reversetunnel

package
v4.3.4-dev.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 12, 2020 License: Apache-2.0 Imports: 29 Imported by: 152

Documentation

Overview

Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.

Package reversetunnel provides interfaces for accessing remote clusters

via reverse tunnels and directly.

Reverse Tunnels

Proxy server                      Proxy agent
               Reverse tunnel
+----------+                      +---------+
|          <----------------------+         |
|          |                      |         |

+-----+----------+ +---------+-----+ | | | | | | | | +----------------+ +---------------+

Proxy Cluster "A"                      Proxy Cluster "B"

Reverse tunnel is established from a cluster "B" Proxy to the a cluster "A" proxy, and clients of the cluster "A" can access servers of the cluster "B" via reverse tunnel connection, even if the cluster "B" is behind the firewall.

Multiple Proxies and Revese Tunnels

With multiple proxies behind the load balancer, proxy agents will eventually discover and establish connections to all proxies in cluster.

* Initially Proxy Agent connects to Proxy 1. * Proxy 1 starts sending information about all available proxies to the the Proxy Agent . This process is called "sending discovery request".

+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+

Proxy 1           +-------------------------------+          |
                        |           |             |          |
                        +-----------+             +----------+
                         Load Balancer             Proxy Agent

+----------+ | | | | +----------+

Proxy 2

* Agent will use the discovery request to establish new connections and check if it has connected and "discovered" all the proxies specified

in the discovery request.

* Assuming that load balancer uses fair load balancing algorithm, agent will eventually discover and connect back to all the proxies.

+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+

Proxy 1           +-------------------------------+          |
                  |     |           |             |          |
                  |     +-----------+             +----------+
                  |      Load Balancer             Proxy Agent

+----------+ | | <--------+ | | +----------+

Proxy 2

Index

Constants

View Source
const (
	// LocalNode is a special non-resolvable address that indicates the request
	// wants to connect to a dialed back node.
	LocalNode = "@local-node"
	// RemoteAuthServer is a special non-resolvable address that indicates client
	// requests a connection to the remote auth server.
	RemoteAuthServer = "@remote-auth-server"
	// RemoteKubeProxy is a special non-resolvable address that indicates that clients
	// requests a connection to the remote kubernetes proxy.
	// This has to be a valid domain name, so it lacks @
	RemoteKubeProxy = "remote.kube.proxy.teleport.cluster.local"
)
View Source
const ConnectedEvent = "connected"

ConnectedEvent is used to indicate that reverse tunnel has connected

Variables

This section is empty.

Functions

func NewHostCertificateCache

func NewHostCertificateCache(keygen sshca.Authority, authClient auth.ClientI) (*certificateCache, error)

NewHostCertificateCache creates a shared host certificate cache that is used by the forwarding server.

Types

type Agent

type Agent struct {
	sync.RWMutex
	*log.Entry
	AgentConfig
	// contains filtered or unexported fields
}

Agent is a reverse tunnel agent running as a part of teleport Proxies to establish outbound reverse tunnels to remote proxies.

There are two operation modes for agents: * Standard agent attempts to establish connection to any available proxy. Standard agent transitions between "connecting" -> "connected states. * Discovering agent attempts to establish connection to a subset of remote proxies (specified in the config via DiscoverProxies parameter.) Discovering agent transitions between "discovering" -> "discovered" states.

func NewAgent

func NewAgent(cfg AgentConfig) (*Agent, error)

NewAgent returns a new reverse tunnel agent

func (*Agent) Close added in v1.0.0

func (a *Agent) Close() error

Close signals to close all connections and operations

func (*Agent) Start

func (a *Agent) Start()

Start starts agent that attempts to connect to remote server

func (*Agent) String

func (a *Agent) String() string

func (*Agent) Wait

func (a *Agent) Wait() error

Wait waits until all outstanding operations are completed

type AgentConfig

type AgentConfig struct {
	// Addr is target address to dial
	Addr utils.NetAddr
	// ClusterName is the name of the cluster the tunnel is connected to. When the
	// agent is running in a proxy, it's the name of the remote cluster, when the
	// agent is running in a node, it's the name of the local cluster.
	ClusterName string
	// Signers contains authentication signers
	Signers []ssh.Signer
	// Client is a client to the local auth servers
	Client auth.ClientI
	// AccessPoint is a caching access point to the local auth servers
	AccessPoint auth.AccessPoint
	// Context is a parent context
	Context context.Context
	// DiscoveryC is a channel that receives discovery requests
	// from reverse tunnel server
	DiscoveryC chan *discoveryRequest
	// Username is the name of this client used to authenticate on SSH
	Username string
	// Clock is a clock passed in tests, if not set wall clock
	// will be used
	Clock clockwork.Clock
	// EventsC is an optional events channel, used for testing purposes
	EventsC chan string
	// KubeDialAddr is a dial address for kubernetes proxy
	KubeDialAddr utils.NetAddr
	// Server is a SSH server that can handle a connection (perform a handshake
	// then process). Only set with the agent is running within a node.
	Server ServerHandler
	// ReverseTunnelServer holds all reverse tunnel connections.
	ReverseTunnelServer Server
	// LocalClusterName is the name of the cluster this agent is running in.
	LocalClusterName string
	// Tracker tracks proxy
	Tracker *track.Tracker
	// Lease manages gossip and exclusive claims.  Lease may be nil
	// when used in the context of tests.
	Lease track.Lease
}

