2022-03-27 05:52:53 -04:00
|
|
|
package headscale
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"github.com/rs/zerolog/log"
|
|
|
|
"golang.org/x/net/http2"
|
|
|
|
"golang.org/x/net/http2/h2c"
|
|
|
|
"tailscale.com/control/controlbase"
|
|
|
|
"tailscale.com/net/netutil"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
errWrongConnectionUpgrade = Error("wrong connection upgrade")
|
|
|
|
errCannotHijack = Error("cannot hijack connection")
|
2022-03-29 10:16:05 -04:00
|
|
|
errNoiseHandshakeFailed = Error("noise handshake failed")
|
2022-03-27 05:52:53 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// upgradeHeader is the value of the Upgrade HTTP header used to
|
|
|
|
// indicate the Tailscale control protocol.
|
|
|
|
upgradeHeaderValue = "tailscale-control-protocol"
|
|
|
|
|
|
|
|
// handshakeHeaderName is the HTTP request header that can
|
|
|
|
// optionally contain base64-encoded initial handshake
|
|
|
|
// payload, to save an RTT.
|
|
|
|
handshakeHeaderName = "X-Tailscale-Handshake"
|
|
|
|
)
|
|
|
|
|
|
|
|
// NoiseUpgradeHandler is to upgrade the connection and hijack the net.Conn
|
|
|
|
// in order to use the Noise-based TS2021 protocol. Listens in /ts2021
|
|
|
|
func (h *Headscale) NoiseUpgradeHandler(ctx *gin.Context) {
|
|
|
|
log.Trace().Caller().Msgf("Noise upgrade handler for client %s", ctx.ClientIP())
|
|
|
|
|
|
|
|
// Under normal circumpstances, we should be able to use the controlhttp.AcceptHTTP()
|
|
|
|
// function to do this - kindly left there by the Tailscale authors for us to use.
|
|
|
|
// (https://github.com/tailscale/tailscale/blob/main/control/controlhttp/server.go)
|
|
|
|
//
|
|
|
|
// However, Gin seems to be doing something funny/different with its writer (see AcceptHTTP code).
|
|
|
|
// This causes problems when the upgrade headers are sent in AcceptHTTP.
|
|
|
|
// So have getNoiseConnection() that is essentially an AcceptHTTP but using the native Gin methods.
|
|
|
|
noiseConn, err := h.getNoiseConnection(ctx)
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Err(err).Msg("noise upgrade failed")
|
|
|
|
ctx.AbortWithError(http.StatusInternalServerError, err)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
server := http.Server{}
|
2022-03-27 15:33:31 -04:00
|
|
|
server.Handler = h2c.NewHandler(h.noiseRouter, &http2.Server{})
|
2022-03-27 05:52:53 -04:00
|
|
|
server.Serve(netutil.NewOneConnListener(noiseConn, nil))
|
|
|
|
}
|
|
|
|
|
|
|
|
// getNoiseConnection is basically AcceptHTTP from tailscale, but more _alla_ Gin
|
|
|
|
// TODO(juan): Figure out why we need to do this at all.
|
|
|
|
func (h *Headscale) getNoiseConnection(ctx *gin.Context) (*controlbase.Conn, error) {
|
|
|
|
next := ctx.GetHeader("Upgrade")
|
|
|
|
if next == "" {
|
|
|
|
ctx.String(http.StatusBadRequest, "missing next protocol")
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errWrongConnectionUpgrade
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
if next != upgradeHeaderValue {
|
|
|
|
ctx.String(http.StatusBadRequest, "unknown next protocol")
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errWrongConnectionUpgrade
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
initB64 := ctx.GetHeader(handshakeHeaderName)
|
|
|
|
if initB64 == "" {
|
|
|
|
ctx.String(http.StatusBadRequest, "missing Tailscale handshake header")
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errWrongConnectionUpgrade
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
init, err := base64.StdEncoding.DecodeString(initB64)
|
|
|
|
if err != nil {
|
|
|
|
ctx.String(http.StatusBadRequest, "invalid tailscale handshake header")
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errWrongConnectionUpgrade
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
hijacker, ok := ctx.Writer.(http.Hijacker)
|
|
|
|
if !ok {
|
|
|
|
log.Error().Caller().Err(err).Msgf("Hijack failed")
|
|
|
|
ctx.String(http.StatusInternalServerError, "HTTP does not support general TCP support")
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errCannotHijack
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
// This is what changes from the original AcceptHTTP() function.
|
|
|
|
ctx.Header("Upgrade", upgradeHeaderValue)
|
|
|
|
ctx.Header("Connection", "upgrade")
|
|
|
|
ctx.Status(http.StatusSwitchingProtocols)
|
|
|
|
ctx.Writer.WriteHeaderNow()
|
|
|
|
// end
|
|
|
|
|
|
|
|
netConn, conn, err := hijacker.Hijack()
|
|
|
|
if err != nil {
|
|
|
|
log.Error().Caller().Err(err).Msgf("Hijack failed")
|
|
|
|
ctx.String(http.StatusInternalServerError, "HTTP does not support general TCP support")
|
|
|
|
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errCannotHijack
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
if err := conn.Flush(); err != nil {
|
|
|
|
netConn.Close()
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errCannotHijack
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
netConn = netutil.NewDrainBufConn(netConn, conn.Reader)
|
|
|
|
|
|
|
|
nc, err := controlbase.Server(ctx.Request.Context(), netConn, *h.noisePrivateKey, init)
|
|
|
|
if err != nil {
|
|
|
|
netConn.Close()
|
2022-03-29 10:16:05 -04:00
|
|
|
return nil, errNoiseHandshakeFailed
|
2022-03-27 05:52:53 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
return nc, nil
|
|
|
|
}
|