ingress-nginx-helm/pkg/tcpproxy/tcp.go

/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package tcpproxy

import (
	"fmt"
	"io"
	"net"

	"k8s.io/klog/v2"

	"pault.ag/go/sniff/parser"
)

// TCPServer describes a server that works in passthrough mode.
type TCPServer struct {
	Hostname      string
	IP            string
	Port          int
	ProxyProtocol bool
}

// TCPProxy describes the passthrough servers and a default as catch all.
type TCPProxy struct {
	ServerList []*TCPServer
	Default    *TCPServer
}

// Get returns the TCPServer to use for a given host.
func (p *TCPProxy) Get(host string) *TCPServer {
	if p.ServerList == nil {
		return p.Default
	}

	for _, s := range p.ServerList {
		if s.Hostname == host {
			return s
		}
	}

	return p.Default
}

// Handle reads enough information from the connection to extract the hostname
// and open a connection to the passthrough server.
func (p *TCPProxy) Handle(conn net.Conn) {
	defer conn.Close()
	// See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format
	data := make([]byte, 16384)

	length, err := conn.Read(data)
	if err != nil {
		klog.V(4).ErrorS(err, "Error reading data from the connection")
		return
	}

	proxy := p.Default
	hostname, err := parser.GetHostname(data)
	if err == nil {
		klog.V(4).InfoS("TLS Client Hello", "host", hostname)
		proxy = p.Get(hostname)
	}

	if proxy == nil {
		klog.V(4).InfoS("There is no configured proxy for SSL connections.")
		return
	}

	hostPort := net.JoinHostPort(proxy.IP, fmt.Sprintf("%v", proxy.Port))
	klog.V(4).InfoS("passing to", "hostport", hostPort)
	clientConn, err := net.Dial("tcp", hostPort)
	if err != nil {
		klog.V(4).ErrorS(err, "error dialing proxy", "ip", proxy.IP, "port", proxy.Port, "hostname", proxy.Hostname)
		return
	}
	defer clientConn.Close()

	if proxy.ProxyProtocol {
		// write out the Proxy Protocol header
		localAddr, ok := conn.LocalAddr().(*net.TCPAddr)
		if !ok {
			klog.Errorf("unexpected type: %T", conn.LocalAddr())
		}
		remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr)
		if !ok {
			klog.Errorf("unexpected type: %T", conn.RemoteAddr())
		}
		protocol := "UNKNOWN"
		if remoteAddr.IP.To4() != nil {
			protocol = "TCP4"
		} else if remoteAddr.IP.To16() != nil {
			protocol = "TCP6"
		}
		proxyProtocolHeader := fmt.Sprintf("PROXY %s %s %s %d %d\r\n", protocol, remoteAddr.IP.String(), localAddr.IP.String(), remoteAddr.Port, localAddr.Port)
		klog.V(4).InfoS("Writing Proxy Protocol", "header", proxyProtocolHeader)
		_, err = fmt.Fprint(clientConn, proxyProtocolHeader)
	}
	if err != nil {
		klog.ErrorS(err, "Error writing Proxy Protocol header")
		clientConn.Close()
	} else {
		_, err = clientConn.Write(data[:length])
		if err != nil {
			klog.Errorf("Error writing the first 4k of proxy data: %v", err)
			clientConn.Close()
		}
	}

	pipe(clientConn, conn)
}

func pipe(client, server net.Conn) {
	doCopy := func(s, c net.Conn, cancel chan<- bool) {
		//nolint:errcheck // No need to catch these errors
		io.Copy(s, c)
		cancel <- true
	}

	cancel := make(chan bool, 2)

	go doCopy(server, client, cancel)
	go doCopy(client, server, cancel)

	<-cancel
}
Fix license in header of files 2017-11-05 21:35:46 +00:00			`/*`
			`Copyright 2017 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

Move TCPProxy to pkg 2022-07-20 21:43:39 +00:00			`package tcpproxy`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00
			`import (`
			`"fmt"`
			`"io"`
			`"net"`