AgentConfig holds configuration for agent

func (*AgentConfig) CheckAndSetDefaults

func (a *AgentConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values

type AgentPool added in v1.0.0

type AgentPool struct {
	sync.Mutex
	*log.Entry
	// contains filtered or unexported fields
}

AgentPool manages the pool of outbound reverse tunnel agents. The agent pool watches the reverse tunnel entries created by the admin and connects/disconnects to added/deleted tunnels.

func NewAgentPool added in v1.0.0

func NewAgentPool(cfg AgentPoolConfig) (*AgentPool, error)

NewAgentPool returns new isntance of the agent pool

func (*AgentPool) Counts

func (m *AgentPool) Counts() map[string]int

Counts returns a count of the number of proxies a outbound tunnel is connected to. Used in tests to determine if a proxy has been found and/or removed.

func (*AgentPool) FetchAndSyncAgents added in v1.0.0

func (m *AgentPool) FetchAndSyncAgents() error

FetchAndSyncAgents executes one time fetch and sync request (used in tests instead of polling)

func (*AgentPool) Start added in v1.0.0

func (m *AgentPool) Start() error

Start starts the agent pool

func (*AgentPool) Stop added in v1.0.0

func (m *AgentPool) Stop()

Stop stops the agent pool

func (*AgentPool) Wait added in v1.0.0

func (m *AgentPool) Wait()

Wait returns when agent pool is closed

type AgentPoolConfig added in v1.0.0

type AgentPoolConfig struct {
	// Client is client to the auth server this agent connects to receive
	// a list of pools
	Client auth.ClientI
	// AccessPoint is a lightweight access point
	// that can optionally cache some values
	AccessPoint auth.AccessPoint
	// HostSigners is a list of host signers this agent presents itself as
	HostSigners []ssh.Signer
	// HostUUID is a unique ID of this host
	HostUUID string
	// Context is an optional context
	Context context.Context
	// Cluster is a cluster name
	Cluster string
	// Clock is a clock used to get time, if not set,
	// system clock is used
	Clock clockwork.Clock
	// KubeDialAddr is an address of a kubernetes proxy
	KubeDialAddr utils.NetAddr
	// Server is a SSH server that can handle a connection (perform a handshake
	// then process). Only set with the agent is running within a node.
	Server ServerHandler
	// Component is the Teleport component this agent pool is running in. It can
	// either be proxy (trusted clusters) or node (dial back).
	Component string
	// ReverseTunnelServer holds all reverse tunnel connections.
	ReverseTunnelServer Server
	// ProxyAddr if set, points to the address of the ssh proxy
	ProxyAddr string
}

AgentPoolConfig holds configuration parameters for the agent pool

func (*AgentPoolConfig) CheckAndSetDefaults

func (cfg *AgentPoolConfig) CheckAndSetDefaults() error

CheckAndSetDefaults checks and sets defaults

type Config

type Config struct {
	// ID is the ID of this server proxy
	ID string
	// ClusterName is a name of this cluster
	ClusterName string
	// ClientTLS is a TLS config associated with this proxy
	// used to connect to remote auth servers on remote clusters
	ClientTLS *tls.Config
	// Listener is a listener address for reverse tunnel server
	Listener net.Listener
	// HostSigners is a list of host signers
	HostSigners []ssh.Signer
	// HostKeyCallback
	// Limiter is optional request limiter
	Limiter *limiter.Limiter
	// LocalAuthClient provides access to a full AuthClient for the local cluster.
	LocalAuthClient auth.ClientI
	// AccessPoint provides access to a subset of AuthClient of the cluster.
	// AccessPoint caches values and can still return results during connection
	// problems.
	LocalAccessPoint auth.AccessPoint
	// NewCachingAccessPoint returns new caching access points
	// per remote cluster
	NewCachingAccessPoint auth.NewCachingAccessPoint
	// DirectClusters is a list of clusters accessed directly
	DirectClusters []DirectCluster
	// Context is a signalling context
	Context context.Context
	// Clock is a clock used in the server, set up to
	// wall clock if not set
	Clock clockwork.Clock

	// KeyGen is a process wide key generator. It is shared to speed up
	// generation of public/private keypairs.
	KeyGen sshca.Authority

