Initial implementation of SNI.

It is only done for webapps. It requires absolute paths
This commit is contained in:
Marcin Tolysz 2016-05-22 00:50:23 +01:00
parent 1b10ffabe4
commit 914a999273
8 changed files with 127 additions and 33 deletions

View File

@ -49,6 +49,7 @@ import System.IO (hClose)
import System.Posix.Files (fileAccess)
import System.Posix.Types (EpochTime, GroupID, UserID)
import System.Timeout (timeout)
import qualified Network.TLS as TLS
data App = App
{ appModTime :: !(TVar (Maybe EpochTime))
@ -122,7 +123,7 @@ withConfig asc aid (AIBundle fp modtime) f = bracketOnError
withReservations :: AppStartConfig
-> AppId
-> BundleConfig
-> ([WebAppConfig Port] -> [BackgroundConfig] -> Map Host ProxyAction -> IO a)
-> ([WebAppConfig Port] -> [BackgroundConfig] -> Map Host (ProxyAction, TLS.Credentials) -> IO a)
-> IO a
withReservations asc aid bconfig f = withActions asc bconfig $ \wacs backs actions -> bracketOnError
(reserveHosts (ascLog asc) (ascHostManager asc) aid $ Map.keysSet actions)
@ -131,20 +132,31 @@ withReservations asc aid bconfig f = withActions asc bconfig $ \wacs backs actio
withActions :: AppStartConfig
-> BundleConfig
-> ([WebAppConfig Port] -> [BackgroundConfig] -> Map Host ProxyAction -> IO a)
-> ([WebAppConfig Port] -> [BackgroundConfig] -> Map Host (ProxyAction, TLS.Credentials) -> IO a)
-> IO a
withActions asc bconfig f =
loop (V.toList $ bconfigStanzas bconfig) [] [] Map.empty
where
loop [] wacs backs actions = f wacs backs actions
loop (Stanza (StanzaWebApp wac) rs:stanzas) wacs backs actions = bracketOnError
(getPort (ascLog asc) (ascPortPool asc) >>= either throwIO return)
(releasePort (ascPortPool asc))
(\port -> loop
(
getPort (ascLog asc) (ascPortPool asc) >>= either throwIO
(\p -> do
c <- case waconfigSsl wac of
-- todo: add loading from relative location
SSL certFile chainCertFiles keyFile ->
either (const mempty) (TLS.Credentials . (:[])) <$>
TLS.credentialLoadX509Chain certFile (V.toList chainCertFiles) keyFile
_ -> return mempty
return (p, c)
)
)
(\(port, cert) -> releasePort (ascPortPool asc) port)
(\(port, cert) -> loop
stanzas
(wac { waconfigPort = port } : wacs)
backs
(Map.unions $ actions : map (\host -> Map.singleton host (PAPort port (waconfigTimeout wac), rs)) hosts))
(Map.unions $ actions : map (\host -> Map.singleton host ((PAPort port (waconfigTimeout wac), rs), cert)) hosts))
where
hosts = Set.toList $ Set.insert (waconfigApprootHost wac) (waconfigHosts wac)
loop (Stanza (StanzaStaticFiles sfc) rs:stanzas) wacs backs actions0 =
@ -152,19 +164,19 @@ withActions asc bconfig f =
where
actions = Map.unions
$ actions0
: map (\host -> Map.singleton host (PAStatic sfc, rs))
: map (\host -> Map.singleton host ((PAStatic sfc, rs), mempty))
(Set.toList (sfconfigHosts sfc))
loop (Stanza (StanzaRedirect red) rs:stanzas) wacs backs actions0 =
loop stanzas wacs backs actions
where
actions = Map.unions
$ actions0
: map (\host -> Map.singleton host (PARedirect red, rs))
: map (\host -> Map.singleton host ((PARedirect red, rs), mempty))
(Set.toList (redirconfigHosts red))
loop (Stanza (StanzaReverseProxy rev mid to) rs:stanzas) wacs backs actions0 =
loop stanzas wacs backs actions
where
actions = Map.insert (CI.mk $ reversingHost rev) (PAReverseProxy rev mid to, rs) actions0
actions = Map.insert (CI.mk $ reversingHost rev) ((PAReverseProxy rev mid to, rs), mempty) actions0
loop (Stanza (StanzaBackground back) _:stanzas) wacs backs actions =
loop stanzas wacs (back:backs) actions
@ -271,9 +283,9 @@ launchWebApp AppStartConfig {..} aid BundleConfig {..} mdir rlog WebAppConfig {.
let httpPort = kconfigExternalHttpPort ascKeterConfig
httpsPort = kconfigExternalHttpsPort ascKeterConfig
(scheme, extport) =
if waconfigSsl
then ("https://", if httpsPort == 443 then "" else ':' : show httpsPort)
else ("http://", if httpPort == 80 then "" else ':' : show httpPort)
if waconfigSsl == SSLFalse
then ("http://", if httpPort == 80 then "" else ':' : show httpPort)
else ("https://", if httpsPort == 443 then "" else ':' : show httpsPort)
env = Map.toList $ Map.unions
-- Ordering chosen specifically to precedence rules: app specific,
-- plugins, global, and then auto-set Keter variables.

