reversetunnel

package
v0.0.0-...-5c79d48 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2024 License: AGPL-3.0 Imports: 56 Imported by: 0

Documentation

Overview

Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.

Package reversetunnel provides interfaces for accessing remote clusters 

via reverse tunnels and directly.

Reverse Tunnels 

Proxy server                      Proxy agent
               Reverse tunnel
+----------+                      +---------+
|          <----------------------+         |
|          |                      |         |

+-----+----------+ +---------+-----+ | | | | | | | | +----------------+ +---------------+ 

Proxy Cluster "A"                      Proxy Cluster "B"

Reverse tunnel is established from a cluster "B" Proxy to the a cluster "A" proxy, and clients of the cluster "A" can access servers of the cluster "B" via reverse tunnel connection, even if the cluster "B" is behind the firewall.

Multiple Proxies and Revese Tunnels

With multiple proxies behind the load balancer, proxy agents will eventually discover and establish connections to all proxies in cluster.

* Initially Proxy Agent connects to Proxy 1. * Proxy 1 starts sending information about all available proxies to the the Proxy Agent . This process is called "sending discovery request".

+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+ 

Proxy 1           +-------------------------------+          |
                        |           |             |          |
                        +-----------+             +----------+
                         Load Balancer             Proxy Agent

+----------+ | | | | +----------+ 

Proxy 2

* Agent will use the discovery request to establish new connections and check if it has connected and "discovered" all the proxies specified 

in the discovery request.

* Assuming that load balancer uses fair load balancing algorithm, agent will eventually discover and connect back to all the proxies.

+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+ 

Proxy 1           +-------------------------------+          |
                  |     |           |             |          |
                  |     +-----------+             +----------+
                  |      Load Balancer             Proxy Agent

+----------+ | | <--------+ | | +----------+ 

Proxy 2

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewServer 

func NewServer(cfg Config) (reversetunnelclient.Server, error)

NewServer creates and returns a reverse tunnel server which is fully initialized but hasn't been started yet

func UseTunnel 

func UseTunnel(logger *log.Entry, c *sshutils.ChConn) bool

UseTunnel makes a channel request asking for the type of connection. If the other side does not respond (older cluster) or takes to long to respond, be on the safe side and assume it's not a tunnel connection.

Types

type Agent 

type Agent interface {
	// Start starts the agent in the background.
	Start(context.Context) error
	// Stop closes the agent and releases resources.
	Stop() error
	// GetState returns the current state of the agent.
	GetState() AgentState
	// GetProxyID returns the proxy id of the proxy the agent is connected to.
	GetProxyID() (string, bool)
}

Agent represents a reverse tunnel agent.

type AgentPool 

type AgentPool struct {
	AgentPoolConfig
	// contains filtered or unexported fields
}

AgentPool manages a pool of reverse tunnel agents.

func NewAgentPool 

func NewAgentPool(ctx context.Context, config AgentPoolConfig) (*AgentPool, error)

NewAgentPool returns new instance of the agent pool.

func (*AgentPool) Count 

func (p *AgentPool) Count() int

Count is the number connected agents.

func (*AgentPool) GetConnectedProxyGetter 

func (p *AgentPool) GetConnectedProxyGetter() *ConnectedProxyGetter

GetConnectedProxyGetter returns the ConnectedProxyGetter for this agent pool.

func (*AgentPool) Start 

func (p *AgentPool) Start() error

Start starts the agent pool in the background.

func (*AgentPool) Stop 

func (p *AgentPool) Stop()

Stop stops the pool and waits for all resources to be released.

func (*AgentPool) Wait 

func (p *AgentPool) Wait()

Wait blocks until the pool context is stopped.

