Functions ¶
func CheckCertSubject ¶
func CheckCertSubject(cert *x509.Certificate, dbRoute tlsca.RouteToDatabase) error
CheckCertSubject checks that the database route embedded in the cert matches the provided route in terms of username and database name (if present).
func IsALPNConnUpgradeRequired ¶
IsALPNConnUpgradeRequired returns true if a tunnel through an HTTP connection upgrade is required for ALPN connections.
The function makes a test connection to the Proxy Service and checks if the ALPN is supported. If not, the Proxy Service is likely behind an AWS ALB or some custom proxy services that strip out ALPN and SNI information on the way to our Proxy Service.
In those cases, the Teleport client should make an HTTP "upgrade" call to the Proxy Service to establish a tunnel for the originally planned traffic, so that the ALPN and SNI information is preserved.
func IsConnectRequest ¶
IsConnectRequest returns true if the request is an HTTP CONNECT tunnel request.
func MatchAWSRequests ¶
MatchAWSRequests is a MatchFunc that returns true if the request is an AWS API request.
func MatchAllRequests ¶
MatchAllRequests is a MatchFunc that returns true for all requests.
func MatchAzureRequests ¶
MatchAzureRequests is a MatchFunc that returns true if the request is an Azure API request.
Types ¶
type ALPNDialer ¶
type ALPNDialer struct {
// contains filtered or unexported fields
}
ALPNDialer is a ContextDialer that dials a connection to the Proxy Service with ALPN and SNI configured in the provided TLSConfig. An ALPN connection upgrade is also performed at the initial connection, if an upgrade is required.
func (ALPNDialer) DialContext ¶
DialContext implements ContextDialer.
type ALPNDialerConfig ¶
// ALPNDialerConfig is the config for ALPNDialer.
type ALPNDialerConfig struct {
	// KeepAlivePeriod defines the period between keep-alives.
	KeepAlivePeriod time.Duration
	// DialTimeout defines how long to attempt dialing before timing out.
	DialTimeout time.Duration
	// TLSConfig is the TLS config used for the TLS connection. The SNI and
	// ALPN values presented to the Proxy Service come from this config.
	TLSConfig *tls.Config
	// ALPNConnUpgradeRequired specifies if an ALPN connection upgrade is
	// required (see IsALPNConnUpgradeRequired).
	ALPNConnUpgradeRequired bool
}
ALPNDialerConfig is the config for ALPNDialer.
type AWSAccessMiddleware ¶
// AWSAccessMiddleware verifies that requests to the AWS proxy are properly signed.
type AWSAccessMiddleware struct {
	// AWSCredentials are the AWS credentials used by LocalProxy to verify the
	// signature of each incoming request.
	AWSCredentials *credentials.Credentials
	// Log is the logger.
	Log logrus.FieldLogger
}
AWSAccessMiddleware verifies the requests to AWS proxy are properly signed.
func (*AWSAccessMiddleware) CheckAndSetDefaults ¶
func (m *AWSAccessMiddleware) CheckAndSetDefaults() error
func (*AWSAccessMiddleware) HandleRequest ¶
func (m *AWSAccessMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
type AzureMSIMiddleware ¶
// AzureMSIMiddleware implements a simplified version of an MSI server that
// serves auth tokens.
type AzureMSIMiddleware struct {
	// Identity is the Azure identity to be served by the server. Only a
	// single identity will be provided.
	Identity string
	// TenantID to be returned in a claim. Doesn't have to match the actual
	// TenantID as recognized by Azure.
	TenantID string
	// ClientID to be returned in a claim.
	ClientID string
	// Key is the key used to sign the JWT.
	Key crypto.Signer
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// Log is the Logger.
	Log logrus.FieldLogger
	// Secret is the secret that must be provided by the client.
	Secret string
}
AzureMSIMiddleware implements a simplified version of MSI server serving auth tokens.
func (*AzureMSIMiddleware) CheckAndSetDefaults ¶
func (m *AzureMSIMiddleware) CheckAndSetDefaults() error
func (*AzureMSIMiddleware) HandleRequest ¶
func (m *AzureMSIMiddleware) HandleRequest(rw http.ResponseWriter, req *http.Request) bool
type CertGenListener ¶
CertGenListener is an HTTPS listener that generates TLS certificates based on the SNI presented during the HTTPS handshake.
func NewCertGenListener ¶
func NewCertGenListener(config CertGenListenerConfig) (*CertGenListener, error)
NewCertGenListener creates a new CertGenListener and listens to the configured listen address.
func (*CertGenListener) GetCertificate ¶
func (r *CertGenListener) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate generates and returns TLS certificate for incoming connection. Implements tls.Config.GetCertificate.
type CertGenListenerConfig ¶
// CertGenListenerConfig is the config for CertGenListener.
type CertGenListenerConfig struct {
	// ListenAddr is the network address to listen on.
	ListenAddr string
	// CA is the certificate authority used to sign the certificates generated
	// per SNI; clients of the listener are expected to trust it.
	CA tls.Certificate
}
CertGenListenerConfig is the config for CertGenListener.
func (*CertGenListenerConfig) CheckAndSetDefaults ¶
func (c *CertGenListenerConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
type ConnectRequestHandler ¶
// ConnectRequestHandler defines a handler for handling CONNECT requests.
type ConnectRequestHandler interface {
	// Match returns true if this handler wants to handle the provided request.
	Match(req *http.Request) bool
	// Handle handles the request with the provided client connection.
	Handle(ctx context.Context, clientConn net.Conn, req *http.Request)
}
ConnectRequestHandler defines handler for handling CONNECT requests.
type ConnectionHandler ¶
ConnectionHandler defines a function for serving incoming connections.
type ConnectionHandlerWrapper ¶
type ConnectionHandlerWrapper struct {
// contains filtered or unexported fields
}
ConnectionHandlerWrapper is a wrapper of ConnectionHandler. This wrapper is mainly used as a placeholder to resolve circular dependencies.
func (*ConnectionHandlerWrapper) HandleConnection ¶
HandleConnection implements ConnectionHandler.
func (*ConnectionHandlerWrapper) Set ¶
func (w *ConnectionHandlerWrapper) Set(h ConnectionHandler)
Set updates inner ConnectionHandler to use.
type ConnectionInfo ¶
// ConnectionInfo contains details about a TLS connection, taken from the
// client hello message.
type ConnectionInfo struct {
	// SNI is the ServerName value obtained from the TLS hello message.
	SNI string
	// ALPN is the list of ALPN protocols obtained from the TLS hello message.
	ALPN []string
}
ConnectionInfo contains details about TLS connection.
type ContextDialer ¶
// ContextDialer represents a network dialer interface that uses a context.
type ContextDialer interface {
	// DialContext dials the specified address on the given network, honoring
	// cancellation of ctx.
	DialContext(ctx context.Context, network, addr string) (net.Conn, error)
}
ContextDialer represents a network dialer interface that uses a context.
func NewALPNDialer ¶
func NewALPNDialer(cfg ALPNDialerConfig) ContextDialer
NewALPNDialer creates a new ALPNDialer.
type ForwardProxy ¶
type ForwardProxy struct {
// contains filtered or unexported fields
}
ForwardProxy is a forward proxy that serves CONNECT tunnel requests.
func NewForwardProxy ¶
func NewForwardProxy(cfg ForwardProxyConfig) (*ForwardProxy, error)
NewForwardProxy creates a new forward proxy server.
func (*ForwardProxy) GetAddr ¶
func (p *ForwardProxy) GetAddr() string
GetAddr returns the listener address.
func (*ForwardProxy) ServeHTTP ¶
func (p *ForwardProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)
ServeHTTP serves HTTP requests. Implements http.Handler.
func (*ForwardProxy) Start ¶
func (p *ForwardProxy) Start() error
Start starts serving on the listener.
type ForwardProxyConfig ¶
// ForwardProxyConfig is the config for the forward proxy server.
type ForwardProxyConfig struct {
	// Listener is the network listener.
	Listener net.Listener
	// CloseContext is the close context.
	CloseContext context.Context
	// Handlers is a list of CONNECT request handlers.
	Handlers []ConnectRequestHandler
}
ForwardProxyConfig is the config for forward proxy server.
func (*ForwardProxyConfig) CheckAndSetDefaults ¶
func (c *ForwardProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default config values.
type ForwardToHostHandler ¶
type ForwardToHostHandler struct {
// contains filtered or unexported fields
}
ForwardToHostHandler is a CONNECT request handler that forwards requests to designated host.
func NewForwardToHostHandler ¶
func NewForwardToHostHandler(cfg ForwardToHostHandlerConfig) *ForwardToHostHandler
NewForwardToHostHandler creates a new ForwardToHostHandler.
func NewForwardToOriginalHostHandler ¶
func NewForwardToOriginalHostHandler() *ForwardToHostHandler
NewForwardToOriginalHostHandler creates a new CONNECT request handler that forwards all requests to their original hosts.
type ForwardToHostHandlerConfig ¶
// ForwardToHostHandlerConfig is the config for ForwardToHostHandler.
type ForwardToHostHandlerConfig struct {
	// MatchFunc returns true if this handler wants to handle the provided request.
	MatchFunc func(req *http.Request) bool
	// Host is the destination to forward the request to. If empty, the request
	// is forwarded to its original host.
	Host string
}
ForwardToHostHandlerConfig is the config for ForwardToHostHandler.
func (*ForwardToHostHandlerConfig) SetDefaults ¶
func (c *ForwardToHostHandlerConfig) SetDefaults()
SetDefaults sets default config values.
type ForwardToSystemProxyHandler ¶
type ForwardToSystemProxyHandler struct {
// contains filtered or unexported fields
}
ForwardToSystemProxyHandler is a CONNECT request handler that forwards requests to existing system or corporate forward proxies where our server is run.
Here "system" is used to differentiate the forward proxy users have outside Teleport from our own forward proxy server. The purpose of this handler is to honor "system" proxy settings so the requests are forwarded to "system" proxies as intended instead of going to their original hosts.
func NewForwardToSystemProxyHandler ¶
func NewForwardToSystemProxyHandler(cfg ForwardToSystemProxyHandlerConfig) *ForwardToSystemProxyHandler
NewForwardToSystemProxyHandler creates a new ForwardToSystemProxyHandler.
type ForwardToSystemProxyHandlerConfig ¶
// ForwardToSystemProxyHandlerConfig is the config for ForwardToSystemProxyHandler.
type ForwardToSystemProxyHandlerConfig struct {
	// TunnelProtocol is the protocol of the requests being tunneled.
	TunnelProtocol string
	// InsecureSystemProxy allows an insecure system proxy when forwarding
	// unwanted requests.
	InsecureSystemProxy bool
	// SystemProxyFunc is the function that determines the system proxy URL to
	// use for the provided request URL.
	SystemProxyFunc func(reqURL *url.URL) (*url.URL, error)
}
ForwardToSystemProxyHandlerConfig is the config for ForwardToSystemProxyHandler.
func (*ForwardToSystemProxyHandlerConfig) SetDefaults ¶
func (c *ForwardToSystemProxyHandlerConfig) SetDefaults()
SetDefaults sets default config values.
type HandlerDecs ¶
// HandlerDecs describes the handler for particular protocols.
type HandlerDecs struct {
	// Handler is the protocol handling logic.
	Handler HandlerFunc
	// HandlerWithConnInfo is a protocol handler function providing additional TLS insight.
	// Used in cases where the internal handler function must have access to hello message
	// values without terminating the TLS connection.
	HandlerWithConnInfo HandlerFuncWithInfo
	// ForwardTLS tells whether the ALPN proxy service should terminate TLS traffic or
	// delegate the TLS termination to the protocol handler (used in the Kube handler case).
	ForwardTLS bool
	// MatchFunc is a routing match function based on ALPN and SNI TLS values.
	// If it evaluates to true, the current HandlerDecs will be used for connection handling.
	MatchFunc MatchFunc
	// TLSConfig is a TLS configuration that allows switching TLS settings for the handler.
	// By default, the ProxyConfig.WebTLSConfig configuration is used to TLS-terminate the
	// incoming connection, but if HandlerDecs.TLSConfig is present it takes precedence over
	// the ProxyConfig TLS configuration.
	TLSConfig *tls.Config
}
HandlerDecs describes the handler for particular protocols.
func (*HandlerDecs) CheckAndSetDefaults ¶
func (h *HandlerDecs) CheckAndSetDefaults() error
type HandlerFunc ¶
HandlerFunc is a common function signature used to handle a downstream connection for a particular ALPN protocol.
type HandlerFuncWithInfo ¶
HandlerFuncWithInfo is protocol handler function providing additional TLS insight. Used in cases where internal handler function must have access to hello message values without terminating the TLS connection.
func ExtractMySQLEngineVersion ¶
func ExtractMySQLEngineVersion(fn func(ctx context.Context, conn net.Conn) error) HandlerFuncWithInfo
ExtractMySQLEngineVersion returns a pre-process function for MySQL connections that tries to extract MySQL server version from incoming connection.
type ListenerMuxWrapper ¶
// ListenerMuxWrapper wraps a net.Listener and multiplexes incoming connections
// from the wrapped service listener with connections injected by HandleConnection.
type ListenerMuxWrapper struct {
	// net.Listener is the main service listener that is being wrapped.
	net.Listener
	// contains filtered or unexported fields
}
ListenerMuxWrapper wraps a net.Listener and multiplexes incoming connections from serviceListener with connections injected by the HandleConnection handler.
func NewMuxListenerWrapper ¶
func NewMuxListenerWrapper(serviceListener, alpnListener net.Listener) *ListenerMuxWrapper
NewMuxListenerWrapper creates a new instance of ListenerMuxWrapper.
func (*ListenerMuxWrapper) Accept ¶
func (l *ListenerMuxWrapper) Accept() (net.Conn, error)
Accept waits for the next connection, either injected by HandleConnection or received from serviceListener, and returns it.
func (*ListenerMuxWrapper) Addr ¶
func (l *ListenerMuxWrapper) Addr() net.Addr
Addr returns the address of the listener. If both serviceListener and alpnListener were provided, the address obtained from alpnListener is returned.
func (*ListenerMuxWrapper) Close ¶
func (l *ListenerMuxWrapper) Close() error
Close the ListenerMuxWrapper.
func (*ListenerMuxWrapper) HandleConnection ¶
HandleConnection allows injecting connection to the listener.
type LocalProxy ¶
type LocalProxy struct {
// contains filtered or unexported fields
}
LocalProxy upgrades incoming connections to TLS with custom SNI and ALPN values set, and forwards the upgraded connection to the remote Teleport ALPN SNI proxy service.
func NewLocalProxy ¶
func NewLocalProxy(cfg LocalProxyConfig) (*LocalProxy, error)
NewLocalProxy creates a new instance of LocalProxy.
func (*LocalProxy) CheckDBCerts ¶
func (l *LocalProxy) CheckDBCerts(dbRoute tlsca.RouteToDatabase) error
CheckDBCerts checks the proxy certificates for expiration and that the cert subject matches a database route.
func (*LocalProxy) Close ¶
func (l *LocalProxy) Close() error
func (*LocalProxy) GetAddr ¶
func (l *LocalProxy) GetAddr() string
GetAddr returns the LocalProxy listener address.
func (*LocalProxy) SetCerts ¶
func (l *LocalProxy) SetCerts(certs []tls.Certificate)
SetCerts sets the local proxy's configured TLS certificates.
func (*LocalProxy) Start ¶
func (l *LocalProxy) Start(ctx context.Context) error
Start starts the LocalProxy.
func (*LocalProxy) StartHTTPAccessProxy ¶
func (l *LocalProxy) StartHTTPAccessProxy(ctx context.Context) error
StartHTTPAccessProxy starts the local HTTP access proxy.
type LocalProxyConfig ¶
// LocalProxyConfig is the configuration for LocalProxy.
type LocalProxyConfig struct {
	// RemoteProxyAddr is the downstream destination address of the remote ALPN proxy service.
	RemoteProxyAddr string
	// Protocols are the ALPN protocols set for the upstream TLS connection.
	Protocols []common.Protocol
	// InsecureSkipVerify turns off x509 verification of the upstream ALPN proxy
	// service certificate; intended for tests only.
	InsecureSkipVerify bool
	// Listener is the listener running on the local machine.
	Listener net.Listener
	// SNI is the ServerName value set for the upstream TLS connection.
	SNI string
	// ParentContext is a parent context, used to signal global closure.
	ParentContext context.Context
	// SSHUser is an SSH username.
	SSHUser string
	// SSHUserHost is the user host requested by the ssh subsystem.
	SSHUserHost string
	// SSHHostKeyCallback is the function type used for verifying server keys.
	SSHHostKeyCallback ssh.HostKeyCallback
	// SSHTrustedCluster allows selecting the trusted cluster ssh subsystem request.
	SSHTrustedCluster string
	// Certs are the client certificates used to connect to the remote Teleport Proxy.
	Certs []tls.Certificate
	// RootCAs overwrites the root CAs used in tls.Config if specified.
	RootCAs *x509.CertPool
	// ALPNConnUpgradeRequired specifies if an ALPN connection upgrade is required.
	ALPNConnUpgradeRequired bool
	// Middleware provides callback functions to the local proxy.
	Middleware LocalProxyMiddleware
	// HTTPMiddleware provides callback functions to the local proxy running in HTTP mode.
	HTTPMiddleware LocalProxyHTTPMiddleware
	// Clock is used to override time in tests.
	Clock clockwork.Clock
	// Log is the Logger.
	Log logrus.FieldLogger
}
LocalProxyConfig is configuration for LocalProxy.
func (*LocalProxyConfig) CheckAndSetDefaults ¶
func (cfg *LocalProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults verifies the constraints for LocalProxyConfig.
func (*LocalProxyConfig) GetProtocols ¶
func (cfg *LocalProxyConfig) GetProtocols() []string
type LocalProxyHTTPMiddleware ¶
// LocalProxyHTTPMiddleware provides callback functions for LocalProxy in HTTP proxy mode.
type LocalProxyHTTPMiddleware interface {
	// CheckAndSetDefaults checks configuration validity and sets defaults.
