traefik/pkg/server/router/tcp/router.go

423 lines
12 KiB
Go
Raw Normal View History

package tcp
import (
2022-03-17 17:02:08 +00:00
"bufio"
"bytes"
"crypto/tls"
"errors"
2022-03-17 17:02:08 +00:00
"io"
"net"
"net/http"
"slices"
"github.com/go-acme/lego/v4/challenge/tlsalpn01"
"github.com/traefik/traefik/v2/pkg/log"
2022-03-17 17:02:08 +00:00
tcpmuxer "github.com/traefik/traefik/v2/pkg/muxer/tcp"
"github.com/traefik/traefik/v2/pkg/tcp"
)
2022-03-17 17:02:08 +00:00
const defaultBufSize = 4096
// Router is a TCP router.
type Router struct {
// Contains TCP routes.
muxerTCP tcpmuxer.Muxer
// Contains TCP TLS routes.
muxerTCPTLS tcpmuxer.Muxer
// Contains HTTPS routes.
muxerHTTPS tcpmuxer.Muxer
// Forwarder handlers.
// httpForwarder handles all HTTP requests.
2022-03-17 17:02:08 +00:00
httpForwarder tcp.Handler
// httpsForwarder handles (indirectly through muxerHTTPS, or directly) all HTTPS requests.
2022-03-17 17:02:08 +00:00
httpsForwarder tcp.Handler
// Neither is used directly, but they are held here, and recreated on config reload,
// so that they can be passed to the Switcher at the end of the config reload phase.
2022-03-17 17:02:08 +00:00
httpHandler http.Handler
httpsHandler http.Handler
// TLS configs.
httpsTLSConfig *tls.Config // default TLS config
// hostHTTPTLSConfig contains TLS configs keyed by SNI.
// A nil config is the hint to set up a brokenTLSRouter.
2022-03-17 17:02:08 +00:00
hostHTTPTLSConfig map[string]*tls.Config // TLS configs keyed by SNI
2021-06-11 13:30:05 +00:00
}
2022-03-17 17:02:08 +00:00
// NewRouter returns a new TCP router.
func NewRouter() (*Router, error) {
muxTCP, err := tcpmuxer.NewMuxer()
if err != nil {
return nil, err
}
2022-03-17 17:02:08 +00:00
muxTCPTLS, err := tcpmuxer.NewMuxer()
if err != nil {
return nil, err
}
2022-03-17 17:02:08 +00:00
muxHTTPS, err := tcpmuxer.NewMuxer()
if err != nil {
return nil, err
}
2022-03-17 17:02:08 +00:00
return &Router{
muxerTCP: *muxTCP,
muxerTCPTLS: *muxTCPTLS,
muxerHTTPS: *muxHTTPS,
}, nil
}
2022-03-17 17:02:08 +00:00
// GetTLSGetClientInfo is called after a ClientHello is received from a client.
func (r *Router) GetTLSGetClientInfo() func(info *tls.ClientHelloInfo) (*tls.Config, error) {
return func(info *tls.ClientHelloInfo) (*tls.Config, error) {
if tlsConfig, ok := r.hostHTTPTLSConfig[info.ServerName]; ok {
return tlsConfig, nil
}
2022-03-17 17:02:08 +00:00
return r.httpsTLSConfig, nil
}
}
2022-03-17 17:02:08 +00:00
// ServeTCP forwards the connection to the right TCP/HTTP handler.
func (r *Router) ServeTCP(conn tcp.WriteCloser) {
// Handling Non-TLS TCP connection early if there is neither HTTP(S) nor TLS routers on the entryPoint,
// and if there is at least one non-TLS TCP router.
// In the case of a non-TLS TCP client (that does not "send" first),
// we would block forever on clientHelloInfo,
// which is why we want to detect and handle that case first and foremost.
2022-03-17 17:02:08 +00:00
if r.muxerTCP.HasRoutes() && !r.muxerTCPTLS.HasRoutes() && !r.muxerHTTPS.HasRoutes() {
2022-07-07 14:58:09 +00:00
connData, err := tcpmuxer.NewConnData("", conn, nil)
if err != nil {
2022-03-17 17:02:08 +00:00
log.WithoutContext().Errorf("Error while reading TCP connection data: %v", err)
conn.Close()
return
}
handler, _ := r.muxerTCP.Match(connData)
2022-03-17 17:02:08 +00:00
// If there is a handler matching the connection metadata,
// we let it handle the connection.
if handler != nil {
handler.ServeTCP(conn)
return
}
2022-03-17 17:02:08 +00:00
// Otherwise, we keep going because:
// 1) we could be in the case where we have HTTP routers.
// 2) if it is an HTTPS request, even though we do not have any TLS routers,
// we still need to reply with a 404.
}
2022-08-31 06:24:08 +00:00
// TODO -- Check if ProxyProtocol changes the first bytes of the request
2022-03-17 17:02:08 +00:00
br := bufio.NewReader(conn)
2022-07-07 14:58:09 +00:00
hello, err := clientHelloInfo(br)
2022-03-17 17:02:08 +00:00
if err != nil {
conn.Close()
return
}
2022-07-07 14:58:09 +00:00
connData, err := tcpmuxer.NewConnData(hello.serverName, conn, hello.protos)
2022-03-17 17:02:08 +00:00
if err != nil {
log.WithoutContext().Errorf("Error while reading TCP connection data: %v", err)
conn.Close()
return
}
2022-07-07 14:58:09 +00:00
if !hello.isTLS {
handler, _ := r.muxerTCP.Match(connData)
2022-03-17 17:02:08 +00:00
switch {
case handler != nil:
2022-07-07 14:58:09 +00:00
handler.ServeTCP(r.GetConn(conn, hello.peeked))
2022-03-17 17:02:08 +00:00
case r.httpForwarder != nil:
2022-07-07 14:58:09 +00:00
r.httpForwarder.ServeTCP(r.GetConn(conn, hello.peeked))
2022-03-17 17:02:08 +00:00
default:
conn.Close()
}
2022-03-17 17:02:08 +00:00
return
}
// Handling ACME-TLS/1 challenges.
if slices.Contains(hello.protos, tlsalpn01.ACMETLS1Protocol) {
r.acmeTLSALPNHandler().ServeTCP(r.GetConn(conn, hello.peeked))
return
}
// For real, the handler eventually used for HTTPS is (almost) always the same:
// it is the httpsForwarder that is used for all HTTPS connections that match
// (which is also incidentally the same used in the last block below for 404s).
// The added value from doing Match is to find and use the specific TLS config
// (wrapped inside the returned handler) requested for the given HostSNI.
handlerHTTPS, catchAllHTTPS := r.muxerHTTPS.Match(connData)
if handlerHTTPS != nil && !catchAllHTTPS {
// In order not to depart from the behavior in 2.6,
// we only allow an HTTPS router to take precedence over a TCP-TLS router if it is _not_ an HostSNI(*) router
// (so basically any router that has a specific HostSNI based rule).
2022-07-07 14:58:09 +00:00
handlerHTTPS.ServeTCP(r.GetConn(conn, hello.peeked))
2022-03-17 17:02:08 +00:00
return
}
// Contains also TCP TLS passthrough routes.
handlerTCPTLS, catchAllTCPTLS := r.muxerTCPTLS.Match(connData)
if handlerTCPTLS != nil && !catchAllTCPTLS {
2022-07-07 14:58:09 +00:00
handlerTCPTLS.ServeTCP(r.GetConn(conn, hello.peeked))
return
}
// Fallback on HTTPS catchAll.
// We end up here for e.g. an HTTPS router that only has a PathPrefix rule,
// which under the scenes is counted as an HostSNI(*) rule.
if handlerHTTPS != nil {
2022-07-07 14:58:09 +00:00
handlerHTTPS.ServeTCP(r.GetConn(conn, hello.peeked))
return
}
// Fallback on TCP TLS catchAll.
if handlerTCPTLS != nil {
2022-07-07 14:58:09 +00:00
handlerTCPTLS.ServeTCP(r.GetConn(conn, hello.peeked))
2022-03-17 17:02:08 +00:00
return
}
// To handle 404s for HTTPS.
2022-03-17 17:02:08 +00:00
if r.httpsForwarder != nil {
2022-07-07 14:58:09 +00:00
r.httpsForwarder.ServeTCP(r.GetConn(conn, hello.peeked))
2022-03-17 17:02:08 +00:00
return
}
2022-03-17 17:02:08 +00:00
conn.Close()
}
// acmeTLSALPNHandler returns a special handler to solve ACME-TLS/1 challenges.
func (r *Router) acmeTLSALPNHandler() tcp.Handler {
if r.httpsTLSConfig == nil {
return &brokenTLSRouter{}
}
return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
_ = tls.Server(conn, r.httpsTLSConfig).Handshake()
})
}
2022-03-17 17:02:08 +00:00
// AddRoute defines a handler for the given rule.
func (r *Router) AddRoute(rule string, priority int, target tcp.Handler) error {
return r.muxerTCP.AddRoute(rule, priority, target)
}
// AddHTTPTLSConfig defines a handler for a given sniHost and sets the matching tlsConfig.
func (r *Router) AddHTTPTLSConfig(sniHost string, config *tls.Config) {
if r.hostHTTPTLSConfig == nil {
r.hostHTTPTLSConfig = map[string]*tls.Config{}
}
2022-03-17 17:02:08 +00:00
r.hostHTTPTLSConfig[sniHost] = config
}
2022-03-17 17:02:08 +00:00
// GetConn creates a connection proxy with a peeked string.
func (r *Router) GetConn(conn tcp.WriteCloser, peeked string) tcp.WriteCloser {
2022-08-31 06:24:08 +00:00
// TODO should it really be on Router ?
2022-03-17 17:02:08 +00:00
conn = &Conn{
Peeked: []byte(peeked),
WriteCloser: conn,
}
2022-03-17 17:02:08 +00:00
return conn
}
2022-03-17 17:02:08 +00:00
// GetHTTPHandler gets the attached http handler.
func (r *Router) GetHTTPHandler() http.Handler {
return r.httpHandler
}
2022-03-17 17:02:08 +00:00
// GetHTTPSHandler gets the attached https handler.
func (r *Router) GetHTTPSHandler() http.Handler {
return r.httpsHandler
}
2022-03-17 17:02:08 +00:00
// SetHTTPForwarder sets the tcp handler that will forward the connections to an http handler.
func (r *Router) SetHTTPForwarder(handler tcp.Handler) {
r.httpForwarder = handler
}
// brokenTLSRouter is associated to a Host(SNI) rule for which we know the TLS conf is broken.
// It is used to make sure any attempt to connect to that hostname is closed,
// since we cannot proceed with the intended TLS conf.
type brokenTLSRouter struct{}
// ServeTCP instantly closes the connection.
func (t *brokenTLSRouter) ServeTCP(conn tcp.WriteCloser) {
_ = conn.Close()
}
// SetHTTPSForwarder sets the tcp handler that will forward the TLS connections to an HTTP handler.
// It also sets up each TLS handler (with its TLS config) for each Host(SNI) rule we previously kept track of.
// It sets up a special handler that closes the connection if a TLS config is nil.
2022-03-17 17:02:08 +00:00
func (r *Router) SetHTTPSForwarder(handler tcp.Handler) {
for sniHost, tlsConf := range r.hostHTTPTLSConfig {
var tcpHandler tcp.Handler
if tlsConf == nil {
tcpHandler = &brokenTLSRouter{}
} else {
tcpHandler = &tcp.TLSHandler{
Next: handler,
Config: tlsConf,
}
}
2022-03-17 17:02:08 +00:00
// muxerHTTPS only contains single HostSNI rules (and no other kind of rules),
// so there's no need for specifying a priority for them.
err := r.muxerHTTPS.AddRoute("HostSNI(`"+sniHost+"`)", 0, tcpHandler)
2022-03-17 17:02:08 +00:00
if err != nil {
log.WithoutContext().Errorf("Error while adding route for host: %v", err)
}
}
if r.httpsTLSConfig == nil {
r.httpsForwarder = &brokenTLSRouter{}
return
}
2022-03-17 17:02:08 +00:00
r.httpsForwarder = &tcp.TLSHandler{
Next: handler,
Config: r.httpsTLSConfig,
}
}
2022-03-17 17:02:08 +00:00
// SetHTTPHandler attaches http handlers on the router.
func (r *Router) SetHTTPHandler(handler http.Handler) {
r.httpHandler = handler
}
2022-03-17 17:02:08 +00:00
// SetHTTPSHandler attaches https handlers on the router.
func (r *Router) SetHTTPSHandler(handler http.Handler, config *tls.Config) {
r.httpsHandler = handler
r.httpsTLSConfig = config
}
2022-03-17 17:02:08 +00:00
// Conn is a connection proxy that handles Peeked bytes.
type Conn struct {
// Peeked are the bytes that have been read from Conn for the purposes of route matching,
// but have not yet been consumed by Read calls.
// It set to nil by Read when fully consumed.
2022-03-17 17:02:08 +00:00
Peeked []byte
// Conn is the underlying connection.
// It can be type asserted against *net.TCPConn or other types as needed.
// It should not be read from directly unless Peeked is nil.
2022-03-17 17:02:08 +00:00
tcp.WriteCloser
}
2022-03-17 17:02:08 +00:00
// Read reads bytes from the connection (using the buffer prior to actually reading).
func (c *Conn) Read(p []byte) (n int, err error) {
if len(c.Peeked) > 0 {
n = copy(p, c.Peeked)
c.Peeked = c.Peeked[n:]
if len(c.Peeked) == 0 {
c.Peeked = nil
}
2022-03-17 17:02:08 +00:00
return n, nil
}
return c.WriteCloser.Read(p)
}
2022-07-07 14:58:09 +00:00
type clientHello struct {
serverName string // SNI server name
protos []string // ALPN protocols list
isTLS bool // whether we are a TLS handshake
peeked string // the bytes peeked from the hello while getting the info
}
// clientHelloInfo returns various data from the clientHello handshake,
2022-03-17 17:02:08 +00:00
// without consuming any bytes from br.
