2019-11-14 15:40:05 +00:00
|
|
|
package service
|
2018-11-14 09:18:03 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2019-04-01 13:30:07 +00:00
|
|
|
"errors"
|
2020-09-11 13:40:03 +00:00
|
|
|
"fmt"
|
2018-11-14 09:18:03 +00:00
|
|
|
"net"
|
|
|
|
"net/http"
|
2020-09-11 13:40:03 +00:00
|
|
|
"reflect"
|
|
|
|
"sync"
|
2018-11-14 09:18:03 +00:00
|
|
|
"time"
|
|
|
|
|
2020-09-17 10:06:57 +00:00
|
|
|
"github.com/traefik/traefik/v2/pkg/config/dynamic"
|
2020-09-16 13:46:04 +00:00
|
|
|
"github.com/traefik/traefik/v2/pkg/log"
|
|
|
|
traefiktls "github.com/traefik/traefik/v2/pkg/tls"
|
2018-11-14 09:18:03 +00:00
|
|
|
"golang.org/x/net/http2"
|
|
|
|
)
|
|
|
|
|
|
|
|
type h2cTransportWrapper struct {
|
|
|
|
*http2.Transport
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *h2cTransportWrapper) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
|
|
req.URL.Scheme = "http"
|
|
|
|
return t.Transport.RoundTrip(req)
|
|
|
|
}
|
|
|
|
|
2020-09-11 13:40:03 +00:00
|
|
|
// NewRoundTripperManager creates a new RoundTripperManager.
|
|
|
|
func NewRoundTripperManager() *RoundTripperManager {
|
|
|
|
return &RoundTripperManager{
|
|
|
|
roundTrippers: make(map[string]http.RoundTripper),
|
|
|
|
configs: make(map[string]*dynamic.ServersTransport),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// RoundTripperManager handles roundtripper for the reverse proxy.
|
|
|
|
type RoundTripperManager struct {
|
|
|
|
rtLock sync.RWMutex
|
|
|
|
roundTrippers map[string]http.RoundTripper
|
|
|
|
configs map[string]*dynamic.ServersTransport
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update updates the roundtrippers configurations.
|
|
|
|
func (r *RoundTripperManager) Update(newConfigs map[string]*dynamic.ServersTransport) {
|
|
|
|
r.rtLock.Lock()
|
|
|
|
defer r.rtLock.Unlock()
|
|
|
|
|
|
|
|
for configName, config := range r.configs {
|
|
|
|
newConfig, ok := newConfigs[configName]
|
|
|
|
if !ok {
|
|
|
|
delete(r.configs, configName)
|
|
|
|
delete(r.roundTrippers, configName)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if reflect.DeepEqual(newConfig, config) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
r.roundTrippers[configName], err = createRoundTripper(newConfig)
|
|
|
|
if err != nil {
|
|
|
|
log.WithoutContext().Errorf("Could not configure HTTP Transport %s, fallback on default transport: %v", configName, err)
|
|
|
|
r.roundTrippers[configName] = http.DefaultTransport
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for newConfigName, newConfig := range newConfigs {
|
|
|
|
if _, ok := r.configs[newConfigName]; ok {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
r.roundTrippers[newConfigName], err = createRoundTripper(newConfig)
|
|
|
|
if err != nil {
|
|
|
|
log.WithoutContext().Errorf("Could not configure HTTP Transport %s, fallback on default transport: %v", newConfigName, err)
|
|
|
|
r.roundTrippers[newConfigName] = http.DefaultTransport
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
r.configs = newConfigs
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get get a roundtripper by name.
|
|
|
|
func (r *RoundTripperManager) Get(name string) (http.RoundTripper, error) {
|
|
|
|
if len(name) == 0 {
|
|
|
|
name = "default@internal"
|
|
|
|
}
|
|
|
|
|
|
|
|
r.rtLock.RLock()
|
|
|
|
defer r.rtLock.RUnlock()
|
|
|
|
|
|
|
|
if rt, ok := r.roundTrippers[name]; ok {
|
|
|
|
return rt, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("servers transport not found %s", name)
|
|
|
|
}
|
|
|
|
|
|
|
|
// createRoundTripper creates an http.RoundTripper configured with the Transport configuration settings.
|
2018-11-14 09:18:03 +00:00
|
|
|
// For the settings that can't be configured in Traefik it uses the default http.Transport settings.
|
2021-03-29 12:32:03 +00:00
|
|
|
// An exception to this is the MaxIdleConns setting as we only provide the option MaxIdleConnsPerHost in Traefik at this point in time.
|
2020-09-11 13:40:03 +00:00
|
|
|
// Setting this value to the default of 100 could lead to confusing behavior and backwards compatibility issues.
