Documentation ¶
Overview ¶
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
Package reversetunnel provides interfaces for accessing remote clusters
via reverse tunnels and directly.
Reverse Tunnels
Proxy server Proxy agent Reverse tunnel +----------+ +---------+ | <----------------------+ | | | | |
+-----+----------+ +---------+-----+ | | | | | | | | +----------------+ +---------------+
Proxy Cluster "A" Proxy Cluster "B"
Reverse tunnel is established from a cluster "B" Proxy to the a cluster "A" proxy, and clients of the cluster "A" can access servers of the cluster "B" via reverse tunnel connection, even if the cluster "B" is behind the firewall.
Multiple Proxies and Revese Tunnels ¶
With multiple proxies behind the load balancer, proxy agents will eventually discover and establish connections to all proxies in cluster.
* Initially Proxy Agent connects to Proxy 1. * Proxy 1 starts sending information about all available proxies to the the Proxy Agent . This process is called "sending discovery request".
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ | | | | | +-----------+ +----------+ Load Balancer Proxy Agent
+----------+ | | | | +----------+
Proxy 2
* Agent will use the discovery request to establish new connections and check if it has connected and "discovered" all the proxies specified
in the discovery request.
* Assuming that load balancer uses fair load balancing algorithm, agent will eventually discover and connect back to all the proxies.
+----------+ | <--------+ | | | +----------+ | +-----------+ +----------+
Proxy 1 +-------------------------------+ | | | | | | | +-----------+ +----------+ | Load Balancer Proxy Agent
+----------+ | | <--------+ | | +----------+
Proxy 2
Index ¶
- Constants
- func NewHostCertificateCache(keygen sshca.Authority, authClient auth.ClientI) (*certificateCache, error)
- type Agent
- type AgentConfig
- type AgentPool
- type AgentPoolConfig
- type Config
- type DialParams
- type DirectCluster
- type Proxies
- type RemoteSite
- type Server
- type ServerHandler
- type TunnelAuthDialer
Constants ¶
const ( // LocalNode is a special non-resolvable address that indicates the request // wants to connect to a dialed back node. LocalNode = "@local-node" // RemoteAuthServer is a special non-resolvable address that indicates client // requests a connection to the remote auth server. RemoteAuthServer = "@remote-auth-server" // RemoteKubeProxy is a special non-resolvable address that indicates that clients // requests a connection to the remote kubernetes proxy. // This has to be a valid domain name, so it lacks @ RemoteKubeProxy = "remote.kube.proxy.teleport.cluster.local" )
const ConnectedEvent = "connected"
ConnectedEvent is used to indicate that reverse tunnel has connected
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Agent ¶
type Agent struct { sync.RWMutex *log.Entry AgentConfig // contains filtered or unexported fields }
Agent is a reverse tunnel agent running as a part of teleport Proxies to establish outbound reverse tunnels to remote proxies.
There are two operation modes for agents: * Standard agent attempts to establish connection to any available proxy. Standard agent transitions between "connecting" -> "connected states. * Discovering agent attempts to establish connection to a subset of remote proxies (specified in the config via DiscoverProxies parameter.) Discovering agent transitions between "discovering" -> "discovered" states.
func NewAgent ¶
func NewAgent(cfg AgentConfig) (*Agent, error)
NewAgent returns a new reverse tunnel agent
type AgentConfig ¶
type AgentConfig struct { // Addr is target address to dial Addr utils.NetAddr // ClusterName is the name of the cluster the tunnel is connected to. When the // agent is running in a proxy, it's the name of the remote cluster, when the // agent is running in a node, it's the name of the local cluster. ClusterName string // Signers contains authentication signers Signers []ssh.Signer // Client is a client to the local auth servers Client auth.ClientI // AccessPoint is a caching access point to the local auth servers AccessPoint auth.AccessPoint // Context is a parent context Context context.Context // DiscoveryC is a channel that receives discovery requests // from reverse tunnel server DiscoveryC chan *discoveryRequest // Username is the name of this client used to authenticate on SSH Username string // Clock is a clock passed in tests, if not set wall clock // will be used Clock clockwork.Clock // EventsC is an optional events channel, used for testing purposes EventsC chan string // KubeDialAddr is a dial address for kubernetes proxy KubeDialAddr utils.NetAddr // Server is a SSH server that can handle a connection (perform a handshake // then process). Only set with the agent is running within a node. Server ServerHandler // ReverseTunnelServer holds all reverse tunnel connections. ReverseTunnelServer Server // LocalClusterName is the name of the cluster this agent is running in. LocalClusterName string // Tracker tracks proxy Tracker *track.Tracker // Lease manages gossip and exclusive claims. Lease may be nil // when used in the context of tests. Lease track.Lease }
AgentConfig holds configuration for agent
func (*AgentConfig) CheckAndSetDefaults ¶
func (a *AgentConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks parameters and sets default values
type AgentPool ¶ added in v1.0.0
AgentPool manages the pool of outbound reverse tunnel agents. The agent pool watches the reverse tunnel entries created by the admin and connects/disconnects to added/deleted tunnels.