2022-07-07 14:58:09 +00:00
// It returns an error if it can't peek the first byte from the connection.
func clientHelloInfo(br *bufio.Reader) (*clientHello, error) {
2022-03-17 17:02:08 +00:00
hdr, err := br.Peek(1)
if err != nil {
var opErr *net.OpError
if !errors.Is(err, io.EOF) && (!errors.As(err, &opErr) || opErr.Timeout()) {
log.WithoutContext().Errorf("Error while Peeking first byte: %s", err)
}
2022-07-07 14:58:09 +00:00
return nil, err
}
// No valid TLS record has a type of 0x80, however SSLv2 handshakes start with an uint16 length
// where the MSB is set and the first record is always < 256 bytes long.
// Therefore, typ == 0x80 strongly suggests an SSLv2 client.
2022-03-17 17:02:08 +00:00
const recordTypeSSLv2 = 0x80
const recordTypeHandshake = 0x16
if hdr[0] != recordTypeHandshake {
if hdr[0] == recordTypeSSLv2 {
// we consider SSLv2 as TLS, and it will be refused by real TLS handshake.
2022-07-07 14:58:09 +00:00
return &clientHello{
isTLS: true,
peeked: getPeeked(br),
}, nil
2022-03-17 17:02:08 +00:00
}
2022-07-07 14:58:09 +00:00
return &clientHello{
peeked: getPeeked(br),
}, nil // Not TLS.
2022-03-17 17:02:08 +00:00
}
2022-03-17 17:02:08 +00:00
const recordHeaderLen = 5
hdr, err = br.Peek(recordHeaderLen)
if err != nil {
log.Errorf("Error while Peeking hello: %s", err)
2022-07-07 14:58:09 +00:00
return &clientHello{
peeked: getPeeked(br),
}, nil
2021-06-11 13:30:05 +00:00
}
2022-03-17 17:02:08 +00:00
recLen := int(hdr[3])<<8 | int(hdr[4]) // ignoring version in hdr[1:3]
if recordHeaderLen+recLen > defaultBufSize {
br = bufio.NewReaderSize(br, recordHeaderLen+recLen)
2021-06-11 13:30:05 +00:00
}
2022-03-17 17:02:08 +00:00
helloBytes, err := br.Peek(recordHeaderLen + recLen)
2021-06-11 13:30:05 +00:00
if err != nil {
2022-03-17 17:02:08 +00:00
log.Errorf("Error while Hello: %s", err)
2022-07-07 14:58:09 +00:00
return &clientHello{
isTLS: true,
peeked: getPeeked(br),
}, nil
2021-06-11 13:30:05 +00:00
}
2022-03-17 17:02:08 +00:00
sni := ""
2022-07-07 14:58:09 +00:00
var protos []string
server := tls.Server(helloSniffConn{r: bytes.NewReader(helloBytes)}, &tls.Config{
2022-03-17 17:02:08 +00:00
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
sni = hello.ServerName
2022-07-07 14:58:09 +00:00
protos = hello.SupportedProtos
2022-03-17 17:02:08 +00:00
return nil, nil
},
})
_ = server.Handshake()
2022-07-07 14:58:09 +00:00
return &clientHello{
serverName: sni,
isTLS: true,
peeked: getPeeked(br),
protos: protos,
}, nil
2022-03-17 17:02:08 +00:00
}
2021-06-11 13:30:05 +00:00
2022-03-17 17:02:08 +00:00
func getPeeked(br *bufio.Reader) string {
peeked, err := br.Peek(br.Buffered())
if err != nil {
log.Errorf("Could not get anything: %s", err)
return ""
}
return string(peeked)
2021-06-11 13:30:05 +00:00
}
2022-03-17 17:02:08 +00:00
2022-07-07 14:58:09 +00:00
// helloSniffConn is a net.Conn that reads from r, fails on Writes,
2022-03-17 17:02:08 +00:00
// and crashes otherwise.
2022-07-07 14:58:09 +00:00
type helloSniffConn struct {
2022-03-17 17:02:08 +00:00
r io.Reader
net.Conn // nil; crash on any unexpected use
}
// Read reads from the underlying reader.
2022-07-07 14:58:09 +00:00
func (c helloSniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
2022-03-17 17:02:08 +00:00
// Write crashes all the time.
2022-07-07 14:58:09 +00:00
func (helloSniffConn) Write(p []byte) (int, error) { return 0, io.EOF }