forked from ghostunnel/ghostunnel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
934 lines (816 loc) · 35.5 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
/*-
* Copyright 2015 Square Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package main
import (
"crypto/tls"
"errors"
"fmt"
"io"
"log"
"net"
"net/http"
"net/http/pprof"
"os"
"runtime"
"strings"
"time"
"github.com/ghostunnel/ghostunnel/auth"
"github.com/ghostunnel/ghostunnel/certloader"
"github.com/ghostunnel/ghostunnel/policy"
"github.com/ghostunnel/ghostunnel/proxy"
"github.com/ghostunnel/ghostunnel/socket"
"github.com/ghostunnel/ghostunnel/wildcard"
kingpin "github.com/alecthomas/kingpin/v2"
graphite "github.com/cyberdelia/go-metrics-graphite"
gsyslog "github.com/hashicorp/go-syslog"
http_dialer "github.com/mwitkow/go-http-dialer"
"github.com/prometheus/client_golang/prometheus/promhttp"
metrics "github.com/rcrowley/go-metrics"
sqmetrics "github.com/square/go-sq-metrics"
prometheusmetrics "github.com/deathowl/go-metrics-prometheus"
"github.com/prometheus/client_golang/prometheus"
)
var (
version = "master"
defaultMetricsPrefix = "ghostunnel"
)
// Optional flags (enabled conditionally based on build)
var (
keychainIdentity *string //nolint:golint,unused
keychainIssuer *string //nolint:golint,unused
keychainRequireToken *bool //nolint:golint,unused
pkcs11Module *string //nolint:golint,unused
pkcs11TokenLabel *string //nolint:golint,unused
pkcs11PIN *string //nolint:golint,unused
useLandlock *bool //nolint:golint,unused
)
// Main flags (always supported)
var (
app = kingpin.New("ghostunnel", "A simple SSL/TLS proxy with mutual authentication for securing non-TLS services.")
// Server flags
serverCommand = app.Command("server", "Server mode (TLS listener -> plain TCP/UNIX target).")
serverListenAddress = serverCommand.Flag("listen", "Address and port to listen on (can be HOST:PORT, unix:PATH, systemd:NAME or launchd:NAME).").PlaceHolder("ADDR").Required().String()
serverForwardAddress = serverCommand.Flag("target", "Address to forward connections to (can be HOST:PORT or unix:PATH).").PlaceHolder("ADDR").Required().String()
serverStatusTargetAddress = serverCommand.Flag("target-status", "Address to target for status checking downstream healthchecks. Defaults to a TCP healthcheck if this flag is not passed.").Default("").String()
serverProxyProtocol = serverCommand.Flag("proxy-protocol", "Enable PROXY protocol v2 to signal connection info to backend").Bool()
serverUnsafeTarget = serverCommand.Flag("unsafe-target", "If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets.").Bool()
serverAllowAll = serverCommand.Flag("allow-all", "Allow all clients, do not check client cert subject.").Bool()
serverAllowedCNs = serverCommand.Flag("allow-cn", "Allow clients with given common name (can be repeated).").PlaceHolder("CN").Strings()
serverAllowedOUs = serverCommand.Flag("allow-ou", "Allow clients with given organizational unit name (can be repeated).").PlaceHolder("OU").Strings()
serverAllowedDNSs = serverCommand.Flag("allow-dns", "Allow clients with given DNS subject alternative name (can be repeated).").PlaceHolder("DNS").Strings()
serverAllowedIPs = serverCommand.Flag("allow-ip", "").Hidden().PlaceHolder("SAN").IPList()
serverAllowedURIs = serverCommand.Flag("allow-uri", "Allow clients with given URI subject alternative name (can be repeated).").PlaceHolder("URI").Strings()
serverAllowPolicy = serverCommand.Flag("allow-policy", "Allow passing the location of an OPA rego file").PlaceHolder("POLICY").String()
serverAllowQuery = serverCommand.Flag("allow-query", "Allow defining a query to validate against the client certificate and the rego policy.").PlaceHolder("QUERY").String()
serverDisableAuth = serverCommand.Flag("disable-authentication", "Disable client authentication, no client certificate will be required.").Default("false").Bool()
serverAutoACMEFQDN = serverCommand.Flag("auto-acme-cert", "Automatically obtain a certificate via ACME for the specified FQDN").PlaceHolder("FQDN").String()
serverAutoACMEEmail = serverCommand.Flag("auto-acme-email", "Email address associated with all ACME requests").PlaceHolder("EMAIL").String()
serverAutoACMEAgreedTOS = serverCommand.Flag("auto-acme-agree-to-tos", "Agree to the Terms of Service of the ACME CA").Default("false").Bool()
serverAutoACMEProdCA = serverCommand.Flag("auto-acme-ca", "Specify the URL to the ACME CA. Defaults to Let's Encrypt if not specified.").PlaceHolder("https://some-acme-ca.example.com/").String()
serverAutoACMETestCA = serverCommand.Flag("auto-acme-testca", "Specify the URL to the ACME CA's Test/Staging environment. If set, all requests will go to this CA and --auto-acme-ca will be ignored.").PlaceHolder("https://testing.some-acme-ca.example.com/").String()
// Client flags
clientCommand = app.Command("client", "Client mode (plain TCP/UNIX listener -> TLS target).")