View File

@ -28,10 +28,11 @@ import Keter.Types
import Keter.LabelMap (LabelMap)
import qualified Keter.LabelMap as LabelMap
import Prelude hiding (log)
import qualified Network.TLS as TLS
type HMState = LabelMap HostValue
data HostValue = HVActive !AppId !ProxyAction
data HostValue = HVActive !AppId !ProxyAction !TLS.Credentials
| HVReserved !AppId
newtype HostManager = HostManager (IORef HMState)
@ -77,7 +78,7 @@ reserveHosts log (HostManager mstate) aid hosts = do
Nothing -> Right $ Set.singleton host
Just (HVReserved aid') -> assert (aid /= aid')
$ Left (host, aid')
Just (HVActive aid' _)
Just (HVActive aid' _ _)
| aid == aid' -> Right Set.empty
| otherwise -> Left (host, aid')
where hostBS = encodeUtf8 $ CI.original host
@ -113,26 +114,26 @@ forgetReservations log (HostManager mstate) app hosts = do
activateApp :: (LogMessage -> IO ())
-> HostManager
-> AppId
-> Map.Map Host ProxyAction
-> Map.Map Host (ProxyAction, TLS.Credentials)
-> IO ()
activateApp log (HostManager mstate) app actions = do
log $ ActivatingApp app $ Map.keysSet actions
atomicModifyIORef mstate $ \state0 ->
(activateHelper app state0 actions, ())
activateHelper :: AppId -> HMState -> Map Host ProxyAction -> HMState
activateHelper :: AppId -> HMState -> Map Host (ProxyAction, TLS.Credentials) -> HMState
activateHelper app =
Map.foldrWithKey activate
where
activate host action state =
assert isOwnedByMe $ LabelMap.insert hostBS (HVActive app action) state
activate host (action, cr) state =
assert isOwnedByMe $ LabelMap.insert hostBS (HVActive app action cr) state
where
hostBS = encodeUtf8 $ CI.original host
isOwnedByMe = LabelMap.labelAssigned hostBS state &&
case LabelMap.lookup hostBS state of
Nothing -> False
Just (HVReserved app') -> app == app'
Just (HVActive app' _) -> app == app'
Just (HVActive app' _ _) -> app == app'
deactivateApp :: (LogMessage -> IO ())
-> HostManager
@ -155,13 +156,13 @@ deactivateHelper app =
isOwnedByMe = LabelMap.labelAssigned hostBS state &&
case LabelMap.lookup hostBS state of
Nothing -> False
Just (HVActive app' _) -> app == app'
Just (HVActive app' _ _) -> app == app'
Just HVReserved {} -> False
reactivateApp :: (LogMessage -> IO ())
-> HostManager
-> AppId
-> Map Host ProxyAction
-> Map Host (ProxyAction, TLS.Credentials)
-> Set Host
-> IO ()
reactivateApp log (HostManager mstate) app actions hosts = do
@ -171,10 +172,10 @@ reactivateApp log (HostManager mstate) app actions hosts = do
lookupAction :: HostManager
-> HostBS
-> IO (Maybe ProxyAction)
-> IO (Maybe (ProxyAction, TLS.Credentials))
lookupAction (HostManager mstate) host = do
state <- readIORef mstate
return $ case LabelMap.lookup (CI.original host) state of
Nothing -> Nothing
Just (HVActive _ action) -> Just action
Just (HVActive _ action cert) -> Just (action, cert)
Just (HVReserved _) -> Nothing

