mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-12-05 01:01:09 +01:00
c1cd3e85a7
This PR fixes #7062 For hijacked connections, one has to read from the connection buffer, but still write directly to the connection. Otherwise, when reading directly from such connections, the first byte may be lost. This, in turn corrupts the ClientHello TLS handshake message and when the backend server receives it, it closes the connection and reports the following error in the log: ``` http: TLS handshake error from 127.0.0.1:33150: tls: first record does not look like a TLS handshake ``` The first byte may be lost because underlying HTTP request handler may read it from the connection and put it into the buffer. As the result, subsequent connection reads won't see that byte. - See: https://github.com/golang/go/issues/27408 - The fix is taken from : https://github.com/k3s-io/k3s/pull/6216 ### Checklist The following checks are **mandatory**: - [x] My change adheres [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/contributing/). Signed-off-by: Artem Fetishev <rtm@victoriametrics.com>
203 lines
5.9 KiB
Go
203 lines
5.9 KiB
Go
package promscrape
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
|
|
"github.com/VictoriaMetrics/VictoriaMetrics/lib/proxy"
|
|
)
|
|
|
|
func copyHeader(dst, src http.Header) {
|
|
for k, vv := range src {
|
|
for _, v := range vv {
|
|
dst.Add(k, v)
|
|
}
|
|
}
|
|
}
|
|
|
|
type connReadWriteCloser struct {
|
|
io.Reader
|
|
io.WriteCloser
|
|
}
|
|
|
|
func proxyTunnel(w http.ResponseWriter, r *http.Request) {
|
|
transfer := func(src io.ReadCloser, dst io.WriteCloser) {
|
|
defer dst.Close()
|
|
defer src.Close()
|
|
io.Copy(dst, src) //nolint
|
|
}
|
|
server, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusOK)
|
|
hijacker, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
clientConn, clientBuf, err := hijacker.Hijack()
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusServiceUnavailable)
|
|
}
|
|
// For hijacked connections, one has to read from the connection buffer, but
|
|
// still write directly to the connection.
|
|
client := &connReadWriteCloser{clientBuf, clientConn}
|
|
|
|
go transfer(client, server)
|
|
transfer(server, client)
|
|
}
|
|
|
|
type testProxyServer struct {
|
|
ba *promauth.BasicAuthConfig
|
|
receivedProxyRequest bool
|
|
}
|
|
|
|
func checkBasicAuthHeader(w http.ResponseWriter, headerValue string, ba *promauth.BasicAuthConfig) bool {
|
|
userPasswordEncoded := base64.StdEncoding.EncodeToString([]byte(ba.Username + ":" + ba.Password.String()))
|
|
expectedAuthValue := "Basic " + userPasswordEncoded
|
|
if headerValue != expectedAuthValue {
|
|
w.WriteHeader(403)
|
|
fmt.Fprintf(w, "Proxy Requires authorization got header value=%q, want=%q", headerValue, expectedAuthValue)
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (tps *testProxyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
tps.receivedProxyRequest = true
|
|
if tps.ba != nil {
|
|
if !checkBasicAuthHeader(w, r.Header.Get("Proxy-Authorization"), tps.ba) {
|
|
return
|
|
}
|
|
}
|
|
if r.Method == http.MethodConnect {
|
|
proxyTunnel(w, r)
|
|
return
|
|
}
|
|
|
|
resp, err := http.DefaultTransport.RoundTrip(r)
|
|
if err != nil {
|
|
http.Error(w, err.Error(), http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
defer resp.Body.Close()
|
|
copyHeader(w.Header(), resp.Header)
|
|
w.WriteHeader(resp.StatusCode)
|
|