clientListenAddress = clientCommand.Flag("listen", "Address and port to listen on (can be HOST:PORT, unix:PATH, systemd:NAME or launchd:NAME).").PlaceHolder("ADDR").Required().String()
// Note: can't use .TCP() for clientForwardAddress because we need to set the original string in tls.Config.ServerName.
clientForwardAddress = clientCommand.Flag("target", "Address to forward connections to (must be HOST:PORT).").PlaceHolder("ADDR").Required().String()
clientUnsafeListen = clientCommand.Flag("unsafe-listen", "If set, does not limit listen to localhost, 127.0.0.1, [::1], or UNIX sockets.").Bool()
clientServerName = clientCommand.Flag("override-server-name", "If set, overrides the server name used for hostname verification.").PlaceHolder("NAME").String()
clientConnectProxy = clientCommand.Flag("connect-proxy", "If set, connect to target over given HTTP CONNECT proxy. Must be HTTP/HTTPS URL.").PlaceHolder("URL").URL()
clientAllowedCNs = clientCommand.Flag("verify-cn", "Allow servers with given common name (can be repeated).").PlaceHolder("CN").Strings()
clientAllowedOUs = clientCommand.Flag("verify-ou", "Allow servers with given organizational unit name (can be repeated).").PlaceHolder("OU").Strings()
clientAllowedDNSs = clientCommand.Flag("verify-dns", "Allow servers with given DNS subject alternative name (can be repeated).").PlaceHolder("DNS").Strings()
clientAllowedIPs = clientCommand.Flag("verify-ip", "").Hidden().PlaceHolder("SAN").IPList()
clientAllowedURIs = clientCommand.Flag("verify-uri", "Allow servers with given URI subject alternative name (can be repeated).").PlaceHolder("URI").Strings()
clientAllowPolicy = clientCommand.Flag("verify-policy", "Allow passing the location of an OPA rego file").PlaceHolder("POLICY").String()
clientAllowQuery = clientCommand.Flag("verify-query", "Allow defining a query to validate against the client certificate and the rego policy.").PlaceHolder("QUERY").String()
clientDisableAuth = clientCommand.Flag("disable-authentication", "Disable client authentication, no certificate will be provided to the server.").Default("false").Bool()
// TLS options
keystorePath = app.Flag("keystore", "Path to keystore (combined PEM with cert/key, or PKCS12 keystore).").PlaceHolder("PATH").Envar("KEYSTORE_PATH").String()
certPath = app.Flag("cert", "Path to certificate (PEM with certificate chain).").PlaceHolder("PATH").Envar("CERT_PATH").String()
keyPath = app.Flag("key", "Path to certificate private key (PEM with private key).").PlaceHolder("PATH").Envar("KEY_PATH").String()
keystorePass = app.Flag("storepass", "Password for keystore (if using PKCS keystore, optional).").PlaceHolder("PASS").Envar("KEYSTORE_PASS").String()
caBundlePath = app.Flag("cacert", "Path to CA bundle file (PEM/X509). Uses system trust store by default.").Envar("CACERT_PATH").String()
enabledCipherSuites = app.Flag("cipher-suites", "Set of cipher suites to enable, comma-separated, in order of preference (AES, CHACHA).").Default("AES,CHACHA").String()
useWorkloadAPI = app.Flag("use-workload-api", "If true, certificate and root CAs are retrieved via the SPIFFE Workload API").Bool()
useWorkloadAPIAddr = app.Flag("use-workload-api-addr", "If set, certificates and root CAs are retrieved via the SPIFFE Workload API at the specified address (implies --use-workload-api)").Envar("SPIFFE_ENDPOINT_SOCKET").PlaceHolder("ADDR").String()
allowUnsafeCipherSuites = app.Flag("allow-unsafe-cipher-suites", "Allow cipher suites deemed to be unsafe to be enabled via the cipher-suites flag.").Hidden().Default("false").Bool()
// Reloading and timeouts
timedReload = app.Flag("timed-reload", "Reload keystores every given interval (e.g. 300s), refresh listener/client on changes.").PlaceHolder("DURATION").Duration()
shutdownTimeout = app.Flag("shutdown-timeout", "Graceful shutdown timeout. Terminates after timeout even if connections still open.").Default("5m").Duration()
timeoutDuration = app.Flag("connect-timeout", "Timeout for establishing connections, handshakes.").Default("10s").Duration()
// Metrics options
metricsGraphite = app.Flag("metrics-graphite", "Collect metrics and report them to the given graphite instance (raw TCP).").PlaceHolder("ADDR").TCP()