	CheckAndSetDefaults() error
	// HandleRequest returns true if the request has been handled and must not be
	// processed further, false otherwise.
	HandleRequest(rw http.ResponseWriter, req *http.Request) bool
}
LocalProxyHTTPMiddleware provides callback functions for LocalProxy in HTTP proxy mode.
type LocalProxyMiddleware ¶
// LocalProxyMiddleware provides callback functions for LocalProxy.
type LocalProxyMiddleware interface {
	// OnNewConnection is a callback triggered when a new downstream connection is
	// accepted by the local proxy. If an error is returned, the connection will be
	// closed by the local proxy.
	OnNewConnection(ctx context.Context, lp *LocalProxy, conn net.Conn) error
	// OnStart is a callback triggered when the local proxy starts.
	OnStart(ctx context.Context, lp *LocalProxy) error
}
LocalProxyMiddleware provides callback functions for LocalProxy.
type MatchFunc ¶
MatchFunc is a type of the match route functions.
func MatchByALPNPrefix ¶
MatchByALPNPrefix creates match function based on client TLS ALPN protocol prefix.
func MatchByProtocol ¶
MatchByProtocol creates match function based on client TLS ALPN protocol.
func MatchByProtocolWithPing ¶
MatchByProtocolWithPing creates a match function based on the client TLS ALPN protocol, also matching its ping protocol variations.
type PingConn ¶
PingConn wraps a *tls.Conn and adds ping capabilities to it, including the `WritePing` function and a `Read` that excludes ping packets.
When using this connection, every packet written is prefixed with its packet size. When reading, this prefix is taken into account but is not returned to the caller.
Ping messages have a packet size of zero and are produced only when `WritePing` is called. On `Read`, any Ping packet is discarded.
func NewPingConn ¶
NewPingConn returns a ping connection wrapping the provided net.Conn.
func (*PingConn) Read ¶
Read reads content from the underlying connection, discarding any ping messages it finds.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy is a server that routes downstream connections to a particular service based on their TLS SNI and ALPN values.
func (*Proxy) MakeConnectionHandler ¶
func (p *Proxy) MakeConnectionHandler(defaultOverride *tls.Config) ConnectionHandler
MakeConnectionHandler creates a ConnectionHandler which provides a callback to handle incoming connections by this ALPN proxy server.
type ProxyConfig ¶
// ProxyConfig is the configuration for an ALPN proxy server.
type ProxyConfig struct {
	// Listener is a listener to serve requests on.
	Listener net.Listener
	// WebTLSConfig specifies the TLS configuration used by the Proxy server.
	WebTLSConfig *tls.Config
	// Router contains the definition of protocol routing and handler descriptions.
	Router *Router
	// Log is used for logging.
	Log logrus.FieldLogger
	// Clock is a clock to override in tests, set to the real time clock by default.
	Clock clockwork.Clock
	// ReadDeadline is the connection read deadline during the TLS handshake (start
	// of the connection). It is set to defaults.HandshakeReadDeadline if
	// unspecified.
	ReadDeadline time.Duration
	// IdentityTLSConfig is the TLS ProxyRole identity used in servers with localhost SAN values.
	IdentityTLSConfig *tls.Config
	// AccessPoint is the auth server client.
	AccessPoint auth.ReadProxyAccessPoint
	// ClusterName is the name of the teleport cluster.
	ClusterName string
	// PingInterval defines the ping interval for ping-wrapped connections.
	PingInterval time.Duration
}
ProxyConfig is the configuration for an ALPN proxy server.
func (*ProxyConfig) CheckAndSetDefaults ¶
func (c *ProxyConfig) CheckAndSetDefaults() error
CheckAndSetDefaults checks and sets default values of ProxyConfig.
type Router ¶
type Router struct {
// contains filtered or unexported fields
}
Router contains information about protocol handlers and routing rules.
func (*Router) Add ¶
func (r *Router) Add(desc HandlerDecs)
Add registers the provided HandlerDecs with the router.
func (*Router) AddDBTLSHandler ¶
func (r *Router) AddDBTLSHandler(handler HandlerFunc)
AddDBTLSHandler adds the handler for DB TLS traffic.
func (*Router) AddKubeHandler ¶
func (r *Router) AddKubeHandler(handler HandlerFunc)
AddKubeHandler adds the handle for Kubernetes protocol (distinguishable by "kube." SNI prefix).
func (*Router) CheckAndSetDefaults ¶
CheckAndSetDefaults verifies the constraints for Router.