type AgentPoolConfig 

type AgentPoolConfig struct {
	// Client is client to the auth server this agent connects to receive
	// a list of pools
	Client auth.ClientI
	// AccessPoint is a lightweight access point
	// that can optionally cache some values
	AccessPoint auth.AccessCache
	// HostSigner is a host signer this agent presents itself as
	HostSigner ssh.Signer
	// HostUUID is a unique ID of this host
	HostUUID string
	// LocalCluster is a cluster name this client is a member of.
	LocalCluster string
	// Clock is a clock used to get time, if not set,
	// system clock is used
	Clock clockwork.Clock
	// KubeDialAddr is an address of a kubernetes proxy
	KubeDialAddr utils.NetAddr
	// Server is either an SSH or application server. It can handle a connection
	// (perform handshake and handle request).
	Server ServerHandler
	// Component is the Teleport component this agent pool is running in. It can
	// either be proxy (trusted clusters) or node (dial back).
	Component string
	// ReverseTunnelServer holds all reverse tunnel connections.
	ReverseTunnelServer reversetunnelclient.Server
	// Resolver retrieves the reverse tunnel address
	Resolver reversetunnelclient.Resolver
	// Cluster is a cluster name of the proxy.
	Cluster string
	// FIPS indicates if Teleport was started in FIPS mode.
	FIPS bool
	// ProxiedServiceUpdater updates a proxied service with the proxies it is connected to.
	ConnectedProxyGetter *ConnectedProxyGetter
	// IsRemoteCluster indicates the agent pool is connecting to a remote cluster.
	// This means the tunnel strategy should be ignored and tls routing is determined
	// by the remote cluster.
	IsRemoteCluster bool
	// LocalAuthAddresses is a list of auth servers to use when dialing back to
	// the local cluster.
	LocalAuthAddresses []string
	// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
	PROXYSigner multiplexer.PROXYHeaderSigner
}

AgentPoolConfig holds configuration parameters for the agent pool

func (*AgentPoolConfig) CheckAndSetDefaults 

func (cfg *AgentPoolConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults.

type AgentState 

type AgentState string
const (
	// AgentInitial is the state of an agent when first created.
	AgentInitial AgentState = "initial"
	// AgentConnecting is the state when an agent is starting but not yet connected.
	AgentConnecting AgentState = "connecting"
	// AgentConnected is the state of an agent when is successfully connects
	// to a server and sends its first heartbeat.
	AgentConnected AgentState = "connected"
	// AgentClosed is the state of an agent when the connection and all other
	// resources are cleaned up.
	AgentClosed AgentState = "closed"
)

type AgentStateCallback 

type AgentStateCallback func(AgentState)

AgentStateCallback is called when an agent's state changes.

type Config 

type Config struct {
	// ID is the ID of this server proxy
	ID string
	// ClusterName is a name of this cluster
	ClusterName string
	// ClientTLS is a TLS config associated with this proxy
	// used to connect to remote auth servers on remote clusters
	ClientTLS *tls.Config
	// Listener is a listener address for reverse tunnel server
	Listener net.Listener
	// HostSigners is a list of host signers
	HostSigners []ssh.Signer
	// HostKeyCallback
	// Limiter is optional request limiter
	Limiter *limiter.Limiter
	// LocalAuthClient provides access to a full AuthClient for the local cluster.
	LocalAuthClient auth.ClientI
	// AccessPoint provides access to a subset of AuthClient of the cluster.
	// AccessPoint caches values and can still return results during connection
	// problems.
	LocalAccessPoint auth.ProxyAccessPoint
	// NewCachingAccessPoint returns new caching access points
	// per remote cluster
	NewCachingAccessPoint auth.NewRemoteProxyCachingAccessPoint
	// Context is a signaling context
	Context context.Context
	// Clock is a clock used in the server, set up to
	// wall clock if not set
	Clock clockwork.Clock

	// KeyGen is a process wide key generator. It is shared to speed up
	// generation of public/private keypairs.
	KeyGen sshca.Authority

	// Ciphers is a list of ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string

	// MACAlgorithms is a list of message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// DataDir is a local server data directory
	DataDir string