metricsURL = app.Flag("metrics-url", "Collect metrics and POST them periodically to the given URL (via HTTP/JSON).").PlaceHolder("URL").String()
metricsPrefix = app.Flag("metrics-prefix", fmt.Sprintf("Set prefix string for all reported metrics (default: %s).", defaultMetricsPrefix)).PlaceHolder("PREFIX").Default(defaultMetricsPrefix).String()
metricsInterval = app.Flag("metrics-interval", "Collect (and post/send) metrics every specified interval.").Default("30s").Duration()
// Status & logging
statusAddress = app.Flag("status", "Enable serving /_status and /_metrics on given HOST:PORT (or unix:SOCKET).").PlaceHolder("ADDR").String()
enableProf = app.Flag("enable-pprof", "Enable serving /debug/pprof endpoints alongside /_status (for profiling).").Bool()
enableShutdown = app.Flag("enable-shutdown", "Enable serving a /_shutdown endpoint alongside /_status to allow terminating via HTTP.").Default("false").Bool()
quiet = app.Flag("quiet", "Silence log messages (can be all, conns, conn-errs, handshake-errs; repeat flag for more than one)").Default("").Enums("", "all", "conns", "handshake-errs", "conn-errs")
// Man page /help
helpMan = app.Flag("help-custom-man", "Generate a man page.").Hidden().PreAction(generateManPage).Bool()
)
func init() {
// Optional keychain identity flag, if compiled for a supported platform
if certloader.SupportsKeychain() {
keychainIdentity = app.Flag("keychain-identity", "Use local keychain identity with given serial/common name (instead of keystore file).").PlaceHolder("CN").String()
keychainIssuer = app.Flag("keychain-issuer", "Use local keychain identity with given issuer name (instead of keystore file).").PlaceHolder("CN").String()
if runtime.GOOS == "darwin" {
keychainRequireToken = app.Flag("keychain-require-token", "Require keychain identity to be from a physical token (sets 'access group' to 'token').").Bool()
} else {
// The "require token" flag doesn't do anything on Windows/Linux, so we hide it.
isFalse := false
keychainRequireToken = &isFalse
}
}
// Optional PKCS#11 flags, if compiled with CGO enabled
if certloader.SupportsPKCS11() {
pkcs11Module = app.Flag("pkcs11-module", "Path to PKCS11 module (SO) file (optional).").Envar("PKCS11_MODULE").PlaceHolder("PATH").ExistingFile()
pkcs11TokenLabel = app.Flag("pkcs11-token-label", "Token label for slot/key in PKCS11 module (optional).").Envar("PKCS11_TOKEN_LABEL").PlaceHolder("LABEL").String()
pkcs11PIN = app.Flag("pkcs11-pin", "PIN code for slot/key in PKCS11 module (optional).").Envar("PKCS11_PIN").PlaceHolder("PIN").String()
}
if runtime.GOOS == "linux" {
useLandlock = app.Flag("use-landlock", "If true, will use landlock to limit file and socket access on supported kernels.").Bool()
}
// Aliases for flags that were renamed to be backwards-compatible
serverCommand.Flag("allow-dns-san", "").Hidden().StringsVar(serverAllowedDNSs)
serverCommand.Flag("allow-ip-san", "").Hidden().IPListVar(serverAllowedIPs)
serverCommand.Flag("allow-uri-san", "").Hidden().StringsVar(serverAllowedURIs)
clientCommand.Flag("verify-dns-san", "").Hidden().StringsVar(clientAllowedDNSs)
clientCommand.Flag("verify-ip-san", "").Hidden().IPListVar(clientAllowedIPs)
clientCommand.Flag("verify-uri-san", "").Hidden().StringsVar(clientAllowedURIs)
}
var exitFunc = os.Exit
// Context groups listening context data together
type Context struct {
status *statusHandler
statusHTTP *http.Server
shutdownChannel chan bool
shutdownTimeout time.Duration
dial func() (net.Conn, error)
metrics *sqmetrics.SquareMetrics
tlsConfigSource certloader.TLSConfigSource
regoPolicy policy.Policy
}
// Dialer is an interface for dialers (either net.Dialer, or http_dialer.HttpTunnel)
type Dialer interface {
Dial(network, address string) (net.Conn, error)
}
// Global logger instance
var logger = log.New(os.Stdout, "", log.LstdFlags|log.Lmicroseconds)
func initLogger(syslog bool, flags []string) (err error) {
// If user has indicated request for syslog, override default stdout
// logger with a syslog one instead. This can fail, e.g. in containers
// that don't have syslog available.