|
|
|
|
func createRoundTripper(cfg *dynamic.ServersTransport) (http.RoundTripper, error) {
|
|
|
|
if cfg == nil {
|
2018-11-27 16:42:04 +00:00
|
|
|
return nil, errors.New("no transport configuration given")
|
|
|
|
}
|
|
|
|
|
2018-11-14 09:18:03 +00:00
|
|
|
dialer := &net.Dialer{
|
2019-03-18 10:30:07 +00:00
|
|
|
Timeout: 30 * time.Second,
|
2018-11-14 09:18:03 +00:00
|
|
|
KeepAlive: 30 * time.Second,
|
|
|
|
}
|
|
|
|
|
2020-09-11 13:40:03 +00:00
|
|
|
if cfg.ForwardingTimeouts != nil {
|
|
|
|
dialer.Timeout = time.Duration(cfg.ForwardingTimeouts.DialTimeout)
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
transport := &http.Transport{
|
|
|
|
Proxy: http.ProxyFromEnvironment,
|
|
|
|
DialContext: dialer.DialContext,
|
2020-09-11 13:40:03 +00:00
|
|
|
MaxIdleConnsPerHost: cfg.MaxIdleConnsPerHost,
|
2018-11-14 09:18:03 +00:00
|
|
|
IdleConnTimeout: 90 * time.Second,
|
|
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
|
|
ExpectContinueTimeout: 1 * time.Second,
|
2021-03-05 13:30:04 +00:00
|
|
|
ReadBufferSize: 64 * 1024,
|
|
|
|
WriteBufferSize: 64 * 1024,
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
|
|
|
|
2020-09-11 13:40:03 +00:00
|
|
|
if cfg.ForwardingTimeouts != nil {
|
|
|
|
transport.ResponseHeaderTimeout = time.Duration(cfg.ForwardingTimeouts.ResponseHeaderTimeout)
|
|
|
|
transport.IdleConnTimeout = time.Duration(cfg.ForwardingTimeouts.IdleConnTimeout)
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
|
|
|
|
2021-07-15 12:02:11 +00:00
|
|
|
if cfg.InsecureSkipVerify || len(cfg.RootCAs) > 0 || len(cfg.ServerName) > 0 || len(cfg.Certificates) > 0 || cfg.PeerCertURI != "" {
|
2018-11-14 09:18:03 +00:00
|
|
|
transport.TLSClientConfig = &tls.Config{
|
2020-09-11 13:40:03 +00:00
|
|
|
ServerName: cfg.ServerName,
|
|
|
|
InsecureSkipVerify: cfg.InsecureSkipVerify,
|
|
|
|
RootCAs: createRootCACertPool(cfg.RootCAs),
|
|
|
|
Certificates: cfg.Certificates.GetCertificates(),
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
2021-07-15 12:02:11 +00:00
|
|
|
|
|
|
|
if cfg.PeerCertURI != "" {
|
|
|
|
transport.TLSClientConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
|
|
|
|
return traefiktls.VerifyPeerCertificate(cfg.PeerCertURI, transport.TLSClientConfig, rawCerts)
|
|
|
|
}
|
|
|
|
}
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
|
|
|
|
2021-03-29 12:32:03 +00:00
|
|
|
// Return directly HTTP/1.1 transport when HTTP/2 is disabled
|
|
|
|
if cfg.DisableHTTP2 {
|
|
|
|
return transport, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
transport.RegisterProtocol("h2c", &h2cTransportWrapper{
|
|
|
|
Transport: &http2.Transport{
|
|
|
|
DialTLS: func(netw, addr string, cfg *tls.Config) (net.Conn, error) {
|
|
|
|
return net.Dial(netw, addr)
|
|
|
|
},
|
|
|
|
AllowHTTP: true,
|
|
|
|
},
|
|
|
|
})
|
|
|
|
|
2020-09-11 13:40:03 +00:00
|
|
|
return newSmartRoundTripper(transport)
|
2018-11-14 09:18:03 +00:00
|
|
|
}
|
|
|
|
|
2019-06-17 09:48:05 +00:00
|
|
|
func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
|
2020-03-23 15:48:06 +00:00
|
|
|
if len(rootCAs) == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-11-14 09:18:03 +00:00
|
|
|
roots := x509.NewCertPool()
|
|
|
|
|
|
|
|
for _, cert := range rootCAs {
|
|
|
|
certContent, err := cert.Read()
|
|
|
|
if err != nil {
|
|
|
|
log.WithoutContext().Error("Error while read RootCAs", err)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
roots.AppendCertsFromPEM(certContent)
|
|
|
|
}
|
|
|
|
|
|
|
|
return roots
|
|
|
|
}
|