mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-29 13:05:46 +00:00
50990f8931
This PR adds a new field to the serve config that can be used to identify which serves are in "foreground mode" and then can also be used to ensure they do not get persisted to disk so that if Tailscaled gets ungracefully shutdown, the reloaded ServeConfig will not have those ports opened. Updates #8489 Signed-off-by: Marwan Sulaiman <marwan@tailscale.com>
422 lines
13 KiB
Go
422 lines
13 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
package ipn
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/netip"
|
|
"net/url"
|
|
"slices"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"tailscale.com/tailcfg"
|
|
)
|
|
|
|
// ServeConfigKey returns a StateKey that stores the
|
|
// JSON-encoded ServeConfig for a config profile.
|
|
func ServeConfigKey(profileID ProfileID) StateKey {
|
|
return StateKey("_serve/" + profileID)
|
|
}
|
|
|
|
// ServeConfig is the JSON type stored in the StateStore for
|
|
// StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
|
|
type ServeConfig struct {
|
|
// TCP are the list of TCP port numbers that tailscaled should handle for
|
|
// the Tailscale IP addresses. (not subnet routers, etc)
|
|
TCP map[uint16]*TCPPortHandler `json:",omitempty"`
|
|
|
|
// Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
|
|
// keyed by mount point ("/", "/foo", etc)
|
|
Web map[HostPort]*WebServerConfig `json:",omitempty"`
|
|
|
|
// AllowFunnel is the set of SNI:port values for which funnel
|
|
// traffic is allowed, from trusted ingress peers.
|
|
AllowFunnel map[HostPort]bool `json:",omitempty"`
|
|
|
|
// Foreground is a map of an IPN Bus session ID to an alternate foreground
|
|
// serve config that's valid for the life of that WatchIPNBus session ID.
|
|
// This. This allows the config to specify ephemeral configs that are
|
|
// used in the CLI's foreground mode to ensure ungraceful shutdowns
|
|
// of either the client or the LocalBackend does not expose ports
|
|
// that users are not aware of.
|
|
Foreground map[string]*ServeConfig `json:",omitempty"`
|
|
}
|
|
|
|
// HostPort is an SNI name and port number, joined by a colon.
|
|
// There is no implicit port 443. It must contain a colon.
|
|
type HostPort string
|
|
|
|
// Port extracts just the port number from hp.
|
|
// An error is reported in the case that the hp does not
|
|
// have a valid numeric port ending.
|
|
func (hp HostPort) Port() (uint16, error) {
|
|
_, port, err := net.SplitHostPort(string(hp))
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
port16, err := strconv.ParseUint(port, 10, 16)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
return uint16(port16), nil
|
|
}
|
|
|
|
// A FunnelConn wraps a net.Conn that is coming over a
|
|
// Funnel connection. It can be used to determine further
|
|
// information about the connection, like the source address
|
|
// and the target SNI name.
|
|
type FunnelConn struct {
|
|
// Conn is the underlying connection.
|
|
net.Conn
|
|
|
|
// Target is what was presented in the "Tailscale-Ingress-Target"
|
|
// HTTP header.
|
|
Target HostPort
|
|
|
|
// Src is the source address of the connection.
|
|
// This is the address of the client that initiated the
|
|
// connection, not the address of the Tailscale Funnel
|
|
// node which is relaying the connection. That address
|
|
// can be found in Conn.RemoteAddr.
|
|
Src netip.AddrPort
|
|
}
|
|
|
|
// ServeStreamRequest defines the JSON request body
|
|
// for the serve stream endpoint
|
|
type ServeStreamRequest struct {
|
|
// HostPort is the DNS and port of the tailscale
|
|
// URL.
|
|
HostPort HostPort `json:",omitempty"`
|
|
|
|
// Source is the user's serve source
|
|
// as defined in the `tailscale serve`
|
|
// command such as http://127.0.0.1:3000
|
|
Source string `json:",omitempty"`
|
|
|
|
// MountPoint is the path prefix for
|
|
// the given HostPort.
|
|
MountPoint string `json:",omitempty"`
|
|
|
|
// Funnel indicates whether the request
|
|
// is a serve request or a funnel one.
|
|
Funnel bool `json:",omitempty"`
|
|
}
|
|
|
|
// WebServerConfig describes a web server's configuration.
|
|
type WebServerConfig struct {
|
|
Handlers map[string]*HTTPHandler // mountPoint => handler
|
|
}
|
|
|
|
// TCPPortHandler describes what to do when handling a TCP
|
|
// connection.
|
|
type TCPPortHandler struct {
|
|
// HTTPS, if true, means that tailscaled should handle this connection as an
|
|
// HTTPS request as configured by ServeConfig.Web.
|
|
//
|
|
// It is mutually exclusive with TCPForward.
|
|
HTTPS bool `json:",omitempty"`
|
|
|
|
// HTTP, if true, means that tailscaled should handle this connection as an
|
|
// HTTP request as configured by ServeConfig.Web.
|
|
//
|
|
// It is mutually exclusive with TCPForward.
|
|
HTTP bool `json:",omitempty"`
|
|
|
|
// TCPForward is the IP:port to forward TCP connections to.
|
|
// Whether or not TLS is terminated by tailscaled depends on
|
|
// TerminateTLS.
|
|
//
|
|
// It is mutually exclusive with HTTPS.
|
|
TCPForward string `json:",omitempty"`
|
|
|
|
// TerminateTLS, if non-empty, means that tailscaled should terminate the
|
|
// TLS connections before forwarding them to TCPForward, permitting only the
|
|
// SNI name with this value. It is only used if TCPForward is non-empty.
|
|
// (the HTTPS mode uses ServeConfig.Web)
|
|
TerminateTLS string `json:",omitempty"`
|
|
}
|
|
|
|
// HTTPHandler is either a path or a proxy to serve.
|
|
type HTTPHandler struct {
|
|
// Exactly one of the following may be set.
|
|
|
|
Path string `json:",omitempty"` // absolute path to directory or file to serve
|
|
Proxy string `json:",omitempty"` // http://localhost:3000/, localhost:3030, 3030
|
|
|
|
Text string `json:",omitempty"` // plaintext to serve (primarily for testing)
|
|
|
|
// TODO(bradfitz): bool to not enumerate directories? TTL on mapping for
|
|
// temporary ones? Error codes? Redirects?
|
|
}
|
|
|
|
// WebHandlerExists reports whether if the ServeConfig Web handler exists for
|
|
// the given host:port and mount point.
|
|
func (sc *ServeConfig) WebHandlerExists(hp HostPort, mount string) bool {
|
|
h := sc.GetWebHandler(hp, mount)
|
|
return h != nil
|
|
}
|
|
|
|
// GetWebHandler returns the HTTPHandler for the given host:port and mount point.
|
|
// Returns nil if the handler does not exist.
|
|
func (sc *ServeConfig) GetWebHandler(hp HostPort, mount string) *HTTPHandler {
|
|
if sc == nil || sc.Web[hp] == nil {
|
|
return nil
|
|
}
|
|
return sc.Web[hp].Handlers[mount]
|
|
}
|
|
|
|
// GetTCPPortHandler returns the TCPPortHandler for the given port.
|
|
// If the port is not configured, nil is returned.
|
|
func (sc *ServeConfig) GetTCPPortHandler(port uint16) *TCPPortHandler {
|
|
if sc == nil {
|
|
return nil
|
|
}
|
|
return sc.TCP[port]
|
|
}
|
|
|
|
// IsTCPForwardingAny reports whether ServeConfig is currently forwarding in
|
|
// TCPForward mode on any port. This is exclusive of Web/HTTPS serving.
|
|
func (sc *ServeConfig) IsTCPForwardingAny() bool {
|
|
if sc == nil || len(sc.TCP) == 0 {
|
|
return false
|
|
}
|
|
for _, h := range sc.TCP {
|
|
if h.TCPForward != "" {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// IsTCPForwardingOnPort reports whether if ServeConfig is currently forwarding
|
|
// in TCPForward mode on the given port. This is exclusive of Web/HTTPS serving.
|
|
func (sc *ServeConfig) IsTCPForwardingOnPort(port uint16) bool {
|
|
if sc == nil || sc.TCP[port] == nil {
|
|
return false
|
|
}
|
|
return !sc.IsServingWeb(port)
|
|
}
|
|
|
|
// IsServingWeb reports whether if ServeConfig is currently serving Web
|
|
// (HTTP/HTTPS) on the given port. This is exclusive of TCPForwarding.