for _, flag := range flags {
if flag == "all" {
// If --quiet=all if passed, disable all logging
logger = log.New(io.Discard, "", 0)
return
}
}
if syslog {
var syslogWriter gsyslog.Syslogger
syslogWriter, err = gsyslog.NewLogger(gsyslog.LOG_INFO, "DAEMON", "")
if err == nil {
logger = log.New(syslogWriter, "", log.LstdFlags|log.Lmicroseconds)
}
}
return
}
// panicOnError panics if err is not nil
func panicOnError(err error) {
if err != nil {
panic(err)
}
}
// Validate flags for both, server and client mode
func validateFlags(app *kingpin.Application) error {
if *statusAddress == "" {
if *enableProf {
return fmt.Errorf("--enable-pprof requires --status to be set")
}
if *enableShutdown {
return fmt.Errorf("--enable-shutdown requires --status to be set")
}
}
if *metricsURL != "" && !strings.HasPrefix(*metricsURL, "http://") && !strings.HasPrefix(*metricsURL, "https://") {
return fmt.Errorf("--metrics-url should start with http:// or https://")
}
if *serverStatusTargetAddress != "" && !strings.HasPrefix(*serverStatusTargetAddress, "http://") && !strings.HasPrefix(*serverStatusTargetAddress, "https://") {
return fmt.Errorf("--target-status should start with http:// or https://")
}
if *timeoutDuration == 0 {
return fmt.Errorf("--connect-timeout duration must not be zero")
}
if pkcs11Module != nil && *pkcs11Module != "" && useLandlock != nil && *useLandlock {
return fmt.Errorf("--use-landlock is not compatible with --pkcs11-module")
}
return nil
}
// Validates that addr is "safe" and does not need --unsafe-listen (or --unsafe-target).
func consideredSafe(addr string) bool {
safePrefixes := []string{
"unix:",
"systemd:",
"launchd:",
"127.0.0.1:",
"[::1]:",
"localhost:",
}
for _, prefix := range safePrefixes {
if strings.HasPrefix(addr, prefix) {
return true
}
}
return false
}
func validateCredentials(creds []bool) int {
count := 0
for _, cred := range creds {
if cred {
count++
}
}
return count
}
func validateCipherSuites() error {
for _, suite := range strings.Split(*enabledCipherSuites, ",") {
name := strings.TrimSpace(suite)
_, ok := cipherSuites[name]
if !ok && *allowUnsafeCipherSuites {
_, ok = unsafeCipherSuites[name]
}
if !ok {
return fmt.Errorf("invalid cipher suite option: %s", suite)
}
}
return nil
}
// Validate flags for server mode
func serverValidateFlags() error {
// hasAccessFlags is true if access control flags (besides allow-all) were specified
hasAccessFlags := len(*serverAllowedCNs) > 0 ||
len(*serverAllowedOUs) > 0 ||
len(*serverAllowedDNSs) > 0 ||
len(*serverAllowedIPs) > 0 ||
len(*serverAllowedURIs) > 0
hasOPAFlags := len(*serverAllowPolicy) > 0 ||
len(*serverAllowQuery) > 0
hasValidCredentials := validateCredentials([]bool{
// Standard keystore
*keystorePath != "",
// macOS keychain identity
hasKeychainIdentity(),
// A certificate and a key, in separate files
(*certPath != "" && *keyPath != ""),
// A certificate, with the key in a PKCS#11 module
(*certPath != "" && hasPKCS11()),
// SPIFFE Workload API
*useWorkloadAPI,
// Auto via ACME
*serverAutoACMEFQDN != "",
})
if hasValidCredentials == 0 {
return errors.New("at least one of --keystore, --cert/--key, --auto-acme-cert, or --keychain-identity/issuer (if supported) flags is required")
}
if hasValidCredentials > 1 {
return errors.New("--keystore, --cert/--key, --auto-acme-cert, and --keychain-identity/issuer flags are mutually exclusive")
}
if (*keyPath != "" && *certPath == "") || (*certPath != "" && *keyPath == "" && !hasPKCS11()) {
return errors.New("--cert/--key must be set together, unless using PKCS11 for private key")
}
if !(*serverDisableAuth) && !(*serverAllowAll) && !hasAccessFlags && !hasOPAFlags {
return errors.New("at least one access control flag (--allow-{all,cn,ou,dns-san,ip-san,uri-san}, or OPA flags, or --disable-authentication) is required")
}
