Line data Source code
1 : /// A stand-alone program that routes connections, e.g. from
2 : /// `aaa--bbb--1234.external.domain` to `aaa.bbb.internal.domain:1234`.
3 : ///
4 : /// This allows connecting to pods/services running in the same Kubernetes cluster from
5 : /// the outside. Similar to an ingress controller for HTTPS.
6 : use std::{net::SocketAddr, sync::Arc};
7 :
8 : use futures::future::Either;
9 : use itertools::Itertools;
10 : use proxy::config::TlsServerEndPoint;
11 : use proxy::context::RequestMonitoring;
12 : use proxy::metrics::{Metrics, ThreadPoolMetrics};
13 : use proxy::proxy::{copy_bidirectional_client_compute, run_until_cancelled};
14 : use rustls::pki_types::PrivateKeyDer;
15 : use tokio::net::TcpListener;
16 :
17 : use anyhow::{anyhow, bail, ensure, Context};
18 : use clap::Arg;
19 : use futures::TryFutureExt;
20 : use proxy::stream::{PqStream, Stream};
21 :
22 : use tokio::io::{AsyncRead, AsyncWrite};
23 : use tokio_util::sync::CancellationToken;
24 : use utils::{project_git_version, sentry_init::init_sentry};
25 :
26 : use tracing::{error, info, Instrument};
27 :
28 : project_git_version!(GIT_VERSION);
29 :
30 0 : fn cli() -> clap::Command {
31 0 : clap::Command::new("Neon proxy/router")
32 0 : .version(GIT_VERSION)
33 0 : .arg(
34 0 : Arg::new("listen")
35 0 : .short('l')
36 0 : .long("listen")
37 0 : .help("listen for incoming client connections on ip:port")
38 0 : .default_value("127.0.0.1:4432"),
39 0 : )
40 0 : .arg(
41 0 : Arg::new("tls-key")
42 0 : .short('k')
43 0 : .long("tls-key")
44 0 : .help("path to TLS key for client postgres connections")
45 0 : .required(true),
46 0 : )
47 0 : .arg(
48 0 : Arg::new("tls-cert")
49 0 : .short('c')
50 0 : .long("tls-cert")
51 0 : .help("path to TLS cert for client postgres connections")
52 0 : .required(true),
53 0 : )
54 0 : .arg(
55 0 : Arg::new("dest")
56 0 : .short('d')
57 0 : .long("destination")
58 0 : .help("append this domain zone to the SNI hostname to get the destination address")
59 0 : .required(true),
60 0 : )
61 0 : }
62 :
63 : #[tokio::main]
64 0 : async fn main() -> anyhow::Result<()> {
65 0 : let _logging_guard = proxy::logging::init().await?;
66 0 : let _panic_hook_guard = utils::logging::replace_panic_hook_with_tracing_panic_hook();
67 0 : let _sentry_guard = init_sentry(Some(GIT_VERSION.into()), &[]);
68 0 :
69 0 : Metrics::install(Arc::new(ThreadPoolMetrics::new(0)));
70 0 :
71 0 : let args = cli().get_matches();
72 0 : let destination: String = args.get_one::<String>("dest").unwrap().parse()?;
73 0 :
74 0 : // Configure TLS
75 0 : let (tls_config, tls_server_end_point): (Arc<rustls::ServerConfig>, TlsServerEndPoint) = match (
76 0 : args.get_one::<String>("tls-key"),
77 0 : args.get_one::<String>("tls-cert"),
78 0 : ) {
79 0 : (Some(key_path), Some(cert_path)) => {
80 0 : let key = {
81 0 : let key_bytes = std::fs::read(key_path).context("TLS key file")?;
82 0 :
83 0 : let mut keys =
84 0 : rustls_pemfile::pkcs8_private_keys(&mut &key_bytes[..]).collect_vec();
85 0 :
86 0 : ensure!(keys.len() == 1, "keys.len() = {} (should be 1)", keys.len());
87 0 : PrivateKeyDer::Pkcs8(
88 0 : keys.pop()
89 0 : .unwrap()
90 0 : .context(format!("Failed to read TLS keys at '{key_path}'"))?,
91 0 : )
92 0 : };
93 0 :
94 0 : let cert_chain_bytes = std::fs::read(cert_path)
95 0 : .context(format!("Failed to read TLS cert file at '{cert_path}.'"))?;
96 0 :
97 0 : let cert_chain: Vec<_> = {
98 0 : rustls_pemfile::certs(&mut &cert_chain_bytes[..])
