Introduce a fast proxy mode to improve HTTP/1.1 performances with backends

Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
2024-09-26 11:00:05 +02:00 · 2024-09-26 11:00:05 +02:00 · f8a78b3b25
commit f8a78b3b25
parent a6db1cac37
39 changed files with 3173 additions and 378 deletions
--- a/pkg/server/service/transport.go
+++ b/pkg/server/service/transport.go
@ -0,0 +1,340 @@
+package service
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"reflect"
+	"slices"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	traefiktls "github.com/traefik/traefik/v3/pkg/tls"
+	"github.com/traefik/traefik/v3/pkg/types"
+)
+
+// SpiffeX509Source allows to retrieve a x509 SVID and bundle.
+type SpiffeX509Source interface {
+	x509svid.Source
+	x509bundle.Source
+}
+
+// TransportManager handles transports for backend communication.
+type TransportManager struct {
+	rtLock        sync.RWMutex
+	roundTrippers map[string]http.RoundTripper
+	configs       map[string]*dynamic.ServersTransport
+	tlsConfigs    map[string]*tls.Config
+
+	spiffeX509Source SpiffeX509Source
+}
+
+// NewTransportManager creates a new TransportManager.
+func NewTransportManager(spiffeX509Source SpiffeX509Source) *TransportManager {
+	return &TransportManager{
+		roundTrippers:    make(map[string]http.RoundTripper),
+		configs:          make(map[string]*dynamic.ServersTransport),
+		tlsConfigs:       make(map[string]*tls.Config),
+		spiffeX509Source: spiffeX509Source,
+	}
+}
+
+// Update updates the transport configurations.
+func (t *TransportManager) Update(newConfigs map[string]*dynamic.ServersTransport) {
+	t.rtLock.Lock()
+	defer t.rtLock.Unlock()
+
+	for configName, config := range t.configs {
+		newConfig, ok := newConfigs[configName]
+		if !ok {
+			delete(t.configs, configName)
+			delete(t.roundTrippers, configName)
+			delete(t.tlsConfigs, configName)
+			continue
+		}
+
+		if reflect.DeepEqual(newConfig, config) {
+			continue
+		}
+
+		var err error
+
+		var tlsConfig *tls.Config
+		if tlsConfig, err = t.createTLSConfig(newConfig); err != nil {
+			log.Error().Err(err).Msgf("Could not configure HTTP Transport %s TLS configuration, fallback on default TLS config", configName)
+		}
+		t.tlsConfigs[configName] = tlsConfig
+
+		t.roundTrippers[configName], err = t.createRoundTripper(newConfig, tlsConfig)
+		if err != nil {
+			log.Error().Err(err).Msgf("Could not configure HTTP Transport %s, fallback on default transport", configName)
+			t.roundTrippers[configName] = http.DefaultTransport
+		}
+	}
+
+	for newConfigName, newConfig := range newConfigs {
+		if _, ok := t.configs[newConfigName]; ok {
+			continue
+		}
+
+		var err error
+
+		var tlsConfig *tls.Config
+		if tlsConfig, err = t.createTLSConfig(newConfig); err != nil {
+			log.Error().Err(err).Msgf("Could not configure HTTP Transport %s TLS configuration, fallback on default TLS config", newConfigName)
+		}
+		t.tlsConfigs[newConfigName] = tlsConfig
+
+		t.roundTrippers[newConfigName], err = t.createRoundTripper(newConfig, tlsConfig)
+		if err != nil {
+			log.Error().Err(err).Msgf("Could not configure HTTP Transport %s, fallback on default transport", newConfigName)
+			t.roundTrippers[newConfigName] = http.DefaultTransport
+		}
+	}
+
+	t.configs = newConfigs
+}
+
+// GetRoundTripper gets a roundtripper corresponding to the given transport name.
+func (t *TransportManager) GetRoundTripper(name string) (http.RoundTripper, error) {
+	if len(name) == 0 {
+		name = "default@internal"
+	}
+
+	t.rtLock.RLock()
+	defer t.rtLock.RUnlock()
+
+	if rt, ok := t.roundTrippers[name]; ok {
+		return rt, nil
+	}
+
+	return nil, fmt.Errorf("servers transport not found %s", name)
+}
+
+// Get gets transport by name.
