Documentation ¶
Index ¶
- Variables
- func CheckCertSubject(cert *x509.Certificate, dbRoute tlsca.RouteToDatabase) error
- func CreateKubeLocalCAs(key *keys.PrivateKey, teleportClusters []string) (map[string]tls.Certificate, error)
- func IsConnectRequest(req *http.Request) bool
- func MatchAWSRequests(req *http.Request) bool
- func MatchAllRequests(req *http.Request) bool
- func MatchAzureRequests(req *http.Request) bool
- func MatchGCPRequests(req *http.Request) bool
- func NewKubeListener(casByTeleportCluster map[string]tls.Certificate) (net.Listener, error)
- type AWSAccessMiddleware
- type AuthorizationCheckerMiddleware
- type AzureMSIMiddleware
- type CertGenListener
- type CertGenListenerConfig
- type ConnectRequestHandler
- type ConnectionHandler
- type ConnectionHandlerWrapper
- type ConnectionInfo
- type DefaultLocalProxyHTTPMiddleware
- func (m *DefaultLocalProxyHTTPMiddleware) CheckAndSetDefaults() error
- func (m *DefaultLocalProxyHTTPMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
- func (m *DefaultLocalProxyHTTPMiddleware) HandleResponse(resp *http.Response) error
- func (m *DefaultLocalProxyHTTPMiddleware) OverwriteClientCerts(req *http.Request) ([]tls.Certificate, error)
- type ForwardProxy
- type ForwardProxyConfig
- type ForwardToHostHandler
- type ForwardToHostHandlerConfig
- type ForwardToSystemProxyHandler
- type ForwardToSystemProxyHandlerConfig
- type GetClusterCACertPoolFunc
- type HandlerDecs
- type HandlerFunc
- type HandlerFuncWithInfo
- type KubeCertReissuer
- type KubeClientCerts
- type KubeForwardProxyConfig
- type KubeMiddleware
- type KubeMiddlewareConfig
- type ListenerMuxWrapper
- type LocalProxy
- func (l *LocalProxy) CheckDBCerts(dbRoute tlsca.RouteToDatabase) error
- func (l *LocalProxy) Close() error
- func (l *LocalProxy) GetAddr() string
- func (l *LocalProxy) SetCerts(certs []tls.Certificate)
- func (l *LocalProxy) Start(ctx context.Context) error
- func (l *LocalProxy) StartHTTPAccessProxy(ctx context.Context) error
- type LocalProxyConfig
- type LocalProxyConfigOpt
- func WithALPNConnUpgradeTest(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
- func WithALPNProtocol(protocol common.Protocol) LocalProxyConfigOpt
- func WithCheckCertsNeeded() LocalProxyConfigOpt
- func WithClientCerts(certs ...tls.Certificate) LocalProxyConfigOpt
- func WithClusterCAs(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
- func WithClusterCAsIfConnUpgrade(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
- func WithDatabaseProtocol(dbProtocol string) LocalProxyConfigOpt
- func WithHTTPMiddleware(middleware LocalProxyHTTPMiddleware) LocalProxyConfigOpt
- func WithMiddleware(middleware LocalProxyMiddleware) LocalProxyConfigOpt
- func WithMySQLVersionProto(db types.Database) LocalProxyConfigOpt
- func WithSNI(sni string) LocalProxyConfigOpt
- type LocalProxyHTTPMiddleware
- type LocalProxyMiddleware
- type MatchFunc
- type Proxy
- type ProxyConfig
- type Router
Constants ¶
This section is empty.
Variables ¶
var ErrUserInputRequired = errors.New("user input required")
ErrUserInputRequired is returned when user input is required to re-login and/or reissue a new certificate.
Functions ¶
func CheckCertSubject ¶
func CheckCertSubject(cert *x509.Certificate, dbRoute tlsca.RouteToDatabase) error
CheckCertSubject checks if the route to the database from the cert matches the provided route in terms of username and database (if present).
func CreateKubeLocalCAs ¶
func CreateKubeLocalCAs(key *keys.PrivateKey, teleportClusters []string) (map[string]tls.Certificate, error)
CreateKubeLocalCAs generates local CAs used for the kube local proxy with the provided key.
func IsConnectRequest ¶
IsConnectRequest returns true if the request is an HTTP CONNECT tunnel request.
func MatchAWSRequests ¶
MatchAWSRequests is a MatchFunc that returns true if request is an AWS API request.
func MatchAllRequests ¶
MatchAllRequests is a MatchFunc that returns true for all requests.
func MatchAzureRequests ¶
MatchAzureRequests is a MatchFunc that returns true if request is an Azure API request.
func MatchGCPRequests ¶
MatchGCPRequests is a MatchFunc that returns true if the request is a GCP API request.
func NewKubeListener ¶
NewKubeListener creates a listener for kube local proxy.
Types ¶
type AWSAccessMiddleware ¶
type AWSAccessMiddleware struct {
	DefaultLocalProxyHTTPMiddleware
	// AWSCredentials are AWS Credentials used by LocalProxy for request's signature verification.
	AWSCredentials *credentials.Credentials
	Log logrus.FieldLogger
	// contains filtered or unexported fields
}
AWSAccessMiddleware verifies the requests to AWS proxy are properly signed.
func (*AWSAccessMiddleware) CheckAndSetDefaults ¶
func (m *AWSAccessMiddleware) CheckAndSetDefaults() error
func (*AWSAccessMiddleware) HandleRequest ¶
func (m *AWSAccessMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
HandleRequest handles a request from the AWS client.
Normally, the requests are signed with the local-proxy-generated credentials. We verify the signatures of these requests using the local-proxy-generated credentials then forward them to the proxy. The app agent will re-sign these requests with real credentials before sending them to AWS.
When this AWS middleware receives a valid AssumeRole output (through HandleResponse), the middleware caches the credentials.
When the middleware receives requests signed with these assumed roles' credentials, in addition to verifying the signatures using the cached credentials, the middleware also rewrites the headers to indicate that these requests are signed by assumed roles. Upon receiving requests by assumed roles, the app agent restores the headers without re-signing before sending them to AWS.
Here's a sample sequence for a request by an assumed role:
client                     tsh                      teleport                   AWS
  │                         │                         │                         │
  │ sts:AssumeRole          │                         │                         │
  ├────────────────────────►│ forward                 │                         │
  │                         ├────────────────────────►│ re-sign                 │
  │                         │                         ├────────────────────────►│
  │                         │                         │ sts:AssumeRole output   │
  │                         │                         │◄────────────────────────┤
  │                         │◄────────────────────────┤                         │
  │                         ├────┐ cache              │                         │
  │                         │    │ sts:AssumeRole     │                         │
  │ sts:AssumeRole output   │◄───┘ output             │                         │
  │◄────────────────────────┤                         │                         │
  │                         │                         │                         │
  │ request by assumed role │                         │                         │
  ├────────────────────────►│ rewrite headers         │                         │
  │                         ├────────────────────────►│ restore headers         │
  │                         │                         ├────────────────────────►│
  │                         │                         │◄────────────────────────┤
  │                         │◄────────────────────────┤                         │
  │◄────────────────────────┤                         │                         │
Note that the first sts:AssumeRole should be signed with the local-proxy-generated credentials by the AWS client, while the second request is signed with real credentials of the assumed role.
func (*AWSAccessMiddleware) HandleResponse ¶
func (m *AWSAccessMiddleware) HandleResponse(response *http.Response) error
type AuthorizationCheckerMiddleware ¶
type AuthorizationCheckerMiddleware struct {
	DefaultLocalProxyHTTPMiddleware
	// Log is the Logger.
	Log logrus.FieldLogger
	// Secret is the expected value of a bearer token.
	Secret string
}
AuthorizationCheckerMiddleware is a middleware that checks `Authorization` header of incoming requests. If the header is missing, the request is passed through. If it is present, the middleware checks it is a bearer token with value matching the secret.
func (*AuthorizationCheckerMiddleware) CheckAndSetDefaults ¶
func (m *AuthorizationCheckerMiddleware) CheckAndSetDefaults() error
CheckAndSetDefaults checks configuration validity and sets defaults.
func (*AuthorizationCheckerMiddleware) HandleRequest ¶
func (m *AuthorizationCheckerMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
HandleRequest checks Authorization header, which must be either missing or set to the secret value of a bearer token.
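The check described above, as an added illustration that is not the package's own code: a hypothetical AuthorizationChecker type stands in for AuthorizationCheckerMiddleware. It keeps the documented rule that a missing header passes through, so the check only protects clients that do send the header, and it compares the token in constant time; the 403 status for a bad token is this example's choice.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// AuthorizationChecker is a hypothetical stand-in for the page's
// AuthorizationCheckerMiddleware; Secret is the expected bearer token value.
type AuthorizationChecker struct{ Secret string }

// Authorized reports whether req may continue. A missing Authorization header
// passes through, matching the documented behaviour; a present header must be
// a bearer token equal to Secret, compared in constant time so a wrong token
// cannot be narrowed down byte by byte through response timing.
func (c *AuthorizationChecker) Authorized(req *http.Request) bool {
	header := req.Header.Get("Authorization")
	if header == "" {
		return true
	}
	scheme, token, found := strings.Cut(header, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(token), []byte(c.Secret)) == 1
}

// HandleRequest follows the LocalProxyHTTPMiddleware contract: it returns true
// only when it has written the response itself, telling the caller to stop.
func (c *AuthorizationChecker) HandleRequest(rw http.ResponseWriter, req *http.Request) bool {
	if c.Authorized(req) {
		return false
	}
	http.Error(rw, "invalid bearer token", http.StatusForbidden)
	return true
}

func main() {
	// Constructed secret and request for a stand-alone run.
	c := &AuthorizationChecker{Secret: "constructed-secret"}
	req, _ := http.NewRequest(http.MethodGet, "http://127.0.0.1/", nil)
	req.Header.Set("Authorization", "Bearer constructed-secret")
	fmt.Println("authorized:", c.Authorized(req))
}
```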
type AzureMSIMiddleware ¶
type AzureMSIMiddleware struct {
	DefaultLocalProxyHTTPMiddleware
	// Identity is the Azure identity to be served by the server. Only a single identity will be provided.
	Identity string
	// TenantID to be returned in a claim. Doesn't have to match the actual TenantID as recognized by Azure.
	TenantID string
	// ClientID to be returned in a claim.
	ClientID string
	// Key used to sign the JWT.
	Key crypto.Signer
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// Log is the Logger.
	Log logrus.FieldLogger
	// Secret to be provided by the client.
	Secret string
}
AzureMSIMiddleware implements a simplified version of MSI server serving auth tokens.
func (*AzureMSIMiddleware) CheckAndSetDefaults ¶
func (m *AzureMSIMiddleware) CheckAndSetDefaults() error
func (*AzureMSIMiddleware) HandleRequest ¶
func (m *AzureMSIMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
type CertGenListener ¶
CertGenListener is an HTTPS listener that can generate TLS certificates based on SNI during the HTTPS handshake.
func NewCertGenListener ¶
func NewCertGenListener(config CertGenListenerConfig) (*CertGenListener, error)
NewCertGenListener creates a new CertGenListener and listens to the configured listen address.
func (*CertGenListener) GetCertificate ¶
func (r *CertGenListener) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate generates and returns TLS certificate for incoming connection. Implements tls.Config.GetCertificate.
type CertGenListenerConfig ¶
type CertGenListenerConfig struct {
	// ListenAddr is the network address to listen on.
	ListenAddr string
	// CA is the certificate authority for signing certificates.
	CA tls.Certificate
}
CertGenListenerConfig is the config for CertGenListener.
func (*CertGenListenerConfig) CheckAndSetDefaults ¶
func (c *CertGenListenerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
type ConnectRequestHandler ¶
type ConnectRequestHandler interface {
	// Match returns true if this handler wants to handle the provided request.
	Match(req *http.Request) bool
	// Handle handles the request with the provided client connection.
	Handle(ctx context.Context, clientConn net.Conn, req *http.Request)
}
ConnectRequestHandler defines handler for handling CONNECT requests.
type ConnectionHandler ¶
ConnectionHandler defines a function for serving incoming connections.
type ConnectionHandlerWrapper ¶
type ConnectionHandlerWrapper struct {
// contains filtered or unexported fields
}
ConnectionHandlerWrapper is a wrapper of ConnectionHandler. This wrapper is mainly used as a placeholder to resolve circular dependencies.
func (*ConnectionHandlerWrapper) HandleConnection ¶
HandleConnection implements ConnectionHandler.
func (*ConnectionHandlerWrapper) Set ¶
func (w *ConnectionHandlerWrapper) Set(h ConnectionHandler)
Set updates inner ConnectionHandler to use.
type ConnectionInfo ¶
type ConnectionInfo struct {
	// SNI is the ServerName value obtained from the TLS hello message.
	SNI string
	// ALPN protocols obtained from the TLS hello message.
	ALPN []string
}
ConnectionInfo contains details about TLS connection.
type DefaultLocalProxyHTTPMiddleware ¶
type DefaultLocalProxyHTTPMiddleware struct{}
DefaultLocalProxyHTTPMiddleware provides default implementations for LocalProxyHTTPMiddleware.
func (*DefaultLocalProxyHTTPMiddleware) CheckAndSetDefaults ¶
func (m *DefaultLocalProxyHTTPMiddleware) CheckAndSetDefaults() error
func (*DefaultLocalProxyHTTPMiddleware) HandleRequest ¶
func (m *DefaultLocalProxyHTTPMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
func (*DefaultLocalProxyHTTPMiddleware) HandleResponse ¶
func (m *DefaultLocalProxyHTTPMiddleware) HandleResponse(resp *http.Response) error
func (*DefaultLocalProxyHTTPMiddleware) OverwriteClientCerts ¶
func (m *DefaultLocalProxyHTTPMiddleware) OverwriteClientCerts(req *http.Request) ([]tls.Certificate, error)
type ForwardProxy ¶
type ForwardProxy struct {
// contains filtered or unexported fields
}
ForwardProxy is a forward proxy that serves CONNECT tunnel requests.
func NewForwardProxy ¶
func NewForwardProxy(cfg ForwardProxyConfig) (*ForwardProxy, error)
NewForwardProxy creates a new forward proxy server.
func NewKubeForwardProxy ¶
func NewKubeForwardProxy(config KubeForwardProxyConfig) (*ForwardProxy, error)
NewKubeForwardProxy creates a forward proxy for kube access.
func (*ForwardProxy) GetAddr ¶
func (p *ForwardProxy) GetAddr() string
GetAddr returns the listener address.
func (*ForwardProxy) ServeHTTP ¶
func (p *ForwardProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)
ServeHTTP serves HTTP requests. Implements http.Handler.
func (*ForwardProxy) Start ¶
func (p *ForwardProxy) Start() error
Start starts serving on the listener.
type ForwardProxyConfig ¶
type ForwardProxyConfig struct {
	// Listener is the network listener.
	Listener net.Listener
	// CloseContext is the close context.
	CloseContext context.Context
	// Handlers is a list of CONNECT request handlers.
	Handlers []ConnectRequestHandler
}
ForwardProxyConfig is the config for forward proxy server.
func (*ForwardProxyConfig) CheckAndSetDefaults ¶
func (c *ForwardProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
type ForwardToHostHandler ¶
type ForwardToHostHandler struct {
// contains filtered or unexported fields
}
ForwardToHostHandler is a CONNECT request handler that forwards requests to designated host.
func NewForwardToHostHandler ¶
func NewForwardToHostHandler(cfg ForwardToHostHandlerConfig) *ForwardToHostHandler
NewForwardToHostHandler creates a new ForwardToHostHandler.
func NewForwardToOriginalHostHandler ¶
func NewForwardToOriginalHostHandler() *ForwardToHostHandler
NewForwardToOriginalHostHandler creates a new CONNECT request handler that forwards all requests to their original hosts.
type ForwardToHostHandlerConfig ¶
type ForwardToHostHandlerConfig struct {
	// MatchFunc returns true if this handler wants to handle the provided request.
	MatchFunc func(req *http.Request) bool
	// Host is the destination to forward the request to. If empty, the request
	// is forwarded to its original host.
	Host string
}
ForwardToHostHandlerConfig is the config for ForwardToHostHandler.
func (*ForwardToHostHandlerConfig) SetDefaults ¶
func (c *ForwardToHostHandlerConfig) SetDefaults()
SetDefaults sets default config values.
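The CONNECT handling described for ForwardProxy, ConnectRequestHandler and ForwardToHostHandler, as an added example that is not the package's code: ConnectHandler, ForwardProxy, SelectHandler, HostHandler and NewExampleProxy are hypothetical re-implementations of the same shape, and the listen address, pinned host and host suffix are constructed. The points it makes: only CONNECT is served, handler order decides routing, and an empty Host means "forward to the original target".

```go
package main

import (
	"context"
	"io"
	"net"
	"net/http"
	"strings"
)

// ConnectHandler is a hypothetical re-implementation of the page's
// ConnectRequestHandler: Match selects a handler, Handle then owns the
// hijacked client connection.
type ConnectHandler interface {
	Match(req *http.Request) bool
	Handle(ctx context.Context, clientConn net.Conn, req *http.Request)
}

// SelectHandler returns the first handler whose Match accepts req. Order is
// therefore routing policy: a catch-all handler must be registered last.
func SelectHandler(handlers []ConnectHandler, req *http.Request) (ConnectHandler, bool) {
	for _, h := range handlers {
		if h.Match(req) {
			return h, true
		}
	}
	return nil, false
}

// ForwardProxy serves CONNECT tunnel requests only; other methods are refused
// so the listener cannot double as an open plain-HTTP relay.
type ForwardProxy struct{ Handlers []ConnectHandler }

func (p *ForwardProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	if req.Method != http.MethodConnect {
		http.Error(rw, "only CONNECT is supported", http.StatusMethodNotAllowed)
		return
	}
	h, ok := SelectHandler(p.Handlers, req)
	if !ok {
		http.Error(rw, "no handler for "+req.Host, http.StatusBadGateway)
		return
	}
	hj, ok := rw.(http.Hijacker)
	if !ok {
		http.Error(rw, "hijacking not supported", http.StatusInternalServerError)
		return
	}
	conn, _, err := hj.Hijack()
	if err != nil {
		return
	}
	// From here the handler owns conn and writes the CONNECT status line itself.
	h.Handle(req.Context(), conn, req)
}

// HostHandler mirrors ForwardToHostHandler: an empty Host means "dial the
// original CONNECT target"; a fixed Host pins every matched tunnel to it.
type HostHandler struct {
	MatchFunc func(*http.Request) bool
	Host      string
}

func (h *HostHandler) Match(req *http.Request) bool { return h.MatchFunc(req) }

// Target is the address a matched tunnel is dialed to.
func (h *HostHandler) Target(req *http.Request) string {
	if h.Host != "" {
		return h.Host
	}
	return req.Host
}

func (h *HostHandler) Handle(ctx context.Context, clientConn net.Conn, req *http.Request) {
	defer clientConn.Close()
	upstream, err := (&net.Dialer{}).DialContext(ctx, "tcp", h.Target(req))
	if err != nil {
		io.WriteString(clientConn, "HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
		return
	}
	defer upstream.Close()
	io.WriteString(clientConn, "HTTP/1.1 200 Connection established\r\n\r\n")
	// Relay both directions; return (closing both ends) when either side ends.
	done := make(chan struct{}, 2)
	go func() { io.Copy(upstream, clientConn); done <- struct{}{} }()
	go func() { io.Copy(clientConn, upstream); done <- struct{}{} }()
	<-done
}

// NewExampleProxy wires handlers the way the page describes: a constructed
// rule pins one host suffix to a local address, everything else is forwarded
// to its original host.
func NewExampleProxy() *ForwardProxy {
	return &ForwardProxy{Handlers: []ConnectHandler{
		&HostHandler{
			MatchFunc: func(r *http.Request) bool { return strings.HasSuffix(r.Host, ".proxy.example:443") },
			Host:      "127.0.0.1:3080",
		},
		&HostHandler{MatchFunc: func(*http.Request) bool { return true }},
	}}
}

func main() {
	// Constructed listen address; clients use it as their HTTPS proxy.
	http.ListenAndServe("127.0.0.1:8080", NewExampleProxy())
}
```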
type ForwardToSystemProxyHandler ¶
type ForwardToSystemProxyHandler struct {
// contains filtered or unexported fields
}
ForwardToSystemProxyHandler is a CONNECT request handler that forwards requests to existing system or corporate forward proxies configured on the host where our server runs.
Here "system" is used to differentiate the forward proxies users have outside Teleport from our own forward proxy server. The purpose of this handler is to honor "system" proxy settings, so that requests are forwarded to "system" proxies as intended instead of going to their original hosts.
func NewForwardToSystemProxyHandler ¶
func NewForwardToSystemProxyHandler(cfg ForwardToSystemProxyHandlerConfig) *ForwardToSystemProxyHandler
NewForwardToSystemProxyHandler creates a new ForwardToSystemProxyHandler.
type ForwardToSystemProxyHandlerConfig ¶
type ForwardToSystemProxyHandlerConfig struct {
	// TunnelProtocol is the protocol of the requests being tunneled.
	TunnelProtocol string
	// InsecureSystemProxy allows an insecure system proxy when forwarding
	// unwanted requests.
	InsecureSystemProxy bool
	// SystemProxyFunc is the function that determines the system proxy URL to
	// use for the provided request URL.
	SystemProxyFunc func(reqURL *url.URL) (*url.URL, error)
}
ForwardToSystemProxyHandlerConfig is the config for ForwardToSystemProxyHandler.
func (*ForwardToSystemProxyHandlerConfig) SetDefaults ¶
func (c *ForwardToSystemProxyHandlerConfig) SetDefaults()
SetDefaults sets default config values.
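How a handler can honor "system" proxy settings, as an added example that is not the package's code: SystemProxyFor, Tunnel, DialThroughSystemProxy and ExampleLookup are hypothetical, the proxy and host names are constructed, and the only assumption about the page's API is that SystemProxyFunc has the signature shown (http.ProxyFromEnvironment fits it). The security-relevant detail is that the client is told the tunnel exists only after the system proxy has agreed, and that reads continue through the buffered reader so no bytes following the proxy's status line are lost.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// SystemProxyFunc has the shape of the page's SystemProxyFunc config field;
// http.ProxyFromEnvironment satisfies it, but so does any custom rule set.
type SystemProxyFunc func(reqURL *url.URL) (*url.URL, error)

// SystemProxyFor decides whether a CONNECT target ("host:port") should be
// tunneled through a system proxy. A nil URL means "dial the target directly",
// the case in which a system-proxy handler would not match.
func SystemProxyFor(lookup SystemProxyFunc, target string) (*url.URL, error) {
	// The CONNECT target carries no scheme; supply one so scheme-aware rules
	// (HTTPS_PROXY versus HTTP_PROXY) evaluate the way the client expects.
	return lookup(&url.URL{Scheme: "https", Host: target})
}

// Tunnel re-issues a CONNECT for target over a connection already opened to
// the system proxy and returns a reader for the tunnel once the proxy agreed.
// Callers must read from the returned reader, not from upstream directly: the
// buffered reader may already hold bytes that followed the proxy's status line.
func Tunnel(upstream net.Conn, target string) (*bufio.Reader, error) {
	if _, err := fmt.Fprintf(upstream, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target); err != nil {
		return nil, err
	}
	br := bufio.NewReader(upstream)
	resp, err := http.ReadResponse(br, nil)
	if err != nil {
		return nil, fmt.Errorf("reading system proxy reply: %w", err)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("system proxy refused tunnel to %s: %s", target, resp.Status)
	}
	return br, nil
}

// DialThroughSystemProxy opens a tunnel to target: via the system proxy when
// the lookup names one, otherwise directly. The returned reader is the read
// side of the tunnel; writes go to the returned connection.
func DialThroughSystemProxy(ctx context.Context, lookup SystemProxyFunc, target string) (net.Conn, io.Reader, error) {
	proxyURL, err := SystemProxyFor(lookup, target)
	if err != nil {
		return nil, nil, err
	}
	var d net.Dialer
	if proxyURL == nil {
		conn, err := d.DialContext(ctx, "tcp", target)
		return conn, conn, err
	}
	// Only plain-HTTP CONNECT proxies are handled here; a TLS-wrapped proxy
	// would need a tls.Client around conn before Tunnel.
	if proxyURL.Scheme != "http" {
		return nil, nil, fmt.Errorf("unsupported system proxy scheme %q", proxyURL.Scheme)
	}
	conn, err := d.DialContext(ctx, "tcp", proxyURL.Host)
	if err != nil {
		return nil, nil, err
	}
	br, err := Tunnel(conn, target)
	if err != nil {
		conn.Close()
		return nil, nil, err
	}
	return conn, br, nil
}

// ExampleLookup is a constructed rule set standing in for real system proxy
// settings: internal hosts are dialed directly, everything else goes through
// a corporate proxy (both names are placeholders).
func ExampleLookup(reqURL *url.URL) (*url.URL, error) {
	if strings.HasSuffix(reqURL.Hostname(), ".internal.example") {
		return nil, nil
	}
	return url.Parse("http://proxy.corp.example:3128")
}

func main() {
	u, _ := SystemProxyFor(ExampleLookup, "api.saas.example:443")
	fmt.Println("api.saas.example:443 ->", u)
}
```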
type GetClusterCACertPoolFunc ¶
GetClusterCACertPoolFunc is a function to fetch cluster CAs.
type HandlerDecs ¶
type HandlerDecs struct {
	// Handler is the protocol handling logic.
	Handler HandlerFunc
	// HandlerWithConnInfo is a protocol handler function providing additional TLS insight.
	// Used in cases where the internal handler function must have access to hello message values without
	// terminating the TLS connection.
	HandlerWithConnInfo HandlerFuncWithInfo
	// ForwardTLS tells if the ALPN proxy service should terminate TLS traffic or delegate the
	// TLS termination to the protocol handler (used in the Kube handler case).
	ForwardTLS bool
	// MatchFunc is a routing route match function based on ALPN SNI TLS values.
	// If it evaluates to true, the current HandlerDecs will be used
	// for connection handling.
	MatchFunc MatchFunc
	// TLSConfig is a TLS configuration that allows switching TLS settings for the handler.
	// By default, the ProxyConfig.WebTLSConfig configuration is used to TLS-terminate the incoming connection,
	// but if HandlerDecs.TLSConfig is present it takes precedence over the ProxyConfig TLS configuration.
	TLSConfig *tls.Config
}
HandlerDecs describes the handler for particular protocols.
func (*HandlerDecs) CheckAndSetDefaults ¶
func (h *HandlerDecs) CheckAndSetDefaults() error
type HandlerFunc ¶
HandlerFunc is a common function signature used to handle downstream connections with a particular ALPN protocol.
type HandlerFuncWithInfo ¶
HandlerFuncWithInfo is a protocol handler function providing additional TLS insight. Used in cases where the internal handler function must have access to hello message values without terminating the TLS connection.
func ExtractMySQLEngineVersion ¶
func ExtractMySQLEngineVersion(fn func(ctx context.Context, conn net.Conn) error) HandlerFuncWithInfo
ExtractMySQLEngineVersion returns a pre-process function for MySQL connections that tries to extract MySQL server version from incoming connection.
type KubeCertReissuer ¶
type KubeCertReissuer = func(ctx context.Context, teleportCluster, kubeCluster string) (tls.Certificate, error)
KubeCertReissuer reissues a client certificate for a Kubernetes cluster.
type KubeClientCerts ¶
type KubeClientCerts map[string]tls.Certificate
KubeClientCerts is a map of Kubernetes client certs.
func (KubeClientCerts) Add ¶
func (c KubeClientCerts) Add(teleportCluster, kubeCluster string, cert tls.Certificate)
Add adds a tls.Certificate for a kube cluster.
type KubeForwardProxyConfig ¶
type KubeForwardProxyConfig struct {
	// CloseContext is the close context.
	CloseContext context.Context
	// ListenPort is the localhost port to listen on.
	ListenPort string
	// Listener is the listener for the forward proxy. A listener is created
	// from ListenPort if Listener is not provided.
	Listener net.Listener
	// ForwardAddr is the target address the requests get forwarded to.
	ForwardAddr string
}
KubeForwardProxyConfig is the config for making kube forward proxy.
func (*KubeForwardProxyConfig) CheckAndSetDefaults ¶
func (c *KubeForwardProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
type KubeMiddleware ¶
type KubeMiddleware struct {
	DefaultLocalProxyHTTPMiddleware
	// contains filtered or unexported fields
}
KubeMiddleware is a LocalProxyHTTPMiddleware for handling Kubernetes requests.
func (*KubeMiddleware) CheckAndSetDefaults ¶
func (m *KubeMiddleware) CheckAndSetDefaults() error
CheckAndSetDefaults checks configuration validity and sets defaults.
func (*KubeMiddleware) HandleRequest ¶
func (m *KubeMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
HandleRequest checks if the middleware has a valid certificate for this request and reissues it if needed. In case of a reissue error, it writes directly to the response and returns true, so the caller won't continue processing the request.
func (*KubeMiddleware) OverwriteClientCerts ¶
func (m *KubeMiddleware) OverwriteClientCerts(req *http.Request) ([]tls.Certificate, error)
OverwriteClientCerts overwrites the client certs used for upstream connection.
type KubeMiddlewareConfig ¶
type KubeMiddlewareConfig struct {
	Certs        KubeClientCerts
	CertReissuer KubeCertReissuer
	Headless     bool
	Clock        clockwork.Clock
	Logger       logrus.FieldLogger
}
type ListenerMuxWrapper ¶
type ListenerMuxWrapper struct {
	// net.Listener is the main service listener that is being wrapped.
	net.Listener
	// contains filtered or unexported fields
}
ListenerMuxWrapper wraps the net.Listener and multiplexes incoming connections from serviceListener with connections injected by the HandleConnection handler.
func NewMuxListenerWrapper ¶
func NewMuxListenerWrapper(serviceListener, alpnListener net.Listener) *ListenerMuxWrapper
NewMuxListenerWrapper creates a new instance of ListenerMuxWrapper.
func (*ListenerMuxWrapper) Accept ¶
func (l *ListenerMuxWrapper) Accept() (net.Conn, error)
Accept waits for the next connection, either injected by HandleConnection or received from serviceListener, and returns it.
func (*ListenerMuxWrapper) Addr ¶
func (l *ListenerMuxWrapper) Addr() net.Addr
Addr returns the address of the listeners. If both serviceListener and alpnListener were provided, the function returns the address obtained from the alpnListener listener.
func (*ListenerMuxWrapper) Close ¶
func (l *ListenerMuxWrapper) Close() error
Close the ListenerMuxWrapper.
func (*ListenerMuxWrapper) HandleConnection ¶
HandleConnection allows injecting connection to the listener.
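The multiplexing described for ListenerMuxWrapper, as an added example that is not the package's code: MuxListener, NewMuxListener and its methods are a hypothetical re-implementation, and the HandleConnection signature (a context plus the connection) is assumed, since the page does not show it. It shows how connections the ALPN router has already inspected can be injected into a listener that another server is blocked in Accept on, how the ALPN listener only lends its address, and how Close unblocks every waiter exactly once.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"sync"
)

// ErrMuxListenerClosed is returned once Close has been called.
var ErrMuxListenerClosed = errors.New("mux listener closed")

// MuxListener is a hypothetical re-implementation of the page's
// ListenerMuxWrapper: Accept hands out connections from the wrapped service
// listener and connections injected through HandleConnection, whichever
// arrives first.
type MuxListener struct {
	net.Listener           // the wrapped service listener; may be nil
	alpnAddr  net.Addr     // address reported in preference to the wrapped one
	conns     chan net.Conn
	errs      chan error
	done      chan struct{}
	closeOnce sync.Once
}

// NewMuxListener wraps serviceListener; alpnListener is optional and only
// lends its address, mirroring what the page documents for Addr.
func NewMuxListener(serviceListener, alpnListener net.Listener) *MuxListener {
	l := &MuxListener{
		Listener: serviceListener,
		conns:    make(chan net.Conn),
		errs:     make(chan error, 1),
		done:     make(chan struct{}),
	}
	if alpnListener != nil {
		l.alpnAddr = alpnListener.Addr()
	}
	if serviceListener != nil {
		go l.pump()
	}
	return l
}

// pump feeds the wrapped listener's connections into the same channel the
// injected ones use, so Accept has a single place to wait.
func (l *MuxListener) pump() {
	for {
		conn, err := l.Listener.Accept()
		if err != nil {
			select {
			case l.errs <- err:
			case <-l.done:
			}
			return
		}
		select {
		case l.conns <- conn:
		case <-l.done:
			conn.Close()
			return
		}
	}
}

// HandleConnection injects a connection (for instance one the ALPN router
// already inspected) and blocks until Accept takes it, ctx ends, or the
// listener is closed.
func (l *MuxListener) HandleConnection(ctx context.Context, conn net.Conn) error {
	select {
	case l.conns <- conn:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	case <-l.done:
		return ErrMuxListenerClosed
	}
}

// Accept returns the next connection from either source.
func (l *MuxListener) Accept() (net.Conn, error) {
	select {
	case conn := <-l.conns:
		return conn, nil
	case err := <-l.errs:
		return nil, err
	case <-l.done:
		return nil, ErrMuxListenerClosed
	}
}

// Addr prefers the ALPN listener's address when one was supplied.
func (l *MuxListener) Addr() net.Addr {
	if l.alpnAddr != nil {
		return l.alpnAddr
	}
	if l.Listener == nil {
		return nil
	}
	return l.Listener.Addr()
}

// Close is idempotent: it unblocks every waiter and closes the wrapped listener.
func (l *MuxListener) Close() error {
	var err error
	l.closeOnce.Do(func() {
		close(l.done)
		if l.Listener != nil {
			err = l.Listener.Close()
		}
	})
	return err
}

func main() {
	l := NewMuxListener(nil, nil)
	a, b := net.Pipe()
	defer b.Close()
	go l.HandleConnection(context.Background(), a)
	conn, err := l.Accept()
	fmt.Println("accepted injected connection:", conn != nil, err)
}
```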
type LocalProxy ¶
type LocalProxy struct {
// contains filtered or unexported fields
}
LocalProxy upgrades an incoming connection to TLS with custom SNI and ALPN values set, and forwards the upgraded connection to the remote Teleport ALPN SNI proxy service.
func NewLocalProxy ¶
func NewLocalProxy(cfg LocalProxyConfig, opts ...LocalProxyConfigOpt) (*LocalProxy, error)
NewLocalProxy creates a new instance of LocalProxy.
func (*LocalProxy) CheckDBCerts ¶
func (l *LocalProxy) CheckDBCerts(dbRoute tlsca.RouteToDatabase) error
CheckDBCerts checks the proxy certificates for expiration and that the cert subject matches a database route.
func (*LocalProxy) Close ¶
func (l *LocalProxy) Close() error
func (*LocalProxy) GetAddr ¶
func (l *LocalProxy) GetAddr() string
GetAddr returns the LocalProxy listener address.
func (*LocalProxy) SetCerts ¶
func (l *LocalProxy) SetCerts(certs []tls.Certificate)
SetCerts sets the local proxy's configured TLS certificates.
func (*LocalProxy) Start ¶
func (l *LocalProxy) Start(ctx context.Context) error
Start starts the LocalProxy.
func (*LocalProxy) StartHTTPAccessProxy ¶
func (l *LocalProxy) StartHTTPAccessProxy(ctx context.Context) error
StartHTTPAccessProxy starts the local HTTP access proxy.
type LocalProxyConfig ¶
type LocalProxyConfig struct {
	// RemoteProxyAddr is the upstream destination address of the remote ALPN proxy service.
	RemoteProxyAddr string
	// Protocols are the ALPN protocols set for the upstream TLS connection.
	Protocols []common.Protocol
	// InsecureSkipVerify turns off verification of the upstream ALPN proxy service's x509 certificate.
	InsecureSkipVerify bool
	// Listener is the listener running on the local machine.
	Listener net.Listener
	// SNI is the ServerName value set for the upstream TLS connection.
	SNI string
	// ParentContext is a parent context, used to signal global closure.
	ParentContext context.Context
	// Certs are the client certificates used to connect to the remote Teleport Proxy.
	Certs []tls.Certificate
	// RootCAs overwrites the root CAs used in tls.Config if specified.
	RootCAs *x509.CertPool
	// ALPNConnUpgradeRequired specifies if an ALPN connection upgrade is required.
	ALPNConnUpgradeRequired bool
	// Middleware provides callback functions to the local proxy.
	Middleware LocalProxyMiddleware
	// HTTPMiddleware provides callback functions to the local proxy running in HTTP mode.
	HTTPMiddleware LocalProxyHTTPMiddleware
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// Log is the Logger.
	Log logrus.FieldLogger
	// CheckCertsNeeded determines if the local proxy will check if it should
	// load certs for dialing upstream. Defaults to false, in which case
	// the local proxy will always use whatever certs it has to dial upstream.
	// For example, postgres cancel requests are not sent with TLS even if the
	// postgres client was configured to use client certs, so a local proxy
	// needs to always have certs loaded for postgres in case they are needed,
	// but only use those certs as needed.
	CheckCertsNeeded bool
	// contains filtered or unexported fields
}
LocalProxyConfig is configuration for LocalProxy.
func (*LocalProxyConfig) CheckAndSetDefaults ¶
func (cfg *LocalProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults verifies the constraints for LocalProxyConfig.
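The CheckCertsNeeded comment above relies on telling a Postgres cancel request apart from a normal session before the upstream dial. The following added example, which is not the package's code, shows one way to do that: it classifies the first eight bytes a Postgres client sends (length plus request code, from the wire protocol) and returns a connection on which those bytes are replayed, so the decision can be made without consuming the client's message. The request codes are the protocol's; ClassifyStartup, PeekStartup, peekedConn and CancelRequestPacket are hypothetical names, and which certificates the proxy then presents is left to the caller, since the page does not spell that policy out.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// Request codes from the Postgres frontend/backend protocol.
const (
	pgSSLRequestCode    = 80877103 // client asks to upgrade to TLS
	pgCancelRequestCode = 80877102 // out-of-band cancel, sent without TLS
	pgProtocol3         = 196608   // StartupMessage, protocol version 3.0
)

type StartupKind int

const (
	StartupUnknown StartupKind = iota
	StartupSSLRequest
	StartupCancelRequest
	StartupPlainStartup
)

// ClassifyStartup inspects the first 8 bytes a Postgres client sends: a
// big-endian length (which includes itself) followed by a 4-byte request code.
func ClassifyStartup(first []byte) (StartupKind, error) {
	if len(first) < 8 {
		return StartupUnknown, errors.New("need 8 bytes of the startup packet")
	}
	length := binary.BigEndian.Uint32(first[:4])
	code := binary.BigEndian.Uint32(first[4:8])
	switch {
	case code == pgSSLRequestCode && length == 8:
		return StartupSSLRequest, nil
	case code == pgCancelRequestCode && length == 16:
		return StartupCancelRequest, nil
	case code == pgProtocol3 && length >= 8:
		return StartupPlainStartup, nil
	}
	return StartupUnknown, fmt.Errorf("unrecognised startup code %d (length %d)", code, length)
}

// peekedConn replays the bytes consumed by the peek ahead of the live stream.
type peekedConn struct {
	net.Conn
	r io.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// PeekStartup classifies the client's first message and returns a connection
// on which those bytes are still readable, so the upstream dial can depend on
// the message kind without the client noticing the inspection.
func PeekStartup(conn net.Conn) (StartupKind, net.Conn, error) {
	head := make([]byte, 8)
	if _, err := io.ReadFull(conn, head); err != nil {
		return StartupUnknown, conn, err
	}
	kind, err := ClassifyStartup(head)
	replay := &peekedConn{Conn: conn, r: io.MultiReader(bytes.NewReader(head), conn)}
	return kind, replay, err
}

// CancelRequestPacket builds a constructed CancelRequest (pid and secret key)
// for demonstrations and tests.
func CancelRequestPacket(pid, secret uint32) []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint32(b[0:], 16)
	binary.BigEndian.PutUint32(b[4:], pgCancelRequestCode)
	binary.BigEndian.PutUint32(b[8:], pid)
	binary.BigEndian.PutUint32(b[12:], secret)
	return b
}

func main() {
	kind, err := ClassifyStartup(CancelRequestPacket(4242, 7))
	fmt.Println("kind:", kind, "err:", err)
}
```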
type LocalProxyConfigOpt ¶
type LocalProxyConfigOpt func(*LocalProxyConfig) error
LocalProxyConfigOpt is an option func to update LocalProxyConfig.
func WithALPNConnUpgradeTest ¶
func WithALPNConnUpgradeTest(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
WithALPNConnUpgradeTest performs the test to see if an ALPN connection upgrade is required and updates other configs if necessary.
This LocalProxyConfigOpt assumes RemoteProxyAddr and InsecureSkipVerify have already been set.
func WithALPNProtocol ¶
func WithALPNProtocol(protocol common.Protocol) LocalProxyConfigOpt
WithALPNProtocol is a LocalProxyConfigOpt that sets the ALPN protocol used for TLS Routing.
func WithCheckCertsNeeded ¶
func WithCheckCertsNeeded() LocalProxyConfigOpt
WithCheckCertsNeeded is a LocalProxyConfigOpt that enables check certs on demand.
func WithClientCerts ¶
func WithClientCerts(certs ...tls.Certificate) LocalProxyConfigOpt
WithClientCerts is a LocalProxyConfigOpt that sets the client certs used to connect to the remote Teleport Proxy.
func WithClusterCAs ¶
func WithClusterCAs(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
WithClusterCAs is a LocalProxyConfigOpt that fetches the cluster CAs.
func WithClusterCAsIfConnUpgrade ¶
func WithClusterCAsIfConnUpgrade(ctx context.Context, getClusterCertPool GetClusterCACertPoolFunc) LocalProxyConfigOpt
WithClusterCAsIfConnUpgrade is a LocalProxyConfigOpt that fetches the cluster CAs when ALPN connection upgrades are required.
func WithDatabaseProtocol ¶
func WithDatabaseProtocol(dbProtocol string) LocalProxyConfigOpt
WithDatabaseProtocol is a LocalProxyConfigOpt that sets the ALPN protocol based on the provided database protocol.
func WithHTTPMiddleware ¶
func WithHTTPMiddleware(middleware LocalProxyHTTPMiddleware) LocalProxyConfigOpt
WithHTTPMiddleware is a LocalProxyConfigOpt that sets HTTPMiddleware.
func WithMiddleware ¶
func WithMiddleware(middleware LocalProxyMiddleware) LocalProxyConfigOpt
WithMiddleware is a LocalProxyConfigOpt that sets Middleware.
func WithMySQLVersionProto ¶
func WithMySQLVersionProto(db types.Database) LocalProxyConfigOpt
WithMySQLVersionProto is a LocalProxyConfigOpt that encodes MySQL version in the ALPN protocol.
func WithSNI ¶
func WithSNI(sni string) LocalProxyConfigOpt
WithSNI is a LocalProxyConfigOpt that sets the SNI.
type LocalProxyHTTPMiddleware ¶
type LocalProxyHTTPMiddleware interface {
	// CheckAndSetDefaults checks configuration validity and sets defaults.
	CheckAndSetDefaults() error
	// HandleRequest returns true if the request has been handled and must not be processed further, false otherwise.
	HandleRequest(rw http.ResponseWriter, req *http.Request) bool
	// HandleResponse processes the server response before sending it to the client.
	HandleResponse(resp *http.Response) error
	// OverwriteClientCerts overwrites the client certs used for the upstream connection.
	OverwriteClientCerts(req *http.Request) ([]tls.Certificate, error)
}
LocalProxyHTTPMiddleware provides callback functions for LocalProxy in HTTP proxy mode.
func NewKubeMiddleware ¶
func NewKubeMiddleware(cfg KubeMiddlewareConfig) LocalProxyHTTPMiddleware
NewKubeMiddleware creates a new KubeMiddleware.
type LocalProxyMiddleware ¶
type LocalProxyMiddleware interface {
	// OnNewConnection is a callback triggered when a new downstream connection is
	// accepted by the local proxy. If an error is returned, the connection will be closed
	// by the local proxy.
	OnNewConnection(ctx context.Context, lp *LocalProxy, conn net.Conn) error
	// OnStart is a callback triggered when the local proxy starts.
	OnStart(ctx context.Context, lp *LocalProxy) error
}
LocalProxyMiddleware provides callback functions for LocalProxy.
type MatchFunc ¶
MatchFunc is a type of the match route functions.
func MatchByALPNPrefix ¶
MatchByALPNPrefix creates match function based on client TLS ALPN protocol prefix.
func MatchByProtocol ¶
MatchByProtocol creates a match function that matches the client TLS ALPN protocol against the provided list of ALPN protocols and their corresponding Ping protocols.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy server allows routing downstream connections, based on TLS SNI and ALPN values, to a particular service.
func (*Proxy) MakeConnectionHandler ¶
func (p *Proxy) MakeConnectionHandler(defaultOverride *tls.Config) ConnectionHandler
MakeConnectionHandler creates a ConnectionHandler which provides a callback to handle incoming connections by this ALPN proxy server.
type ProxyConfig ¶
type ProxyConfig struct {
	// Listener is a listener to serve requests on.
	Listener net.Listener
	// WebTLSConfig specifies the TLS configuration used by the Proxy server.
	WebTLSConfig *tls.Config
	// Router contains the definition of protocol routing and handler descriptions.
	Router *Router
	// Log is used for logging.
	Log logrus.FieldLogger
	// Clock is a clock to override in tests, set to the real time clock
	// by default.
	Clock clockwork.Clock
	// ReadDeadline is a connection read deadline during the TLS handshake (start
	// of the connection). It is set to defaults.HandshakeReadDeadline if
	// unspecified.
	ReadDeadline time.Duration
	// IdentityTLSConfig is the TLS ProxyRole identity used in servers with localhost SAN values.
	IdentityTLSConfig *tls.Config
	// AccessPoint is the auth server client.
	AccessPoint auth.ReadProxyAccessPoint
	// ClusterName is the name of the teleport cluster.
	ClusterName string
	// PingInterval defines the ping interval for ping-wrapped connections.
	PingInterval time.Duration
}
ProxyConfig is the configuration for an ALPN proxy server.
func (*ProxyConfig) CheckAndSetDefaults ¶
func (c *ProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values of ProxyConfig.
type Router ¶
type Router struct {
// contains filtered or unexported fields
}
Router contains information about protocol handlers and routing rules.
func (*Router) Add ¶
func (r *Router) Add(desc HandlerDecs)
Add sets the handler for DB TLS traffic.
func (*Router) AddDBTLSHandler ¶
func (r *Router) AddDBTLSHandler(handler HandlerFunc)
AddDBTLSHandler adds the handler for DB TLS traffic.
func (*Router) AddKubeHandler ¶
func (r *Router) AddKubeHandler(handler HandlerFunc)
AddKubeHandler adds the handler for the Kubernetes protocol (distinguishable by the "kube-teleport-proxy-alpn." SNI prefix).
func (*Router) CheckAndSetDefaults ¶
CheckAndSetDefaults verifies the constraints for Router.
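The routing described for MatchFunc, MatchByALPNPrefix, MatchByProtocol, Router and AddKubeHandler, as an added example that is not the package's code: ConnectionInfo mirrors the page's type, while MatchFunc's signature, the Handler stand-in for HandlerDecs, Router.Route and NewExampleRouter are hypothetical. The "-ping" suffix for ping-wrapped protocols and the ALPN names "teleport-postgres" and "teleport-mysql" are assumed for the illustration, and the versioned MySQL value is constructed. The point it makes is that routing is first-match over (SNI, offered ALPN) pairs, so registration order matters and a prefix rule can shadow an exact one.

```go
package main

import (
	"fmt"
	"strings"
)

// ConnectionInfo mirrors the page's type: the values a router can read from
// the ClientHello before deciding whether to terminate TLS.
type ConnectionInfo struct {
	SNI  string
	ALPN []string
}

// MatchFunc is the match signature assumed for this illustration: it judges a
// single (SNI, ALPN) pair.
type MatchFunc func(sni, alpn string) bool

// Handler is a constructed stand-in for the page's HandlerDecs, reduced to a
// name and its routing rule.
type Handler struct {
	Name  string
	Match MatchFunc
}

// pingSuffix is the assumed form of Teleport's ping-wrapped ALPN variants.
const pingSuffix = "-ping"

// MatchByProtocol accepts exactly the listed protocols and their ping variants.
func MatchByProtocol(protocols ...string) MatchFunc {
	accepted := make(map[string]bool, 2*len(protocols))
	for _, p := range protocols {
		accepted[p] = true
		accepted[p+pingSuffix] = true
	}
	return func(_, alpn string) bool { return accepted[alpn] }
}

// MatchByALPNPrefix accepts any ALPN value with the prefix, which a protocol
// that carries extra data after its name (such as a MySQL version) needs.
func MatchByALPNPrefix(prefix string) MatchFunc {
	return func(_, alpn string) bool { return strings.HasPrefix(alpn, prefix) }
}

// MatchBySNIPrefix routes on the server name instead, the way the page's
// AddKubeHandler routes on the "kube-teleport-proxy-alpn." SNI prefix.
func MatchBySNIPrefix(prefix string) MatchFunc {
	return func(sni, _ string) bool { return strings.HasPrefix(sni, prefix) }
}

// Router keeps handlers in registration order; the first match wins, so a
// prefix rule registered before an exact rule can shadow it.
type Router struct{ handlers []Handler }

func (r *Router) Add(h Handler) { r.handlers = append(r.handlers, h) }

// Route returns the first handler accepting the SNI together with any of the
// client's offered ALPN values. A client offering no ALPN is matched with an
// empty protocol so SNI-only rules still apply.
func (r *Router) Route(info ConnectionInfo) (Handler, bool) {
	alpns := info.ALPN
	if len(alpns) == 0 {
		alpns = []string{""}
	}
	for _, h := range r.handlers {
		for _, alpn := range alpns {
			if h.Match(info.SNI, alpn) {
				return h, true
			}
		}
	}
	return Handler{}, false
}

// NewExampleRouter builds a constructed routing table: kube by SNI prefix,
// postgres by exact protocol, mysql by prefix (the version follows the name),
// and a web fallback that also takes clients offering no ALPN at all.
func NewExampleRouter() *Router {
	r := &Router{}
	r.Add(Handler{Name: "kube", Match: MatchBySNIPrefix("kube-teleport-proxy-alpn.")})
	r.Add(Handler{Name: "postgres", Match: MatchByProtocol("teleport-postgres")})
	r.Add(Handler{Name: "mysql", Match: MatchByALPNPrefix("teleport-mysql")})
	r.Add(Handler{Name: "web", Match: MatchByProtocol("http/1.1", "h2", "")})
	return r
}

func main() {
	h, ok := NewExampleRouter().Route(ConnectionInfo{SNI: "proxy.example", ALPN: []string{"teleport-postgres-ping"}})
	fmt.Println(h.Name, ok)
}
```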