diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index a645c317a..0c749b67d 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -19,7 +19,6 @@ package main
 import (
 "encoding/json"
 "fmt"
- "net"
 "net/http"
 "net/http/pprof"
 "os"
@@ -28,7 +27,6 @@ import (
 "syscall"
 "time"
- proxyproto "github.com/armon/go-proxyproto"
 "github.com/golang/glog"
 "github.com/prometheus/client_golang/prometheus/promhttp"
@@ -130,10 +128,6 @@ func main() {
 ngx := controller.NewNGINXController(conf, fs)
- if conf.EnableSSLPassthrough {
- setupSSLProxy(conf.ListenPorts.HTTPS, conf.ListenPorts.SSLProxy, ngx)
- }
-
 go handleSigterm(ngx, func(code int) { os.Exit(code) })
@@ -165,49 +159,6 @@ func handleSigterm(ngx *controller.NGINXController, exit exiter) {
 exit(exitCode)
 }
-func setupSSLProxy(sslPort, proxyPort int, n *controller.NGINXController) {
- glog.Info("starting TLS proxy for SSL passthrough")
- n.Proxy = &controller.TCPProxy{
- Default: &controller.TCPServer{
- Hostname: "localhost",
- IP: "127.0.0.1",
- Port: proxyPort,
- ProxyProtocol: true,
- },
- }
-
- listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
- if err != nil {
- glog.Fatalf("%v", err)
- }
-
- proxyList := &proxyproto.Listener{Listener: listener}
-
- // start goroutine that accepts tcp connections in port 443
- go func() {
- for {
- var conn net.Conn
- var err error
-
- if n.IsProxyProtocolEnabled() {
- // we need to wrap the listener in order to decode
- // proxy protocol before handling the connection
- conn, err = proxyList.Accept()
- } else {
- conn, err = listener.Accept()
- }
-
- if err != nil {
- glog.Warningf("unexpected error accepting tcp connection: %v", err)
- continue
- }
-
- glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
- go n.Proxy.Handle(conn)
- }
- }()
-}
-
 // createApiserverClient creates new Kubernetes Apiserver client. When kubeconfig or apiserverHost param is empty
 // the function assumes that it is running inside a Kubernetes cluster and attempts to
 // discover the Apiserver. Otherwise, it connects to the Apiserver specified.
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 1d5e1ba83..3d859b7be 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -32,6 +32,7 @@ import (
 "github.com/golang/glog"
+ proxyproto "github.com/armon/go-proxyproto"
 apiv1 "k8s.io/api/core/v1"
 extensions "k8s.io/api/extensions/v1beta1"
 "k8s.io/client-go/kubernetes/scheme"
@@ -227,6 +228,8 @@ type NGINXController struct {
 isShuttingDown bool
+ Proxy *TCPProxy
+
 store store.Storer
 fileSystem filesystem.Filesystem
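Review bot: The new exported field `Proxy *TCPProxy` in the NGINXController struct hunk carries no doc comment, and nothing in the hunk tells a reader when it is set or who writes it. Elsewhere in this commit it is assigned by `setupSSLProxy`, which `Start()` calls only when `EnableSSLPassthrough` is set, and it is dereferenced from the accept goroutine, so a comment above the field such as `// Proxy is the TCP proxy that serves SSL passthrough connections; it is set by setupSSLProxy when SSL passthrough is enabled.` would spare the next maintainer a search. If other code can also assign it, adjust the wording; the struct definition continues outside the hunk.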
@@ -252,6 +255,10 @@ func (n *NGINXController) Start() {
 Pgid: 0,
 }
+ if n.cfg.EnableSSLPassthrough {
+ n.setupSSLProxy()
+ }
+
 glog.Info("starting NGINX process...")
 n.start(cmd)
@@ -399,40 +406,38 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 cfg := n.store.GetBackendConfiguration()
 cfg.Resolver = n.resolver
- /*
- servers := []*TCPServer{}
- for _, pb := range ingressCfg.PassthroughBackends {
- svc := pb.Service
- if svc == nil {
- glog.Warningf("missing service for PassthroughBackends %v", pb.Backend)
- continue
- }
- port, err := strconv.Atoi(pb.Port.String())
- if err != nil {
- for _, sp := range svc.Spec.Ports {
- if sp.Name == pb.Port.String() {
- port = int(sp.Port)
- break
- }
- }
- } else {
- for _, sp := range svc.Spec.Ports {
- if sp.Port == int32(port) {
- port = int(sp.Port)
- break
- }
- }
- }
-
- //TODO: Allow PassthroughBackends to specify they support proxy-protocol
- servers = append(servers, &TCPServer{
- Hostname: pb.Hostname,
- IP: svc.Spec.ClusterIP,
- Port: port,
- ProxyProtocol: false,
- })
+ servers := []*TCPServer{}
+ for _, pb := range ingressCfg.PassthroughBackends {
+ svc := pb.Service
+ if svc == nil {
+ glog.Warningf("missing service for PassthroughBackends %v", pb.Backend)
+ continue
 }
- */
+ port, err := strconv.Atoi(pb.Port.String())
+ if err != nil {
+ for _, sp := range svc.Spec.Ports {
+ if sp.Name == pb.Port.String() {
+ port = int(sp.Port)
+ break
+ }
+ }
+ } else {
+ for _, sp := range svc.Spec.Ports {
+ if sp.Port == int32(port) {
+ port = int(sp.Port)
+ break
+ }
+ }
+ }
+
+ //TODO: Allow PassthroughBackends to specify they support proxy-protocol
+ servers = append(servers, &TCPServer{
+ Hostname: pb.Hostname,
+ IP: svc.Spec.ClusterIP,
+ Port: port,
+ ProxyProtocol: false,
+ })
+ }
 // we need to check if the status module configuration changed
 if cfg.EnableVtsStatus {
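Review bot: In the loop this commit un-comments in OnUpdate, a named port that matches no entry of `svc.Spec.Ports` leaves `port` at 0 (the value `strconv.Atoi` returned alongside its error), and the backend is still appended with `Port: 0`, so a misconfigured passthrough Ingress silently yields an unusable server entry instead of the warning the `svc == nil` case gets. After the port-resolution `if/else`, add `if port == 0 { glog.Warningf("missing port %v in service for PassthroughBackends %v", pb.Port.String(), pb.Backend); continue }` so the same logging convention covers it. The numeric branch has the mirror-image gap: a port number absent from the service is used unchanged, which may be intended, but a `glog.V(2)` note there would make it visible when debugging. What happens to `servers` afterwards, and the rest of OnUpdate, lie outside this hunk.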
@@ -640,3 +645,49 @@ func nextPowerOf2(v int) int {
 return v
 }
+
+func (n *NGINXController) setupSSLProxy() {
+ sslPort := n.cfg.ListenPorts.HTTPS
+ proxyPort := n.cfg.ListenPorts.SSLProxy
+
+ glog.Info("starting TLS proxy for SSL passthrough")
+ n.Proxy = &TCPProxy{
+ Default: &TCPServer{
+ Hostname: "localhost",
+ IP: "127.0.0.1",
+ Port: proxyPort,
+ ProxyProtocol: true,
+ },
+ }
+
+ listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
+ if err != nil {
+ glog.Fatalf("%v", err)
+ }
+
+ proxyList := &proxyproto.Listener{Listener: listener}
+
+ // start goroutine that accepts tcp connections in port 443
+ go func() {
+ for {
+ var conn net.Conn
+ var err error
+
+ if n.store.GetBackendConfiguration().UseProxyProtocol {
+ // we need to wrap the listener in order to decode
+ // proxy protocol before handling the connection
+ conn, err = proxyList.Accept()
+ } else {
+ conn, err = listener.Accept()
+ }
+
+ if err != nil {
+ glog.Warningf("unexpected error accepting tcp connection: %v", err)
+ continue
+ }
+
+ glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
+ go n.Proxy.Handle(conn)
+ }
+ }()
+}
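Review bot: The accept loop in the new setupSSLProxy has no exit path: every error from `listener.Accept`/`proxyList.Accept`, including the permanent one returned once the listener is closed, hits `continue`, so a closed listener turns the goroutine into a hot loop that logs a warning per iteration for the rest of the process lifetime. The rewrite below returns on non-temporary errors and also gives `proxyproto.Listener` a `ProxyHeaderTimeout`, because with the zero value a peer that connects while `UseProxyProtocol` is on and never sends a PROXY header can keep its connection, and the goroutine `Handle` spawns for it, open indefinitely. Separately, a bind failure ends in `glog.Fatalf` inside a controller method, so `Start()` can neither report nor recover from it; having setupSSLProxy return an `error` and letting `Start()` decide would be cleaner. Note also that `n.store.GetBackendConfiguration().UseProxyProtocol` is re-read per accepted connection, presumably to follow configuration changes, which means a mode flip affects only connections accepted after it.
```go
	proxyList := &proxyproto.Listener{
		Listener:           listener,
		ProxyHeaderTimeout: 10 * time.Second, // constructed value; needs "time" in the import block if not already there
	}

	// start goroutine that accepts tcp connections in port 443
	go func() {
		for {
			// … unchanged: pick proxyList or listener by UseProxyProtocol …
			if err != nil {
				if ne, ok := err.(net.Error); ok && ne.Temporary() {
					glog.Warningf("unexpected error accepting tcp connection: %v", err)
					continue
				}
				glog.Warningf("stopping TLS proxy accept loop: %v", err)
				return
			}
			// … unchanged: log addresses and hand conn to n.Proxy.Handle …
		}
	}()
```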