Add golang server to handle TLS hello

2017-04-09 20:51:38 -03:00 · 2017-04-09 20:51:38 -03:00 · 0d9769c80d
commit 0d9769c80d
parent 7f3763590a
7 changed files with 183 additions and 65 deletions
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@ -80,9 +80,31 @@ func newNGINXController() ingress.Controller {
 		binary:        ngx,
 		configmap:     &api_v1.ConfigMap{},
 		isIPV6Enabled: isIPv6Enabled(),
+<<<<<<< fc67b1d5e2a51cc0037a434583af6530efa1a59c
 		resolver:      h,
+=======
+		proxy:         &proxy{},
+>>>>>>> 
 	}

+	listener, err := net.Listen("tcp", ":443")
+	if err != nil {
+		glog.Fatalf("%v", err)
+	}
+
+	// start goroutine that accepts tcp connections in port 443
+	go func() {
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				glog.Warningf("unexpected error accepting tcp connection: %v", err)
+				continue
+			}
+			glog.V(3).Infof("%s -> %s", conn.RemoteAddr(), conn.LocalAddr())
+			go n.proxy.Handle(conn)
+		}
+	}()
+
 	var onChange func()
 	onChange = func() {
 		template, err := ngx_template.NewTemplate(tmplPath, onChange)
@ -134,7 +156,11 @@ type NGINXController struct {
 	// returns true if IPV6 is enabled in the pod
 	isIPV6Enabled bool

+<<<<<<< fc67b1d5e2a51cc0037a434583af6530efa1a59c
 	resolver []net.IP
+=======
+	proxy *proxy
+>>>>>>> 
 }

 // Start start a new NGINX master process running in foreground.
@ -446,6 +472,39 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er
 		return nil, err
 	}

+	servers := []*server{}
+	for _, pb := range ingressCfg.PassthroughBackends {
+		svc := pb.Service
+		if svc == nil {
+			continue
+		}
+		port, err := strconv.Atoi(pb.Port.String())
+		if err != nil {
+			for _, sp := range svc.Spec.Ports {
+				if sp.Name == pb.Port.String() {
+					port = int(sp.Port)
+					break
+				}
+			}
+		} else {
+			for _, sp := range svc.Spec.Ports {
+				if sp.Port == int32(port) {
+					port = int(sp.Port)
+					break
+				}
+			}
+		}
+
+		servers = append(servers, &server{
+			Hostname: pb.Hostname,
+			IP:       svc.Spec.ClusterIP,
+			Port:     port,
+		})
+	}
+
+	glog.Infof("%v", servers)
+	n.proxy.ServerList = servers
+
 	return content, nil
 }

--- a/controllers/nginx/pkg/cmd/controller/tcp.go
+++ b/controllers/nginx/pkg/cmd/controller/tcp.go
@ -0,0 +1,90 @@
+package main
+
+import (
+	"fmt"
+	"io"
+	"net"
+
+	"github.com/golang/glog"
+	"github.com/paultag/sniff/parser"
+)
+
+type server struct {
+	Hostname string
+	IP       string
+	Port     int
+}
+
+type proxy struct {
+	ServerList []*server
+	Default    *server
+}
+
+func (p *proxy) Get(host string) *server {
+	for _, s := range p.ServerList {
+		if s.Hostname == host {
+			return s
+		}
+	}
+
+	return &server{
+		Hostname: "localhost",
+		IP:       "127.0.0.1",
+		Port:     442,
+	}
+}
+
+func (p *proxy) Handle(conn net.Conn) {
+	defer conn.Close()
+	data := make([]byte, 4096)
+
+	length, err := conn.Read(data)
+	if err != nil {
+		glog.V(4).Infof("Error reading the first 4k of the connection: %s", err)
+		return
+	}
+
+	var proxy *server
+	hostname, err := parser.GetHostname(data[:])
+	if err == nil {
+		glog.V(2).Infof("Parsed hostname: %s", hostname)
+		proxy = p.Get(hostname)
+		if proxy == nil {
+			return
+		}
+	} else {
+		proxy = p.Default
+		if proxy == nil {
+			return
+		}
+	}
+
+	clientConn, err := net.Dial("tcp", fmt.Sprintf("%s:%d", proxy.IP, proxy.Port))
+	if err != nil {
+		return
+	}
+	defer clientConn.Close()
+
+	_, err = clientConn.Write(data[:length])
+	if err != nil {
+		clientConn.Close()
+	}
+	pipe(clientConn, conn)
+}
+
+func pipe(client, server net.Conn) {
+	doCopy := func(s, c net.Conn, cancel chan<- bool) {
+		io.Copy(s, c)
+		cancel <- true
+	}
+
+	cancel := make(chan bool, 2)
+
+	go doCopy(server, client, cancel)
+	go doCopy(client, server, cancel)
+
+	select {
+	case <-cancel:
+		return
+	}
+}
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@ -50,7 +50,7 @@ const (

 	logFormatUpstream = `%v - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`

-	logFormatStream = `[$time_local] $protocol [$ssl_preread_server_name] [$stream_upstream] $status $bytes_sent $bytes_received $session_time`
+	logFormatStream = `[$time_local] $protocol $status $bytes_sent $bytes_received $session_time`

 	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
 	// Sets the size of the buffer used for sending data.
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@ -136,7 +136,6 @@ var (
 		"buildProxyPass":           buildProxyPass,
 		"buildRateLimitZones":      buildRateLimitZones,
 		"buildRateLimit":           buildRateLimit,
-		"buildSSLPassthroughUpstreams": buildSSLPassthroughUpstreams,
 		"buildResolvers":           buildResolvers,
 		"isLocationAllowed":        isLocationAllowed,
 		"buildLogFormatUpstream":   buildLogFormatUpstream,
@ -169,34 +168,6 @@ func buildResolvers(a interface{}) string {
 	return strings.Join(r, " ")
 }