func NewAgentPool ¶ added in v1.0.0
func NewAgentPool(cfg AgentPoolConfig) (*AgentPool, error)
NewAgentPool returns new isntance of the agent pool
func (*AgentPool) Counts ¶
Counts returns a count of the number of proxies a outbound tunnel is connected to. Used in tests to determine if a proxy has been found and/or removed.
func (*AgentPool) FetchAndSyncAgents ¶ added in v1.0.0
FetchAndSyncAgents executes one time fetch and sync request (used in tests instead of polling)
type AgentPoolConfig ¶ added in v1.0.0
type AgentPoolConfig struct { // Client is client to the auth server this agent connects to receive // a list of pools Client auth.ClientI // AccessPoint is a lightweight access point // that can optionally cache some values AccessPoint auth.AccessPoint // HostSigners is a list of host signers this agent presents itself as HostSigners []ssh.Signer // HostUUID is a unique ID of this host HostUUID string // Context is an optional context Context context.Context // Cluster is a cluster name Cluster string // Clock is a clock used to get time, if not set, // system clock is used Clock clockwork.Clock // KubeDialAddr is an address of a kubernetes proxy KubeDialAddr utils.NetAddr // Server is a SSH server that can handle a connection (perform a handshake // then process). Only set with the agent is running within a node. Server ServerHandler // Component is the Teleport component this agent pool is running in. It can // either be proxy (trusted clusters) or node (dial back). Component string // ReverseTunnelServer holds all reverse tunnel connections. ReverseTunnelServer Server // ProxyAddr if set, points to the address of the ssh proxy ProxyAddr string }
AgentPoolConfig holds configuration parameters for the agent pool
func (*AgentPoolConfig) CheckAndSetDefaults ¶
func (cfg *AgentPoolConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets defaults
type Config ¶
type Config struct { // ID is the ID of this server proxy ID string // ClusterName is a name of this cluster ClusterName string // ClientTLS is a TLS config associated with this proxy // used to connect to remote auth servers on remote clusters ClientTLS *tls.Config // Listener is a listener address for reverse tunnel server Listener net.Listener // HostSigners is a list of host signers HostSigners []ssh.Signer // HostKeyCallback // Limiter is optional request limiter Limiter *limiter.Limiter // LocalAuthClient provides access to a full AuthClient for the local cluster. LocalAuthClient auth.ClientI // AccessPoint provides access to a subset of AuthClient of the cluster. // AccessPoint caches values and can still return results during connection // problems. LocalAccessPoint auth.AccessPoint // NewCachingAccessPoint returns new caching access points // per remote cluster NewCachingAccessPoint auth.NewCachingAccessPoint // DirectClusters is a list of clusters accessed directly DirectClusters []DirectCluster // Context is a signalling context Context context.Context // Clock is a clock used in the server, set up to // wall clock if not set Clock clockwork.Clock // KeyGen is a process wide key generator. It is shared to speed up // generation of public/private keypairs. KeyGen sshca.Authority // Ciphers is a list of ciphers that the server supports. If omitted, // the defaults will be used. Ciphers []string // KEXAlgorithms is a list of key exchange (KEX) algorithms that the // server supports. If omitted, the defaults will be used. KEXAlgorithms []string // MACAlgorithms is a list of message authentication codes (MAC) that // the server supports. If omitted the defaults will be used. MACAlgorithms []string // DataDir is a local server data directory DataDir string // PollingPeriod specifies polling period for internal sync // goroutines, used to speed up sync-ups in tests. PollingPeriod time.Duration // Component is a component used in logs Component string // FIPS means Teleport was started in a FedRAMP/FIPS 140-2 compliant // configuration. FIPS bool }
Config is a reverse tunnel server configuration
func (*Config) CheckAndSetDefaults ¶
CheckAndSetDefaults checks parameters and sets default values
type DialParams ¶
type DialParams struct { // From is the source address. From net.Addr // To is the destination address. To net.Addr // UserAgent is SSH agent used to connect to the remote host. Used by the // forwarding proxy. UserAgent agent.Agent // Address is used by the forwarding proxy to generate a host certificate for // the target node. This is needed because while dialing occurs via IP // address, tsh thinks it's connecting via DNS name and that's how it // validates the host certificate. Address string // Principals are additional principals that need to be added to the host // certificate. Used by the recording proxy to correctly generate a host // certificate. Principals []string // ServerID the hostUUID.clusterName of a Teleport node. Used with nodes // that are connected over a reverse tunnel. ServerID string }
DialParams is a list of parameters used to Dial to a node within a cluster.
func (DialParams) String ¶
func (params DialParams) String() string
type DirectCluster ¶
type DirectCluster struct { // Name is a cluster name Name string // Client is a client to the cluster Client auth.ClientI }
DirectCluster is used to access cluster directly
type Proxies ¶
Proxies is a list of proxies to discover
type RemoteSite ¶
type RemoteSite interface { // DialAuthServer returns a net.Conn to the Auth Server of a site. DialAuthServer() (net.Conn, error) // Dial dials any address within the site network, in terminating // mode it uses local instance of forwarding server to terminate // and record the connection Dial(DialParams) (net.Conn, error) // DialTCP dials any address within the site network, // ignores recording mode and always uses TCP dial, used // in components that need direct dialer. DialTCP(DialParams) (net.Conn, error) // GetLastConnected returns last time the remote site was seen connected GetLastConnected() time.Time // GetName returns site name (identified by authority domain's name) GetName() string // GetStatus returns status of this site (either offline or connected) GetStatus() string // GetClient returns client connected to remote auth server GetClient() (auth.ClientI, error) // CachingAccessPoint returns access point that is lightweight // but is resilient to auth server crashes CachingAccessPoint() (auth.AccessPoint, error) // GetTunnelsCount returns the amount of active inbound tunnels // from the remote cluster GetTunnelsCount() int // IsClosed reports whether this RemoteSite has been closed and should no // longer be used. IsClosed() bool }
RemoteSite represents remote teleport site that can be accessed via teleport tunnel or directly by proxy
There are two implementations of this interface: local and remote sites.
type Server ¶
type Server interface { // GetSites returns a list of connected remote sites GetSites() []RemoteSite // GetSite returns remote site this node belongs to GetSite(domainName string) (RemoteSite, error) // RemoveSite removes the site with the specified name from the list of connected sites RemoveSite(domainName string) error // Start starts server Start() error // Close closes server's operations immediately Close() error // Shutdown performs graceful server shutdown Shutdown(context.Context) error // Wait waits for server to close all outstanding operations Wait() }
Server is a TCP/IP SSH server which listens on an SSH endpoint and remote/local sites connect and register with it.
type ServerHandler ¶
type ServerHandler interface { // HandleConnection performs a handshake then process the connection. HandleConnection(conn net.Conn) }
ServerHandler implements an interface which can handle a connection (perform a handshake then process). This is needed because importing lib/srv in lib/reversetunnel causes a circular import.
type TunnelAuthDialer ¶
type TunnelAuthDialer struct { // ProxyAddr is the address of the proxy ProxyAddr string // ClientConfig is SSH tunnel client config ClientConfig *ssh.ClientConfig }
TunnelAuthDialer connects to the Auth Server through the reverse tunnel.
func (*TunnelAuthDialer) DialContext ¶
func (t *TunnelAuthDialer) DialContext(ctx context.Context, network string, addr string) (net.Conn, error)
DialContext dials auth server via SSH tunnel
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity.
|
Package track provides a simple interface for tracking known proxies by endpoint/name and correctly handling expiration and exclusivity. |