99 0 : .try_collect()
100 0 : .with_context(|| {
101 0 : format!("Failed to read TLS certificate chain from bytes from file at '{cert_path}'.")
102 0 : })?
103 0 : };
104 0 :
105 0 : // needed for channel bindings
106 0 : let first_cert = cert_chain.first().context("missing certificate")?;
107 0 : let tls_server_end_point = TlsServerEndPoint::new(first_cert)?;
108 0 :
109 0 : let tls_config = rustls::ServerConfig::builder_with_protocol_versions(&[
110 0 : &rustls::version::TLS13,
111 0 : &rustls::version::TLS12,
112 0 : ])
113 0 : .with_no_client_auth()
114 0 : .with_single_cert(cert_chain, key)?
115 0 : .into();
116 0 :
117 0 : (tls_config, tls_server_end_point)
118 0 : }
119 0 : _ => bail!("tls-key and tls-cert must be specified"),
120 0 : };
121 0 :
122 0 : // Start listening for incoming client connections
123 0 : let proxy_address: SocketAddr = args.get_one::<String>("listen").unwrap().parse()?;
124 0 : info!("Starting sni router on {proxy_address}");
125 0 : let proxy_listener = TcpListener::bind(proxy_address).await?;
126 0 :
127 0 : let cancellation_token = CancellationToken::new();
128 0 :
129 0 : let main = tokio::spawn(task_main(
130 0 : Arc::new(destination),
131 0 : tls_config,
132 0 : tls_server_end_point,
133 0 : proxy_listener,
134 0 : cancellation_token.clone(),
135 0 : ));
136 0 : let signals_task = tokio::spawn(proxy::handle_signals(cancellation_token));
137 0 :
138 0 : // the signal task cant ever succeed.
139 0 : // the main task can error, or can succeed on cancellation.
140 0 : // we want to immediately exit on either of these cases
141 0 : let signal = match futures::future::select(signals_task, main).await {
142 0 : Either::Left((res, _)) => proxy::flatten_err(res)?,
143 0 : Either::Right((res, _)) => return proxy::flatten_err(res),
144 0 : };
145 0 :
146 0 : // maintenance tasks return `Infallible` success values, this is an impossible value
147 0 : // so this match statically ensures that there are no possibilities for that value
148 0 : match signal {}
149 0 : }
150 :
151 0 : async fn task_main(
152 0 : dest_suffix: Arc<String>,
153 0 : tls_config: Arc<rustls::ServerConfig>,
154 0 : tls_server_end_point: TlsServerEndPoint,
155 0 : listener: tokio::net::TcpListener,
156 0 : cancellation_token: CancellationToken,
157 0 : ) -> anyhow::Result<()> {
158 0 : // When set for the server socket, the keepalive setting
159 0 : // will be inherited by all accepted client sockets.
160 0 : socket2::SockRef::from(&listener).set_keepalive(true)?;
161 :
162 0 : let connections = tokio_util::task::task_tracker::TaskTracker::new();
163 :
164 0 : while let Some(accept_result) =
165 0 : run_until_cancelled(listener.accept(), &cancellation_token).await
166 : {
167 0 : let (socket, peer_addr) = accept_result?;
168 :
169 0 : let session_id = uuid::Uuid::new_v4();
170 0 : let tls_config = Arc::clone(&tls_config);
171 0 : let dest_suffix = Arc::clone(&dest_suffix);
172 0 :
173 0 : connections.spawn(
174 0 : async move {
175 0 : socket
176 0 : .set_nodelay(true)
177 0 : .context("failed to set socket option")?;
178 :
179 0 : info!(%peer_addr, "serving");
180 0 : let ctx = RequestMonitoring::new(
181 0 : session_id,
182 0 : peer_addr.ip(),
183 0 : proxy::metrics::Protocol::SniRouter,
184 0 : "sni",
185 0 : );
186 0 : handle_client(ctx, dest_suffix, tls_config, tls_server_end_point, socket).await
187 0 : }
188 0 : .unwrap_or_else(|e| {
189 0 : // Acknowledge that the task has finished with an error.