	// Ciphers is a list of ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string

	// MACAlgorithms is a list of message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// DataDir is a local server data directory
	DataDir string

	// PollingPeriod specifies polling period for internal sync
	// goroutines, used to speed up sync-ups in tests.
	PollingPeriod time.Duration

	// Component is a component used in logs
	Component string

	// FIPS means Teleport was started in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool
}

Config is a reverse tunnel server configuration

func (*Config) CheckAndSetDefaults

func (cfg *Config) CheckAndSetDefaults() error

CheckAndSetDefaults checks parameters and sets default values

type DialParams

type DialParams struct {
	// From is the source address.
	From net.Addr

	// To is the destination address.
	To net.Addr

	// GetUserAgent gets an SSH agent for use in connecting to the remote host. Used by the
	// forwarding proxy.
	GetUserAgent teleagent.Getter

	// Address is used by the forwarding proxy to generate a host certificate for
	// the target node. This is needed because while dialing occurs via IP
	// address, tsh thinks it's connecting via DNS name and that's how it
	// validates the host certificate.
	Address string

	// Principals are additional principals that need to be added to the host
	// certificate. Used by the recording proxy to correctly generate a host
	// certificate.
	Principals []string

	// ServerID the hostUUID.clusterName of a Teleport node. Used with nodes
	// that are connected over a reverse tunnel.
	ServerID string
}

DialParams is a list of parameters used to Dial to a node within a cluster.

func (DialParams) String

func (params DialParams) String() string

type DirectCluster

type DirectCluster struct {
	// Name is a cluster name
	Name string
	// Client is a client to the cluster
	Client auth.ClientI
}

DirectCluster is used to access cluster directly

type Proxies

type Proxies []services.Server

Proxies is a list of proxies to discover

func (Proxies) Equal

func (proxies Proxies) Equal(other []services.Server) bool

Equal compares two lists of proxies as sets

func (Proxies) String

func (proxies Proxies) String() string

String returns text representation of the proxies

type RemoteSite

type RemoteSite interface {
	// DialAuthServer returns a net.Conn to the Auth Server of a site.
	DialAuthServer() (net.Conn, error)
	// Dial dials any address within the site network, in terminating
	// mode it uses local instance of forwarding server to terminate
	// and record the connection
	Dial(DialParams) (net.Conn, error)
	// DialTCP dials any address within the site network,
	// ignores recording mode and always uses TCP dial, used
	// in components that need direct dialer.
	DialTCP(DialParams) (net.Conn, error)
	// GetLastConnected returns last time the remote site was seen connected
	GetLastConnected() time.Time
	// GetName returns site name (identified by authority domain's name)
	GetName() string
	// GetStatus returns status of this site (either offline or connected)
	GetStatus() string
	// GetClient returns client connected to remote auth server
	GetClient() (auth.ClientI, error)
	// CachingAccessPoint returns access point that is lightweight
	// but is resilient to auth server crashes
	CachingAccessPoint() (auth.AccessPoint, error)
	// GetTunnelsCount returns the amount of active inbound tunnels
	// from the remote cluster
	GetTunnelsCount() int
	// IsClosed reports whether this RemoteSite has been closed and should no
	// longer be used.
	IsClosed() bool
}

RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy

There are two implementations of this interface: local and remote sites.

type Server

type Server interface {
	// GetSites returns a list of connected remote sites
	GetSites() []RemoteSite
	// GetSite returns remote site this node belongs to
	GetSite(domainName string) (RemoteSite, error)
	// RemoveSite removes the site with the specified name from the list of connected sites
	RemoveSite(domainName string) error
	// Start starts server
	Start() error
	// Close closes server's operations immediately
	Close() error
	// Shutdown performs graceful server shutdown
	Shutdown(context.Context) error
	// Wait waits for server to close all outstanding operations
	Wait()
}

Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.

func NewServer

func NewServer(cfg Config) (Server, error)

NewServer creates and returns a reverse tunnel server which is fully initialized but hasn't been started yet

type ServerHandler

type ServerHandler interface {
	// HandleConnection performs a handshake then process the connection.
	HandleConnection(conn net.Conn)
}

ServerHandler implements an interface which can handle a connection (perform a handshake then process). This is needed because importing lib/srv in lib/reversetunnel causes a circular import.

type TunnelAuthDialer

type TunnelAuthDialer struct {
	// ProxyAddr is the address of the proxy
	ProxyAddr string
	// ClientConfig is SSH tunnel client config
	ClientConfig *ssh.ClientConfig
}

TunnelAuthDialer connects to the Auth Server through the reverse tunnel.

func (*TunnelAuthDialer) DialContext

func (t *TunnelAuthDialer) DialContext(ctx context.Context, network string, addr string) (net.Conn, error)

DialContext dials auth server via SSH tunnel

Directories

Path Synopsis
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity.
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL