alpnproxy

package v11.3.3

This package is not in the latest version of its module.
Published: Dec 13, 2022 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func CheckCertSubject

func CheckCertSubject(cert *x509.Certificate, dbRoute tlsca.RouteToDatabase) error

CheckCertSubject checks if the route to the database from the cert matches the provided route in terms of username and database (if present).

func DialALPN

func DialALPN(ctx context.Context, addr string, cfg ALPNDialerConfig) (*tls.Conn, error)

DialALPN is a helper that dials using an ALPNDialer and returns a tls.Conn on success.

func IsALPNConnUpgradeRequired

func IsALPNConnUpgradeRequired(addr string, insecure bool) bool

IsALPNConnUpgradeRequired returns true if a tunnel through an HTTP connection upgrade is required for ALPN connections.

The function makes a test connection to the Proxy Service and checks whether ALPN was negotiated. If it was not, the Proxy Service is likely behind an AWS ALB or some custom proxy service that strips the ALPN and SNI information on the way to our Proxy Service.

In those cases, the Teleport client should make an HTTP "upgrade" call to the Proxy Service to establish a tunnel for the originally planned traffic, which preserves the ALPN and SNI information.
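The check described above, as an added example written for this page rather than taken from the package: the probe offers a single ALPN value and inspects ConnectionState().NegotiatedProtocol after the handshake. The probe protocol name, the self-signed fixture servers and the loopback addresses are constructed for the example; the real function's protocol value and the HTTP upgrade tunnel itself are not shown here.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// probeProtocol is the ALPN value offered by the probe. It is an assumption of this example;
// the page does not state which protocol the real check offers.
const probeProtocol = "teleport-probe"

// IsALPNStripped dials addr with probeProtocol offered and reports whether the server failed to
// negotiate it. An empty NegotiatedProtocol after a successful handshake is the symptom of an
// intermediary (an AWS ALB, for instance) that terminated TLS and dropped ALPN on the way in.
func IsALPNStripped(ctx context.Context, addr string, insecure bool) (bool, error) {
	d := tls.Dialer{
		NetDialer: &net.Dialer{Timeout: 5 * time.Second},
		Config: &tls.Config{
			NextProtos:         []string{probeProtocol},
			MinVersion:         tls.VersionTLS12,
			InsecureSkipVerify: insecure, // only acceptable here because the fixture servers below are self-signed
		},
	}
	conn, err := d.DialContext(ctx, "tcp", addr)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return conn.(*tls.Conn).ConnectionState().NegotiatedProtocol != probeProtocol, nil
}

// selfSignedCert is constructed test data for the in-process fixture servers.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "proxy.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer listens on loopback. With negotiate=false the server ignores ALPN entirely,
// which is what a client observes behind a load balancer that does not forward it.
func startServer(negotiate bool) (addr string, stop func()) {
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}}
	if negotiate {
		cfg.NextProtos = []string{probeProtocol}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				c.(*tls.Conn).Handshake() // finish the handshake, then hang up
				c.Close()
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

func main() {
	for _, negotiate := range []bool{true, false} {
		addr, stop := startServer(negotiate)
		stripped, err := IsALPNStripped(context.Background(), addr, true)
		stop()
		fmt.Printf("server forwards ALPN=%v -> connection upgrade required=%v (err=%v)\n", negotiate, stripped, err)
	}
}
```

Run it and the first line reports upgrade required=false, the second true. A true result is what the ALPNConnUpgradeRequired fields on ALPNDialerConfig and LocalProxyConfig are meant to carry; InsecureSkipVerify is passed only because the fixture certificates are self-signed and should stay false against a real Proxy Service.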

func IsConnectRequest

func IsConnectRequest(req *http.Request) bool

IsConnectRequest returns true if the request is an HTTP CONNECT tunnel request.

https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.6

func MatchAWSRequests

func MatchAWSRequests(req *http.Request) bool

MatchAWSRequests is a MatchFunc that returns true if request is an AWS API request.

func MatchAllRequests

func MatchAllRequests(req *http.Request) bool

MatchAllRequests is a MatchFunc that returns true for all requests.

Types

type ALPNDialer

type ALPNDialer struct {
	// contains filtered or unexported fields
}

ALPNDialer is a ContextDialer that dials a connection to the Proxy Service with ALPN and SNI configured in the provided TLSConfig. An ALPN connection upgrade is also performed at the initial connection, if an upgrade is required.

func (ALPNDialer) DialContext

func (d ALPNDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error)

DialContext implements ContextDialer.

type ALPNDialerConfig

type ALPNDialerConfig struct {
	// KeepAlivePeriod defines period between keep alives.
	KeepAlivePeriod time.Duration
	// DialTimeout defines how long to attempt dialing before timing out.
	DialTimeout time.Duration
	// TLSConfig is the TLS config used for the TLS connection.
	TLSConfig *tls.Config
	// ALPNConnUpgradeRequired specifies if ALPN connection upgrade is required.
	ALPNConnUpgradeRequired bool
}

ALPNDialerConfig is the config for ALPNDialer.

type CertGenListener

type CertGenListener struct {
	net.Listener
	// contains filtered or unexported fields
}

CertGenListener is an HTTPS listener that generates TLS certificates based on the SNI presented during the HTTPS handshake.

func NewCertGenListener

func NewCertGenListener(config CertGenListenerConfig) (*CertGenListener, error)

NewCertGenListener creates a new CertGenListener and listens to the configured listen address.

func (*CertGenListener) GetCertificate

func (r *CertGenListener) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate generates and returns a TLS certificate for the incoming connection. Implements tls.Config.GetCertificate.

type CertGenListenerConfig

type CertGenListenerConfig struct {
	// ListenAddr is network address to listen.
	ListenAddr string
	// CA is the certificate authority for signing certificates.
	CA tls.Certificate
}

CertGenListenerConfig is the config for CertGenListener.

func (*CertGenListenerConfig) CheckAndSetDefaults

func (c *CertGenListenerConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values.
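An added example of the SNI-driven certificate generation the listener above performs, written for this page and not taken from the package: a GetCertificate callback that mints a leaf for ClientHelloInfo.ServerName under a locally generated CA, wired into tls.Listen, plus a client that verifies the resulting chain. The CA, the 24-hour leaf lifetime, the refusal of handshakes without SNI and the loopback addresses are choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// certGen mints a leaf certificate for each SNI it is asked for, signed by the configured CA.
type certGen struct {
	ca     tls.Certificate
	caCert *x509.Certificate
}

// GetCertificate has the tls.Config.GetCertificate signature. A ClientHello without SNI is
// refused rather than handed a catch-all certificate, so the listener only ever vouches for a
// name the client explicitly asked for.
func (g *certGen) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := hello.ServerName
	if name == "" {
		return nil, errors.New("client sent no SNI")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // lifetime is an assumption of the example
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, g.caCert, &key.PublicKey, g.ca.PrivateKey)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der, g.ca.Certificate[0]}, PrivateKey: key}, nil
}

// newCA is constructed test data; a deployment would load its CA from disk or a secret store.
func newCA() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "local cert-gen CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serveCertGen listens on loopback and completes handshakes with certificates from the generator.
func serveCertGen(ca tls.Certificate) (addr string, stop func(), err error) {
	caCert, err := x509.ParseCertificate(ca.Certificate[0])
	if err != nil {
		return "", nil, err
	}
	gen := &certGen{ca: ca, caCert: caCert}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: gen.GetCertificate, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// handshakeAs connects claiming serverName, verifies the chain against ca and returns the leaf's
// DNS names. With an empty serverName tls.Dial falls back to the IP in addr, for which no SNI is
// sent, and the server refuses the handshake.
func handshakeAs(addr, serverName string, ca tls.Certificate) ([]string, error) {
	caCert, _ := x509.ParseCertificate(ca.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: pool, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames, nil
}
```

Because the client trusts the generator's CA for every name, the generator has to be strict about which names it signs; refusing an empty SNI is the minimum, and a deployment would also cache per name and bound how many keys a peer can make it generate. The CA private key never leaves the process that owns the listener.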

type ConnectRequestHandler

type ConnectRequestHandler interface {
	// Match returns true if this handler wants to handle the provided request.
	Match(req *http.Request) bool

	// Handle handles the request with provided client connection.
	Handle(ctx context.Context, clientConn net.Conn, req *http.Request)
}

ConnectRequestHandler defines handler for handling CONNECT requests.

type ConnectionHandler

type ConnectionHandler func(ctx context.Context, conn net.Conn) error

ConnectionHandler defines a function for serving incoming connections.

type ConnectionHandlerWrapper

type ConnectionHandlerWrapper struct {
	// contains filtered or unexported fields
}

ConnectionHandlerWrapper is a wrapper of ConnectionHandler. This wrapper is mainly used as a placeholder to resolve circular dependencies.

func (*ConnectionHandlerWrapper) HandleConnection

func (w *ConnectionHandlerWrapper) HandleConnection(ctx context.Context, conn net.Conn) error

HandleConnection implements ConnectionHandler.

func (*ConnectionHandlerWrapper) Set

Set updates the inner ConnectionHandler to use.

type ConnectionInfo

type ConnectionInfo struct {
	// SNI is ServerName value obtained from TLS hello message.
	SNI string
	// ALPN protocols obtained from TLS hello message.
	ALPN []string
}

ConnectionInfo contains details about TLS connection.

type ContextDialer

type ContextDialer interface {
	// DialContext is a function that dials the specified address
	DialContext(ctx context.Context, network, addr string) (net.Conn, error)
}

ContextDialer represents a network dialer interface that takes a context.

func NewALPNDialer

func NewALPNDialer(cfg ALPNDialerConfig) ContextDialer

NewALPNDialer creates a new ALPNDialer.

type ForwardProxy

type ForwardProxy struct {
	// contains filtered or unexported fields
}

ForwardProxy is a forward proxy that serves CONNECT tunnel requests.

func NewForwardProxy

func NewForwardProxy(cfg ForwardProxyConfig) (*ForwardProxy, error)

NewForwardProxy creates a new forward proxy server.

func (*ForwardProxy) Close

func (p *ForwardProxy) Close() error

Close closes the forward proxy.

func (*ForwardProxy) GetAddr

func (p *ForwardProxy) GetAddr() string

GetAddr returns the listener address.

func (*ForwardProxy) ServeHTTP

func (p *ForwardProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)

ServeHTTP serves HTTP requests. Implements http.Handler.

func (*ForwardProxy) Start

func (p *ForwardProxy) Start() error

Start starts serving on the listener.

type ForwardProxyConfig

type ForwardProxyConfig struct {
	// Listener is the network listener.
	Listener net.Listener
	// CloseContext is the close context.
	CloseContext context.Context
	// Handlers is a list of CONNECT request handlers.
	Handlers []ConnectRequestHandler
}

ForwardProxyConfig is the config for forward proxy server.

func (*ForwardProxyConfig) CheckAndSetDefaults

func (c *ForwardProxyConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default config values.
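The CONNECT exchange that ForwardProxy and its handlers implement, as an added example in this page's terms rather than the package's code: the proxy hijacks the client connection on CONNECT, asks each handler's Match in order, and the first taker dials the target and relays bytes both ways; a request no handler claims gets a 403 instead of a tunnel. The echo server, loopback addresses and handler names are constructed for the example, and the Host override of ForwardToHostHandler is left out.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
)

// bufferedConn exposes bytes the HTTP server already buffered past the CONNECT header (a client
// that starts its TLS handshake without waiting for the 200) to the tunnel, instead of losing them.
type bufferedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c bufferedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// forwardToOriginalHost tunnels matching requests to the authority named on the CONNECT line.
type forwardToOriginalHost struct {
	MatchFunc func(*http.Request) bool
}

func (h *forwardToOriginalHost) Match(req *http.Request) bool { return h.MatchFunc(req) }

func (h *forwardToOriginalHost) Handle(ctx context.Context, clientConn net.Conn, req *http.Request) {
	defer clientConn.Close()
	var d net.Dialer
	serverConn, err := d.DialContext(ctx, "tcp", req.Host) // CONNECT carries "host:port"
	if err != nil {
		io.WriteString(clientConn, "HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
		return
	}
	defer serverConn.Close()
	if _, err := io.WriteString(clientConn, "HTTP/1.1 200 Connection Established\r\n\r\n"); err != nil {
		return
	}
	go func() { io.Copy(serverConn, clientConn); serverConn.Close() }() // client side ended: tear down
	io.Copy(clientConn, serverConn)
}

type forwardProxy struct {
	handlers []*forwardToOriginalHost // consulted in order; the first Match wins
}

// ServeHTTP accepts only CONNECT, hijacks the connection and hands it to the first matching
// handler. A request nobody claims is refused: tunnelling it anyway would make this an open proxy.
func (p *forwardProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodConnect {
		http.Error(rw, "only CONNECT is served", http.StatusMethodNotAllowed)
		return
	}
	clientConn, brw, err := rw.(http.Hijacker).Hijack()
	if err != nil {
		return
	}
	conn := bufferedConn{Conn: clientConn, r: brw.Reader}
	for _, h := range p.handlers {
		if h.Match(req) {
			h.Handle(context.Background(), conn, req) // the package's CloseContext would go here
			return
		}
	}
	io.WriteString(conn, "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
	conn.Close()
}

// startDemo runs a loopback echo server and a proxy that only tunnels to that echo server.
func startDemo() (proxyAddr, echoAddr string, stop func()) {
	echo, _ := net.Listen("tcp", "127.0.0.1:0")
	go func() {
		for c, err := echo.Accept(); err == nil; c, err = echo.Accept() {
			go func(c net.Conn) { io.Copy(c, c); c.Close() }(c)
		}
	}()
	echoAddr = echo.Addr().String()
	onlyEcho := &forwardToOriginalHost{MatchFunc: func(r *http.Request) bool { return r.Host == echoAddr }}
	pl, _ := net.Listen("tcp", "127.0.0.1:0")
	go http.Serve(pl, &forwardProxy{handlers: []*forwardToOriginalHost{onlyEcho}})
	return pl.Addr().String(), echoAddr, func() { echo.Close(); pl.Close() }
}

// tunnel sends CONNECT target through the proxy, pushes payload through the tunnel and returns the echo.
func tunnel(proxyAddr, target, payload string) (string, error) {
	conn, err := net.Dial("tcp", proxyAddr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target)
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("proxy refused tunnel: %s", resp.Status)
	}
	io.WriteString(conn, payload)
	buf := make([]byte, len(payload))
	_, err = io.ReadFull(br, buf)
	return string(buf), err
}
```

tunnel against the echo address returns the payload unchanged; against any other address it returns the proxy's 403. The bufferedConn wrapper matters for clients that send their TLS ClientHello right after the CONNECT line without waiting for the 200: those bytes sit in the *bufio.ReadWriter returned by Hijack, and a handler that reads only from the raw connection silently drops them.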

type ForwardToHostHandler

type ForwardToHostHandler struct {
	// contains filtered or unexported fields
}

ForwardToHostHandler is a CONNECT request handler that forwards requests to a designated host.

func NewForwardToHostHandler

func NewForwardToHostHandler(cfg ForwardToHostHandlerConfig) *ForwardToHostHandler

NewForwardToHostHandler creates a new ForwardToHostHandler.

func NewForwardToOriginalHostHandler

func NewForwardToOriginalHostHandler() *ForwardToHostHandler

NewForwardToOriginalHostHandler creates a new CONNECT request handler that forwards all requests to their original hosts.

func (*ForwardToHostHandler) Handle

func (h *ForwardToHostHandler) Handle(ctx context.Context, clientConn net.Conn, req *http.Request)

Handle handles the request with provided client connection.

func (*ForwardToHostHandler) Match

func (h *ForwardToHostHandler) Match(req *http.Request) bool

Match returns true if this handler wants to handle the provided request.

type ForwardToHostHandlerConfig

type ForwardToHostHandlerConfig struct {
	// Match returns true if this handler wants to handle the provided request.
	MatchFunc func(req *http.Request) bool

	// Host is the destination to forward the request to. If empty, the request
	// is forwarded to its original host.
	Host string
}

ForwardToHostHandlerConfig is the config for ForwardToHostHandler.

func (*ForwardToHostHandlerConfig) SetDefaults

func (c *ForwardToHostHandlerConfig) SetDefaults()

SetDefaults sets default config values.

type ForwardToSystemProxyHandler

type ForwardToSystemProxyHandler struct {
	// contains filtered or unexported fields
}

ForwardToSystemProxyHandler is a CONNECT request handler that forwards requests to existing system or corporate forward proxies configured on the host where our server runs.

Here "system" is used to differentiate the forward proxy users have outside Teleport from our own forward proxy server. The purpose of this handler is to honor "system" proxy settings so the requests are forwarded to "system" proxies as intended instead of going to their original hosts.

func NewForwardToSystemProxyHandler

func NewForwardToSystemProxyHandler(cfg ForwardToSystemProxyHandlerConfig) *ForwardToSystemProxyHandler

NewForwardToSystemProxyHandler creates a new ForwardToSystemProxyHandler.

func (*ForwardToSystemProxyHandler) Handle

func (h *ForwardToSystemProxyHandler) Handle(ctx context.Context, clientConn net.Conn, req *http.Request)

Handle handles the request with provided client connection.

func (*ForwardToSystemProxyHandler) Match

Match returns true if this handler wants to handle the provided request.

type ForwardToSystemProxyHandlerConfig

type ForwardToSystemProxyHandlerConfig struct {
	// TunnelProtocol is the protocol of the requests being tunneled.
	TunnelProtocol string
	// InsecureSystemProxy allows insecure system proxy when forwarding
	// unwanted requests.
	InsecureSystemProxy bool
	// SystemProxyFunc is the function that determines the system proxy URL to
	// use for provided request URL.
	SystemProxyFunc func(reqURL *url.URL) (*url.URL, error)
}

ForwardToSystemProxyHandlerConfig is the config for ForwardToSystemProxyHandler.

func (*ForwardToSystemProxyHandlerConfig) SetDefaults

func (c *ForwardToSystemProxyHandlerConfig) SetDefaults()

SetDefaults sets default config values.

type HandlerDecs

type HandlerDecs struct {
	// Handler is protocol handling logic.
	Handler HandlerFunc
	// HandlerWithConnInfo is protocol handler function providing additional TLS insight.
	// Used in cases where internal handler function must have access to hello message values without
	// terminating the TLS connection.
	HandlerWithConnInfo HandlerFuncWithInfo
	// ForwardTLS tells if the ALPN proxy service should terminate TLS traffic or delegate the
	// TLS termination to the protocol handler (used in the Kube handler case).
	ForwardTLS bool
	// MatchFunc is a route match function based on the TLS ALPN and SNI values.
	// If it evaluates to true, the current HandlerDecs is used
	// for connection handling.
	MatchFunc MatchFunc
	// TLSConfig is a TLS configuration that allows switching TLS settings for the handler.
	// By default, ProxyConfig.WebTLSConfig is used to terminate TLS on the incoming connection,
	// but if HandlerDecs.TLSConfig is present it takes precedence over the ProxyConfig TLS configuration.
	TLSConfig *tls.Config
}

HandlerDecs describes the handler for particular protocols.

func (*HandlerDecs) CheckAndSetDefaults

func (h *HandlerDecs) CheckAndSetDefaults() error

type HandlerFunc

type HandlerFunc func(ctx context.Context, conn net.Conn) error

HandlerFunc is a common function signature used to handle a downstream connection for a particular ALPN protocol.

type HandlerFuncWithInfo

type HandlerFuncWithInfo func(ctx context.Context, conn net.Conn, info ConnectionInfo) error

HandlerFuncWithInfo is protocol handler function providing additional TLS insight. Used in cases where internal handler function must have access to hello message values without terminating the TLS connection.

func ExtractMySQLEngineVersion

func ExtractMySQLEngineVersion(fn func(ctx context.Context, conn net.Conn) error) HandlerFuncWithInfo

ExtractMySQLEngineVersion returns a pre-processing function for MySQL connections that tries to extract the MySQL server version from the incoming connection.
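How a handler can get at SNI and ALPN without terminating TLS, as an added example written for this page (not the package's implementation): the ClientHello is fed to Go's TLS parser through a connection wrapper that records what is read and refuses to write, so the handshake aborts right after GetConfigForClient has seen the hello, and the recorded bytes are replayed ahead of the live connection for whoever handles it next. The in-memory pipe client and the names it offers are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
)

// ConnectionInfo carries SNI and ALPN from the ClientHello, as the page's type does.
type ConnectionInfo struct {
	SNI  string
	ALPN []string
}

var errPeekOnly = errors.New("peek only")

// recorder keeps every byte the TLS parser consumes and swallows what it tries to send back,
// so the handshake stops right after the ClientHello has been parsed and nothing reaches the client.
type recorder struct {
	net.Conn
	buf bytes.Buffer
}

func (r *recorder) Read(p []byte) (int, error) {
	n, err := r.Conn.Read(p)
	r.buf.Write(p[:n])
	return n, err
}

func (r *recorder) Write([]byte) (int, error) { return 0, errPeekOnly }

// replayConn serves the recorded bytes before the live connection, so whoever terminates TLS
// next, or a ForwardTLS handler that passes it on, still receives the complete ClientHello.
type replayConn struct {
	net.Conn
	r io.Reader
}

func (c *replayConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// PeekClientHello extracts SNI and ALPN without completing or terminating the handshake and
// returns a connection that replays the consumed bytes.
func PeekClientHello(conn net.Conn) (ConnectionInfo, net.Conn, error) {
	rec := &recorder{Conn: conn}
	var info *ConnectionInfo
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		info = &ConnectionInfo{SNI: h.ServerName, ALPN: h.SupportedProtos}
		return nil, errPeekOnly // abort before any ServerHello is produced
	}}
	_ = tls.Server(rec, cfg).Handshake() // fails by design once the hello has been parsed
	if info == nil {
		return ConnectionInfo{}, nil, errors.New("no ClientHello received")
	}
	return *info, &replayConn{Conn: conn, r: io.MultiReader(&rec.buf, conn)}, nil
}

// peekFromClient drives a real Go TLS client over an in-memory pipe so the peek has a genuine
// ClientHello to parse, and returns the info plus the first byte the replay conn hands back
// (0x16: a TLS handshake record). The client's handshake is abandoned afterwards.
func peekFromClient(serverName string, alpn []string) (ConnectionInfo, byte, error) {
	client, server := net.Pipe()
	go func() {
		tls.Client(client, &tls.Config{ServerName: serverName, NextProtos: alpn, InsecureSkipVerify: true}).Handshake()
		client.Close()
	}()
	defer server.Close()
	info, replay, err := PeekClientHello(server)
	if err != nil {
		return info, 0, err
	}
	first := make([]byte, 1)
	_, err = replay.Read(first)
	return info, first[0], err
}

func main() {
	info, first, err := peekFromClient("kube.proxy.example.com", []string{"teleport-postgres", "http/1.1"})
	fmt.Printf("sni=%q alpn=%v firstReplayedByte=%#x err=%v\n", info.SNI, info.ALPN, first, err)
}
```

The abort happens before a ServerHello is produced, so the peer sees no handshake progress and a downstream TLS terminator (or a ForwardTLS handler that passes the connection on) receives exactly the bytes the client sent. Reading through the replay conn, not the original, is the part that is easy to get wrong.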

type ListenerMuxWrapper

type ListenerMuxWrapper struct {
	// net.Listener is the main service listener that is being wrapped.
	net.Listener
	// contains filtered or unexported fields
}

ListenerMuxWrapper wraps a net.Listener and multiplexes incoming connections from serviceListener with connections injected through the HandleConnection handler.

func NewMuxListenerWrapper

func NewMuxListenerWrapper(serviceListener, alpnListener net.Listener) *ListenerMuxWrapper

NewMuxListenerWrapper creates a new instance of ListenerMuxWrapper

func (*ListenerMuxWrapper) Accept

func (l *ListenerMuxWrapper) Accept() (net.Conn, error)

Accept waits for the next connection, whether injected by HandleConnection or received from serviceListener, and returns it.

func (*ListenerMuxWrapper) Addr

func (l *ListenerMuxWrapper) Addr() net.Addr

Addr returns the address of the listener. If both serviceListener and alpnListener were provided, the address of alpnListener is returned.

func (*ListenerMuxWrapper) Close

func (l *ListenerMuxWrapper) Close() error

Close the ListenerMuxWrapper.

func (*ListenerMuxWrapper) HandleConnection

func (l *ListenerMuxWrapper) HandleConnection(ctx context.Context, conn net.Conn) error

HandleConnection allows injecting a connection into the listener.

type LocalProxy

type LocalProxy struct {
	// contains filtered or unexported fields
}

LocalProxy accepts incoming connections, upgrades them to TLS with custom SNI and ALPN values set, and forwards the upgraded connection to the remote Teleport ALPN SNI proxy service.

func NewLocalProxy

func NewLocalProxy(cfg LocalProxyConfig) (*LocalProxy, error)

NewLocalProxy creates a new instance of LocalProxy.

func (*LocalProxy) CheckDBCerts

func (l *LocalProxy) CheckDBCerts(dbRoute tlsca.RouteToDatabase) error

CheckDBCerts checks the proxy certificates for expiration and that the cert subject matches a database route.

func (*LocalProxy) Close

func (l *LocalProxy) Close() error

func (*LocalProxy) GetAddr

func (l *LocalProxy) GetAddr() string

GetAddr returns the LocalProxy listener address.

func (*LocalProxy) SetCerts

func (l *LocalProxy) SetCerts(certs []tls.Certificate)

SetCerts sets the local proxy's configured TLS certificates.

func (*LocalProxy) Start

func (l *LocalProxy) Start(ctx context.Context) error

Start starts the LocalProxy.

func (*LocalProxy) StartAWSAccessProxy

func (l *LocalProxy) StartAWSAccessProxy(ctx context.Context) error

StartAWSAccessProxy starts the local AWS CLI proxy.

type LocalProxyConfig

type LocalProxyConfig struct {
	// RemoteProxyAddr is the downstream destination address of remote ALPN proxy service.
	RemoteProxyAddr string
	// Protocols are the ALPN protocols set for the upstream TLS connection.
	Protocols []common.Protocol
	// InsecureSkipVerify turns off verification of the upstream ALPN proxy service's x509 certificate.
	InsecureSkipVerify bool
	// Listener is listener running on local machine.
	Listener net.Listener
	// SNI is a ServerName value set for upstream TLS connection.
	SNI string
	// ParentContext is a parent context, used to signal global closure.
	ParentContext context.Context
	// SSHUser is an SSH username.
	SSHUser string
	// SSHUserHost is user host requested by ssh subsystem.
	SSHUserHost string
	// SSHHostKeyCallback is the function type used for verifying server keys.
	SSHHostKeyCallback ssh.HostKeyCallback
	// SSHTrustedCluster allows selecting trusted cluster ssh subsystem request.
	SSHTrustedCluster string
	// Certs are the client certificates used to connect to the remote Teleport Proxy.
	Certs []tls.Certificate
	// AWSCredentials are the AWS credentials used by LocalProxy for request signature verification.
	AWSCredentials *credentials.Credentials
	// RootCAs overwrites the root CAs used in tls.Config if specified.
	RootCAs *x509.CertPool
	// ALPNConnUpgradeRequired specifies if ALPN connection upgrade is required.
	ALPNConnUpgradeRequired bool
	// Middleware provides callback functions to the local proxy.
	Middleware LocalProxyMiddleware
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// Log is the Logger.
	Log logrus.FieldLogger
}

LocalProxyConfig is configuration for LocalProxy.

func (*LocalProxyConfig) CheckAndSetDefaults

func (cfg *LocalProxyConfig) CheckAndSetDefaults() error

CheckAndSetDefaults verifies the constraints for LocalProxyConfig.

func (*LocalProxyConfig) GetProtocols

func (cfg *LocalProxyConfig) GetProtocols() []string

type LocalProxyMiddleware

type LocalProxyMiddleware interface {
	// OnNewConnection is a callback triggered when a new downstream connection is
	// accepted by the local proxy. If an error is returned, the connection will be closed
	// by the local proxy.
	OnNewConnection(ctx context.Context, lp *LocalProxy, conn net.Conn) error
	// OnStart is a callback triggered when the local proxy starts.
	OnStart(ctx context.Context, lp *LocalProxy) error
}

LocalProxyMiddleware provides callback functions for LocalProxy.

type MatchFunc

type MatchFunc func(sni, alpn string) bool

MatchFunc is a type of the match route functions.

func MatchByALPNPrefix

func MatchByALPNPrefix(prefix string) MatchFunc

MatchByALPNPrefix creates a match function based on the client TLS ALPN protocol prefix.

func MatchByProtocol

func MatchByProtocol(protocols ...common.Protocol) MatchFunc

MatchByProtocol creates a match function based on the client TLS ALPN protocol.

func MatchByProtocolWithPing

func MatchByProtocolWithPing(protocols ...common.Protocol) MatchFunc

MatchByProtocolWithPing creates a match function based on the client TLS ALPN protocol that also matches the ping variations of the given protocols.
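The three match functions above and the first-match routing they feed, as an added example written for this page; the Router here is not the package's, and its http/1.1 default and "-ping" suffix are assumptions. The example also shows why registration order matters: a prefix rule registered ahead of an exact rule shadows it.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchFunc and the constructors below follow the signatures on this page.
type MatchFunc func(sni, alpn string) bool

func MatchByALPNPrefix(prefix string) MatchFunc {
	return func(_, alpn string) bool { return strings.HasPrefix(alpn, prefix) }
}

func MatchByProtocol(protocols ...string) MatchFunc {
	return func(_, alpn string) bool {
		for _, p := range protocols {
			if alpn == p {
				return true
			}
		}
		return false
	}
}

// MatchByProtocolWithPing also accepts a "-ping" variant of each protocol. That suffix is an
// assumption of this example; the page says only that ping variations are matched.
func MatchByProtocolWithPing(protocols ...string) MatchFunc {
	all := make([]string, 0, 2*len(protocols))
	for _, p := range protocols {
		all = append(all, p, p+"-ping")
	}
	return MatchByProtocol(all...)
}

// MatchBySNIPrefix is the "kube." style rule: it looks at SNI only and ignores ALPN.
func MatchBySNIPrefix(prefix string) MatchFunc {
	return func(sni, _ string) bool { return strings.HasPrefix(sni, prefix) }
}

type HandlerDesc struct {
	Name      string
	MatchFunc MatchFunc
}

type Router struct {
	handlers []HandlerDesc
}

func (r *Router) Add(d HandlerDesc) { r.handlers = append(r.handlers, d) }

// Route walks the client's ALPN list in its preference order and, for each value, the handlers
// in registration order; the first match wins. "http/1.1" is appended as a default so a client
// offering nothing the router knows still lands on the web handler (an assumption of this example).
func (r *Router) Route(sni string, alpn []string) (string, bool) {
	for _, proto := range append(append([]string{}, alpn...), "http/1.1") {
		for _, h := range r.handlers {
			if h.MatchFunc(sni, proto) {
				return h.Name, true
			}
		}
	}
	return "", false
}

// newDemoRouter registers handlers most-specific first unless prefixFirst is set, in which case
// the generic "teleport-" prefix rule shadows the exact postgres rule: the ordering pitfall.
func newDemoRouter(prefixFirst bool) *Router {
	r := &Router{}
	r.Add(HandlerDesc{Name: "kube", MatchFunc: MatchBySNIPrefix("kube.")})
	specific := HandlerDesc{Name: "postgres", MatchFunc: MatchByProtocolWithPing("teleport-postgres")}
	generic := HandlerDesc{Name: "db-generic", MatchFunc: MatchByALPNPrefix("teleport-")}
	if prefixFirst {
		specific, generic = generic, specific
	}
	r.Add(specific)
	r.Add(generic)
	r.Add(HandlerDesc{Name: "web", MatchFunc: MatchByProtocol("http/1.1", "h2")})
	return r
}

func main() {
	r := newDemoRouter(false)
	for _, in := range []struct {
		sni  string
		alpn []string
	}{
		{"proxy.example.com", []string{"teleport-postgres"}},
		{"proxy.example.com", []string{"teleport-postgres-ping"}},
		{"kube.proxy.example.com", nil},
		{"proxy.example.com", nil},
	} {
		name, ok := r.Route(in.sni, in.alpn)
		fmt.Printf("sni=%s alpn=%v -> %s (matched=%v)\n", in.sni, in.alpn, name, ok)
	}
	name, _ := newDemoRouter(true).Route("proxy.example.com", []string{"teleport-postgres"})
	fmt.Println("prefix rule registered first ->", name)
}
```

newDemoRouter(false) sends teleport-postgres and teleport-postgres-ping to postgres, teleport-mysql to db-generic, a kube. SNI with no ALPN to kube and plain HTTP to web; newDemoRouter(true) sends teleport-postgres to db-generic instead, which is why the package's Router is worth populating with the most specific rules first.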

type PingConn

type PingConn struct {
	//net.Conn
	*tls.Conn
	// contains filtered or unexported fields
}

PingConn wraps a *tls.Conn and adds ping capabilities to it, including a `WritePing` function and a `Read` that excludes ping packets.

When using this connection, every packet written is prefixed with its packet size. When reading, this size is taken into account but is not returned to the caller.

Ping messages have a packet size of zero and are produced only when `WritePing` is called. On `Read`, any ping packet is discarded.

func NewPingConn

func NewPingConn(conn *tls.Conn) *PingConn

NewPingConn returns a ping connection wrapping the provided *tls.Conn.

func (*PingConn) Read

func (c *PingConn) Read(p []byte) (int, error)

Read reads content from the underlying connection, discarding any ping messages it finds.

func (*PingConn) Write

func (c *PingConn) Write(p []byte) (int, error)

Write writes provided content to the underlying connection with proper protocol fields.

func (*PingConn) WritePing

func (c *PingConn) WritePing() error

WritePing writes the ping packet to the connection.
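The framing described for PingConn, as an added example written for this page rather than the package's code: every write is prefixed with its length, a zero-length frame is a ping, and Read skips pings while delivering data. The 4-byte big-endian length prefix is an assumption (the page only says the packet size is sent), the wrapped connection is a plain net.Conn instead of a *tls.Conn, and the pipe traffic is constructed input.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"sync"
)

// pingConn frames every Write as a 4-byte big-endian length followed by the payload. A zero
// length is a ping, which Read drops. The 4-byte width is an assumption of this example; the page
// says only that each packet carries its size.
type pingConn struct {
	net.Conn
	wmu       sync.Mutex // one frame at a time, so a ping never lands inside a data frame
	remaining uint32     // payload bytes still unread in the current data frame
}

func newPingConn(c net.Conn) *pingConn { return &pingConn{Conn: c} }

func (c *pingConn) writeFrame(p []byte) error {
	c.wmu.Lock()
	defer c.wmu.Unlock()
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(p)))
	if _, err := c.Conn.Write(hdr[:]); err != nil {
		return err
	}
	if len(p) == 0 {
		return nil
	}
	_, err := c.Conn.Write(p)
	return err
}

// WritePing sends an empty frame; the peer's Read consumes it without returning anything.
func (c *pingConn) WritePing() error { return c.writeFrame(nil) }

// Write refuses empty writes so application data can never be mistaken for a ping.
func (c *pingConn) Write(p []byte) (int, error) {
	if len(p) == 0 {
		return 0, nil
	}
	if err := c.writeFrame(p); err != nil {
		return 0, err
	}
	return len(p), nil
}

// Read returns payload bytes only, skipping any number of ping frames in between.
func (c *pingConn) Read(p []byte) (int, error) {
	for c.remaining == 0 {
		var hdr [4]byte
		if _, err := io.ReadFull(c.Conn, hdr[:]); err != nil {
			return 0, err
		}
		c.remaining = binary.BigEndian.Uint32(hdr[:]) // zero means ping: loop to the next frame
	}
	if uint32(len(p)) > c.remaining {
		p = p[:c.remaining]
	}
	n, err := c.Conn.Read(p)
	c.remaining -= uint32(n)
	return n, err
}

// roundTrip writes chunks, with pingsBetween pings before each, over one end of a pipe and
// returns everything the other end's Read delivered (constructed input, no network involved).
func roundTrip(chunks []string, pingsBetween int) (string, error) {
	a, b := net.Pipe()
	w, r := newPingConn(a), newPingConn(b)
	werr := make(chan error, 1)
	go func() {
		defer a.Close()
		for _, chunk := range chunks {
			for i := 0; i < pingsBetween; i++ {
				if err := w.WritePing(); err != nil {
					werr <- err
					return
				}
			}
			if _, err := io.WriteString(w, chunk); err != nil {
				werr <- err
				return
			}
		}
		werr <- nil
	}()
	got, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	if err := <-werr; err != nil {
		return "", err
	}
	return string(got), nil
}

func main() {
	out, err := roundTrip([]string{"SELECT 1;", "SELECT 2;"}, 3)
	fmt.Printf("%q %v\n", out, err)
}
```

roundTrip returns the concatenated chunks and nothing else, whatever pingsBetween is; the write mutex is what keeps a ping from being interleaved into the middle of a data frame when WritePing is driven from a separate keep-alive goroutine, which is how the PingInterval in ProxyConfig would use it.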

type Proxy

type Proxy struct {
	// contains filtered or unexported fields
}

Proxy is a server that routes downstream connections to a particular service based on their TLS SNI and ALPN values.

func New

func New(cfg ProxyConfig) (*Proxy, error)

New creates a new instance of the Proxy.

func (*Proxy) Close

func (p *Proxy) Close() error

Close the Proxy server.

func (*Proxy) MakeConnectionHandler

func (p *Proxy) MakeConnectionHandler(defaultOverride *tls.Config) ConnectionHandler

MakeConnectionHandler creates a ConnectionHandler which provides a callback to handle incoming connections by this ALPN proxy server.

func (*Proxy) Serve

func (p *Proxy) Serve(ctx context.Context) error

Serve starts accepting connections.

type ProxyConfig

type ProxyConfig struct {
	// Listener is a listener to serve requests on.
	Listener net.Listener
	// WebTLSConfig specifies the TLS configuration used by the Proxy server.
	WebTLSConfig *tls.Config
	// Router contains definition of protocol routing and handlers description.
	Router *Router
	// Log is used for logging.
	Log logrus.FieldLogger
	// Clock is a clock to override in tests, set to real time clock
	// by default
	Clock clockwork.Clock
	// ReadDeadline is a connection read deadline during the TLS handshake (start
	// of the connection). It is set to defaults.HandshakeReadDeadline if
	// unspecified.
	ReadDeadline time.Duration
	// IdentityTLSConfig is the TLS ProxyRole identity used by servers with localhost SAN values.
	IdentityTLSConfig *tls.Config
	// AccessPoint is the auth server client.
	AccessPoint auth.ReadProxyAccessPoint
	// ClusterName is the name of the teleport cluster.
	ClusterName string
	// PingInterval defines the ping interval for ping-wrapped connections.
	PingInterval time.Duration
}

ProxyConfig is the configuration for an ALPN proxy server.

func (*ProxyConfig) CheckAndSetDefaults

func (c *ProxyConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets default values of ProxyConfig

type Router

type Router struct {
	// contains filtered or unexported fields
}

Router contains information about protocol handlers and routing rules.

func NewRouter

func NewRouter() *Router

NewRouter creates a new ALPN router.

func (*Router) Add

func (r *Router) Add(desc HandlerDecs)

Add registers the provided HandlerDecs as an ALPN handler of the router.

func (*Router) AddDBTLSHandler

func (r *Router) AddDBTLSHandler(handler HandlerFunc)

AddDBTLSHandler adds the handler for DB TLS traffic.

func (*Router) AddKubeHandler

func (r *Router) AddKubeHandler(handler HandlerFunc)

AddKubeHandler adds the handler for the Kubernetes protocol (distinguishable by the "kube." SNI prefix).

func (*Router) CheckAndSetDefaults

func (r *Router) CheckAndSetDefaults() error

CheckAndSetDefaults verifies the constraints for Router.
