Initial version

Author: tobilg

Diff for: accelerator-stack/resources/dns-records.yml

@@ -0,0 +1,21 @@
+Resources:
+  HostedZone:
+    Type: 'AWS::Route53::HostedZone'
+    Properties:
+      HostedZoneConfig:
+        Comment: 'Hosted zone for ${self:custom.domain}'
+      Name: '${self:custom.domain}'
+      
+  ExternalDnsRecord:
+    Type: 'AWS::Route53::RecordSet'
+    Properties:
+      Comment: 'External subdomain for ${self:custom.domain}'
+      HostedZoneId: !Ref 'HostedZone'
+      Type: A
+      Name: 'external.${self:custom.domain}'
+      AliasTarget:
+        # Will redirect to the GlobalAccelerator DNS name
+        DNSName: !Sub '${Accelerator.DnsName}'
+        # Default (static) hosted zone for GlobalAccelerator
+        # See https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget-1.html#cfn-route53-aliastarget-hostedzoneid
+        HostedZoneId: 'Z2BJ6XQ5FK7U4H'

Diff for: accelerator-stack/resources/global-accelerator.yml

@@ -0,0 +1,31 @@
+Resources:
+  Accelerator:
+    Type: AWS::GlobalAccelerator::Accelerator
+    Properties:
+      Name: 'External-Accelerator'
+      Enabled: true
+  
+  Listener:
+    Type: AWS::GlobalAccelerator::Listener
+    Properties:
+      AcceleratorArn:
+        Ref: Accelerator
+      Protocol: TCP
+      ClientAffinity: NONE
+      PortRanges:
+        - FromPort: 443
+          ToPort: 443
+
+  EndpointGroup1:
+    Type: AWS::GlobalAccelerator::EndpointGroup
+    Properties: 
+      EndpointConfigurations: 
+        - EndpointId: '${self:custom.ec2.instance1.id}'
+          Weight: 1
+      EndpointGroupRegion: '${self:custom.ec2.instance1.region}'
+      HealthCheckIntervalSeconds: 30
+      HealthCheckPath: '/health'
+      HealthCheckPort: 80
+      HealthCheckProtocol: 'HTTP'
+      ListenerArn: !Ref 'Listener'
+      ThresholdCount: 3

Diff for: accelerator-stack/serverless.yml

@@ -0,0 +1,21 @@
+service: global-reverse-proxy-accelerator
+
+custom:
+
+  # Target domain name
+  domain: 'your-target-domain.com'
+
+  ec2:
+    # Add instance information manually, and add a new endpoint group for each instance in global-accelerator.yml
+    instance1:
+      id: '${cf:global-reverse-proxy-server-1-${self:provider.stage}.EC2InstanceId}'
+      region: '${cf:global-reverse-proxy-server-1-${self:provider.stage}.EC2Region}'
+
+provider:
+  name: aws
+  region: 'us-east-1' # Needs to be in us-east-1 because GlobalAccelerator!
+  stage: ${opt:stage, 'prd'} # Can be changed by the --stage CLI option
+
+resources:
+  - ${file(resources/dns-records.yml)}
+  - ${file(resources/global-accelerator.yml)}

Diff for: domain-service-stack/resources/dynamo-db.yml

@@ -0,0 +1,12 @@
+Resources:
+  CertificatesTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      TableName: ${self:custom.dynamodb.tableName}
+      BillingMode: PAY_PER_REQUEST
+      AttributeDefinitions:
+        - AttributeName: PrimaryKey
+          AttributeType: S
+      KeySchema:
+        - AttributeName: PrimaryKey
+          KeyType: HASH

Diff for: domain-service-stack/resources/outputs.yml

@@ -0,0 +1,7 @@
+Outputs:
+  DomainVerifierFunctionUrl:
+    Description: The URL for the domain Lambda function
+    Value: !GetAtt 'DomainVerifierLambdaFunctionUrl.FunctionUrl'
+  CertificateTableName:
+    Description: Name of the certificate DynamoDB table
+    Value: '${self:custom.dynamodb.tableName}'