Migrate to klog v2 2020-08-08 23:31:02 +00:00			`"k8s.io/klog/v2"`
Cleanup 2017-09-17 18:42:31 +00:00
Update code to use pault.ag/go/sniff package (#5038) * Update code to use pault.ag/go/sniff package * Update go dependencies 2020-02-07 15:27:43 +00:00			`"pault.ag/go/sniff/parser"`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`)`

Clarify log messages in controller pkg 2018-06-13 18:15:45 +00:00			`// TCPServer describes a server that works in passthrough mode.`
Remove GenericController and add tests 2017-11-05 01:18:28 +00:00			`type TCPServer struct {`
Fix remote address in log when protocol is https 2017-05-11 18:04:19 +00:00			`Hostname string`
			`IP string`
			`Port int`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`ProxyProtocol bool`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`

Clarify log messages in controller pkg 2018-06-13 18:15:45 +00:00			`// TCPProxy describes the passthrough servers and a default as catch all.`
Remove GenericController and add tests 2017-11-05 01:18:28 +00:00			`type TCPProxy struct {`
			`ServerList []*TCPServer`
			`Default *TCPServer`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`

Clarify log messages in controller pkg 2018-06-13 18:15:45 +00:00			`// Get returns the TCPServer to use for a given host.`
Remove GenericController and add tests 2017-11-05 01:18:28 +00:00			`func (p TCPProxy) Get(host string) TCPServer {`
Update sniff parser to fix index out of bound error 2017-05-26 18:25:06 +00:00			`if p.ServerList == nil {`
			`return p.Default`
			`}`

Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`for _, s := range p.ServerList {`
			`if s.Hostname == host {`
			`return s`
			`}`
			`}`

[nginx] pass non-SNI TLS hello to default backend, Fixes #693 2017-05-08 21:44:43 +00:00			`return p.Default`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`

Fix verification of boilerplate, style and file headers 2017-12-02 15:02:00 +00:00			`// Handle reads enough information from the connection to extract the hostname`
			`// and open a connection to the passthrough server.`
Remove GenericController and add tests 2017-11-05 01:18:28 +00:00			`func (p *TCPProxy) Handle(conn net.Conn) {`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`defer conn.Close()`
tcpproxy: increase buffer size to 16K (#9548) 2023-01-27 15:12:27 +00:00			`// See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format`
			`data := make([]byte, 16384)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00
			`length, err := conn.Read(data)`
			`if err != nil {`
tcpproxy: increase buffer size to 16K (#9548) 2023-01-27 15:12:27 +00:00			`klog.V(4).ErrorS(err, "Error reading data from the connection")`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`return`
			`}`

Fix remote address in log when protocol is https 2017-05-11 18:04:19 +00:00			`proxy := p.Default`
Fix golangci-lint errors (#10196) * Fix golangci-lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix dupl errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Fix errcheck lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix assert in e2e test Signed-off-by: z1cheng <imchench@gmail.com> * Not interrupt the waitForPodsReady Signed-off-by: z1cheng <imchench@gmail.com> * Replace string with constant Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Revert write file permision Signed-off-by: z1cheng <imchench@gmail.com> --------- Signed-off-by: z1cheng <imchench@gmail.com> 2023-08-31 07:36:48 +00:00			`hostname, err := parser.GetHostname(data)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`if err == nil {`
Migrate to structured logging (klog) 2020-09-27 20:32:40 +00:00			`klog.V(4).InfoS("TLS Client Hello", "host", hostname)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`proxy = p.Get(hostname)`
Fix remote address in log when protocol is https 2017-05-11 18:04:19 +00:00			`}`

			`if proxy == nil {`
Migrate to structured logging (klog) 2020-09-27 20:32:40 +00:00			`klog.V(4).InfoS("There is no configured proxy for SSL connections.")`
Fix remote address in log when protocol is https 2017-05-11 18:04:19 +00:00			`return`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`

