mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 13:05:46 +00:00
ipn/ipnlocal: add support for funnel in tsnet
Previously the part that handled Funnel connections was not aware of any listeners that tsnet.Servers might have had open so it would check against the ServeConfig and fail. Adding a ServeConfig for a TCP proxy was also not suitable in this scenario as that would mean creating two different listeners and have one forward to the other, which really meant that you could not have funnel and tailnet-only listeners on the same port. This also introduces the ipn.FunnelConn as a way for users to identify whether the call is coming over funnel or not. Currently it only holds the underlying conn and the target as presented in the "Tailscale-Ingress-Target" header. Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
parent
dad78f31f3
commit
b797f773c7
@ -150,6 +150,22 @@ type LocalBackend struct {
|
|||||||
shutdownCalled bool // if Shutdown has been called
|
shutdownCalled bool // if Shutdown has been called
|
||||||
debugSink *capture.Sink
|
debugSink *capture.Sink
|
||||||
|
|
||||||
|
// getTCPHandlerForFunnelFlow returns a handler for an incoming TCP flow for
|
||||||
|
// the provided srcAddr and dstPort if one exists.
|
||||||
|
//
|
||||||
|
// srcAddr is the source address of the flow, not the address of the Funnel
|
||||||
|
// node relaying the flow.
|
||||||
|
// dstPort is the destination port of the flow.
|
||||||
|
//
|
||||||
|
// It returns nil if there is no known handler for this flow.
|
||||||
|
//
|
||||||
|
// This is specifically used to handle TCP flows for Funnel connections to tsnet
|
||||||
|
// servers.
|
||||||
|
//
|
||||||
|
// It is set once during initialization, and can be nil if SetTCPHandlerForFunnelFlow
|
||||||
|
// is never called.
|
||||||
|
getTCPHandlerForFunnelFlow func(srcAddr netip.AddrPort, dstPort uint16) (handler func(net.Conn))
|
||||||
|
|
||||||
// lastProfileID tracks the last profile we've seen from the ProfileManager.
|
// lastProfileID tracks the last profile we've seen from the ProfileManager.
|
||||||
// It's used to detect when the user has changed their profile.
|
// It's used to detect when the user has changed their profile.
|
||||||
lastProfileID ipn.ProfileID
|
lastProfileID ipn.ProfileID
|
||||||
@ -3117,6 +3133,12 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs ipn.PrefsView, logf logger.
|
|||||||
return dcfg
|
return dcfg
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetTCPHandlerForFunnelFlow sets the TCP handler for Funnel flows.
|
||||||
|
// It should only be called before the LocalBackend is used.
|
||||||
|
func (b *LocalBackend) SetTCPHandlerForFunnelFlow(h func(src netip.AddrPort, dstPort uint16) (handler func(net.Conn))) {
|
||||||
|
b.getTCPHandlerForFunnelFlow = h
|
||||||
|
}
|
||||||
|
|
||||||
// SetVarRoot sets the root directory of Tailscale's writable
|
// SetVarRoot sets the root directory of Tailscale's writable
|
||||||
// storage area . (e.g. "/var/lib/tailscale")
|
// storage area . (e.g. "/var/lib/tailscale")
|
||||||
//
|
//
|
||||||
|
@ -761,12 +761,12 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
|
|||||||
bad("Tailscale-Ingress-Src header invalid; want ip:port")
|
bad("Tailscale-Ingress-Src header invalid; want ip:port")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
target := r.Header.Get("Tailscale-Ingress-Target")
|
target := ipn.HostPort(r.Header.Get("Tailscale-Ingress-Target"))
|
||||||
if target == "" {
|
if target == "" {
|
||||||
bad("Tailscale-Ingress-Target header not set")
|
bad("Tailscale-Ingress-Target header not set")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if _, _, err := net.SplitHostPort(target); err != nil {
|
if _, _, err := net.SplitHostPort(string(target)); err != nil {
|
||||||
bad("Tailscale-Ingress-Target header invalid; want host:port")
|
bad("Tailscale-Ingress-Target header invalid; want host:port")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@ -779,13 +779,17 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
|