Diff for: domain-service-stack/serverless.yml

@@ -0,0 +1,27 @@
+service: global-reverse-proxy-domain-service
+
+custom:
+
+  # DynamoDB
+  dynamodb:
+    tableName: 'global-proxy-certificate-table'
+
+provider:
+  name: aws
+  runtime: nodejs16.x
+  region: ${opt:region, 'us-east-1'} # Can be changed by the --region CLI option
+  stage: ${opt:stage, 'prd'} # Can be changed by the --stage CLI option
+  logRetentionInDays: 14
+
+functions:
+  domainVerifier:
+    handler: src/domainVerifier.handler
+    memorySize: 128
+    timeout: 5
+    # Use Function URLs
+    url:
+      cors: true
+
+resources:
+  - ${file(resources/dynamo-db.yml)}
+  - ${file(resources/outputs.yml)}

Diff for: domain-service-stack/src/domainVerifier.js

@@ -0,0 +1,23 @@
+// For event format, see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-lambda.html#http-api-develop-integrations-lambda.proxy-format
+
+const allowedDomains = [
+  'mydomain.com',
+  'myotherdomain.com'
+];
+
+exports.handler = async (event) => {
+  let statusCode;
+
+  // Check if there's a "domain" query string paramenter, and check if the give value is in the list of allowed domains
+  if (event.queryStringParameters.hasOwnProperty('domain') && allowedDomains.includes(event.queryStringParameters.domain)) {
+    // If yes, send a 200 status, which will then trigger a certificate generation in Caddy
+    statusCode = 200;
+  } else {
+    // If not, send a 400 status, which will NOT trigger a certificate generation in Caddy (we should only do this for whitelisted domains!)
+    statusCode = 400;
+  }
+
+  return {
+    statusCode,
+  };
+};

Diff for: proxy-server-stack/caddy-config/Caddyfile

@@ -0,0 +1,29 @@
+{
+        debug
+	admin off
+        on_demand_tls {
+                ask {$DOMAIN_SERVICE_ENDPOINT}
+        }
+
+	storage dynamodb {$TABLE_NAME} {
+                aws_region {$AWS_REGION}
+        }
+}
+
+:80 {
+     	respond /health "Im healthy!" 200
+}
+
+:443 {
+      	tls {$LETSENCRYPT_EMAIL_ADDRESS} {
+                on_demand
+        }
+
+	reverse_proxy https://{$TARGET_DOMAIN} {
+                header_up Host {$TARGET_DOMAIN}
+                header_up User-Custom-Domain {host}
+                header_up X-Forwarded-Port {server_port}
+
+                health_timeout 5s
+        }
+}

Diff for: proxy-server-stack/caddy-config/caddy.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Caddy
+Documentation=https://caddyserver.com/docs/
+After=network.target
+
+[Service]
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+EnvironmentFile=/etc/caddy/environment
+
+[Install]
+WantedBy=multi-user.target

Diff for: proxy-server-stack/configs.js

@@ -0,0 +1,5 @@
+const { readFileSync } = require('fs');
+const { join } = require('path');
+
+module.exports.caddyFile = readFileSync(join(__dirname, 'caddy-config', 'Caddyfile'), { encoding: 'utf-8'}).replace(/\n/g, "\\n");
+module.exports.caddyService = readFileSync(join(__dirname, 'caddy-config', 'caddy.service'), { encoding: 'utf-8'}).replace(/\n/g, "\\n");