if !(*serverDisableAuth) && *serverAllowAll && (hasAccessFlags || hasOPAFlags) {
return errors.New("--allow-all is mutually exclusive with other access control flags")
}
if *serverDisableAuth && (*serverAllowAll || hasAccessFlags || hasOPAFlags) {
return errors.New("--disable-authentication is mutually exclusive with other access control flags")
}
if !*serverUnsafeTarget && !consideredSafe(*serverForwardAddress) {
return errors.New("--target must be unix:PATH or localhost:PORT (unless --unsafe-target is set)")
}
if *serverAutoACMEFQDN != "" {
if *serverAutoACMEEmail == "" {
return errors.New("--auto-cert-acme was specified but no email address was provided with --auto-acme-email")
}
if !*serverAutoACMEAgreedTOS {
return errors.New("--auto-acme-agree-to-tos was not specified and is required if --auto-acme-cert is specified")
}
}
if hasOPAFlags && (*serverAllowPolicy == "" || *serverAllowQuery == "") {
return errors.New("--allow-policy and --allow-query have to be used together")
}
if hasOPAFlags && hasAccessFlags {
return errors.New("--allow-policy and --allow-query are mutually exclusive with other access control flags")
}
if err := validateCipherSuites(); err != nil {
return err
}
return nil
}
// Validate flags for client mode
func clientValidateFlags() error {
hasValidCredentials := validateCredentials([]bool{
// Standard keystore
*keystorePath != "",
// macOS keychain identity
hasKeychainIdentity(),
// A certificate and a key, in separate files
(*certPath != "" && *keyPath != ""),
// A certificate, with the key in a PKCS#11 module
(*certPath != "" && hasPKCS11()),
// No credentials needed if auth is disabled
*clientDisableAuth,
})
if hasValidCredentials == 0 && !*useWorkloadAPI {
return errors.New("at least one of --keystore, --cert/--key, --keychain-identity/issuer (if supported) or --disable-authentication flags is required")
}
if hasValidCredentials > 1 {
return errors.New("--keystore, --cert/--key, --keychain-identity/issuer and --disable-authentication flags are mutually exclusive")
}
if (*keyPath != "" && *certPath == "") || (*certPath != "" && *keyPath == "" && !hasPKCS11()) {
return errors.New("--cert/--key must be set together, unless using PKCS11 for private key")
}
if !*clientUnsafeListen && !consideredSafe(*clientListenAddress) {
return fmt.Errorf("--listen must be unix:PATH, localhost:PORT, systemd:NAME or launchd:NAME (unless --unsafe-listen is set)")
}
if *clientConnectProxy != nil && (*clientConnectProxy).Scheme != "http" && (*clientConnectProxy).Scheme != "https" {
return fmt.Errorf("invalid CONNECT proxy %s, must have HTTP or HTTPS connection scheme", (*clientConnectProxy).String())
}
if err := validateCipherSuites(); err != nil {
return err
}
return nil
}
func main() {
err := run(os.Args[1:])
if err != nil {
fmt.Fprintf(os.Stderr, "error: %s\n", err)
exitFunc(1)
}
exitFunc(0)
}
func run(args []string) error {
runtime.GOMAXPROCS(runtime.NumCPU())
app.Version(fmt.Sprintf("rev %s built with %s", version, runtime.Version()))
app.Validate(validateFlags)
app.UsageTemplate(kingpin.LongHelpTemplate)
command := kingpin.MustParse(app.Parse(args))
// use-workload-api-addr implies use-workload-api
if *useWorkloadAPIAddr != "" {
*useWorkloadAPI = true
}
// Logger
err := initLogger(useSyslog(), *quiet)
if err != nil {
return fmt.Errorf("unable to set up logger: %v", err)
}
logger.SetPrefix(fmt.Sprintf("[%d] ", os.Getpid()))
logger.Printf("starting ghostunnel in %s mode", command)
// Landlock
if useLandlock != nil && *useLandlock {
logger.Printf("setting up landlock rules to limit process privileges")
// Ignore landlock errors (for now). Landlock is a relatively new feature
// and not supported on older kernels (net rules were added in v6.7, Jan
// 2024). We may change this in a future version of Ghostunnel as we get
// more comfortable with Landlock.