|||||||
return nil, false
|
return nil, false
|
||||||
}
|
}
|
||||||
io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
|
io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
|
||||||
return conn, true
|
return &ipn.FunnelConn{
|
||||||
|
Conn: conn,
|
||||||
|
Src: srcAddr,
|
||||||
|
Target: target,
|
||||||
|
}, true
|
||||||
}
|
}
|
||||||
sendRST := func() {
|
sendRST := func() {
|
||||||
http.Error(w, "denied", http.StatusForbidden)
|
http.Error(w, "denied", http.StatusForbidden)
|
||||||
}
|
}
|
||||||
|
|
||||||
h.ps.b.HandleIngressTCPConn(h.peerNode, ipn.HostPort(target), srcAddr, getConn, sendRST)
|
h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConn, sendRST)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
|
func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
|
||||||
|
@ -281,9 +281,22 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
|
|||||||
sendRST()
|
sendRST()
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
dport := uint16(port16)
|
||||||
|
if b.getTCPHandlerForFunnelFlow != nil {
|
||||||
|
handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
|
||||||
|
if handler != nil {
|
||||||
|
c, ok := getConn()
|
||||||
|
if !ok {
|
||||||
|
b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
handler(c)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
|
// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
|
||||||
// extend serveHTTPContext or similar.
|
// extend serveHTTPContext or similar.
|
||||||
b.HandleInterceptedTCPConn(uint16(port16), srcAddr, getConn, sendRST)
|
b.HandleInterceptedTCPConn(dport, srcAddr, getConn, sendRST)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
|
func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
|
||||||
|
25
ipn/serve.go
25
ipn/serve.go
@ -3,6 +3,11 @@
|
|||||||
|
|
||||||
package ipn
|
package ipn
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net"
|
||||||
|
"net/netip"
|
||||||
|
)
|
||||||
|
|
||||||
// ServeConfigKey returns a StateKey that stores the
|
// ServeConfigKey returns a StateKey that stores the
|
||||||
// JSON-encoded ServeConfig for a config profile.
|
// JSON-encoded ServeConfig for a config profile.
|
||||||
func ServeConfigKey(profileID ProfileID) StateKey {
|
func ServeConfigKey(profileID ProfileID) StateKey {
|
||||||
@ -29,6 +34,26 @@ type ServeConfig struct {
|
|||||||
// There is no implicit port 443. It must contain a colon.
|
// There is no implicit port 443. It must contain a colon.
|
||||||
type HostPort string
|
type HostPort string
|
||||||
|
|
||||||
|
// A FunnelConn wraps a net.Conn that is coming over a
|
||||||
|
// Funnel connection. It can be used to determine further
|
||||||
|
// information about the connection, like the source address
|
||||||
|
// and the target SNI name.
|
||||||
|
type FunnelConn struct {
|
||||||
|
// Conn is the underlying connection.
|
||||||
|
net.Conn
|
||||||
|
|
||||||
|
// Target is what was presented in the "Tailscale-Ingress-Target"
|
||||||
|
// HTTP header.
|
||||||
|
Target HostPort
|
||||||
|
|
||||||
|
// Src is the source address of the connection.
|
||||||
|
// This is the address of the client that initiated the
|
||||||
|
// connection, not the address of the Tailscale Funnel
|
||||||
|
// node which is relaying the connection. That address
|
||||||
|
// can be found in Conn.RemoteAddr.
|
||||||
|
Src netip.AddrPort
|
||||||
|
}
|
||||||
|
|
||||||
// WebServerConfig describes a web server's configuration.
|
// WebServerConfig describes a web server's configuration.
|
||||||
type WebServerConfig struct {
|
type WebServerConfig struct {
|
||||||
Handlers map[string]*HTTPHandler // mountPoint => handler
|
Handlers map[string]*HTTPHandler // mountPoint => handler
|
||||||
|
131
tsnet/example/tsnet-funnel/tsnet-funnel.go
Normal file
131
tsnet/example/tsnet-funnel/tsnet-funnel.go
Normal file
@ -0,0 +1,131 @@
|
|||||||
|
// Copyright (c) Tailscale Inc & AUTHORS
|
||||||
|
// SPDX-License-Identifier: BSD-3-Clause
|
||||||
|
|
||||||
|
// The tsnet-funnel server demonstrates how to use tsnet with Funnel.