Diff for: proxy-server-stack/resources/ec2.yml

@@ -0,0 +1,91 @@
+Resources:
+  EC2Instance:
+    Type: AWS::EC2::Instance
+    # https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html#aws-resource-cloudformation-init-syntax
+    Properties:
+      InstanceType: '${self:custom.ec2.instanceType}'
+      KeyName: '${self:custom.ec2.keyName}'
+      SecurityGroups: 
+        - !Ref 'InstanceSecurityGroup'
+      ImageId: 'ami-0b5eea76982371e91' # Amazon Linux 2 AMI
+      IamInstanceProfile: !Ref 'InstanceProfile'
+      UserData: !Base64 
+        'Fn::Join':
+          - ''
+          - - |
+              #!/bin/bash -xe
+            - |
+              sudo wget -O /usr/bin/caddy "https://github.com/tobilg/aws-caddy-build/raw/main/releases/aws_caddy_v2.6.2_linux"
+            - |
+              sudo chmod +x /usr/bin/caddy
+            - |
+              sudo groupadd --system caddy
+            - |
+              sudo useradd --system --gid caddy --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin --comment "Caddy web server" caddy
+            - |
+              sudo mkdir -p /etc/caddy
+            - |
+              sudo echo -e "${file(./configs.js):caddyService}" | sudo tee /etc/systemd/system/caddy.service
+            - |
+              sudo echo -e "${file(./configs.js):caddyFile}" | sudo tee /etc/caddy/Caddyfile
+            - |
+              sudo echo -e "AWS_REGION=${self:provider.region}\nTABLE_NAME=${self:custom.caddy.dynamoDBTableName}\nDOMAIN_SERVICE_ENDPOINT=${self:custom.caddy.domainServiceEndpoint}\nLETSENCRYPT_EMAIL_ADDRESS=${self:custom.caddy.letsEncryptEmailAddress}\nTARGET_DOMAIN=${self:custom.caddy.targetDomainName}" | sudo tee /etc/caddy/environment
+            - |
+              sudo systemctl daemon-reload
+            - |
+              sudo systemctl enable caddy
+            - |
+              sudo systemctl start --now caddy
+
+  InstanceSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Enable HTTP(S) and SSH access
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: 443
+          ToPort: 443
+          CidrIp: 0.0.0.0/0
+
+  InstanceProfile:
+    Type: AWS::IAM::InstanceProfile
+    Properties: 
+      Path: '/'
+      Roles: 
+        - !Ref 'InstanceRole'
+
+  InstanceRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      Path: '/'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ec2.amazonaws.com
+            Action:
+              - sts:AssumeRole
+
+  InstancePolicy:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      PolicyName: 'use-dynamodb-ssm-policy'
+      PolicyDocument:
+        Statement:
+          - Effect: 'Allow'
+            Action:
+              - dynamodb:Scan
+              - dynamodb:Query
+              - dynamodb:GetItem
+              - dynamodb:PutItem
+              - dynamodb:UpdateItem
+              - dynamodb:DeleteItem
+            Resource: !Sub '${CertificatesTable.Arn}'
+      Roles:
+        - !Ref 'InstanceRole'

Diff for: proxy-server-stack/resources/outputs.yml

@@ -0,0 +1,7 @@
+Outputs:
+  EC2InstanceId:
+    Description: The EC2 instance is
+    Value: !Ref 'EC2Instance'
+  EC2Region:
+    Description: The region the EC2 instance is deployed to
+    Value: '${self:provider.region}'

Diff for: proxy-server-stack/serverless.yml

@@ -0,0 +1,23 @@
+service: global-reverse-proxy-server-1 # Assuming there's only one EC2 instance per region, otherwise change stack name manually
+
+custom:
+
+  # Caddy config
+  caddy:
+    targetDomainName: 'your-target-domain.com' # The target domain name where to proxy to
+    letsEncryptEmailAddress: '[email protected]' # Use for automatic certificate generation
+    domainServiceEndpoint: '${cf:global-reverse-proxy-domain-service-${self:provider.stage}.DomainVerifierFunctionUrl}' # Get Function URL from domain service stack export
+    dynamoDBTableName: '${cf:global-reverse-proxy-domain-service-${self:provider.stage}.CertificateTableName}' # Get DynamoDB table name from base stack export
+
+  # EC2
+  ec2:
+    instanceType: 't2.micro' # For free tier usage
+    keyName: 'my-key-name' # Update this to your key name, which you need to create in the AWS Console BEFORE deploying this stack
+
+provider:
+  name: aws
+  region: ${opt:region, 'us-east-1'} # Can be changed by the --region CLI option
+  stage: ${opt:stage, 'prd'} # Can be changed by the --stage CLI option
+
+resources:
+  - ${file(resources/ec2.yml)}