derp, cmd/derper: add debug handlers, stats

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-01-07 08:07:42 +00:00 · 2020-02-21 09:35:53 -08:00 · 2020-02-21 09:35:53 -08:00 · 2612e54ad1
commit 2612e54ad1
parent 433b917977
2 changed files with 160 additions and 15 deletions
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@ -7,30 +7,37 @@
 import (
 	"encoding/json"
 	"expvar"
 	_ "expvar"
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	_ "net/http/pprof"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/interfaces"
 	"tailscale.com/logpolicy"
 	"tailscale.com/types/key"
 )
 var (
 	dev           = flag.Bool("dev", false, "run in localhost development mode")
 	addr          = flag.String("a", ":443", "server address")
 	configPath    = flag.String("c", "", "config file path")
 	certDir       = flag.String("certdir", defaultCertDir(), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	bytesPerSec   = flag.Int("mbps", 5, "Mbps (mebibit/s) per-client rate limit; 0 means unlimited")
+	mbps          = flag.Int("mbps", 5, "Mbps (mebibit/s) per-client rate limit; 0 means unlimited")
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
 )
@ -47,6 +54,9 @@ type config struct {
 }
 func loadConfig() config {
 	if *dev {
 		return config{PrivateKey: mustNewKey()}
 	}
 	if *configPath == "" {
 		log.Fatalf("derper: -c <config path> not specified")
 	}
@ -66,12 +76,16 @@ func loadConfig() config {
 	}
 }
-func writeNewConfig() config {
+func mustNewKey() wgcfg.PrivateKey {
 	key, err := wgcfg.NewPrivateKey()
 	if err != nil {
 		log.Fatal(err)
 	}
 	return key
 }
 func writeNewConfig() config {
 	key := mustNewKey()
 	if err := os.MkdirAll(filepath.Dir(*configPath), 0777); err != nil {
 		log.Fatal(err)
 	}
@ -91,6 +105,12 @@ func writeNewConfig() config {
 func main() {
 	flag.Parse()
 	if *dev {
 		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 	}
 	var logPol *logpolicy.Policy
 	if *logCollection != "" {
 		logPol = logpolicy.New(*logCollection)
@ -105,16 +125,33 @@ func main() {
 	}
 	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
-	if *bytesPerSec != 0 {
+	if *mbps != 0 {
-		s.BytesPerSecond = (*bytesPerSec << 20) / 8
+		s.BytesPerSecond = (*mbps << 20) / 8
 	}
 	expvar.Publish("derp", s.ExpVar())
 	expvar.Publish("uptime", uptimeVar{})
 	// Create our own mux so we don't expose /debug/ stuff to the world.
 	mux := http.NewServeMux()
 	mux.Handle("/derp", derphttp.Handler(s))
 	mux.Handle("/debug/", protected(debugHandler(s)))
 	mux.Handle("/debug/pprof/", protected(http.DefaultServeMux)) // to net/http/pprof
 	mux.Handle("/debug/vars", protected(http.DefaultServeMux))   // to expvar
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain")
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(200)
-		io.WriteString(w, "Tailscale DERP server.")
+		io.WriteString(w, `<html><body>
 <h1>DERP</h1>
 <p>
  This is a
  <a href="https://tailscale.com/">Tailscale</a>
  <a href="https://godoc.org/tailscale.com/derp">DERP</a>
  server.
 </p>
 `)
 		if allowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
 	httpsrv := &http.Server{
@ -151,3 +188,55 @@ func main() {
 		log.Fatalf("derper: %v", err)
 	}
 }
 func protected(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if !allowDebugAccess(r) {
 			http.Error(w, "debug access denied", http.StatusForbidden)
 			return
 		}
 		h.ServeHTTP(w, r)
 	})
 }
 func allowDebugAccess(r *http.Request) bool {
 	if r.Header.Get("X-Forwarded-For") != "" {
 		// TODO if/when needed. For now, conservative:
 		return false
 	}
 	ipStr, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
 		return false
 	}
 	ip := net.ParseIP(ipStr)
 	return interfaces.IsTailscaleIP(ip) || ip.IsLoopback() || ipStr == os.Getenv("ALLOW_DEBUG_IP")
 }
 func debugHandler(s *derp.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
 		f(`<html><body>
 <h1>DERP debug</h1>
 <ul>
 `)
 		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
 		f("<li><b>Rate Limit:</b> %v Mbps</li>\n", *mbps)
 		f("<li><b>Uptime:</b> %v</li>\n", uptime().Round(time.Second))
 		f(`<li><a href="/debug/vars">/debug/vars</a></li>
   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
 <ul>
 </html>
 `)
 	})
 }
 var timeStart = time.Now()
 func uptime() time.Duration { return time.Since(timeStart) }
 type uptimeVar struct{}
 func (uptimeVar) String() string { return fmt.Sprint(int64(uptime().Seconds())) }
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@ -13,11 +13,13 @@
 	crand "crypto/rand"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
 	"math/big"
 	"net"
 	"sync"
 	"sync/atomic"
 	"time"
 	"golang.org/x/crypto/nacl/box"
@ -36,21 +38,28 @@ type Server struct {
 	publicKey  key.Public
 	logf       logger.Logf
-	mu       sync.Mutex
+	// Counters:
-	closed   bool
+	packetsSent int64
-	netConns map[net.Conn]chan struct{} // chan is closed when conn closes
+	bytesSent   int64
-	clients  map[key.Public]*sclient
+
 	mu          sync.Mutex
 	closed      bool
 	accepts     int64
 	netConns    map[net.Conn]chan struct{} // chan is closed when conn closes
 	clients     map[key.Public]*sclient
 	clientsEver map[key.Public]bool // never deleted from, for stats; fine for now
 }
 // NewServer returns a new DERP server. It doesn't listen on its own.
 // Connections are given to it via Server.Accept.
 func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 	s := &Server{
-		privateKey: privateKey,
+		privateKey:  privateKey,
-		publicKey:  privateKey.Public(),
+		publicKey:   privateKey.Public(),
-		logf:       logf,
+		logf:        logf,
-		clients:    make(map[key.Public]*sclient),
+		clients:     make(map[key.Public]*sclient),
-		netConns:   make(map[net.Conn]chan struct{}),
+		clientsEver: make(map[key.Public]bool),
 		netConns:    make(map[net.Conn]chan struct{}),
 	}
 	return s
 }
@ -95,6 +104,7 @@ func (s *Server) Accept(nc net.Conn, brw *bufio.ReadWriter) {
 	closed := make(chan struct{})
 	s.mu.Lock()
 	s.accepts++
 	s.netConns[nc] = closed
 	s.mu.Unlock()
@ -125,6 +135,7 @@ func (s *Server) registerClient(c *sclient) {
 		s.logf("derp: %s: client %x: adding connection, replacing %s", c.nc.RemoteAddr(), c.key, old.nc.RemoteAddr())
 	}
 	s.clients[c.key] = c
 	s.clientsEver[c.key] = true
 }
 // unregisterClient removes a client from the server.
@ -311,6 +322,8 @@ func (s *Server) recvClientKey(br *bufio.Reader) (clientKey key.Public, info *sc
 }
 func (s *Server) sendPacket(bw *bufio.Writer, srcKey key.Public, contents []byte) error {
 	atomic.AddInt64(&s.packetsSent, 1)
 	atomic.AddInt64(&s.bytesSent, int64(len(contents)))
 	if err := writeFrameHeader(bw, frameRecvPacket, uint32(len(contents))); err != nil {
 		return err
 	}
@ -397,3 +410,46 @@ type sclientInfo struct {
 type serverInfo struct {
 }
 // Stats returns stats about the server.
 func (s *Server) Stats() *ServerStats {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	return &ServerStats{
 		BytesPerSecondLimit: s.BytesPerSecond,
 		CurrentConnections:  len(s.netConns),
 		UniqueClientsEver:   len(s.clientsEver),
 		TotalAccepts:        s.accepts,
 		PacketsSent:         atomic.LoadInt64(&s.packetsSent),
 		BytesSent:           atomic.LoadInt64(&s.bytesSent),
 	}
 }
 // ExpVar returns an expvar variable suitable for registering with expvar.Publish.
 func (s *Server) ExpVar() expvar.Var {
 	return expVar{s}
 }
 type expVar struct{ *Server }
 // String implements the expvar.Var interface, returning the current server stats as JSON.
 func (v expVar) String() string {
 	ss := v.Server.Stats()
 	j, err := json.MarshalIndent(ss, "", "\t")
 	if err != nil {
 		return "{}"
 	}
 	return string(j)
 }
 // ServerStats are returned by Server.Stats.
 //
 // It is JSON-ified by expVar for the expvar package.
 type ServerStats struct {
 	BytesPerSecondLimit int   `json:"bytesPerSecondLimit"`
 	CurrentConnections  int   `json:"currentClients"`
 	UniqueClientsEver   int   `json:"uniqueClientsEver"`
 	TotalAccepts        int64 `json:"totalAccepts"`
 	PacketsSent         int64 `json:"packetsSent"`
 	BytesSent           int64 `json:"bytesSent"`
 }