View File

@ -43,9 +43,10 @@ import qualified Network.Wai.Handler.WarpTLS as WarpTLS
import Network.Wai.Middleware.Gzip (gzip)
import Prelude hiding (FilePath, (++))
import WaiAppStatic.Listing (defaultListing)
import qualified Network.TLS as TLS
-- | Mapping from virtual hostname to port number.
type HostLookup = ByteString -> IO (Maybe ProxyAction)
type HostLookup = ByteString -> IO (Maybe (ProxyAction, TLS.Credentials))
reverseProxy :: Bool
-> Int -> Manager -> HostLookup -> ListeningPort -> IO ()
@ -57,12 +58,24 @@ reverseProxy useHeader timeBound manager hostLookup listener =
case listener of
LPInsecure host port -> (Warp.runSettings (warp host port), False)
LPSecure host port cert chainCerts key -> (WarpTLS.runTLS
(WarpTLS.tlsSettingsChain
(connectClientCertificates hostLookup $ WarpTLS.tlsSettingsChain
cert
(V.toList chainCerts)
key)
(warp host port), True)
connectClientCertificates :: HostLookup -> WarpTLS.TLSSettings -> WarpTLS.TLSSettings
connectClientCertificates hl s =
let
newHooks@TLS.ServerHooks{..} = WarpTLS.tlsServerHooks s
-- todo: add nested lookup
newOnServerNameIndication (Just n) =
maybe mempty snd <$> hl (S8.pack n)
newOnServerNameIndication Nothing =
return mempty -- we could return default certificate here
in
s { WarpTLS.tlsServerHooks = newHooks{TLS.onServerNameIndication = newOnServerNameIndication}}
withClient :: Bool -- ^ is secure?
-> Bool -- ^ use incoming request header for IP address
-> Int -- ^ time bound for connections
@ -120,7 +133,7 @@ withClient isSecure useHeader bound manager hostLookup =
else hostLookup host'
case mport of
Nothing -> return (def, WPRResponse $ unknownHostResponse host)
Just (action, requiresSecure)
Just ((action, requiresSecure), _)
| requiresSecure && not isSecure -> performHttpsRedirect host req
| otherwise -> performAction req action

View File

@ -22,5 +22,6 @@ import Keter.Types.V10 as X
, BackgroundConfig (..)
, RestartCount (..)
, RequiresSecure
, SSLConfig (..)
)
import Network.HTTP.ReverseProxy.Rewrite as X (ReverseProxyConfig (..), RewriteRule (..))