	// PollingPeriod specifies polling period for internal sync
	// goroutines, used to speed up sync-ups in tests.
	PollingPeriod time.Duration

	// Component is a component used in logs
	Component string

	// Log specifies the logger
	Log log.FieldLogger

	// FIPS means Teleport was started in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// Emitter is event emitter
	Emitter events.StreamEmitter

	// DELETE IN: 8.0.0
	//
	// NewCachingAccessPointOldProxy is an access point that can be configured
	// with the old access point policy until all clusters are migrated to 7.0.0
	// and above.
	NewCachingAccessPointOldProxy auth.NewRemoteProxyCachingAccessPoint

	// PeerClient is a client to peer proxy servers.
	PeerClient *peer.Client

	// LockWatcher is a lock watcher.
	LockWatcher *services.LockWatcher

	// NodeWatcher is a node watcher.
	NodeWatcher *services.NodeWatcher

	// CertAuthorityWatcher is a cert authority watcher.
	CertAuthorityWatcher *services.CertAuthorityWatcher

	// CircuitBreakerConfig configures the auth client circuit breaker
	CircuitBreakerConfig breaker.Config

	// LocalAuthAddresses is a list of auth servers to use when dialing back to
	// the local cluster.
	LocalAuthAddresses []string

	// IngressReporter reports new and active connections.
	IngressReporter *ingress.Reporter

	// PROXYSigner is used to sign PROXY headers to securely propagate client IP information.
	PROXYSigner multiplexer.PROXYHeaderSigner
}

Config is a reverse tunnel server configuration

func (*Config) CheckAndSetDefaults 

func (cfg *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values

type ConnectedProxyGetter 

type ConnectedProxyGetter struct {
	// contains filtered or unexported fields
}

ConnectedProxyGetter gets the proxy ids that the a reverse tunnel pool is connected to. This is used to communicate the connected proxies between reversetunnel.AgentPool and service implementations to include the connected proxy ids in the service's heartbeats.

func NewConnectedProxyGetter 

func NewConnectedProxyGetter() *ConnectedProxyGetter

NewConnectedProxyGetter creates a new ConnectedProxyGetter instance.

func (*ConnectedProxyGetter) GetProxyIDs 

func (g *ConnectedProxyGetter) GetProxyIDs() []string

GetProxyIDs gets the list of connected proxy ids.

type RemoteClusterTunnelManager 

type RemoteClusterTunnelManager struct {
	// contains filtered or unexported fields
}

RemoteClusterTunnelManager manages AgentPools for trusted (remote) clusters. It polls the auth server for ReverseTunnel resources and spins AgentPools for each one as needed.

Note: ReverseTunnel resources on the auth server represent the desired tunnels, not actually active ones.

func NewRemoteClusterTunnelManager 

func NewRemoteClusterTunnelManager(cfg RemoteClusterTunnelManagerConfig) (*RemoteClusterTunnelManager, error)

NewRemoteClusterTunnelManager creates a new stopped tunnel manager with the provided config. Call Run() to start the manager.

func (*RemoteClusterTunnelManager) Close 

func (w *RemoteClusterTunnelManager) Close() error

Close cleans up all outbound tunnels and stops the manager.

func (*RemoteClusterTunnelManager) Counts 

func (w *RemoteClusterTunnelManager) Counts() map[string]int

Counts returns the number of tunnels for each remote cluster.

func (*RemoteClusterTunnelManager) Run 

func (w *RemoteClusterTunnelManager) Run(ctx context.Context)

Run runs the manager polling loop. Run is blocking, start it in a goroutine.

func (*RemoteClusterTunnelManager) Sync 

func (w *RemoteClusterTunnelManager) Sync(ctx context.Context) error

Sync does a one-time sync of trusted clusters with running agent pools. Non-test code should use Run() instead.