190 0 : error!("per-client task finished with an error: {e:#}");
191 0 : })
192 0 : .instrument(tracing::info_span!("handle_client", ?session_id)),
193 : );
194 : }
195 :
196 0 : connections.close();
197 0 : drop(listener);
198 0 :
199 0 : connections.wait().await;
200 :
201 0 : info!("all client connections have finished");
202 0 : Ok(())
203 0 : }
204 :
205 : const ERR_INSECURE_CONNECTION: &str = "connection is insecure (try using `sslmode=require`)";
206 :
207 0 : async fn ssl_handshake<S: AsyncRead + AsyncWrite + Unpin>(
208 0 : ctx: &mut RequestMonitoring,
209 0 : raw_stream: S,
210 0 : tls_config: Arc<rustls::ServerConfig>,
211 0 : tls_server_end_point: TlsServerEndPoint,
212 0 : ) -> anyhow::Result<Stream<S>> {
213 0 : let mut stream = PqStream::new(Stream::from_raw(raw_stream));
214 :
215 0 : let msg = stream.read_startup_packet().await?;
216 : use pq_proto::FeStartupPacket::*;
217 :
218 0 : match msg {
219 : SslRequest => {
220 0 : stream
221 0 : .write_message(&pq_proto::BeMessage::EncryptionResponse(true))
222 0 : .await?;
223 : // Upgrade raw stream into a secure TLS-backed stream.
224 : // NOTE: We've consumed `tls`; this fact will be used later.
225 :
226 0 : let (raw, read_buf) = stream.into_inner();
227 0 : // TODO: Normally, client doesn't send any data before
228 0 : // server says TLS handshake is ok and read_buf is empy.
229 0 : // However, you could imagine pipelining of postgres
230 0 : // SSLRequest + TLS ClientHello in one hunk similar to
231 0 : // pipelining in our node js driver. We should probably
232 0 : // support that by chaining read_buf with the stream.
233 0 : if !read_buf.is_empty() {
234 0 : bail!("data is sent before server replied with EncryptionResponse");
235 0 : }
236 0 :
237 0 : Ok(Stream::Tls {
238 0 : tls: Box::new(
239 0 : raw.upgrade(tls_config, !ctx.has_private_peer_addr())
240 0 : .await?,
241 : ),
242 0 : tls_server_end_point,
243 : })
244 : }
245 0 : unexpected => {
246 0 : info!(
247 : ?unexpected,
248 0 : "unexpected startup packet, rejecting connection"
249 : );
250 0 : stream
251 0 : .throw_error_str(ERR_INSECURE_CONNECTION, proxy::error::ErrorKind::User)
252 0 : .await?
253 : }
254 : }
255 0 : }
256 :
257 0 : async fn handle_client(
258 0 : mut ctx: RequestMonitoring,
259 0 : dest_suffix: Arc<String>,
260 0 : tls_config: Arc<rustls::ServerConfig>,
261 0 : tls_server_end_point: TlsServerEndPoint,
262 0 : stream: impl AsyncRead + AsyncWrite + Unpin,
263 0 : ) -> anyhow::Result<()> {
264 0 : let mut tls_stream = ssl_handshake(&mut ctx, stream, tls_config, tls_server_end_point).await?;
265 :
266 : // Cut off first part of the SNI domain
267 : // We receive required destination details in the format of
268 : // `{k8s_service_name}--{k8s_namespace}--{port}.non-sni-domain`
269 0 : let sni = tls_stream.sni_hostname().ok_or(anyhow!("SNI missing"))?;
270 0 : let dest: Vec<&str> = sni
271 0 : .split_once('.')
272 0 : .context("invalid SNI")?
273 : .0
274 0 : .splitn(3, "--")
275 0 : .collect();
276 0 : let port = dest[2].parse::<u16>().context("invalid port")?;
277 0 : let destination = format!("{}.{}.{}:{}", dest[0], dest[1], dest_suffix, port);
278 0 :
279 0 : info!("destination: {}", destination);
280 :
281 0 : let mut client = tokio::net::TcpStream::connect(destination).await?;
282 :
283 : // doesn't yet matter as pg-sni-router doesn't report analytics logs
284 0 : ctx.set_success();
285 0 : ctx.log_connect();
286 0 :
287 0 : // Starting from here we only proxy the client's traffic.
288 0 : info!("performing the proxy pass...");
289 0 : let _ = copy_bidirectional_client_compute(&mut tls_stream, &mut client).await?;
290 :
291 0 : Ok(())
292 0 : }
|