_ = setupLandlock(logger)
}
// Metrics
if *metricsGraphite != nil {
logger.Printf("metrics enabled; reporting metrics via TCP to %s", *metricsGraphite)
go graphite.Graphite(metrics.DefaultRegistry, 1*time.Second, *metricsPrefix, *metricsGraphite)
}
if *metricsURL != "" {
logger.Printf("metrics enabled; reporting metrics via POST to %s", *metricsURL)
}
// Always enable prometheus registry. The overhead should be quite minimal as an in-mem map is updated
// with the values.
pClient := prometheusmetrics.NewPrometheusProvider(metrics.DefaultRegistry, *metricsPrefix, "", prometheus.DefaultRegisterer, 1*time.Second)
go pClient.UpdatePrometheusMetrics()
// Read CA bundle for passing to metrics library
ca, err := certloader.LoadTrustStore(*caBundlePath)
if err != nil {
logger.Printf("error: unable to build TLS config: %s\n", err)
return err
}
client := &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
RootCAs: ca,
},
},
}
metrics := sqmetrics.NewMetrics(*metricsURL, *metricsPrefix, client, *metricsInterval, metrics.DefaultRegistry, logger)
switch command {
case serverCommand.FullCommand():
if err := serverValidateFlags(); err != nil {
logger.Printf("error: %s\n", err)
return err
}
// Duplicating this call to getTLSConfigSource() in all switch cases
// because we need to complete the validation of the command flags first.
tlsConfigSource, err := getTLSConfigSource(*serverDisableAuth)
if err != nil {
return err
}
dial, err := serverBackendDialer()
if err != nil {
logger.Printf("error: invalid target address: %s\n", err)
return err
}
logger.Printf("using target address %s", *serverForwardAddress)
status := newStatusHandler(dial, *serverStatusTargetAddress)
context := &Context{
status: status,
shutdownChannel: make(chan bool, 1),
shutdownTimeout: *shutdownTimeout,
dial: dial,
metrics: metrics,
tlsConfigSource: tlsConfigSource,
}
go context.reloadHandler(*timedReload)
// Start listening
err = serverListen(context)
if err != nil {
logger.Printf("error from server listen: %s\n", err)
}
return err
case clientCommand.FullCommand():
if err := clientValidateFlags(); err != nil {
logger.Printf("error: %s\n", err)
return err
}
// Duplicating this call to getTLSConfigSource() in all switch cases
// because we need to complete the validation of the command flags first.
tlsConfigSource, err := getTLSConfigSource(*clientDisableAuth)
if err != nil {
return err
}
// Note: A target address given on the command line may not be resolvable
// on our side if the connection is forwarded through a CONNECT proxy. Hence,
// we ignore "no such host" errors when a proxy is set and trust that the
// proxy will be able to find the target for us.
skipResolve := *clientConnectProxy != nil
network, address, host, err := socket.ParseAddress(*clientForwardAddress, skipResolve)
if err != nil {
logger.Printf("error: invalid target address: %s\n", err)
return err
}
logger.Printf("using target address %s", *clientForwardAddress)
dial, policy, err := clientBackendDialer(tlsConfigSource, network, address, host)
if err != nil {
logger.Printf("error: unable to build dialer: %s\n", err)
return err
}
// NOTE: We don't provide a target status address here because this the client
// /_status endpoint and therefore, its target will be a ghostunnel in server
// mode and therefore, should be a (default) TCP check.
status := newStatusHandler(dial, "")
context := &Context{
status: status,
shutdownChannel: make(chan bool, 1),
shutdownTimeout: *shutdownTimeout,
dial: dial,
metrics: metrics,
tlsConfigSource: tlsConfigSource,
regoPolicy: policy,
}
go context.reloadHandler(*timedReload)
// Start listening
err = clientListen(context)
if err != nil {
logger.Printf("error from client listen: %s\n", err)
}
return err
}
return errors.New("unknown command")
}
// Open listening socket in server mode. Take note that we create a
// "reusable port listener", meaning we pass SO_REUSEPORT to the kernel. This
// allows us to have multiple sockets listening on the same port and accept
// connections. This is useful for the purpose of replacing certificates
// in-place without having to take downtime, e.g. if a certificate is expiring.
func serverListen(context *Context) error {
config, err := buildServerConfig(*enabledCipherSuites)
if err != nil {
logger.Printf("error trying to read CA bundle: %s", err)
return err
}
allowedURIs, err := wildcard.CompileList(*serverAllowedURIs)
if err != nil {
logger.Printf("invalid URI pattern in --allow-uri flag (%s)", err)
return err
}
// Compile the rego policy
var regoPolicy policy.Policy
if len(*serverAllowPolicy) > 0 && len(*serverAllowQuery) > 0 {
regoPolicy, err = policy.LoadFromFile(*serverAllowPolicy, *serverAllowQuery)
if err != nil {
logger.Printf("Invalid rego policy or query: %s", err)
return err
}
context.regoPolicy = regoPolicy
}
serverACL := auth.ACL{
AllowAll: *serverAllowAll,
AllowedCNs: *serverAllowedCNs,
AllowedOUs: *serverAllowedOUs,
AllowedDNSs: *serverAllowedDNSs,
AllowedIPs: *serverAllowedIPs,
AllowOPAQuery: regoPolicy,
AllowedURIs: allowedURIs,
OPAQueryTimeout: *timeoutDuration,
}
if *serverDisableAuth {
config.ClientAuth = tls.NoClientCert
} else {
config.VerifyPeerCertificate = serverACL.VerifyPeerCertificateServer
}
listener, err := socket.ParseAndOpen(*serverListenAddress)
if err != nil {
logger.Printf("error trying to listen: %s", err)
return err
}
serverConfig := mustGetServerConfig(context.tlsConfigSource, config)
p := proxy.New(
certloader.NewListener(listener, serverConfig),
*timeoutDuration,
context.dial,
logger,
proxyLoggerFlags(*quiet),
*serverProxyProtocol,
)
if *statusAddress != "" {
err := context.serveStatus()
if err != nil {
logger.Printf("error serving /_status: %s", err)
return err
}
}
logger.Printf("listening for connections on %s", *serverListenAddress)
go p.Accept()
context.status.Listening()
context.status.HandleWatchdog()
context.signalHandler(p)
p.Wait()
return nil
}
// Open listening socket in client mode.