io.Copy(w, resp.Body) //nolint
|
|
}
|
|
|
|
func newClientTestServer(useTLS bool, rh http.Handler) *httptest.Server {
|
|
var s *httptest.Server
|
|
if useTLS {
|
|
s = httptest.NewTLSServer(rh)
|
|
} else {
|
|
s = httptest.NewServer(rh)
|
|
}
|
|
return s
|
|
}
|
|
|
|
func newTestAuthConfig(t *testing.T, isTLS bool, ba *promauth.BasicAuthConfig) *promauth.Config {
|
|
a := promauth.Options{
|
|
BasicAuth: ba,
|
|
}
|
|
if isTLS {
|
|
a.TLSConfig = &promauth.TLSConfig{InsecureSkipVerify: true}
|
|
}
|
|
ac, err := a.NewConfig()
|
|
if err != nil {
|
|
t.Fatalf("cannot setup promauth.Confg: %s", err)
|
|
}
|
|
return ac
|
|
}
|
|
|
|
func TestClientProxyReadOk(t *testing.T) {
|
|
ctx := context.Background()
|
|
f := func(isBackendTLS, isProxyTLS bool, backendAuth, proxyAuth *promauth.BasicAuthConfig) {
|
|
t.Helper()
|
|
|
|
proxyHandler := &testProxyServer{ba: proxyAuth}
|
|
ps := newClientTestServer(isProxyTLS, proxyHandler)
|
|
|
|
expectedBackendResponse := `metric_name{key="value"} 123\n`
|
|
|
|
backend := newClientTestServer(isBackendTLS, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if backendAuth != nil && !checkBasicAuthHeader(w, r.Header.Get("Authorization"), backendAuth) {
|
|
return
|
|
}
|
|
w.Write([]byte(expectedBackendResponse))
|
|
}))
|
|
|
|
defer backend.Close()
|
|
defer ps.Close()
|
|
|
|
c, err := newClient(ctx, &ScrapeWork{
|
|
ScrapeURL: backend.URL,
|
|
ProxyURL: proxy.MustNewURL(ps.URL),
|
|
// bump timeout for slow CIs
|
|
ScrapeTimeout: 5 * time.Second,
|
|
// force connection re-creating to avoid broken conns in slow CIs
|
|
DisableKeepAlive: true,
|
|
AuthConfig: newTestAuthConfig(t, isBackendTLS, backendAuth),
|
|
ProxyAuthConfig: newTestAuthConfig(t, isProxyTLS, proxyAuth),
|
|
MaxScrapeSize: 16000,
|
|
})
|
|
if err != nil {
|
|
t.Fatalf("failed to create client: %s", err)
|
|
}
|
|
|
|
var bb bytesutil.ByteBuffer
|
|
if err = c.ReadData(&bb); err != nil {
|
|
t.Fatalf("unexpected error at ReadData: %s", err)
|
|
}
|
|
got, err := io.ReadAll(bb.NewReader())
|
|
if err != nil {
|
|
t.Fatalf("err read: %s", err)
|
|
}
|
|
|
|
if !proxyHandler.receivedProxyRequest {
|
|
t.Fatalf("proxy server didn't recieved request")
|
|
}
|
|
if string(got) != expectedBackendResponse {
|
|
t.Fatalf("not expected response: ")
|
|
}
|
|
}
|
|
|
|
// no tls
|
|
f(false, false, nil, nil)
|
|
// both tls no auth
|
|
f(true, true, nil, nil)
|
|
// backend tls, proxy http no auth
|
|
f(true, false, nil, nil)
|
|
// backend http, proxy tls no auth
|
|
f(false, true, nil, nil)
|
|
|
|
// no tls with auth
|
|
f(false, false, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
|
|
// proxy tls and auth
|
|
f(false, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
|
|
// backend tls and auth
|
|
f(true, false, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
|
|
// tls with auth
|
|
f(true, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
|
|
|
|
// tls with backend auth
|
|
f(true, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, nil)
|
|
// tls with proxy auth
|
|
f(true, true, nil, &promauth.BasicAuthConfig{Username: "proxy-test", Password: promauth.NewSecret("1234")})
|
|
// proxy tls with backend auth
|
|
f(false, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, nil)
|
|
// backend tls and proxy auth
|
|
f(true, false, nil, &promauth.BasicAuthConfig{Username: "proxy-test", Password: promauth.NewSecret("1234")})
|
|
}
|