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"crypto/tls"
|
||||||
|
"errors"
|
||||||
|
"flag"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
|
"net"
|
||||||
|
"net/http"
|
||||||
|
"net/netip"
|
||||||
|
|
||||||
|
"tailscale.com/ipn"
|
||||||
|
"tailscale.com/tsnet"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
addr = flag.String("addr", ":443", "address to listen on")
|
||||||
|
)
|
||||||
|
|
||||||
|
func enableFunnel(ctx context.Context, s *tsnet.Server) error {
|
||||||
|
st, err := s.Up(ctx)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if len(st.CertDomains) == 0 {
|
||||||
|
return errors.New("tsnet: you must enable HTTPS in the admin panel to proceed")
|
||||||
|
}
|
||||||
|
domain := st.CertDomains[0]
|
||||||
|
|
||||||
|
hp := ipn.HostPort(net.JoinHostPort(domain, "443"))
|
||||||
|
|
||||||
|
srvConfig := &ipn.ServeConfig{
|
||||||
|
AllowFunnel: map[ipn.HostPort]bool{
|
||||||
|
hp: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
lc, err := s.LocalClient()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return lc.SetServeConfig(ctx, srvConfig)
|
||||||
|
}
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
flag.Parse()
|
||||||
|
s := new(tsnet.Server)
|
||||||
|
defer s.Close()
|
||||||
|
ctx := context.Background()
|
||||||
|
if err := enableFunnel(ctx, s); err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ln, err := s.Listen("tcp", *addr)
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
defer ln.Close()
|
||||||
|
|
||||||
|
lc, err := s.LocalClient()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ln = tls.NewListener(ln, &tls.Config{
|
||||||
|
GetCertificate: lc.GetCertificate,
|
||||||
|
})
|
||||||
|
httpServer := &http.Server{
|
||||||
|
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
|
||||||
|
if tc, ok := c.(*tls.Conn); ok {
|
||||||
|
// First unwrap the TLS connection to get the underlying
|
||||||
|
// net.Conn.
|
||||||
|
c = tc.NetConn()
|
||||||
|
}
|
||||||
|
// Then check if the underlying net.Conn is a FunnelConn.
|
||||||
|
if fc, ok := c.(*ipn.FunnelConn); ok {
|
||||||
|
ctx = context.WithValue(ctx, funnelKey{}, true)
|
||||||
|
ctx = context.WithValue(ctx, funnelSrcKey{}, fc.Src)
|
||||||
|
}
|
||||||
|
return ctx
|
||||||
|
},
|
||||||
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if isFunnel(r.Context()) {
|
||||||
|
fmt.Fprintln(w, "<html><body><h1>Hello, internet!</h1>")
|
||||||
|
fmt.Fprintln(w, "<p>You are connected over the internet!</p>")
|
||||||
|
fmt.Fprintf(w, "<p>You are coming from %v</p></html>\n", funnelSrc(r.Context()))
|
||||||
|
} else {
|
||||||
|
fmt.Fprintln(w, "<html><body><h1>Hello, tailnet!</h1>")
|
||||||
|
fmt.Fprintln(w, "<p>You are connected over the tailnet!</p>")
|
||||||
|
who, err := lc.WhoIs(r.Context(), r.RemoteAddr)
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("WhoIs(%v): %v", r.RemoteAddr, err)
|
||||||
|
fmt.Fprintf(w, "<p>I do not know who you are</p>")
|
||||||
|
} else if len(who.Node.Tags) > 0 {
|
||||||
|
fmt.Fprintf(w, "<p>You are using a tagged node: %v</p>\n", who.Node.Tags)
|
||||||
|
} else {
|
||||||
|
fmt.Fprintf(w, "<p>You are %v</p>\n", who.UserProfile.DisplayName)
|
||||||
|
}
|
||||||
|
fmt.Fprintf(w, "<p>You are coming from %v</p></html>\n", r.RemoteAddr)
|
||||||
|
}
|
||||||
|
}),
|
||||||
|
}
|
||||||
|
log.Fatal(httpServer.Serve(ln))
|
||||||
|
}
|
||||||
|
|
||||||
|
// funnelKey is a context key used to indicate that a request is coming
|
||||||
|
// over the internet.
