fbi-proxy 1.9.1 β†’ 1.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/README.md +71 -0
  2. package/dist/cli.js +772 -29
  3. package/package.json +16 -10
  4. package/release/fbi-proxy-linux-arm64 +0 -0
  5. package/release/fbi-proxy-linux-x64 +0 -0
  6. package/release/fbi-proxy-macos-arm64 +0 -0
  7. package/release/fbi-proxy-macos-x64 +0 -0
  8. package/release/fbi-proxy-windows-arm64.exe +0 -0
  9. package/release/fbi-proxy-windows-x64.exe +0 -0
  10. package/rs/fbi-proxy.rs +111 -87
  11. package/rs/lib.rs +12 -0
  12. package/rs/routes.rs +976 -0
  13. package/ts/auth/authConfig.ts +141 -0
  14. package/ts/auth/caddyfileGen.test.ts +156 -0
  15. package/ts/auth/caddyfileGen.ts +142 -0
  16. package/ts/auth/downloadCaddy.test.ts +131 -0
  17. package/ts/auth/downloadCaddy.ts +213 -0
  18. package/ts/auth/setupWizard.ts +183 -0
  19. package/ts/auth/spawnCaddy.ts +125 -0
  20. package/ts/auth/spawnFbiAuth.ts +43 -0
  21. package/ts/buildFbiProxy.ts +3 -11
  22. package/ts/cli.ts +190 -7
  23. package/ts/dSpawn.ts +4 -9
  24. package/ts/getProxyFilename.ts +11 -9
  25. package/ts/routes.test.ts +182 -0
  26. package/ts/routes.ts +238 -0
package/README.md CHANGED
@@ -26,8 +26,14 @@ FBI-Proxy provides easy HTTPS access to your local services with intelligent dom
26
26
 
27
27
  ## Roadmap
28
28
 
29
+ ### Shipped βœ…
30
+
31
+ - [x] **Auto Caddy Setup** - One-command bootstrap that generates a Caddyfile for the chosen domain and supervises Caddy alongside fbi-proxy and fbi-auth (`bunx fbi-proxy --with-caddy --with-auth --domain example.dev`). Caddy binary is auto-downloaded from GitHub Releases on first run (SHA-512 verified against the release's `checksums.txt`), cached at `~/.fbi-proxy/bin/caddy`. Set `FBI_CADDY_AUTO_DOWNLOAD=false` to opt out. See [docs/auth/setup.md](lib/fbi-auth/docs/setup.md#automatic-setup-with---with-caddy-phase-3--shipped).
32
+
29
33
  ### Next Up 🚧
30
34
 
35
+ - [ ] **Custom Domain Wizard** - Interactive setup that prints the DNS records to add (`*.example.dev β†’ <ip>`) and generates the matching Caddyfile / DNS-01 TLS block
36
+ - [ ] **Built-in HTTPS (optional)** - Native TLS termination via rustls + ACME so Caddy becomes optional for simple setups
31
37
  - [ ] **Configuration File Support** - YAML/JSON config for persistent routing rules
32
38
  - [ ] **Access Control** - Domain filtering, host/port whitelisting
33
39
  - [ ] **Request Logging** - Basic access logs for debugging
@@ -39,6 +45,8 @@ FBI-Proxy provides easy HTTPS access to your local services with intelligent dom
39
45
  - [ ] **Metrics** - Basic statistics (requests, response times, errors)
40
46
  - [ ] **Hot Reload** - Update configuration without restart
41
47
  - [ ] **Custom Headers** - Add/modify headers for specific routes
48
+ - [ ] **Cloudflare Tunnel / ngrok Integration** - Expose `*.your-domain` to the public internet without owning a static IP
49
+ - [ ] **Auth Gateway** - Built-in basic auth / OIDC so public exposure is safe by default
42
50
 