Use net.JoinHostPort to avoid IPV6 issues 2020-09-03 02:01:13 +00:00			`hostPort := net.JoinHostPort(proxy.IP, fmt.Sprintf("%v", proxy.Port))`
Add sslpassthrough tests (#9457) 2022-12-28 20:59:27 +00:00			`klog.V(4).InfoS("passing to", "hostport", hostPort)`
Use net.JoinHostPort to avoid IPV6 issues 2020-09-03 02:01:13 +00:00			`clientConn, err := net.Dial("tcp", hostPort)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`if err != nil {`
Release v1 (#7470) * Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com> 2021-08-21 20:42:00 +00:00			`klog.V(4).ErrorS(err, "error dialing proxy", "ip", proxy.IP, "port", proxy.Port, "hostname", proxy.Hostname)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`return`
			`}`
			`defer clientConn.Close()`

Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`if proxy.ProxyProtocol {`
Clarify log messages in controller pkg 2018-06-13 18:15:45 +00:00			`// write out the Proxy Protocol header`
Fix golangci-lint errors (#10196) * Fix golangci-lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix dupl errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Fix errcheck lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix assert in e2e test Signed-off-by: z1cheng <imchench@gmail.com> * Not interrupt the waitForPodsReady Signed-off-by: z1cheng <imchench@gmail.com> * Replace string with constant Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Revert write file permision Signed-off-by: z1cheng <imchench@gmail.com> --------- Signed-off-by: z1cheng <imchench@gmail.com> 2023-08-31 07:36:48 +00:00			`localAddr, ok := conn.LocalAddr().(*net.TCPAddr)`
			`if !ok {`
			`klog.Errorf("unexpected type: %T", conn.LocalAddr())`
			`}`
			`remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr)`
			`if !ok {`
			`klog.Errorf("unexpected type: %T", conn.RemoteAddr())`
			`}`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`protocol := "UNKNOWN"`
			`if remoteAddr.IP.To4() != nil {`
			`protocol = "TCP4"`
			`} else if remoteAddr.IP.To16() != nil {`
			`protocol = "TCP6"`
			`}`
			`proxyProtocolHeader := fmt.Sprintf("PROXY %s %s %s %d %d\r\n", protocol, remoteAddr.IP.String(), localAddr.IP.String(), remoteAddr.Port, localAddr.Port)`
Migrate to structured logging (klog) 2020-09-27 20:32:40 +00:00			`klog.V(4).InfoS("Writing Proxy Protocol", "header", proxyProtocolHeader)`
Add sslpassthrough tests (#9457) 2022-12-28 20:59:27 +00:00			`_, err = fmt.Fprint(clientConn, proxyProtocolHeader)`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`}`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`if err != nil {`
Migrate to structured logging (klog) 2020-09-27 20:32:40 +00:00			`klog.ErrorS(err, "Error writing Proxy Protocol header")`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`clientConn.Close()`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`} else {`
			`_, err = clientConn.Write(data[:length])`
			`if err != nil {`
Fix log output format Signed-off-by: Zhenhai Gao <gaozh1988@live.com> 2018-12-05 05:17:17 +00:00			`klog.Errorf("Error writing the first 4k of proxy data: %v", err)`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00			`clientConn.Close()`
			`}`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`
Use proxy-protocol to pass through source IP to nginx 2017-04-28 22:21:47 +00:00
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`pipe(clientConn, conn)`
			`}`

			`func pipe(client, server net.Conn) {`
			`doCopy := func(s, c net.Conn, cancel chan<- bool) {`
fix: remove tcpproxy copy error handling 2023-11-29 14:33:08 +00:00			`//nolint:errcheck // No need to catch these errors`
			`io.Copy(s, c)`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`cancel <- true`
			`}`

			`cancel := make(chan bool, 2)`

			`go doCopy(server, client, cancel)`
			`go doCopy(client, server, cancel)`

Add sslpassthrough tests (#9457) 2022-12-28 20:59:27 +00:00			`<-cancel`
Refactor ssl-passthroug using go to handle TLS hello 2017-04-09 23:51:38 +00:00			`}`