type RemoteClusterTunnelManagerConfig 

type RemoteClusterTunnelManagerConfig struct {
	// AuthClient is client to the auth server.
	AuthClient auth.ClientI
	// AccessPoint is a lightweight access point that can optionally cache some
	// values.
	AccessPoint auth.ProxyAccessPoint
	// HostSigners is a signer for the host private key.
	HostSigner ssh.Signer
	// HostUUID is a unique ID of this host
	HostUUID string
	// LocalCluster is a cluster name this client is a member of.
	LocalCluster string
	// Local ReverseTunnelServer to reach other cluster members connecting to
	// this proxy over a tunnel.
	ReverseTunnelServer reversetunnelclient.Server
	// Clock is a mock-able clock.
	Clock clockwork.Clock
	// KubeDialAddr is an optional address of a local kubernetes proxy.
	KubeDialAddr utils.NetAddr
	// FIPS indicates if Teleport was started in FIPS mode.
	FIPS bool
	// Log is the logger
	Log logrus.FieldLogger
	// LocalAuthAddresses is a list of auth servers to use when dialing back to
	// the local cluster.
	LocalAuthAddresses []string
	// PROXYSigner is used to sign PROXY headers for securely propagating client IP address
	PROXYSigner multiplexer.PROXYHeaderSigner
}

RemoteClusterTunnelManagerConfig is a bundle of parameters used by a RemoteClusterTunnelManager.

func (*RemoteClusterTunnelManagerConfig) CheckAndSetDefaults 

func (c *RemoteClusterTunnelManagerConfig) CheckAndSetDefaults() error

type SSHClient 

type SSHClient interface {
	ssh.ConnMetadata
	io.Closer
	Wait() error
	OpenChannel(ctx context.Context, name string, data []byte) (*tracessh.Channel, <-chan *ssh.Request, error)
	SendRequest(ctx context.Context, name string, wantReply bool, payload []byte) (bool, []byte, error)
	Principals() []string
	GlobalRequests() <-chan *ssh.Request
	HandleChannelOpen(channelType string) <-chan ssh.NewChannel
	Reply(*ssh.Request, bool, []byte) error
}

SSHClient is a client for an ssh connection.

type ServerHandler 

type ServerHandler interface {
	// HandleConnection performs a handshake then process the connection.
	HandleConnection(conn net.Conn)
}

ServerHandler implements an interface which can handle a connection (perform a handshake then process). This is needed because importing lib/srv in lib/reversetunnel causes a circular import.

type ServerHandlerToListener 

type ServerHandlerToListener struct {
	// contains filtered or unexported fields
}

ServerHandlerToListener is an adapter from ServerHandler to net.Listener. It can be used as a Server field in AgentPoolConfig, while also being passed to http.Server.Serve (or any other func Serve(net.Listener)).

func NewServerHandlerToListener 

func NewServerHandlerToListener(tunnelAddr string) ServerHandlerToListener

NewServerHandlerToListener creates a new ServerHandlerToListener adapter.

func (ServerHandlerToListener) Accept 

func (l ServerHandlerToListener) Accept() (net.Conn, error)

func (ServerHandlerToListener) Addr 

func (l ServerHandlerToListener) Addr() net.Addr

func (ServerHandlerToListener) Close 

func (l ServerHandlerToListener) Close() error

func (ServerHandlerToListener) HandleConnection 

func (l ServerHandlerToListener) HandleConnection(c net.Conn)

Source Files

View all Source files

Directories

Path Synopsis
Package track provides a simple interface to keep track of proxies as described via "gossip" messages shared by other proxies as part of the reverse tunnel protocol, and to decide if and when it's appropriate to attempt a new connection to a proxy load balancer at any given moment.
 Package track provides a simple interface to keep track of proxies as described via "gossip" messages shared by other proxies as part of the reverse tunnel protocol, and to decide if and when it's appropriate to attempt a new connection to a proxy load balancer at any given moment.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.