43
51
  ## Routing Examples
44
52
 
@@ -61,6 +69,49 @@ https://myserver.fbi.com β†’ myserver:80
61
69
 
62
70
  WebSocket connections are supported for all patterns.
63
71
 
72
+ ## πŸ•ΆοΈ Why `fbi.com`? β€” The Story
73
+
74
+ Slip on your shades and look at this. πŸ•ΆοΈ
75
+
76
+ There's a public DNS quirk that makes `fbi.com` ridiculously fun for local dev: **every `*.fbi.com` wildcard A record resolves to `127.0.0.1`**. No `/etc/hosts` edits. No DNS server. Just open `https://3000.fbi.com` and your browser is already talking to your laptop.
77
+
78
+ That's why `bunx fbi-proxy` defaults to `fbi.com` β€” it's the path of least resistance to a working demo. Spin up a dev server on `:3000`, run the proxy, and you've got a real-looking subdomain pointing at it instantly.
79
+
80
+ ### πŸ•ΆοΈ …but please don't ship on it
81
+
82
+ This is **a toy for testing and playing**, not infrastructure:
83
+
84
+ - **It's somebody else's DNS.** Whoever owns `fbi.com` can change those records any time. Your "production" disappears the moment they do.
85
+ - **Caddy's `tls internal` CA is local-only.** The root cert is installed into the trust store of _the machine running Caddy_. Anyone else who visits your `*.fbi.com` site sees a TLS warning. It cannot be shared with teammates, mobile devices, or end users.
86
+ - **Anyone can issue certs for `*.fbi.com`.** Because the apex isn't yours, you have zero control over who else asks Let's Encrypt for a cert on the same name.
87
+
88
+ ### πŸ•ΆοΈ For anything real β€” bring your own domain
89
+
90
+ ```bash
91
+ bunx fbi-proxy --domain example.dev
92
+ ```
93
+
94
+ Then point `*.example.dev` at your server's IP, run Caddy with proper public-CA TLS (Let's Encrypt via HTTP-01 or DNS-01), and you own the whole stack end-to-end. Production-grade. Shareable. Trustworthy.
95
+
96
+ `fbi.com` is the costume sunglasses. Your own domain is the prescription pair.
97
+
98
+ ### πŸ•ΆοΈ Cousins in the wild: `*.vercel.app`, `*.pages.dev`
99
+
100
+ You've probably noticed `*.fbi.com` looks a lot like `*.vercel.app` or `*.pages.dev` β€” same wildcard-DNS trick, very different tradeoffs.
101
+
102
+ | | `*.fbi.com` (fbi-proxy) | `*.vercel.app` / `*.pages.dev` |
103
+ | --------------------------------------------- | --------------------------------------------------------------- | ---------------------------------------------------------- |
104
+ | Who owns the apex | A third party (`snomiao` doesn't own `fbi.com`) | The platform (Vercel / Cloudflare) |
105
+ | Wildcard resolves to | `127.0.0.1` β€” your own laptop | The platform's edge servers |
106
+ | Where code actually runs | Your laptop | The platform's infrastructure |
107
+ | TLS | None on the DNS layer β€” Caddy `tls internal` (machine-local CA) | Public CA, auto-issued, trusted on every device |
108
+ | Shareable with teammates / mobile / strangers | No (CA only trusts on your box) | Yes (it's the whole point) |
109
+ | Privacy | All traffic stays on your machine | Goes through the platform's network |
110
+ | Lock-in | None β€” drop the dependency by switching `--domain` | You're on the platform's runtime, build system, and limits |
111
+ | Best for | Local dev, demos, "look it works on my laptop" | Actual deployed apps that real users hit |
112
+
113
+ Same shape β€” public wildcard apex points at _something_ β€” but `*.fbi.com` points it at **your machine**, while `*.vercel.app` and `*.pages.dev` point it at **someone else's machines running your code for you**. fbi-proxy is the DIY-at-home cousin of those platforms' subdomain UX.
114
+
64
115
  ## Usage
65
116
 
