consul/vendor/github.com/google/tcpproxy/sni.go

193 lines
5.4 KiB
Go
Raw Normal View History

wan federation via mesh gateways (#6884) This is like a Möbius strip of code due to the fact that low-level components (serf/memberlist) are connected to high-level components (the catalog and mesh-gateways) in a twisty maze of references which make it hard to dive into. With that in mind here's a high level summary of what you'll find in the patch: There are several distinct chunks of code that are affected: * new flags and config options for the server * retry join WAN is slightly different * retry join code is shared to discover primary mesh gateways from secondary datacenters * because retry join logic runs in the *agent* and the results of that operation for primary mesh gateways are needed in the *server* there are some methods like `RefreshPrimaryGatewayFallbackAddresses` that must occur at multiple layers of abstraction just to pass the data down to the right layer. * new cache type `FederationStateListMeshGatewaysName` for use in `proxycfg/xds` layers * the function signature for RPC dialing picked up a new required field (the node name of the destination) * several new RPCs for manipulating a FederationState object: `FederationState:{Apply,Get,List,ListMeshGateways}` * 3 read-only internal APIs for debugging use to invoke those RPCs from curl * raft and fsm changes to persist these FederationStates * replication for FederationStates as they are canonically stored in the Primary and replicated to the Secondaries. * a special derivative of anti-entropy that runs in secondaries to snapshot their local mesh gateway `CheckServiceNodes` and sync them into their upstream FederationState in the primary (this works in conjunction with the replication to distribute addresses for all mesh gateways in all DCs to all other DCs) * a "gateway locator" convenience object to make use of this data to choose the addresses of gateways to use for any given RPC or gossip operation to a remote DC. This gets data from the "retry join" logic in the agent and also directly calls into the FSM. * RPC (`:8300`) on the server sniffs the first byte of a new connection to determine if it's actually doing native TLS. If so it checks the ALPN header for protocol determination (just like how the existing system uses the type-byte marker). * 2 new kinds of protocols are exclusively decoded via this native TLS mechanism: one for ferrying "packet" operations (udp-like) from the gossip layer and one for "stream" operations (tcp-like). The packet operations re-use sockets (using length-prefixing) to cut down on TLS re-negotiation overhead. * the server instances specially wrap the `memberlist.NetTransport` when running with gateway federation enabled (in a `wanfed.Transport`). The general gist is that if it tries to dial a node in the SAME datacenter (deduced by looking at the suffix of the node name) there is no change. If dialing a DIFFERENT datacenter it is wrapped up in a TLS+ALPN blob and sent through some mesh gateways to eventually end up in a server's :8300 port. * a new flag when launching a mesh gateway via `consul connect envoy` to indicate that the servers are to be exposed. This sets a special service meta when registering the gateway into the catalog. * `proxycfg/xds` notice this metadata blob to activate additional watches for the FederationState objects as well as the location of all of the consul servers in that datacenter. * `xds:` if the extra metadata is in place additional clusters are defined in a DC to bulk sink all traffic to another DC's gateways. For the current datacenter we listen on a wildcard name (`server.<dc>.consul`) that load balances all servers as well as one mini-cluster per node (`<node>.server.<dc>.consul`) * the `consul tls cert create` command got a new flag (`-node`) to help create an additional SAN in certs that can be used with this flavor of federation.
2020-03-09 20:59:02 +00:00
// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package tcpproxy
import (
"bufio"
"bytes"
"context"
"crypto/tls"
"io"
"net"
"strings"
)
// AddSNIRoute appends a route to the ipPort listener that routes to
// dest if the incoming TLS SNI server name is sni. If it doesn't
// match, rule processing continues for any additional routes on
// ipPort.
//
// By default, the proxy will route all ACME tls-sni-01 challenges
// received on ipPort to all SNI dests. You can disable ACME routing
// with AddStopACMESearch.
//
// The ipPort is any valid net.Listen TCP address.
func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
p.AddSNIMatchRoute(ipPort, equals(sni), dest)
}
// AddSNIMatchRoute appends a route to the ipPort listener that routes
// to dest if the incoming TLS SNI server name is accepted by
// matcher. If it doesn't match, rule processing continues for any
// additional routes on ipPort.
