From 4841340b3311fb3678aec7b817e5849b7038a00a Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Mon, 21 Dec 2015 14:47:11 +0000 Subject: [PATCH 1/4] [probe] Use https with scope.weave.works by default --- docker/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index b38721d14d..313bafadcd 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -108,7 +108,7 @@ while true; do shift fi PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE" - echo "scope.weave.works:80" >/etc/weave/apps + echo "scope.weave.works:443" >/etc/weave/apps touch /etc/service/app/down ;; --no-app) From f183590cf4a45c04e7c891ef6089fd2463690c07 Mon Sep 17 00:00:00 2001 From: Alfonso Acosta Date: Mon, 21 Dec 2015 14:50:54 +0000 Subject: [PATCH 2/4] [probe] Only target scope.weave.works implicitly if no app is provided --- docker/entrypoint.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 313bafadcd..a58e0f5bf8 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -67,6 +67,7 @@ weave_expose() { mkdir -p /etc/weave APP_ARGS="" PROBE_ARGS="" +TOKEN_PROVIDED=false if [ "$1" = version ]; then /home/weave/scope version @@ -108,7 +109,7 @@ while true; do shift fi PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE" - echo "scope.weave.works:443" >/etc/weave/apps + TOKEN_PROVIDED=true touch /etc/service/app/down ;; --no-app) @@ -157,7 +158,15 @@ echo "$PROBE_ARGS" >/etc/weave/scope-probe.args # using Weave DNS. We stick these in /etc/weave/apps # for the run-probe script to pick up. MANUAL_APPS=$@ + +# Implicitly target the Scope Service if a service token was provided with +# no explicit manual app. +if [ "$MANUAL_APPS" = "" -a "$TOKEN_PROVIDED" = "true" ]; then + MANUAL_APPS="scope.weave.works:443" +fi + echo "$MANUAL_APPS" >>/etc/weave/apps + exec /home/weave/runsvinit From 840fcb24415756874995282714b9b99beb19a94e Mon Sep 17 00:00:00 2001 
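Review bot: The implicit default `MANUAL_APPS="scope.weave.works:443"` in the last hunk of PATCH 2/4 carries no scheme, so whether the probe actually uses TLS for it depends on the consumer upgrading the scheme from the port number (PATCH 3/4 does this in sanitize.URL for port 443 only); if sanitize.URL accepts an explicit scheme, which is not visible here, `MANUAL_APPS="https://scope.weave.works:443"` would state the intent instead of relying on that heuristic. The `-a` operator inside `[ ... ]` in the same hunk is marked obsolescent by POSIX; `if [ -z "$MANUAL_APPS" ] && [ "$TOKEN_PROVIDED" = true ]; then` is the portable form. The single hunk of PATCH 1/4 is superseded by PATCH 2/4 in this series, and the `TOKEN_PROVIDED` hunks are consistent with each other.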
From: Alfonso Acosta
Date: Mon, 21 Dec 2015 16:12:25 +0000
Subject: [PATCH 3/4] [probe] Make sanitize.URL work with wss

---
 common/sanitize/sanitize.go | 6 +++++-
 xfer/app_client.go | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/common/sanitize/sanitize.go b/common/sanitize/sanitize.go
index fa35b897e6..6f2c081e0b 100644
--- a/common/sanitize/sanitize.go
+++ b/common/sanitize/sanitize.go
@@ -29,7 +29,11 @@ func URL(defaultScheme string, defaultPort int, defaultPath string) func(string)
 		if _, port, err := net.SplitHostPort(u.Host); err != nil && defaultPort > 0 {
 			u.Host += fmt.Sprintf(":%d", defaultPort)
 		} else if port == "443" {
-			u.Scheme = "https"
+			if u.Scheme == "ws" {
+				u.Scheme = "wss"
+			} else {
+				u.Scheme = "https"
+			}
 		}
 		if defaultPath != "" && u.Path != defaultPath {
 			u.Path = defaultPath
diff --git a/xfer/app_client.go b/xfer/app_client.go
index 6043ea2193..023ceb8973 100644
--- a/xfer/app_client.go
+++ b/xfer/app_client.go
@@ -189,7 +189,6 @@ func (c *appClient) controlConnection() (bool, error) {
 	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, "/api/control/ws")(c.target)
 	conn, _, err := dialer.Dial(url, headers)
 	if err != nil {
@@ -273,7 +272,6 @@ func (c *appClient) pipeConnection(id string, pipe Pipe) (bool, error) {
 	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, fmt.Sprintf("/api/pipe/%s/probe", id))(c.target)
 	conn, resp, err := dialer.Dial(url, headers)
 	if resp != nil && resp.StatusCode == http.StatusNotFound {

From 7e87caf3eee8b814907955ac1e5520d5965e9914 Mon Sep 17 00:00:00 2001
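Review bot: The new branch in sanitize.URL upgrades to `wss` only when the scheme is exactly `ws` and the port string is exactly `443`, so a TLS endpoint on any other port keeps the cleartext default scheme unless the caller already supplies one (handling of an explicit scheme is outside the hunk), and nothing in the code records that the port number is the sole signal for TLS. A comment above the `else if`, such as `// A :443 host is taken to mean TLS: ws becomes wss, anything else https.`, would make the heuristic visible to the next caller. The `url :=` context lines in the xfer/app_client.go hunks still pass the literal default `"ws://"`, so the wss upgrade for those connections depends entirely on this port check. The closure returned by URL starts and ends outside the hunk.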
From: Alfonso Acosta Date: Mon, 21 Dec 2015 16:34:46 +0000 Subject: [PATCH 4/4] [probe] Share TLS configuration with websockets --- xfer/app_client.go | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/xfer/app_client.go b/xfer/app_client.go index 023ceb8973..379b936048 100644 --- a/xfer/app_client.go +++ b/xfer/app_client.go @@ -41,10 +41,11 @@ type AppClient interface { type appClient struct { ProbeConfig - quit chan struct{} - mtx sync.Mutex - target string - client http.Client + quit chan struct{} + mtx sync.Mutex + target string + client http.Client + wsDialer websocket.Dialer // Track all the background goroutines, ensure they all stop backgroundWait sync.WaitGroup @@ -74,6 +75,9 @@ func NewAppClient(pc ProbeConfig, hostname, target string, control ControlHandle client: http.Client{ Transport: httpTransport, }, + wsDialer: websocket.Dialer{ + TLSClientConfig: httpTransport.TLSClientConfig, + }, conns: map[string]*websocket.Conn{}, readers: make(chan io.Reader), control: control, @@ -186,11 +190,10 @@ func (c *appClient) doWithBackoff(msg string, f func() (bool, error)) { } func (c *appClient) controlConnection() (bool, error) { - dialer := websocket.Dialer{} headers := http.Header{} c.ProbeConfig.authorizeHeaders(headers) url := sanitize.URL("ws://", 0, "/api/control/ws")(c.target) - conn, _, err := dialer.Dial(url, headers) + conn, _, err := c.wsDialer.Dial(url, headers) if err != nil { return false, err } 
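Review bot: The shared `wsDialer` in the NewAppClient hunk is built with only `TLSClientConfig`, so the websocket handshake has no deadline: `HandshakeTimeout` on websocket.Dialer is left zero, and a stalled TLS or HTTP upgrade in controlConnection (third hunk here) or pipeConnection (the hunk that follows) blocks that goroutine until the peer gives up. Since the http.Client in the same literal is built from httpTransport, giving the dialer the same bound, e.g. `wsDialer: websocket.Dialer{TLSClientConfig: httpTransport.TLSClientConfig, HandshakeTimeout: <TIMEOUT_USED_BY_HTTP_SIDE>}`, keeps the two paths consistent — assuming the HTTP side carries such a timeout, which is outside the hunk. Sharing the `*tls.Config` pointer means whatever verification settings httpTransport was constructed with now also govern the websocket connections, which appears to be the intent; this stays sound as long as the config is not mutated after NewAppClient returns. NewAppClient starts before this hunk; the struct change in the first hunk and both call-site changes agree with each other.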
@@ -269,11 +272,10 @@ func (c *appClient) Publish(r io.Reader) error { } func (c *appClient) pipeConnection(id string, pipe Pipe) (bool, error) { - dialer := websocket.Dialer{} headers := http.Header{} c.ProbeConfig.authorizeHeaders(headers) url := sanitize.URL("ws://", 0, fmt.Sprintf("/api/pipe/%s/probe", id))(c.target) - conn, resp, err := dialer.Dial(url, headers) + conn, resp, err := c.wsDialer.Dial(url, headers) if resp != nil && resp.StatusCode == http.StatusNotFound { // Special handling - 404 means the app/user has closed the pipe pipe.Close()