func clientListen(context *Context) error {
listener, err := socket.ParseAndOpen(*clientListenAddress)
if err != nil {
logger.Printf("error opening socket: %s", err)
return err
}
// If this is a UNIX socket, make sure we cleanup files on close.
if ul, ok := listener.(*net.UnixListener); ok {
ul.SetUnlinkOnClose(true)
}
p := proxy.New(
listener,
*timeoutDuration,
context.dial,
logger,
proxyLoggerFlags(*quiet),
false,
)
if *statusAddress != "" {
err := context.serveStatus()
if err != nil {
logger.Printf("error serving /_status: %s", err)
return err
}
}
logger.Printf("listening for connections on %s", *clientListenAddress)
go p.Accept()
context.status.Listening()
context.status.HandleWatchdog()
context.signalHandler(p)
p.Wait()
return nil
}
// Serve /_status (if configured)
func (context *Context) serveStatus() error {
promHandler := promhttp.Handler()
mux := http.NewServeMux()
mux.Handle("/_status", context.status)
mux.HandleFunc("/_metrics/json", func(w http.ResponseWriter, r *http.Request) {
context.metrics.ServeHTTP(w, r)
})
mux.HandleFunc("/_metrics/prometheus", func(w http.ResponseWriter, r *http.Request) {
promHandler.ServeHTTP(w, r)
})
mux.HandleFunc("/_metrics", func(w http.ResponseWriter, r *http.Request) {
params := r.URL.Query()
format, ok := params["format"]
if !ok || format[0] != "prometheus" {
context.metrics.ServeHTTP(w, r)
return
}
promHandler.ServeHTTP(w, r)
})
if *enableShutdown {
mux.HandleFunc("/_shutdown", func(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
w.WriteHeader(http.StatusMethodNotAllowed)
return
}
logger.Printf("shutdown was requested via status endpoint")
context.shutdownChannel <- true
w.WriteHeader(http.StatusOK)
})
}
if *enableProf {
mux.Handle("/debug/pprof/", http.HandlerFunc(pprof.Index))
mux.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
mux.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
mux.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
mux.Handle("/debug/pprof/trace", http.HandlerFunc(pprof.Trace))
}
https, addr := socket.ParseHTTPAddress(*statusAddress)
network, address, _, err := socket.ParseAddress(addr, false)
if err != nil {
return err
}
listener, err := socket.Open(network, address)
if err != nil {
logger.Printf("error: unable to bind on status port: %s\n", err)
return err
}
if network != "unix" && https && context.tlsConfigSource.CanServe() {
config, err := buildServerConfig(*enabledCipherSuites)
if err != nil {
return err
}
config.ClientAuth = tls.NoClientCert
serverConfig := mustGetServerConfig(context.tlsConfigSource, config)
listener = certloader.NewListener(listener, serverConfig)
}
context.statusHTTP = &http.Server{
Handler: mux,
ErrorLog: logger,
}
go func() {
err := context.statusHTTP.Serve(listener)
if err != nil {
logger.Printf("error serving status port: %s", err)
}
}()
return nil
}
// Get backend dialer function in server mode (connecting to a unix socket or tcp port)
func serverBackendDialer() (func() (net.Conn, error), error) {
backendNet, backendAddr, _, err := socket.ParseAddress(*serverForwardAddress, false)
if err != nil {
return nil, err
}
return func() (net.Conn, error) {
return net.DialTimeout(backendNet, backendAddr, *timeoutDuration)
}, nil
}
// Get backend dialer function in client mode (connecting to a TLS port)
func clientBackendDialer(tlsConfigSource certloader.TLSConfigSource, network, address, host string) (func() (net.Conn, error), policy.Policy, error) {
config, err := buildClientConfig(*enabledCipherSuites)
if err != nil {
return nil, nil, err
}
if *clientServerName == "" {
config.ServerName = host
} else {
config.ServerName = *clientServerName
}
allowedURIs, err := wildcard.CompileList(*clientAllowedURIs)