+func (t *TransportManager) Get(name string) (*dynamic.ServersTransport, error) {
+	if len(name) == 0 {
+		name = "default@internal"
+	}
+
+	t.rtLock.RLock()
+	defer t.rtLock.RUnlock()
+
+	if rt, ok := t.configs[name]; ok {
+		return rt, nil
+	}
+
+	return nil, fmt.Errorf("servers transport not found %s", name)
+}
+
+// GetTLSConfig gets a TLS config  corresponding to the given transport name.
+func (t *TransportManager) GetTLSConfig(name string) (*tls.Config, error) {
+	if len(name) == 0 {
+		name = "default@internal"
+	}
+
+	t.rtLock.RLock()
+	defer t.rtLock.RUnlock()
+
+	if rt, ok := t.tlsConfigs[name]; ok {
+		return rt, nil
+	}
+
+	return nil, fmt.Errorf("tls config not found %s", name)
+}
+
+func (t *TransportManager) createTLSConfig(cfg *dynamic.ServersTransport) (*tls.Config, error) {
+	var config *tls.Config
+	if cfg.Spiffe != nil {
+		if t.spiffeX509Source == nil {
+			return nil, errors.New("SPIFFE is enabled for this transport, but not configured")
+		}
+
+		spiffeAuthorizer, err := buildSpiffeAuthorizer(cfg.Spiffe)
+		if err != nil {
+			return nil, fmt.Errorf("unable to build SPIFFE authorizer: %w", err)
+		}
+
+		config = tlsconfig.MTLSClientConfig(t.spiffeX509Source, t.spiffeX509Source, spiffeAuthorizer)
+	}
+
+	if cfg.InsecureSkipVerify || len(cfg.RootCAs) > 0 || len(cfg.ServerName) > 0 || len(cfg.Certificates) > 0 || cfg.PeerCertURI != "" {
+		if config != nil {
+			return nil, errors.New("TLS and SPIFFE configuration cannot be defined at the same time")
+		}
+
+		config = &tls.Config{
+			ServerName:         cfg.ServerName,
+			InsecureSkipVerify: cfg.InsecureSkipVerify,
+			RootCAs:            createRootCACertPool(cfg.RootCAs),
+			Certificates:       cfg.Certificates.GetCertificates(),
+		}
+
+		if cfg.PeerCertURI != "" {
+			config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+				return traefiktls.VerifyPeerCertificate(cfg.PeerCertURI, config, rawCerts)
+			}
+		}
+	}
+
+	return config, nil
+}
+
+// createRoundTripper creates an http.RoundTripper configured with the Transport configuration settings.
+// For the settings that can't be configured in Traefik it uses the default http.Transport settings.
+// An exception to this is the MaxIdleConns setting as we only provide the option MaxIdleConnsPerHost in Traefik at this point in time.
+// Setting this value to the default of 100 could lead to confusing behavior and backwards compatibility issues.