//
// By default, the proxy will route all ACME tls-sni-01 challenges
// received on ipPort to all SNI dests. You can disable ACME routing
// with AddStopACMESearch.
//
// The ipPort is any valid net.Listen TCP address.
func (p *Proxy) AddSNIMatchRoute(ipPort string, matcher Matcher, dest Target) {
cfg := p.configFor(ipPort)
if !cfg.stopACME {
if len(cfg.acmeTargets) == 0 {
p.addRoute(ipPort, &acmeMatch{cfg})
}
cfg.acmeTargets = append(cfg.acmeTargets, dest)
}
p.addRoute(ipPort, sniMatch{matcher, dest})
}
// AddStopACMESearch prevents ACME probing of subsequent SNI routes.
// Any ACME challenges on ipPort for SNI routes previously added
// before this call will still be proxied to all possible SNI
// backends.
func (p *Proxy) AddStopACMESearch(ipPort string) {
p.configFor(ipPort).stopACME = true
}
type sniMatch struct {
matcher Matcher
target Target
}
func (m sniMatch) match(br *bufio.Reader) (Target, string) {
sni := clientHelloServerName(br)
if m.matcher(context.TODO(), sni) {
return m.target, sni
}
return nil, ""
}
// acmeMatch matches "*.acme.invalid" ACME tls-sni-01 challenges and
// searches for a Target in cfg.acmeTargets that has the challenge
// response.
type acmeMatch struct {
cfg *config
}
func (m *acmeMatch) match(br *bufio.Reader) (Target, string) {
sni := clientHelloServerName(br)
if !strings.HasSuffix(sni, ".acme.invalid") {
return nil, ""
}
// TODO: cache. ACME issuers will hit multiple times in a short
// burst for each issuance event. A short TTL cache + singleflight
// should have an excellent hit rate.
// TODO: maybe an acme-specific timeout as well?
// TODO: plumb context upwards?
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
ch := make(chan Target, len(m.cfg.acmeTargets))
for _, target := range m.cfg.acmeTargets {
go tryACME(ctx, ch, target, sni)
}
for range m.cfg.acmeTargets {
if target := <-ch; target != nil {
return target, sni
}
}
// No target was happy with the provided challenge.
return nil, ""
}
func tryACME(ctx context.Context, ch chan<- Target, dest Target, sni string) {
var ret Target
defer func() { ch <- ret }()
conn, targetConn := net.Pipe()
defer conn.Close()
go dest.HandleConn(targetConn)
deadline, ok := ctx.Deadline()
if ok {
conn.SetDeadline(deadline)
}
client := tls.Client(conn, &tls.Config{
ServerName: sni,
InsecureSkipVerify: true,
})
if err := client.Handshake(); err != nil {
// TODO: log?
return
}
certs := client.ConnectionState().PeerCertificates
if len(certs) == 0 {
// TODO: log?
return
}
// acme says the first cert offered by the server must match the
// challenge hostname.
if err := certs[0].VerifyHostname(sni); err != nil {
// TODO: log?
return
}
// Target presented what looks like a valid challenge
// response, send it back to the matcher.
ret = dest
}
// clientHelloServerName returns the SNI server name inside the TLS ClientHello,
// without consuming any bytes from br.
// On any error, the empty string is returned.
func clientHelloServerName(br *bufio.Reader) (sni string) {
const recordHeaderLen = 5
hdr, err := br.Peek(recordHeaderLen)
if err != nil {
return ""
}
const recordTypeHandshake = 0x16
if hdr[0] != recordTypeHandshake {
return "" // Not TLS.
}
recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
helloBytes, err := br.Peek(recordHeaderLen + recLen)
if err != nil {
return ""
}
tls.Server(sniSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
sni = hello.ServerName
return nil, nil
},
}).Handshake()
return
}
// sniSniffConn is a net.Conn that reads from r, fails on Writes,
// and crashes otherwise.
type sniSniffConn struct {
r io.Reader
net.Conn // nil; crash on any unexpected use
}
func (c sniSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
func (sniSniffConn) Write(p []byte) (int, error) { return 0, io.EOF }