if err != nil {
logger.Printf("invalid URI pattern in --verify-uri flag (%s)", err)
return nil, nil, err
}
// Compile the rego policy
var regoPolicy policy.Policy
if len(*clientAllowPolicy) > 0 && len(*clientAllowQuery) > 0 {
regoPolicy, err = policy.LoadFromFile(*clientAllowPolicy, *clientAllowQuery)
if err != nil {
logger.Printf("Invalid rego policy or query: %s", err)
return nil, nil, err
}
}
clientACL := auth.ACL{
AllowedCNs: *clientAllowedCNs,
AllowedOUs: *clientAllowedOUs,
AllowedDNSs: *clientAllowedDNSs,
AllowedIPs: *clientAllowedIPs,
AllowedURIs: allowedURIs,
AllowOPAQuery: regoPolicy,
OPAQueryTimeout: *timeoutDuration,
}
config.VerifyPeerCertificate = clientACL.VerifyPeerCertificateClient
var dialer Dialer = &net.Dialer{Timeout: *timeoutDuration}
if *clientConnectProxy != nil {
logger.Printf("using HTTP(S) CONNECT proxy %s", (*clientConnectProxy).String())
// Use HTTP CONNECT proxy to connect to target.
proxyConfig, err := buildClientConfig(*enabledCipherSuites)
if err != nil {
return nil, nil, err
}
config.ClientAuth = tls.NoClientCert
// Read CA bundle for passing to proxy library
ca, err := certloader.LoadTrustStore(*caBundlePath)
if err != nil {
logger.Printf("error: unable to build TLS config: %s\n", err)
return nil, nil, err
}
config.RootCAs = ca
dialer = http_dialer.New(
*clientConnectProxy,
http_dialer.WithDialer(dialer.(*net.Dialer)),
http_dialer.WithTls(proxyConfig))
}
clientConfig := mustGetClientConfig(tlsConfigSource, config)
d := certloader.DialerWithCertificate(clientConfig, *timeoutDuration, dialer)
return func() (net.Conn, error) { return d.Dial(network, address) }, regoPolicy, nil
}
func proxyLoggerFlags(flags []string) int {
out := proxy.LogEverything
for _, flag := range flags {
switch flag {
case "all":
// Disable all proxy logs
out = 0
case "conns":
// Disable connection logs
out = out & ^proxy.LogConnections
case "conn-errs":
// Disable connection errors logs
out = out & ^proxy.LogConnectionErrors
case "handshake-errs":
// Disable handshake error logs
out = out & ^proxy.LogHandshakeErrors
}
}
return out
}
func getTLSConfigSource(disableAuth bool) (certloader.TLSConfigSource, error) {
if *useWorkloadAPI {
logger.Printf("using SPIFFE Workload API as certificate source")
source, err := certloader.TLSConfigSourceFromWorkloadAPI(*useWorkloadAPIAddr, disableAuth, logger)
if err != nil {
logger.Printf("error: unable to create workload API TLS source: %s\n", err)
return nil, err
}
return source, nil
}
if *serverAutoACMEFQDN != "" {
logger.Printf("using ACME server as certificate source")
acmeConfig := certloader.ACMEConfig{
FQDN: *serverAutoACMEFQDN,
Email: *serverAutoACMEEmail,
TOSAgreed: *serverAutoACMEAgreedTOS,
ProdCAURL: *serverAutoACMEProdCA,
TestCAURL: *serverAutoACMETestCA,
}
source, err := certloader.TLSConfigSourceFromACME(&acmeConfig)
if err != nil {
logger.Printf("error: Unable to load or obtain ACME cert: %s\n", err)
return nil, err
}
return source, nil
}
cert, err := buildCertificate(*keystorePath, *certPath, *keyPath, *keystorePass, *caBundlePath, logger)
if err != nil {
logger.Printf("error: unable to load certificates: %s\n", err)
return nil, err
}
return certloader.TLSConfigSourceFromCertificate(cert, logger), nil
}
func mustGetServerConfig(source certloader.TLSConfigSource, config *tls.Config) certloader.TLSServerConfig {
serverConfig, err := source.GetServerConfig(config)
if err != nil {
panic(err)
}
return serverConfig
}
func mustGetClientConfig(source certloader.TLSConfigSource, config *tls.Config) certloader.TLSClientConfig {
clientConfig, err := source.GetClientConfig(config)
if err != nil {
panic(err)
}
return clientConfig
}