+func (t *TransportManager) createRoundTripper(cfg *dynamic.ServersTransport, tlsConfig *tls.Config) (http.RoundTripper, error) {
+	if cfg == nil {
+		return nil, errors.New("no transport configuration given")
+	}
+
+	dialer := &net.Dialer{
+		Timeout:   30 * time.Second,
+		KeepAlive: 30 * time.Second,
+	}
+
+	if cfg.ForwardingTimeouts != nil {
+		dialer.Timeout = time.Duration(cfg.ForwardingTimeouts.DialTimeout)
+	}
+
+	transport := &http.Transport{
+		Proxy:                 http.ProxyFromEnvironment,
+		DialContext:           dialer.DialContext,
+		MaxIdleConnsPerHost:   cfg.MaxIdleConnsPerHost,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		ReadBufferSize:        64 * 1024,
+		WriteBufferSize:       64 * 1024,
+		TLSClientConfig:       tlsConfig,
+	}
+
+	if cfg.ForwardingTimeouts != nil {
+		transport.ResponseHeaderTimeout = time.Duration(cfg.ForwardingTimeouts.ResponseHeaderTimeout)
+		transport.IdleConnTimeout = time.Duration(cfg.ForwardingTimeouts.IdleConnTimeout)
+	}
+
+	// Return directly HTTP/1.1 transport when HTTP/2 is disabled
+	if cfg.DisableHTTP2 {
+		return &kerberosRoundTripper{
+			OriginalRoundTripper: transport,
+			new: func() http.RoundTripper {
+				return transport.Clone()
+			},
+		}, nil
+	}
+
+	rt, err := newSmartRoundTripper(transport, cfg.ForwardingTimeouts)
+	if err != nil {
+		return nil, err
+	}
+	return &kerberosRoundTripper{
+		OriginalRoundTripper: rt,
+		new: func() http.RoundTripper {
+			return rt.Clone()
+		},
+	}, nil
+}
+
+type stickyRoundTripper struct {
+	RoundTripper http.RoundTripper
+}
+
+type transportKeyType string
+
+var transportKey transportKeyType = "transport"
+
+func AddTransportOnContext(ctx context.Context) context.Context {
+	return context.WithValue(ctx, transportKey, &stickyRoundTripper{})
+}
+
+type kerberosRoundTripper struct {
+	new                  func() http.RoundTripper
+	OriginalRoundTripper http.RoundTripper
+}
+
+func (k *kerberosRoundTripper) RoundTrip(request *http.Request) (*http.Response, error) {
+	value, ok := request.Context().Value(transportKey).(*stickyRoundTripper)
+	if !ok {
+		return k.OriginalRoundTripper.RoundTrip(request)
+	}
+
+	if value.RoundTripper != nil {
+		return value.RoundTripper.RoundTrip(request)
+	}
+
+	resp, err := k.OriginalRoundTripper.RoundTrip(request)
+
+	// If we found that we are authenticating with Kerberos (Negotiate) or NTLM.
+	// We put a dedicated roundTripper in the ConnContext.
+	// This will stick the next calls to the same connection with the backend.
+	if err == nil && containsNTLMorNegotiate(resp.Header.Values("WWW-Authenticate")) {
+		value.RoundTripper = k.new()
+	}
+	return resp, err
+}
+
+func containsNTLMorNegotiate(h []string) bool {
+	return slices.ContainsFunc(h, func(s string) bool {
+		return strings.HasPrefix(s, "NTLM") || strings.HasPrefix(s, "Negotiate")
+	})
+}
+
+func createRootCACertPool(rootCAs []types.FileOrContent) *x509.CertPool {
+	if len(rootCAs) == 0 {
+		return nil
+	}
+
+	roots := x509.NewCertPool()
+
+	for _, cert := range rootCAs {
+		certContent, err := cert.Read()
+		if err != nil {
+			log.Error().Err(err).Msg("Error while read RootCAs")
+			continue
+		}
+		roots.AppendCertsFromPEM(certContent)
+	}
+
+	return roots
+}
+
+func buildSpiffeAuthorizer(cfg *dynamic.Spiffe) (tlsconfig.Authorizer, error) {
+	switch {
+	case len(cfg.IDs) > 0:
+		spiffeIDs := make([]spiffeid.ID, 0, len(cfg.IDs))
+		for _, rawID := range cfg.IDs {
+			id, err := spiffeid.FromString(rawID)
+			if err != nil {
+				return nil, fmt.Errorf("invalid SPIFFE ID: %w", err)
+			}
+
+			spiffeIDs = append(spiffeIDs, id)
+		}
+
+		return tlsconfig.AuthorizeOneOf(spiffeIDs...), nil
+
+	case cfg.TrustDomain != "":
+		trustDomain, err := spiffeid.TrustDomainFromString(cfg.TrustDomain)
+		if err != nil {
+			return nil, fmt.Errorf("invalid SPIFFE trust domain: %w", err)
+		}
+
+		return tlsconfig.AuthorizeMemberOf(trustDomain), nil
+
+	default:
+		return tlsconfig.AuthorizeAny(), nil
+	}
+}