|
|
func (sc *ServeConfig) IsServingWeb(port uint16) bool {
|
|
return sc.IsServingHTTP(port) || sc.IsServingHTTPS(port)
|
|
}
|
|
|
|
// IsServingHTTPS reports whether if ServeConfig is currently serving HTTPS on
|
|
// the given port. This is exclusive of HTTP and TCPForwarding.
|
|
func (sc *ServeConfig) IsServingHTTPS(port uint16) bool {
|
|
if sc == nil || sc.TCP[port] == nil {
|
|
return false
|
|
}
|
|
return sc.TCP[port].HTTPS
|
|
}
|
|
|
|
// IsServingHTTP reports whether if ServeConfig is currently serving HTTP on the
|
|
// given port. This is exclusive of HTTPS and TCPForwarding.
|
|
func (sc *ServeConfig) IsServingHTTP(port uint16) bool {
|
|
if sc == nil || sc.TCP[port] == nil {
|
|
return false
|
|
}
|
|
return sc.TCP[port].HTTP
|
|
}
|
|
|
|
// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
|
|
// traffic for any host:port.
|
|
//
|
|
// View version of ServeConfig.IsFunnelOn.
|
|
func (v ServeConfigView) IsFunnelOn() bool { return v.ж.IsFunnelOn() }
|
|
|
|
// IsFunnelOn reports whether if ServeConfig is currently allowing funnel
|
|
// traffic for any host:port.
|
|
func (sc *ServeConfig) IsFunnelOn() bool {
|
|
if sc == nil {
|
|
return false
|
|
}
|
|
for _, b := range sc.AllowFunnel {
|
|
if b {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// CheckFunnelAccess checks whether Funnel access is allowed for the given node
|
|
// and port.
|
|
// It checks:
|
|
// 1. HTTPS is enabled on the Tailnet
|
|
// 2. the node has the "funnel" nodeAttr
|
|
// 3. the port is allowed for Funnel
|
|
//
|
|
// The nodeAttrs arg should be the node's Self.Capabilities which should contain
|
|
// the attribute we're checking for and possibly warning-capabilities for
|
|
// Funnel.
|
|
func CheckFunnelAccess(port uint16, nodeAttrs []string) error {
|
|
if !slices.Contains(nodeAttrs, tailcfg.CapabilityHTTPS) {
|
|
return errors.New("Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.")
|
|
}
|
|
if !slices.Contains(nodeAttrs, tailcfg.NodeAttrFunnel) {
|
|
return errors.New("Funnel not available; \"funnel\" node attribute not set. See https://tailscale.com/s/no-funnel.")
|
|
}
|
|
return CheckFunnelPort(port, nodeAttrs)
|
|
}
|
|
|
|
// CheckFunnelPort checks whether the given port is allowed for Funnel.
|
|
// It uses the tailcfg.CapabilityFunnelPorts nodeAttr to determine the allowed
|
|
// ports.
|
|
func CheckFunnelPort(wantedPort uint16, nodeAttrs []string) error {
|
|
deny := func(allowedPorts string) error {
|
|
if allowedPorts == "" {
|
|
return fmt.Errorf("port %d is not allowed for funnel", wantedPort)
|
|
}
|
|
return fmt.Errorf("port %d is not allowed for funnel; allowed ports are: %v", wantedPort, allowedPorts)
|
|
}
|
|
var portsStr string
|
|
for _, attr := range nodeAttrs {
|
|
if !strings.HasPrefix(attr, tailcfg.CapabilityFunnelPorts) {
|
|
continue
|
|
}
|
|
u, err := url.Parse(attr)
|
|
if err != nil {
|
|
return deny("")
|
|
}
|
|
portsStr = u.Query().Get("ports")
|
|
if portsStr == "" {
|
|
return deny("")
|
|
}
|
|
u.RawQuery = ""
|
|
if u.String() != tailcfg.CapabilityFunnelPorts {
|
|
return deny("")
|
|
}
|
|
}
|
|
wantedPortString := strconv.Itoa(int(wantedPort))
|
|
for _, ps := range strings.Split(portsStr, ",") {
|
|
if ps == "" {
|
|
continue
|
|
}
|
|
first, last, ok := strings.Cut(ps, "-")
|
|
if !ok {
|
|
if first == wantedPortString {
|
|
return nil
|
|
}
|
|
continue
|
|
}
|
|
fp, err := strconv.ParseUint(first, 10, 16)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
lp, err := strconv.ParseUint(last, 10, 16)
|
|
if err != nil {
|
|
continue
|
|
}
|
|
pr := tailcfg.PortRange{First: uint16(fp), Last: uint16(lp)}
|
|
if pr.Contains(wantedPort) {
|
|
return nil
|
|
}
|
|
}
|
|
return deny(portsStr)
|
|
}
|
|
|
|
// RangeOverTCPs ranges over both background and foreground TCPs.