View File

@ -8,8 +8,8 @@ module Keter.Types.V10 where
import Control.Applicative ((<$>), (<*>), (<|>))
import Data.Aeson (Object, ToJSON (..))
import Data.Aeson (FromJSON (..),
Value (Object, String),
withObject, (.!=), (.:),
Value (Object, String, Bool),
withObject, withBool, (.!=), (.:),
(.:?))
import Data.Aeson (Value (Bool), object, (.=))
import qualified Data.CaseInsensitive as CI
@ -251,7 +251,7 @@ instance ToCurrent StaticFilesConfig where
instance ParseYamlFile StaticFilesConfig where
parseYamlFile basedir = withObject "StaticFilesConfig" $ \o -> StaticFilesConfig
<$> lookupBase basedir o "root"
<*> (Set.map CI.mk <$> ((o .: "hosts" <|> (Set.singleton <$> (o .: "host")))))
<*> (Set.map CI.mk <$> (o .: "hosts" <|> (Set.singleton <$> (o .: "host"))))
<*> o .:? "directory-listing" .!= False
<*> o .:? "middleware" .!= []
<*> o .:? "connection-time-bound"
@ -341,13 +341,54 @@ instance ToJSON RedirectDest where
type IsSecure = Bool
data SSLConfig
= SSLFalse
| SSLTrue
| SSL !F.FilePath !(V.Vector F.FilePath) !F.FilePath
deriving (Show, Eq)
instance ParseYamlFile SSLConfig where
parseYamlFile _ v@(Bool _) =
withBool "ssl" ( \b ->
return (if b then SSLTrue else SSLFalse) ) v
parseYamlFile basedir v = withObject "ssl" ( \o -> do
mcert <- lookupBaseMaybe basedir o "certificate"
mkey <- lookupBaseMaybe basedir o "key"
case (mcert, mkey) of
(Just cert, Just key) -> do
chainCerts <- o .:? "chain-certificates"
>>= maybe (return V.empty) (parseYamlFile basedir)
return $ SSL cert chainCerts key
_ -> return SSLFalse
) v
instance ToJSON SSLConfig where
toJSON SSLTrue = Bool True
toJSON SSLFalse = Bool False
toJSON (SSL c cc k) = object [ "certificate" .= c
, "chain-certificates" .= cc
, "key" .= k
]
instance FromJSON SSLConfig where
parseJSON v@(Bool _) = withBool "ssl" ( \b ->
return (if b then SSLTrue else SSLFalse) ) v
parseJSON v = withObject "ssl" ( \o -> do
mcert <- o .:? "certificate"
mkey <- o .:? "key"
case (mcert, mkey) of
(Just cert, Just key) -> do
chainCerts <- o .:? "chain-certificates" .!= V.empty
return $ SSL cert chainCerts key
_ -> return SSLFalse -- fail "Must provide both certificate and key files"
) v
data WebAppConfig port = WebAppConfig
{ waconfigExec :: !F.FilePath
, waconfigArgs :: !(Vector Text)
, waconfigEnvironment :: !(Map Text Text)
, waconfigApprootHost :: !Host -- ^ primary host, used for approot
, waconfigHosts :: !(Set Host) -- ^ all hosts, not including the approot host
, waconfigSsl :: !Bool
, waconfigSsl :: !SSLConfig
, waconfigPort :: !port
, waconfigForwardEnv :: !(Set Text)
, waconfigTimeout :: !(Maybe Int)
@ -362,7 +403,7 @@ instance ToCurrent (WebAppConfig ()) where
, waconfigEnvironment = Map.empty
, waconfigApprootHost = CI.mk host
, waconfigHosts = Set.map CI.mk hosts
, waconfigSsl = ssl
, waconfigSsl = if ssl then SSLTrue else SSLFalse
, waconfigPort = ()
, waconfigForwardEnv = Set.empty
, waconfigTimeout = Nothing
@ -385,7 +426,7 @@ instance ParseYamlFile (WebAppConfig ()) where
<*> o .:? "env" .!= Map.empty
<*> return ahost
<*> return hosts
<*> o .:? "ssl" .!= False
<*> o .:? "ssl" .!= SSLFalse
<*> return ()
<*> o .:? "forward-env" .!= Set.empty
<*> o .:? "connection-time-bound"

View File

@ -4,6 +4,13 @@ stanzas:
args:
- Hello World v1.0
#ssl : true
# ssl:
# key: /opt/keter/etc/cert/hello.key
# certificate: /opt/keter/etc/cert/hello.crt
# chain-certificates:
# - /opt/keter/etc/middle.crt
# - /opt/keter/etc/root.crt
env:
FROM_KETER_CONFIG: foo bar baz
forward-env:

View File

@ -61,6 +61,7 @@ Library
, stm >= 2.4
, async
, lifted-base
, tls
if impl(ghc < 7.6)
build-depends: ghc-prim

View File

@ -2,5 +2,23 @@ flags:
keter: {}
packages:
- '.'
- location:
git: https://github.com/tolysz/hs-tls.git
commit: 0e5ba492a686b9aed32abbd1437860dbca2ebf4a
subdirs:
- core
- location:
git: https://github.com/yesodweb/wai.git
commit: 7eded0855ea50dda4f3944f3d7ececb384b7eda3
subdirs:
- warp-tls
- wai
- warp
- wai-app-static
- auto-update
- mime-types
extra-dep: true
extra-deps: []
resolver: lts-3.5
allow-newer: true
resolver: nightly-2016-05-19