|
||||||
|
// It is not used by tsnet, but is used by this example to demonstrate
|
||||||
|
// how to detect when a request is coming over the internet rather than
|
||||||
|
// over the tailnet.
|
||||||
|
type funnelKey struct{}
|
||||||
|
|
||||||
|
// funnelSrcKey is a context key used to indicate the source of a
|
||||||
|
// request.
|
||||||
|
type funnelSrcKey struct{}
|
||||||
|
|
||||||
|
// isFunnel reports whether the request is coming over the internet.
|
||||||
|
func isFunnel(ctx context.Context) bool {
|
||||||
|
v, _ := ctx.Value(funnelKey{}).(bool)
|
||||||
|
return v
|
||||||
|
}
|
||||||
|
|
||||||
|
func funnelSrc(ctx context.Context) netip.AddrPort {
|
||||||
|
v, _ := ctx.Value(funnelSrcKey{}).(netip.AddrPort)
|
||||||
|
return v
|
||||||
|
}
|
@ -519,6 +519,7 @@ func (s *Server) start() (reterr error) {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("NewLocalBackend: %v", err)
|
return fmt.Errorf("NewLocalBackend: %v", err)
|
||||||
}
|
}
|
||||||
|
lb.SetTCPHandlerForFunnelFlow(s.getTCPHandlerForFunnelFlow)
|
||||||
lb.SetVarRoot(s.rootPath)
|
lb.SetVarRoot(s.rootPath)
|
||||||
logf("tsnet starting with hostname %q, varRoot %q", s.hostname, s.rootPath)
|
logf("tsnet starting with hostname %q, varRoot %q", s.hostname, s.rootPath)
|
||||||
s.lb = lb
|
s.lb = lb
|
||||||
@ -660,6 +661,27 @@ func (s *Server) listenerForDstAddr(netBase string, dst netip.AddrPort) (_ *list
|
|||||||
return nil, false
|
return nil, false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Server) getTCPHandlerForFunnelFlow(src netip.AddrPort, dstPort uint16) (handler func(net.Conn)) {
|
||||||
|
ipv4, ipv6 := s.TailscaleIPs()
|
||||||
|
var dst netip.AddrPort
|
||||||
|
if src.Addr().Is4() {
|
||||||
|
if !ipv4.IsValid() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
dst = netip.AddrPortFrom(ipv4, dstPort)
|
||||||
|
} else {
|
||||||
|
if !ipv6.IsValid() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
dst = netip.AddrPortFrom(ipv6, dstPort)
|
||||||
|
}
|
||||||
|
ln, ok := s.listenerForDstAddr("tcp", dst)
|
||||||
|
if !ok {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return ln.handle
|
||||||
|
}
|
||||||
|
|
||||||
func (s *Server) getTCPHandlerForFlow(src, dst netip.AddrPort) (handler func(net.Conn), intercept bool) {
|
func (s *Server) getTCPHandlerForFlow(src, dst netip.AddrPort) (handler func(net.Conn), intercept bool) {
|
||||||
ln, ok := s.listenerForDstAddr("tcp", dst)
|
ln, ok := s.listenerForDstAddr("tcp", dst)
|
||||||
if !ok {
|
if !ok {
|
||||||
|
Loading…
Reference in New Issue
Block a user