Add muxer for TCP Routers

2022-03-17 11:02:08 -06:00 · 2022-03-17 11:02:08 -06:00 · dad76e0478
commit dad76e0478
parent 79aab5aab8
39 changed files with 2661 additions and 901 deletions
--- a/pkg/server/router/tcp/manager.go
+++ b/pkg/server/router/tcp/manager.go
@ -0,0 +1,365 @@
+package tcp
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"github.com/traefik/traefik/v2/pkg/config/runtime"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/middlewares/snicheck"
+	httpmuxer "github.com/traefik/traefik/v2/pkg/muxer/http"
+	tcpmuxer "github.com/traefik/traefik/v2/pkg/muxer/tcp"
+	"github.com/traefik/traefik/v2/pkg/server/provider"
+	tcpservice "github.com/traefik/traefik/v2/pkg/server/service/tcp"
+	"github.com/traefik/traefik/v2/pkg/tcp"
+	traefiktls "github.com/traefik/traefik/v2/pkg/tls"
+)
+
+type middlewareBuilder interface {
+	BuildChain(ctx context.Context, names []string) *tcp.Chain
+}
+
+// NewManager Creates a new Manager.
+func NewManager(conf *runtime.Configuration,
+	serviceManager *tcpservice.Manager,
+	middlewaresBuilder middlewareBuilder,
+	httpHandlers map[string]http.Handler,
+	httpsHandlers map[string]http.Handler,
+	tlsManager *traefiktls.Manager,
+) *Manager {
+	return &Manager{
+		serviceManager:     serviceManager,
+		middlewaresBuilder: middlewaresBuilder,
+		httpHandlers:       httpHandlers,
+		httpsHandlers:      httpsHandlers,
+		tlsManager:         tlsManager,
+		conf:               conf,
+	}
+}
+
+// Manager is a route/router manager.
+type Manager struct {
+	serviceManager     *tcpservice.Manager
+	middlewaresBuilder middlewareBuilder
+	httpHandlers       map[string]http.Handler
+	httpsHandlers      map[string]http.Handler
+	tlsManager         *traefiktls.Manager
+	conf               *runtime.Configuration
+}
+
+func (m *Manager) getTCPRouters(ctx context.Context, entryPoints []string) map[string]map[string]*runtime.TCPRouterInfo {
+	if m.conf != nil {
+		return m.conf.GetTCPRoutersByEntryPoints(ctx, entryPoints)
+	}
+
+	return make(map[string]map[string]*runtime.TCPRouterInfo)
+}
+
+func (m *Manager) getHTTPRouters(ctx context.Context, entryPoints []string, tls bool) map[string]map[string]*runtime.RouterInfo {
+	if m.conf != nil {
+		return m.conf.GetRoutersByEntryPoints(ctx, entryPoints, tls)
+	}
+
+	return make(map[string]map[string]*runtime.RouterInfo)
+}
+
+// BuildHandlers builds the handlers for the given entrypoints.
+func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string) map[string]*Router {
+	entryPointsRouters := m.getTCPRouters(rootCtx, entryPoints)
+	entryPointsRoutersHTTP := m.getHTTPRouters(rootCtx, entryPoints, true)
+
+	entryPointHandlers := make(map[string]*Router)
+	for _, entryPointName := range entryPoints {
+		entryPointName := entryPointName
+
+		routers := entryPointsRouters[entryPointName]
+
+		ctx := log.With(rootCtx, log.Str(log.EntryPointName, entryPointName))
+
+		handler, err := m.buildEntryPointHandler(ctx, routers, entryPointsRoutersHTTP[entryPointName], m.httpHandlers[entryPointName], m.httpsHandlers[entryPointName])
+		if err != nil {
+			log.FromContext(ctx).Error(err)
+			continue
+		}
+		entryPointHandlers[entryPointName] = handler
+	}
+	return entryPointHandlers
+}
+
+type nameAndConfig struct {
+	routerName string // just so we have it as additional information when logging
+	TLSConfig  *tls.Config
+}
+
+func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*runtime.TCPRouterInfo, configsHTTP map[string]*runtime.RouterInfo, handlerHTTP, handlerHTTPS http.Handler) (*Router, error) {
+	// Build a new Router.