|
|
// If the returned bool from the given f is false, then this function stops
|
|
// iterating immediately and does not check other foreground configs.
|
|
func (v ServeConfigView) RangeOverTCPs(f func(port uint16, _ TCPPortHandlerView) bool) {
|
|
parentCont := true
|
|
v.TCP().Range(func(k uint16, v TCPPortHandlerView) (cont bool) {
|
|
parentCont = f(k, v)
|
|
return parentCont
|
|
})
|
|
v.Foreground().Range(func(k string, v ServeConfigView) (cont bool) {
|
|
if !parentCont {
|
|
return false
|
|
}
|
|
v.TCP().Range(func(k uint16, v TCPPortHandlerView) (cont bool) {
|
|
parentCont = f(k, v)
|
|
return parentCont
|
|
})
|
|
return parentCont
|
|
})
|
|
}
|
|
|
|
// RangeOverWebs ranges over both background and foreground Webs.
|
|
// If the returned bool from the given f is false, then this function stops
|
|
// iterating immediately and does not check other foreground configs.
|
|
func (v ServeConfigView) RangeOverWebs(f func(_ HostPort, conf WebServerConfigView) bool) {
|
|
parentCont := true
|
|
v.Web().Range(func(k HostPort, v WebServerConfigView) (cont bool) {
|
|
parentCont = f(k, v)
|
|
return parentCont
|
|
})
|
|
v.Foreground().Range(func(k string, v ServeConfigView) (cont bool) {
|
|
if !parentCont {
|
|
return false
|
|
}
|
|
v.Web().Range(func(k HostPort, v WebServerConfigView) (cont bool) {
|
|
parentCont = f(k, v)
|
|
return parentCont
|
|
})
|
|
return parentCont
|
|
})
|
|
}
|
|
|
|
// FindTCP returns the first TCP that matches with the given port. It
|
|
// prefers a foreground match first followed by a background search if none
|
|
// existed.
|
|
func (v ServeConfigView) FindTCP(port uint16) (res TCPPortHandlerView, ok bool) {
|
|
v.Foreground().Range(func(_ string, v ServeConfigView) (cont bool) {
|
|
res, ok = v.TCP().GetOk(port)
|
|
return !ok
|
|
})
|
|
if ok {
|
|
return res, ok
|
|
}
|
|
return v.TCP().GetOk(port)
|
|
}
|
|
|
|
// FindWeb returns the first Web that matches with the given HostPort. It
|
|
// prefers a foreground match first followed by a background search if none
|
|
// existed.
|
|
func (v ServeConfigView) FindWeb(hp HostPort) (res WebServerConfigView, ok bool) {
|
|
v.Foreground().Range(func(_ string, v ServeConfigView) (cont bool) {
|
|
res, ok = v.Web().GetOk(hp)
|
|
return !ok
|
|
})
|
|
if ok {
|
|
return res, ok
|
|
}
|
|
return v.Web().GetOk(hp)
|
|
}
|
|
|
|
// HasAllowFunnel returns whether this config has at least one AllowFunnel
|
|
// set in the background or foreground configs.
|
|
func (v ServeConfigView) HasAllowFunnel() bool {
|
|
return v.AllowFunnel().Len() > 0 || func() bool {
|
|
var exists bool
|
|
v.Foreground().Range(func(k string, v ServeConfigView) (cont bool) {
|
|
exists = v.AllowFunnel().Len() > 0
|
|
return !exists
|
|
})
|
|
return exists
|
|
}()
|
|
}
|
|
|
|
// FindFunnel reports whether target exists in in either the background AllowFunnel
|
|
// or any of the foreground configs.
|
|
func (v ServeConfigView) HasFunnelForTarget(target HostPort) bool {
|
|
if v.AllowFunnel().Get(target) {
|
|
return true
|
|
}
|
|
var exists bool
|
|
v.Foreground().Range(func(_ string, v ServeConfigView) (cont bool) {
|
|
if exists = v.AllowFunnel().Get(target); exists {
|
|
return false
|
|
}
|
|
return true
|
|
})
|
|
return exists
|
|
}
|