[proxy] Notify certificate ready for domains covered by the static certificate (#6389)
This commit is contained in:
@@ -75,29 +75,30 @@ type portRouter struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type Server struct {
|
type Server struct {
|
||||||
ctx context.Context
|
ctx context.Context
|
||||||
mgmtClient proto.ProxyServiceClient
|
mgmtClient proto.ProxyServiceClient
|
||||||
proxy *proxy.ReverseProxy
|
proxy *proxy.ReverseProxy
|
||||||
netbird *roundtrip.NetBird
|
netbird *roundtrip.NetBird
|
||||||
acme *acme.Manager
|
acme *acme.Manager
|
||||||
auth *auth.Middleware
|
staticCertWatcher *certwatch.Watcher
|
||||||
http *http.Server
|
auth *auth.Middleware
|
||||||
https *http.Server
|
http *http.Server
|
||||||
debug *http.Server
|
https *http.Server
|
||||||
healthServer *health.Server
|
debug *http.Server
|
||||||
healthChecker *health.Checker
|
healthServer *health.Server
|
||||||
meter *proxymetrics.Metrics
|
healthChecker *health.Checker
|
||||||
accessLog *accesslog.Logger
|
meter *proxymetrics.Metrics
|
||||||
mainRouter *nbtcp.Router
|
accessLog *accesslog.Logger
|
||||||
mainPort uint16
|
mainRouter *nbtcp.Router
|
||||||
udpMu sync.Mutex
|
mainPort uint16
|
||||||
udpRelays map[types.ServiceID]*udprelay.Relay
|
udpMu sync.Mutex
|
||||||
udpRelayWg sync.WaitGroup
|
udpRelays map[types.ServiceID]*udprelay.Relay
|
||||||
portMu sync.RWMutex
|
udpRelayWg sync.WaitGroup
|
||||||
portRouters map[uint16]*portRouter
|
portMu sync.RWMutex
|
||||||
svcPorts map[types.ServiceID][]uint16
|
portRouters map[uint16]*portRouter
|
||||||
lastMappings map[types.ServiceID]*proto.ProxyMapping
|
svcPorts map[types.ServiceID][]uint16
|
||||||
portRouterWg sync.WaitGroup
|
lastMappings map[types.ServiceID]*proto.ProxyMapping
|
||||||
|
portRouterWg sync.WaitGroup
|
||||||
|
|
||||||
// hijackTracker tracks hijacked connections (e.g. WebSocket upgrades)
|
// hijackTracker tracks hijacked connections (e.g. WebSocket upgrades)
|
||||||
// so they can be closed during graceful shutdown, since http.Server.Shutdown
|
// so they can be closed during graceful shutdown, since http.Server.Shutdown
|
||||||
@@ -792,6 +793,7 @@ func (s *Server) configureTLS(ctx context.Context) (*tls.Config, error) {
|
|||||||
return nil, fmt.Errorf("initialize certificate watcher: %w", err)
|
return nil, fmt.Errorf("initialize certificate watcher: %w", err)
|
||||||
}
|
}
|
||||||
go certWatcher.Watch(ctx)
|
go certWatcher.Watch(ctx)
|
||||||
|
s.staticCertWatcher = certWatcher
|
||||||
tlsConfig.GetCertificate = certWatcher.GetCertificate
|
tlsConfig.GetCertificate = certWatcher.GetCertificate
|
||||||
return tlsConfig, nil
|
return tlsConfig, nil
|
||||||
}
|
}
|
||||||
@@ -1623,6 +1625,8 @@ func (s *Server) setupHTTPMapping(ctx context.Context, mapping *proto.ProxyMappi
|
|||||||
var wildcardHit bool
|
var wildcardHit bool
|
||||||
if s.acme != nil {
|
if s.acme != nil {
|
||||||
wildcardHit = s.acme.AddDomain(d, accountID, svcID)
|
wildcardHit = s.acme.AddDomain(d, accountID, svcID)
|
||||||
|
} else {
|
||||||
|
wildcardHit = s.staticCertCovers(d)
|
||||||
}
|
}
|
||||||
httpRoute := nbtcp.Route{
|
httpRoute := nbtcp.Route{
|
||||||
Type: nbtcp.RouteHTTP,
|
Type: nbtcp.RouteHTTP,
|
||||||
@@ -1647,6 +1651,26 @@ func (s *Server) setupHTTPMapping(ctx context.Context, mapping *proto.ProxyMappi
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// staticCertCovers reports whether the static certificate loaded when ACME is
|
||||||
|
// disabled covers the given domain, making it certificate-ready immediately —
|
||||||
|
// the equivalent of a wildcard hit in the ACME path. Domains the certificate
|
||||||
|
// does not cover are logged: clients connecting to them will get TLS errors.
|
||||||
|
func (s *Server) staticCertCovers(d domain.Domain) bool {
|
||||||
|
if s.staticCertWatcher == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
leaf := s.staticCertWatcher.Leaf()
|
||||||
|
if leaf == nil {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
name := d.PunycodeString()
|
||||||
|
if err := leaf.VerifyHostname(name); err != nil {
|
||||||
|
s.Logger.Warnf("static certificate (SANs %v) does not cover domain %q: %v", leaf.DNSNames, name, err)
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
// setupTCPMapping sets up a TCP port-forwarding fallback route on the listen port.
|
// setupTCPMapping sets up a TCP port-forwarding fallback route on the listen port.
|
||||||
func (s *Server) setupTCPMapping(ctx context.Context, mapping *proto.ProxyMapping) error {
|
func (s *Server) setupTCPMapping(ctx context.Context, mapping *proto.ProxyMapping) error {
|
||||||
svcID := types.ServiceID(mapping.GetId())
|
svcID := types.ServiceID(mapping.GetId())
|
||||||
|
|||||||
89
proxy/static_cert_test.go
Normal file
89
proxy/static_cert_test.go
Normal file
@@ -0,0 +1,89 @@
|
|||||||
|
package proxy
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
|
"encoding/pem"
|
||||||
|
"math/big"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
|
"github.com/netbirdio/netbird/proxy/internal/certwatch"
|
||||||
|
"github.com/netbirdio/netbird/shared/management/domain"
|
||||||
|
)
|
||||||
|
|
||||||
|
func generateCertWithSANs(t *testing.T, dnsNames []string) (certPEM, keyPEM []byte) {
|
||||||
|
t.Helper()
|
||||||
|
|
||||||
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
template := &x509.Certificate{
|
||||||
|
SerialNumber: big.NewInt(1),
|
||||||
|
Subject: pkix.Name{CommonName: dnsNames[0]},
|
||||||
|
DNSNames: dnsNames,
|
||||||
|
NotBefore: time.Now().Add(-time.Hour),
|
||||||
|
NotAfter: time.Now().Add(24 * time.Hour),
|
||||||
|
}
|
||||||
|
|
||||||
|
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
|
||||||
|
require.NoError(t, err)
|
||||||
|
certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
||||||
|
|
||||||
|
keyDER, err := x509.MarshalECPrivateKey(key)
|
||||||
|
require.NoError(t, err)
|
||||||
|
keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
|
||||||
|
|
||||||
|
return certPEM, keyPEM
|
||||||
|
}
|
||||||
|
|
||||||
|
func newStaticWatcher(t *testing.T, dnsNames []string) *certwatch.Watcher {
|
||||||
|
t.Helper()
|
||||||
|
|
||||||
|
dir := t.TempDir()
|
||||||
|
certPEM, keyPEM := generateCertWithSANs(t, dnsNames)
|
||||||
|
certPath := filepath.Join(dir, "tls.crt")
|
||||||
|
keyPath := filepath.Join(dir, "tls.key")
|
||||||
|
require.NoError(t, os.WriteFile(certPath, certPEM, 0o600))
|
||||||
|
require.NoError(t, os.WriteFile(keyPath, keyPEM, 0o600))
|
||||||
|
|
||||||
|
w, err := certwatch.NewWatcher(certPath, keyPath, quietLifecycleLogger())
|
||||||
|
require.NoError(t, err)
|
||||||
|
return w
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestStaticCertCovers(t *testing.T) {
|
||||||
|
s := &Server{
|
||||||
|
Logger: quietLifecycleLogger(),
|
||||||
|
staticCertWatcher: newStaticWatcher(t, []string{"*.p.example.com", "exact.example.com"}),
|
||||||
|
}
|
||||||
|
|
||||||
|
cases := []struct {
|
||||||
|
domain string
|
||||||
|
covered bool
|
||||||
|
}{
|
||||||
|
{"svc.p.example.com", true},
|
||||||
|
{"exact.example.com", true},
|
||||||
|
{"a.b.p.example.com", false}, // wildcard does not span labels
|
||||||
|
{"p.example.com", false},
|
||||||
|
{"other.example.com", false},
|
||||||
|
}
|
||||||
|
for _, tc := range cases {
|
||||||
|
t.Run(tc.domain, func(t *testing.T) {
|
||||||
|
assert.Equal(t, tc.covered, s.staticCertCovers(domain.Domain(tc.domain)))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestStaticCertCoversNoWatcher(t *testing.T) {
|
||||||
|
s := &Server{Logger: quietLifecycleLogger()}
|
||||||
|
assert.False(t, s.staticCertCovers(domain.Domain("svc.p.example.com")))
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user