+	router, err := NewRouter()
+	if err != nil {
+		return nil, err
+	}
+
+	router.SetHTTPHandler(handlerHTTP)
+
+	defaultTLSConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, traefiktls.DefaultTLSConfigName)
+	if err != nil {
+		log.FromContext(ctx).Errorf("Error during the build of the default TLS configuration: %v", err)
+	}
+
+	// Keyed by domain. The source of truth for doing SNI checking, and for what TLS
+	// options will actually be used for the connection.
+	// As soon as there's (at least) two different tlsOptions found for the same domain,
+	// we set the value to the default TLS conf.
+	tlsOptionsForHost := map[string]string{}
+
+	// Keyed by domain, then by options reference.
+	// As opposed to tlsOptionsForHost, it keeps track of all the (different) TLS
+	// options that occur for a given host name, so that later on we can set relevant
+	// errors and logging for all the routers concerned (i.e. wrongly configured).
+	tlsOptionsForHostSNI := map[string]map[string]nameAndConfig{}
+
+	for routerHTTPName, routerHTTPConfig := range configsHTTP {
+		if routerHTTPConfig.TLS == nil {
+			continue
+		}
+
+		ctxRouter := log.With(provider.AddInContext(ctx, routerHTTPName), log.Str(log.RouterName, routerHTTPName))
+		logger := log.FromContext(ctxRouter)
+
+		tlsOptionsName := traefiktls.DefaultTLSConfigName
+		if len(routerHTTPConfig.TLS.Options) > 0 && routerHTTPConfig.TLS.Options != traefiktls.DefaultTLSConfigName {
+			tlsOptionsName = provider.GetQualifiedName(ctxRouter, routerHTTPConfig.TLS.Options)
+		}
+
+		domains, err := httpmuxer.ParseDomains(routerHTTPConfig.Rule)
+		if err != nil {
+			routerErr := fmt.Errorf("invalid rule %s, error: %w", routerHTTPConfig.Rule, err)
+			routerHTTPConfig.AddError(routerErr, true)
+			logger.Error(routerErr)
+			continue
+		}
+
+		if len(domains) == 0 {
+			// Extra Host(*) rule, for HTTPS routers with no Host rule, and for requests for
+			// which the SNI does not match _any_ of the other existing routers Host. This is
+			// only about choosing the TLS configuration. The actual routing will be done
+			// further on by the HTTPS handler. See examples below.
+			router.AddHTTPTLSConfig("*", defaultTLSConf)
+
+			// The server name (from a Host(SNI) rule) is the only parameter (available in
+			// HTTP routing rules) on which we can map a TLS config, because it is the only one
+			// accessible before decryption (we obtain it during the ClientHello). Therefore,
+			// when a router has no Host rule, it does not make any sense to specify some TLS
+			// options. Consequently, when it comes to deciding what TLS config will be used,
+			// for a request that will match an HTTPS router with no Host rule, the result will
+			// depend on the _others_ existing routers (their Host rule, to be precise), and
+			// the TLS options associated with them, even though they don't match the incoming
+			// request. Consider the following examples:
+
+			//	# conf1
+			//	httpRouter1:
+			//		rule: PathPrefix("/foo")
+			//	# Wherever the request comes from, the TLS config used will be the default one, because of the Host(*) fallback.
+
+			//	# conf2
+			//	httpRouter1:
+			//		rule: PathPrefix("/foo")
+			//
+			//	httpRouter2:
+			//		rule: Host("foo.com") && PathPrefix("/bar")
+			//		tlsoptions: myTLSOptions
+			//	# When a request for "/foo" comes, even though it won't be routed by
+			//	httpRouter2, if its SNI is set to foo.com, myTLSOptions will be used for the TLS
+			//	connection. Otherwise, it will fallback to the default TLS config.
+			logger.Warnf("No domain found in rule %v, the TLS options applied for this router will depend on the SNI of each request", routerHTTPConfig.Rule)
+		}
+
+		tlsConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, tlsOptionsName)
+		if err != nil {
+			routerHTTPConfig.AddError(err, true)
+			logger.Error(err)
+			continue
+		}
+
+		for _, domain := range domains {
+			// domain is already in lower case thanks to the domain parsing
+			if tlsOptionsForHostSNI[domain] == nil {
+				tlsOptionsForHostSNI[domain] = make(map[string]nameAndConfig)
+			}
+			tlsOptionsForHostSNI[domain][tlsOptionsName] = nameAndConfig{
+				routerName: routerHTTPName,
+				TLSConfig:  tlsConf,
+			}
+
+			if name, ok := tlsOptionsForHost[domain]; ok && name != tlsOptionsName {
+				// Different tlsOptions on the same domain, so fallback to default
+				tlsOptionsForHost[domain] = traefiktls.DefaultTLSConfigName
+			} else {
+				tlsOptionsForHost[domain] = tlsOptionsName
+			}
+		}
+	}
+
+	sniCheck := snicheck.New(tlsOptionsForHost, handlerHTTPS)
+
+	router.SetHTTPSHandler(sniCheck, defaultTLSConf)
+
+	logger := log.FromContext(ctx)
+	for hostSNI, tlsConfigs := range tlsOptionsForHostSNI {
+		if len(tlsConfigs) == 1 {
+			var optionsName string
+			var config *tls.Config
+			for k, v := range tlsConfigs {
+				optionsName = k
+				config = v.TLSConfig
+				break
+			}
+
+			logger.Debugf("Adding route for %s with TLS options %s", hostSNI, optionsName)
+
+			router.AddHTTPTLSConfig(hostSNI, config)
+		} else {
+			routers := make([]string, 0, len(tlsConfigs))
+			for _, v := range tlsConfigs {
+				configsHTTP[v.routerName].AddError(fmt.Errorf("found different TLS options for routers on the same host %v, so using the default TLS options instead", hostSNI), false)
+				routers = append(routers, v.routerName)
+			}
+
+			logger.Warnf("Found different TLS options for routers on the same host %v, so using the default TLS options instead for these routers: %#v", hostSNI, routers)
+
+			router.AddHTTPTLSConfig(hostSNI, defaultTLSConf)
+		}
+	}
+
+	for routerName, routerConfig := range configs {
+		ctxRouter := log.With(provider.AddInContext(ctx, routerName), log.Str(log.RouterName, routerName))
+		logger := log.FromContext(ctxRouter)
+
+		if routerConfig.Service == "" {
+			err := errors.New("the service is missing on the router")
+			routerConfig.AddError(err, true)
+			logger.Error(err)
+			continue
+		}
+
+		if routerConfig.Rule == "" {
+			err := errors.New("router has no rule")
+			routerConfig.AddError(err, true)
+			logger.Error(err)
+			continue
+		}
+
+		handler, err := m.buildTCPHandler(ctxRouter, routerConfig)
+		if err != nil {
+			routerConfig.AddError(err, true)
+			logger.Error(err)
+			continue
+		}
+
+		domains, err := tcpmuxer.ParseHostSNI(routerConfig.Rule)
+		if err != nil {
+			routerErr := fmt.Errorf("invalid rule: %q , %w", routerConfig.Rule, err)
+			routerConfig.AddError(routerErr, true)
+			logger.Error(routerErr)
+			continue
+		}
+
+		// HostSNI Rule, but TLS not set on the router, which is an error.
+		// However, we allow the HostSNI(*) exception.