66
117
  ```sh
@@ -156,6 +207,26 @@ Command-line arguments take precedence over environment variables.
156
207
  - Host binding: `--host` or `FBI_PROXY_HOST` env var
157
208
  - Port binding: `--port` or `FBI_PROXY_PORT` env var
158
209
 
210
+ ## Alternatives & Tradeoffs
211
+
212
+ fbi-proxy isn't the only way to get `https://myapp.something β†’ localhost:port`. Below are five well-known alternatives covering the two halves of the problem: **subdomain β†’ loopback resolution** (Group A) and **forward-auth gateways** (Group B).
213
+
214
+ | Name | What it does | Setup | Cross-machine? | HTTPS story | WebSocket | vs fbi-proxy |
215
+ | --------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
216
+ | [mDNS / Bonjour / Avahi](https://en.wikipedia.org/wiki/Multicast_DNS) | Resolves `*.local` hostnames via UDP multicast β€” no DNS server needed | Low (built into macOS/iOS/Win10+, `avahi-daemon` on Linux) | LAN-only (same broadcast domain); not for prod or cellular | None β€” needs own CA / self-signed; browser warnings | N/A (DNS layer only) | Beats fbi-proxy for zero-config LAN service discovery; loses on wildcard subdomains (mDNS publishes individual names, not `*.local`) and TLS UX |
217
+ | [dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html) | Tiny local DNS+DHCP; `address=/test/127.0.0.1` wildcards any `*.test` to loopback | Med (install, edit config, point resolver at it) | Yes if installed on the LAN gateway | None β€” DNS only, you still need TLS via Caddy / nginx / mkcert | N/A | Beats fbi-proxy when you want a generic LAN-wide wildcard resolver decoupled from any specific proxy; loses because you still have to bolt on a reverse proxy + TLS yourself |
218
+ | [Pi-hole](https://pi-hole.net) | Network-wide DNS ad-blocker built on dnsmasq/FTL; UI for custom local DNS / CNAME records | Med (dedicated host or container, router DNS pointed at it) | LAN-wide | None β€” DNS only | N/A | Beats fbi-proxy if you already run Pi-hole; loses for single-laptop dev (overkill, no TLS, no proxy) |
219
+ | [vercel-labs/portless](https://github.com/vercel-labs/portless) | CLI that wraps `npm`/dev-server processes and exposes them as `https://name.localhost` with an auto-installed local CA | Low (`npm i -g portless` then `portless myapp next dev`) | Laptop-only by default | Auto-generates a local CA and installs it in the system trust store β€” no warnings | Yes (HTTP/2 proxy) | Beats fbi-proxy on TLS UX (no separate Caddy step) and per-app naming; loses on the "any port, any subdomain, zero config per service" model β€” portless registers apps explicitly, fbi-proxy is pure pattern routing |
220
+ | [Authelia](https://www.authelia.com/) | Self-hosted SSO + 2FA + OIDC provider; plugs into reverse proxies as a `forward_auth` endpoint | High (DB / LDAP / session store, YAML config, separate container) | Yes β€” production-grade | Inherits from front proxy (Caddy/Traefik/nginx) | Pass-through via proxy | Beats fbi-proxy when you want real SSO, OIDC issuance, WebAuthn/passkeys, group policies; loses when you only need "is this user logged in?" with one binary |
221
+ | [tinyauth](https://github.com/steveiliop56/tinyauth) | Minimal Go forward-auth server: OAuth/OIDC, LDAP, TOTP, simple ACLs | Low–Med (single binary / container, env-var config) | Yes | Inherits from front proxy | Pass-through via proxy | Beats fbi-proxy when you outgrow basic auth but don't want Authelia's surface area; loses because fbi-proxy ships routing in the same binary |
222
+
223
+ ### When to use which
224
+
225
+ - **Pure local dev, one laptop, throwaway demo** β€” fbi-proxy's default `fbi.com` mode or **portless** are both fine. portless wins on TLS-trusted-out-of-the-box; fbi-proxy wins if you want pattern routing (`<port>.<host>`) without registering each service.
226
+ - **LAN-wide / teammates on the same Wi-Fi** β€” **dnsmasq** or **Pi-hole** for the DNS half, then put fbi-proxy (or Caddy directly) in front for TLS + routing. **mDNS** works for hostname discovery but not wildcards.
227
+ - **Production / public domain** β€” fbi-proxy with `--domain yourdomain.com` + Caddy for ACME TLS. Pair with **tinyauth** (lightweight) or **Authelia** (full IAM) for real auth.
228
+ - **Honest tradeoffs:** fbi-proxy's default `*.fbi.com` is a toy meant for demos β€” for anything serious you need `--domain` and a real TLS terminator (Caddy is the documented path). It does not replace an SSO server, a DNS server, or a CDN; it's the glue that wires `subdomain β†’ port` and optionally calls out to one of the above.
229
+
159
230
  ## License
160
231
 
161
232
  MIT License - see [LICENSE](LICENSE) file for details