pq| pq.as_str()).unwrap_or("/")
         );
 
@@ -506,6 +524,21 @@ npx fbi-proxy -d fbi.example.com  # Only accept *.fbi.example.com</pre>
     }
 }
 
+/// Parse a route target into (scheme, authority). Supports an optional
+/// `http://` or `https://` prefix; defaults to `http` so existing
+/// `host:port`-style targets keep working unchanged. Used by both the
+/// HTTP forwarder (chooses URL scheme) and the WebSocket upgrade path
+/// (chooses `ws` vs `wss`).
+fn parse_target_scheme(target: &str) -> (&'static str, &str) {
+    if let Some(rest) = target.strip_prefix("https://") {
+        ("https", rest)
+    } else if let Some(rest) = target.strip_prefix("http://") {
+        ("http", rest)
+    } else {
+        ("http", target)
+    }
+}
+
 async fn handle_websocket_forwarding(
     websocket: HyperWebsocket,
     upstream_ws: WebSocketStream<tokio_tungstenite::MaybeTlsStream<tokio::net::TcpStream>>,
@@ -774,3 +807,32 @@ TRY RUN:
         }
     });
 }
+
+#[cfg(test)]
+mod tests {
+    use super::parse_target_scheme;
+
+    #[test]
+    fn parse_target_scheme_defaults_to_http_with_no_prefix() {
+        assert_eq!(parse_target_scheme("localhost:3000"), ("http", "localhost:3000"));
+        assert_eq!(parse_target_scheme("api"), ("http", "api"));
+        assert_eq!(parse_target_scheme("127.0.0.1:80"), ("http", "127.0.0.1:80"));
+    }
+
+    #[test]
+    fn parse_target_scheme_strips_http_prefix() {
+        assert_eq!(parse_target_scheme("http://localhost:3000"), ("http", "localhost:3000"));
+    }
+
+    #[test]
+    fn parse_target_scheme_strips_https_prefix() {
+        assert_eq!(
+            parse_target_scheme("https://api.github.com:443"),
+            ("https", "api.github.com:443"),
+        );
+        assert_eq!(
+            parse_target_scheme("https://example.dev"),
+            ("https", "example.dev"),
+        );
+    }
+}

package/ts/auth/setupWizard.ts

@@ -133,9 +133,57 @@ export async function runWizard(
   prompter.print(JSON.stringify(redact(cfg), null, 2));
   prompter.print("");
 
+  if (cleanDomain !== "fbi.com") {
+    printCustomDomainHints(prompter, cleanDomain);
+  }
+
   return cfg;
 }
 
+function printCustomDomainHints(prompter: WizardPrompter, domain: string) {
+  prompter.print("─── Custom-domain DNS + TLS hints ───");
+  prompter.print("");
+  prompter.print(`Your domain is '${domain}' (not the default fbi.com).`);
+  prompter.print(`You'll need DNS A-records pointing the wildcard + sso host`);
+  prompter.print(`at the public IP of the machine running fbi-proxy:`);
+  prompter.print("");
+  prompter.print(`    *.${domain}     A    <your-public-ip>`);
+  prompter.print(
+    `    sso.${domain}   A    <your-public-ip>      (covered by the wildcard,`,
+  );
+  prompter.print(
+    `                                                 but call it out explicitly)`,
+  );
+  prompter.print("");
+  prompter.print(`For wildcard TLS via Let's Encrypt you need DNS-01 (HTTP-01`);
+  prompter.print(`can't issue wildcards). With Cloudflare DNS:`);
+  prompter.print("");
+  prompter.print(
+    `  1. Create a Cloudflare API token with Zone:DNS:Edit on '${domain}'.`,
+  );
+  prompter.print(`  2. Export it: CLOUDFLARE_API_TOKEN=...`);
+  prompter.print(
+    `  3. Run with --with-caddy --tls-mode auto. fbi-proxy will generate`,
+  );
+  prompter.print(`     a Caddyfile that uses Caddy's cloudflare DNS plugin:`);
+  prompter.print("");
+  prompter.print(`     *.${domain} {`);
+  prompter.print(`       tls { dns cloudflare {env.CLOUDFLARE_API_TOKEN} }`);
+  prompter.print(`       reverse_proxy 127.0.0.1:{$FBI_PROXY_PORT}`);
+  prompter.print(`     }`);
+  prompter.print("");
+  prompter.print(
+    `If you're just testing locally without public DNS, point your`,
+  );
+  prompter.print(
+    `/etc/hosts at 127.0.0.1 and pass --tls-mode internal — Caddy will`,
+  );
+  prompter.print(
+    `use its local CA (the cert won't be trusted by other machines).`,
+  );
+  prompter.print("");
+}
+
 function redact(c: AuthConfigShape): AuthConfigShape {
   return {
     ...c,

package/ts/routes.test.ts

@@ -99,6 +99,28 @@ describe("validateRoute", () => {
     expect(validateRoute(good)).toEqual({ valid: true });
   });
 
+  it("accepts an https:// target prefix (R5)", () => {
+    expect(
+      validateRoute({
+        name: "passthrough",
+        match: "{anything:multi}",
+        target: "https://api.github.com:443",
+        headers: { Host: "api.github.com" },
+      }),
+    ).toEqual({ valid: true });
+  });
+
+  it("accepts an http:// target prefix (R5)", () => {
+    expect(
+      validateRoute({
+        name: "passthrough",
+        match: "{anything:multi}",
+        target: "http://example.com:80",
+        headers: { Host: "example.com" },
+      }),
+    ).toEqual({ valid: true });
+  });
+
   it("rejects empty name", () => {
     expect(validateRoute({ ...good, name: "" })).toEqual({
       valid: false,