+		if len(domains) > 0 && routerConfig.TLS == nil && domains[0] != "*" {
+			routerErr := fmt.Errorf("invalid rule: %q , has HostSNI matcher, but no TLS on router", routerConfig.Rule)
+			routerConfig.AddError(routerErr, true)
+			logger.Error(routerErr)
+		}
+
+		if routerConfig.TLS == nil {
+			logger.Debugf("Adding route for %q", routerConfig.Rule)
+			if err := router.AddRoute(routerConfig.Rule, routerConfig.Priority, handler); err != nil {
+				routerConfig.AddError(err, true)
+				logger.Error(err)
+			}
+			continue
+		}
+
+		if routerConfig.TLS.Passthrough {
+			logger.Debugf("Adding Passthrough route for %q", routerConfig.Rule)
+			if err := router.AddRouteTLS(routerConfig.Rule, routerConfig.Priority, handler, nil); err != nil {
+				routerConfig.AddError(err, true)
+				logger.Error(err)
+			}
+			continue
+		}
+
+		for _, domain := range domains {
+			if httpmuxer.IsASCII(domain) {
+				continue
+			}
+
+			asciiError := fmt.Errorf("invalid domain name value %q, non-ASCII characters are not allowed", domain)
+			routerConfig.AddError(asciiError, true)
+			logger.Error(asciiError)
+		}
+
+		tlsOptionsName := routerConfig.TLS.Options
+
+		if len(tlsOptionsName) == 0 {
+			tlsOptionsName = traefiktls.DefaultTLSConfigName
+		}
+
+		if tlsOptionsName != traefiktls.DefaultTLSConfigName {
+			tlsOptionsName = provider.GetQualifiedName(ctxRouter, tlsOptionsName)
+		}
+
+		tlsConf, err := m.tlsManager.Get(traefiktls.DefaultTLSStoreName, tlsOptionsName)
+		if err != nil {
+			routerConfig.AddError(err, true)
+			logger.Error(err)
+			continue
+		}
+
+		// Now that the Rule is not just about the Host, we could theoretically have a config like:
+		//	router1:
+		//		rule: HostSNI(foo.com) && ClientIP(IP1)
+		//		tlsOption: tlsOne
+		//	router2:
+		//		rule: HostSNI(foo.com) && ClientIP(IP2)
+		//		tlsOption: tlsTwo
+		// i.e. same HostSNI but different tlsOptions
+		// This is only applicable if the muxer can decide about the routing _before_
+		// telling the client about the tlsConf (i.e. before the TLS HandShake). This seems
+		// to be the case so far with the existing matchers (HostSNI, and ClientIP), so
+		// it's all good. Otherwise, we would have to do as for HTTPS, i.e. disallow
+		// different TLS configs for the same HostSNIs.
+
+		logger.Debugf("Adding TLS route for %q", routerConfig.Rule)
+		if err := router.AddRouteTLS(routerConfig.Rule, routerConfig.Priority, handler, tlsConf); err != nil {
+			routerConfig.AddError(err, true)
+			logger.Error(err)
+		}
+	}
+
+	return router, nil
+}
+
+func (m *Manager) buildTCPHandler(ctx context.Context, router *runtime.TCPRouterInfo) (tcp.Handler, error) {
+	var qualifiedNames []string
+	for _, name := range router.Middlewares {
+		qualifiedNames = append(qualifiedNames, provider.GetQualifiedName(ctx, name))
+	}
+	router.Middlewares = qualifiedNames
+
+	if router.Service == "" {
+		return nil, errors.New("the service is missing on the router")
+	}
+
+	sHandler, err := m.serviceManager.BuildTCP(ctx, router.Service)
+	if err != nil {
+		return nil, err
+	}
+
+	mHandler := m.middlewaresBuilder.BuildChain(ctx, router.Middlewares)
+
+	return tcp.NewChain().Extend(*mHandler).Then(sHandler)
+}