-func buildSSLPassthroughUpstreams(b interface{}, sslb interface{}) string {
-	backends := b.([]*ingress.Backend)
-	sslBackends := sslb.([]*ingress.SSLPassthroughBackend)
-	buf := bytes.NewBuffer(make([]byte, 0, 10))
-
-	// multiple services can use the same upstream.
-	// avoid duplications using a map[name]=true
-	u := make(map[string]bool)
-	for _, passthrough := range sslBackends {
-		if u[passthrough.Backend] {
-			continue
-		}
-		u[passthrough.Backend] = true
-		fmt.Fprintf(buf, "upstream %v {\n", passthrough.Backend)
-		for _, backend := range backends {
-			if backend.Name == passthrough.Backend {
-				for _, server := range backend.Endpoints {
-					fmt.Fprintf(buf, "\t\tserver %v:%v;\n", server.Address, server.Port)
-				}
-				break
-			}
-		}
-		fmt.Fprint(buf, "\t}\n\n")
-	}
-
-	return buf.String()
-}
-
 // buildLocation produces the location string, if the ingress has redirects
 // (specified through the ingress.kubernetes.io/rewrite-to annotation)
 func buildLocation(input interface{}) string {
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -222,10 +222,10 @@ http {
        listen 80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}};
        {{ if $IsIPV6Enabled }}listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{ end }};{{ end }}

-        {{/* Listen on 442 because port 443 is used in the stream section */}}
+        {{/* Listen on 442 because port 443 is used in the TLS sni server */}}
        {{/* This listen on port 442 cannot contains proxy_protocol directive because port 443 is in charge of decoding the protocol */}}
-        {{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}442{{ else }}443 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
-        {{ if $IsIPV6Enabled }}{{ if not (empty $server.SSLCertificate) }}listen {{ if gt (len $passthroughBackends) 0 }}[::]:442{{ else }}[::]:443 {{ end }}{{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};{{ end }}
+        {{ if not (empty $server.SSLCertificate) }}listen 442 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
+        {{ if $IsIPV6Enabled }}{{ if not (empty $server.SSLCertificate) }}listen [::]:442 {{ if $cfg.UseProxyProtocol }} proxy_protocol {{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};{{ end }}
        {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
        # PEM sha: {{ $server.SSLPemChecksum }}
        ssl_certificate                         {{ $server.SSLCertificate }};
@ -476,6 +476,7 @@ http {
 }

 stream {
+<<<<<<< fc67b1d5e2a51cc0037a434583af6530efa1a59c
    {{ if gt (len $passthroughBackends) 0 }}
    # map FQDN that requires SSL passthrough
    map $ssl_preread_server_name $stream_upstream {
@ -486,6 +487,8 @@ stream {
        # send SSL traffic to this nginx in a different port
        default                         nginx-ssl-backend;
    }
+=======
+>>>>>>> 

    log_format log_stream {{ $cfg.LogFormatStream }};

@ -497,21 +500,6 @@ stream {

    error_log  /var/log/nginx/error.log;

-    # configure default backend for SSL
-    upstream nginx-ssl-backend {
-        server 127.0.0.1:442;
-    }
-
-    {{ buildSSLPassthroughUpstreams $backends .PassthroughBackends }}
-
-    server {
-        listen                  443 {{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};
-        {{ if $IsIPV6Enabled }}listen                  [::]:443 {{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }};{{ end }}
-        proxy_pass              $stream_upstream;
-        ssl_preread             on;
-    }
-    {{ end }}
-
    # TCP services
    {{ range $i, $tcpServer := .TCPBackends }}
    upstream tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -790,6 +790,12 @@ func (ic *GenericController) createUpstreams(data []interface{}) map[string]*ing
 						continue
 					}
 					upstream.Endpoints = endp
+
+					s, e, _ := ic.svcLister.Store.GetByKey(svcKey)
+					if e {
+						upstream.Service = s.(*api.Service)
+					}
+					upstream.Port = path.Backend.ServicePort
 				}
 			}
 		}
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
@ -148,6 +148,8 @@ type Configuration struct {
 type Backend struct {
 	// Name represents an unique api.Service name formatted as <namespace>-<name>-<port>
 	Name    string `json:"name"`
+	Service *api.Service
+	Port    intstr.IntOrString
 	// This indicates if the communication protocol between the backend and the endpoint is HTTP or HTTPS
 	// Allowing the use of HTTPS
 	// The endpoint/s must provide a TLS connection.
@ -158,8 +160,7 @@ type Backend struct {
 	SSLPassthrough bool `json:"sslPassthrough"`
 	// Endpoints contains the list of endpoints currently running
 	Endpoints []Endpoint `json:"endpoints"`
-	// StickySession contains the StickyConfig object with stickness configuration
-
+	// StickySessionAffinitySession contains the StickyConfig object with stickness configuration
 	SessionAffinity SessionAffinityConfig
 }

@ -291,6 +292,9 @@ type Location struct {
 // The endpoints must provide the TLS termination exposing the required SSL certificate.
 // The ingress controller only pipes the underlying TCP connection
 type SSLPassthroughBackend struct {
+	Namespace string
+	Service   *api.Service
+	Port      intstr.IntOrString
 	// Backend describes the endpoints to use.
 	Backend string `json:"namespace,omitempty"`
 	// Hostname returns the FQDN of the server