ipn/ipnlocal: add support for funnel in tsnet

Previously the part that handled Funnel connections was not
aware of any listeners that tsnet.Servers might have had open
so it would check against the ServeConfig and fail.

Adding a ServeConfig for a TCP proxy was also not suitable in this
scenario as that would mean creating two different listeners and have
one forward to the other, which really meant that you could not have
funnel and tailnet-only listeners on the same port.

This also introduces the ipn.FunnelConn as a way for users to identify
whether the call is coming over funnel or not. Currently it only holds
the underlying conn and the target as presented in the "Tailscale-Ingress-Target"
header.

Signed-off-by: Maisem Ali <maisem@tailscale.com>
This commit is contained in:
Maisem Ali 2023-03-08 12:36:41 -08:00 committed by Maisem Ali
parent dad78f31f3
commit b797f773c7
6 changed files with 222 additions and 5 deletions

View File

@ -150,6 +150,22 @@ type LocalBackend struct {
shutdownCalled bool // if Shutdown has been called shutdownCalled bool // if Shutdown has been called
debugSink *capture.Sink debugSink *capture.Sink
// getTCPHandlerForFunnelFlow returns a handler for an incoming TCP flow for
// the provided srcAddr and dstPort if one exists.
//
// srcAddr is the source address of the flow, not the address of the Funnel
// node relaying the flow.
// dstPort is the destination port of the flow.
//
// It returns nil if there is no known handler for this flow.
//
// This is specifically used to handle TCP flows for Funnel connections to tsnet
// servers.
//
// It is set once during initialization, and can be nil if SetTCPHandlerForFunnelFlow
// is never called.
getTCPHandlerForFunnelFlow func(srcAddr netip.AddrPort, dstPort uint16) (handler func(net.Conn))
// lastProfileID tracks the last profile we've seen from the ProfileManager. // lastProfileID tracks the last profile we've seen from the ProfileManager.
// It's used to detect when the user has changed their profile. // It's used to detect when the user has changed their profile.
lastProfileID ipn.ProfileID lastProfileID ipn.ProfileID
@ -3117,6 +3133,12 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs ipn.PrefsView, logf logger.
return dcfg return dcfg
} }
// SetTCPHandlerForFunnelFlow sets the TCP handler for Funnel flows.
// It should only be called before the LocalBackend is used.
func (b *LocalBackend) SetTCPHandlerForFunnelFlow(h func(src netip.AddrPort, dstPort uint16) (handler func(net.Conn))) {
b.getTCPHandlerForFunnelFlow = h
}
// SetVarRoot sets the root directory of Tailscale's writable // SetVarRoot sets the root directory of Tailscale's writable
// storage area . (e.g. "/var/lib/tailscale") // storage area . (e.g. "/var/lib/tailscale")
// //

View File

@ -761,12 +761,12 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
bad("Tailscale-Ingress-Src header invalid; want ip:port") bad("Tailscale-Ingress-Src header invalid; want ip:port")
return return
} }
target := r.Header.Get("Tailscale-Ingress-Target") target := ipn.HostPort(r.Header.Get("Tailscale-Ingress-Target"))
if target == "" { if target == "" {
bad("Tailscale-Ingress-Target header not set") bad("Tailscale-Ingress-Target header not set")
return return
} }
if _, _, err := net.SplitHostPort(target); err != nil { if _, _, err := net.SplitHostPort(string(target)); err != nil {
bad("Tailscale-Ingress-Target header invalid; want host:port") bad("Tailscale-Ingress-Target header invalid; want host:port")
return return
} }
@ -779,13 +779,17 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
return nil, false return nil, false
} }
io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n") io.WriteString(conn, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
return conn, true return &ipn.FunnelConn{
Conn: conn,
Src: srcAddr,
Target: target,
}, true
} }
sendRST := func() { sendRST := func() {
http.Error(w, "denied", http.StatusForbidden) http.Error(w, "denied", http.StatusForbidden)
} }
h.ps.b.HandleIngressTCPConn(h.peerNode, ipn.HostPort(target), srcAddr, getConn, sendRST) h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConn, sendRST)
} }
func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) { func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {

View File

@ -281,9 +281,22 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
sendRST() sendRST()
return return
} }
dport := uint16(port16)
if b.getTCPHandlerForFunnelFlow != nil {
handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
if handler != nil {
c, ok := getConn()
if !ok {
b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
return
}
handler(c)
return
}
}
// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn, // TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
// extend serveHTTPContext or similar. // extend serveHTTPContext or similar.
b.HandleInterceptedTCPConn(uint16(port16), srcAddr, getConn, sendRST) b.HandleInterceptedTCPConn(dport, srcAddr, getConn, sendRST)
} }
func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) { func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {

View File

@ -3,6 +3,11 @@
package ipn package ipn
import (
"net"
"net/netip"
)
// ServeConfigKey returns a StateKey that stores the // ServeConfigKey returns a StateKey that stores the
// JSON-encoded ServeConfig for a config profile. // JSON-encoded ServeConfig for a config profile.
func ServeConfigKey(profileID ProfileID) StateKey { func ServeConfigKey(profileID ProfileID) StateKey {
@ -29,6 +34,26 @@ type ServeConfig struct {
// There is no implicit port 443. It must contain a colon. // There is no implicit port 443. It must contain a colon.
type HostPort string type HostPort string
// A FunnelConn wraps a net.Conn that is coming over a
// Funnel connection. It can be used to determine further
// information about the connection, like the source address
// and the target SNI name.
type FunnelConn struct {
// Conn is the underlying connection.
net.Conn
// Target is what was presented in the "Tailscale-Ingress-Target"
// HTTP header.
Target HostPort
// Src is the source address of the connection.
// This is the address of the client that initiated the
// connection, not the address of the Tailscale Funnel
// node which is relaying the connection. That address
// can be found in Conn.RemoteAddr.
Src netip.AddrPort
}
// WebServerConfig describes a web server's configuration. // WebServerConfig describes a web server's configuration.
type WebServerConfig struct { type WebServerConfig struct {
Handlers map[string]*HTTPHandler // mountPoint => handler Handlers map[string]*HTTPHandler // mountPoint => handler

View File

@ -0,0 +1,131 @@
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
// The tsnet-funnel server demonstrates how to use tsnet with Funnel.
package main
import (
"context"
"crypto/tls"
"errors"
"flag"
"fmt"
"log"
"net"
"net/http"
"net/netip"
"tailscale.com/ipn"
"tailscale.com/tsnet"
)
var (
addr = flag.String("addr", ":443", "address to listen on")
)
func enableFunnel(ctx context.Context, s *tsnet.Server) error {
st, err := s.Up(ctx)
if err != nil {
return err
}
if len(st.CertDomains) == 0 {
return errors.New("tsnet: you must enable HTTPS in the admin panel to proceed")
}
domain := st.CertDomains[0]
hp := ipn.HostPort(net.JoinHostPort(domain, "443"))
srvConfig := &ipn.ServeConfig{
AllowFunnel: map[ipn.HostPort]bool{
hp: true,
},
}
lc, err := s.LocalClient()
if err != nil {
return err
}
return lc.SetServeConfig(ctx, srvConfig)
}
func main() {
flag.Parse()
s := new(tsnet.Server)
defer s.Close()
ctx := context.Background()
if err := enableFunnel(ctx, s); err != nil {
log.Fatal(err)
}
ln, err := s.Listen("tcp", *addr)
if err != nil {
log.Fatal(err)
}
defer ln.Close()
lc, err := s.LocalClient()
if err != nil {
log.Fatal(err)
}
ln = tls.NewListener(ln, &tls.Config{
GetCertificate: lc.GetCertificate,
})
httpServer := &http.Server{
ConnContext: func(ctx context.Context, c net.Conn) context.Context {
if tc, ok := c.(*tls.Conn); ok {
// First unwrap the TLS connection to get the underlying
// net.Conn.
c = tc.NetConn()
}
// Then check if the underlying net.Conn is a FunnelConn.
if fc, ok := c.(*ipn.FunnelConn); ok {
ctx = context.WithValue(ctx, funnelKey{}, true)
ctx = context.WithValue(ctx, funnelSrcKey{}, fc.Src)
}
return ctx
},
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if isFunnel(r.Context()) {
fmt.Fprintln(w, "<html><body><h1>Hello, internet!</h1>")
fmt.Fprintln(w, "<p>You are connected over the internet!</p>")
fmt.Fprintf(w, "<p>You are coming from %v</p></html>\n", funnelSrc(r.Context()))
} else {
fmt.Fprintln(w, "<html><body><h1>Hello, tailnet!</h1>")
fmt.Fprintln(w, "<p>You are connected over the tailnet!</p>")
who, err := lc.WhoIs(r.Context(), r.RemoteAddr)
if err != nil {
log.Printf("WhoIs(%v): %v", r.RemoteAddr, err)
fmt.Fprintf(w, "<p>I do not know who you are</p>")
} else if len(who.Node.Tags) > 0 {
fmt.Fprintf(w, "<p>You are using a tagged node: %v</p>\n", who.Node.Tags)
} else {
fmt.Fprintf(w, "<p>You are %v</p>\n", who.UserProfile.DisplayName)
}
fmt.Fprintf(w, "<p>You are coming from %v</p></html>\n", r.RemoteAddr)
}
}),
}
log.Fatal(httpServer.Serve(ln))
}
// funnelKey is a context key used to indicate that a request is coming
// over the internet.
// It is not used by tsnet, but is used by this example to demonstrate
// how to detect when a request is coming over the internet rather than
// over the tailnet.
type funnelKey struct{}
// funnelSrcKey is a context key used to indicate the source of a
// request.
type funnelSrcKey struct{}
// isFunnel reports whether the request is coming over the internet.
func isFunnel(ctx context.Context) bool {
v, _ := ctx.Value(funnelKey{}).(bool)
return v
}
func funnelSrc(ctx context.Context) netip.AddrPort {
v, _ := ctx.Value(funnelSrcKey{}).(netip.AddrPort)
return v
}

View File

@ -519,6 +519,7 @@ func (s *Server) start() (reterr error) {
if err != nil { if err != nil {
return fmt.Errorf("NewLocalBackend: %v", err) return fmt.Errorf("NewLocalBackend: %v", err)
} }
lb.SetTCPHandlerForFunnelFlow(s.getTCPHandlerForFunnelFlow)
lb.SetVarRoot(s.rootPath) lb.SetVarRoot(s.rootPath)
logf("tsnet starting with hostname %q, varRoot %q", s.hostname, s.rootPath) logf("tsnet starting with hostname %q, varRoot %q", s.hostname, s.rootPath)
s.lb = lb s.lb = lb
@ -660,6 +661,27 @@ func (s *Server) listenerForDstAddr(netBase string, dst netip.AddrPort) (_ *list
return nil, false return nil, false
} }
func (s *Server) getTCPHandlerForFunnelFlow(src netip.AddrPort, dstPort uint16) (handler func(net.Conn)) {
ipv4, ipv6 := s.TailscaleIPs()
var dst netip.AddrPort
if src.Addr().Is4() {
if !ipv4.IsValid() {
return nil
}
dst = netip.AddrPortFrom(ipv4, dstPort)
} else {
if !ipv6.IsValid() {
return nil
}
dst = netip.AddrPortFrom(ipv6, dstPort)
}
ln, ok := s.listenerForDstAddr("tcp", dst)
if !ok {
return nil
}
return ln.handle
}
func (s *Server) getTCPHandlerForFlow(src, dst netip.AddrPort) (handler func(net.Conn), intercept bool) { func (s *Server) getTCPHandlerForFlow(src, dst netip.AddrPort) (handler func(net.Conn), intercept bool) {
ln, ok := s.listenerForDstAddr("tcp", dst) ln, ok := s.listenerForDstAddr("tcp", dst)
if !ok { if !ok {