Add support for TLS backends

Closes: https://todo.sr.ht/~emersion/tlstunnel/6

directives.go

@@ -94,6 +94,15 @@ func parseBackend(backend *Backend, d *scfg.Directive) error {
 	}
 
 	switch u.Scheme {
+	case "tls":
+		host, _, err := net.SplitHostPort(u.Host)
+		if err != nil {
+			return fmt.Errorf("failed to parse backend address %q: %v", u.Host, err)
+		}
+		backend.TLSConfig = &tls.Config{
+			ServerName: host,
+		}
+		fallthrough
 	case "", "tcp":
 		backend.Network = "tcp"
 		backend.Address = u.Host

server.go

@@ -172,6 +172,9 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
 	if err != nil {
 		return fmt.Errorf("failed to dial backend: %v", err)
 	}
+	if be.TLSConfig != nil {
+		upstream = tls.Client(upstream, be.TLSConfig)
+	}
 	defer upstream.Close()
 
 	if be.Proxy {
@@ -199,9 +202,10 @@ func (fe *Frontend) handle(downstream net.Conn, tlsState *tls.ConnectionState) e
 }
 
 type Backend struct {
-	Network string
-	Address string
-	Proxy   bool
+	Network   string
+	Address   string
+	Proxy     bool
+	TLSConfig *tls.Config // nil if no TLS
 }
 
 func duplexCopy(a, b io.ReadWriter) error {

tlstunnel.1.scd

@@ -50,6 +50,7 @@ The following directives are supported:
 		The following URIs are supported:
 
 		- _[tcp://]<host>:<port>_ connects to a TCP server
+		- _tls://<host>:<port>_ connects to a TLS over TCP server
 		- _unix://<path>_ connects to a Unix socket
 
 		The _+proxy_ suffix can be added to the URI scheme to forward