-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
logpolicy, ipn/ipnserver: connect to logtail via tailscaled when needed
This is for use by the Windows GUI client to log via when an exit node is in use, so the logs don't go out via the exit node and instead go directly, like tailscaled's. The dialer tried to do that in the unprivileged GUI by binding to a specific interface, but the "Internet Kill Switch" installed by tailscaled for exit nodes precludes that from working and instead the GUI fails to dial out. So, go through tailscaled (with a CONNECT request) instead. Fixes tailscale/corp#3169 Change-Id: I17a8efdc1d4b8fed53a29d1c19995592b651b215 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
- Loading branch information
Showing
5 changed files
with
131 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package ipnserver | ||
|
||
import ( | ||
"bufio" | ||
"context" | ||
"io" | ||
"net" | ||
"net/http" | ||
"time" | ||
|
||
"tailscale.com/logpolicy" | ||
"tailscale.com/types/logger" | ||
) | ||
|
||
// handleProxyConnectConn handles a CONNECT request to | ||
// log.tailscale.io (or whatever the configured log server is). This | ||
// is intended for use by the Windows GUI client to log via when an | ||
// exit node is in use, so the logs don't go out via the exit node and | ||
// instead go directly, like tailscaled's. The dialer tried to do that | ||
// in the unprivileged GUI by binding to a specific interface, but the | ||
// "Internet Kill Switch" installed by tailscaled for exit nodes | ||
// precludes that from working and instead the GUI fails to dial out. | ||
// So, go through tailscaled (with a CONNECT request) instead. | ||
func (s *Server) handleProxyConnectConn(ctx context.Context, br *bufio.Reader, c net.Conn, logf logger.Logf) { | ||
defer c.Close() | ||
|
||
c.SetReadDeadline(time.Now().Add(5 * time.Second)) // should be long enough to send the HTTP headers | ||
req, err := http.ReadRequest(br) | ||
if err != nil { | ||
logf("ReadRequest: %v", err) | ||
return | ||
} | ||
c.SetReadDeadline(time.Time{}) | ||
|
||
if req.Method != "CONNECT" { | ||
logf("ReadRequest: unexpected method %q, not CONNECT", req.Method) | ||
return | ||
} | ||
|
||
hostPort := req.RequestURI | ||
logHost := logpolicy.LogHost() | ||
allowed := net.JoinHostPort(logHost, "443") | ||
if hostPort != allowed { | ||
logf("invalid CONNECT target %q; want %q", hostPort, allowed) | ||
io.WriteString(c, "HTTP/1.1 403 Forbidden\r\n\r\nBad CONNECT target.\n") | ||
return | ||
} | ||
|
||
tr := logpolicy.NewLogtailTransport(logHost) | ||
back, err := tr.DialContext(ctx, "tcp", hostPort) | ||
if err != nil { | ||
logf("error CONNECT dialing %v: %v", hostPort, err) | ||
io.WriteString(c, "HTTP/1.1 502 Fail\r\n\r\nConnect failure.\n") | ||
return | ||
} | ||
defer back.Close() | ||
|
||
io.WriteString(c, "HTTP/1.1 200 OK\r\n\r\n") | ||
|
||
errc := make(chan error, 2) | ||
go func() { | ||
_, err := io.Copy(c, back) | ||
errc <- err | ||
}() | ||
go func() { | ||
_, err := io.Copy(back, br) | ||
errc <- err | ||
}() | ||
<-errc | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters