self-hosted/teleport
self-hosted/teleport
1
0
Fork 0
mirror of https://github.com/gravitational/teleport synced 2024-10-22 10:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
teleport/lib/reversetunnel/remotesite.go

622 lines
17 KiB
Go
Raw Normal View History

Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
/*
Add keep alive support to GRPC clients. This commit turns on KeepAlive support for GRPC clients to make sure that dropped connections are detected properly.
2019-05-02 01:56:42 +00:00
Copyright 2015-2019 Gravitational, Inc.
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
package reversetunnel
import (
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
"context"
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
"fmt"
"net"
"sync"
"time"
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
"golang.org/x/crypto/ssh"
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
"github.com/gravitational/teleport"
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
"github.com/gravitational/teleport/lib/auth"
refactoring
2017-10-06 00:29:31 +00:00
"github.com/gravitational/teleport/lib/services"
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
"github.com/gravitational/teleport/lib/srv/forward"
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
"github.com/gravitational/teleport/lib/utils"
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
"github.com/gravitational/trace"
more work, discovery works
2017-10-08 01:11:03 +00:00
"github.com/jonboulle/clockwork"
log "github.com/sirupsen/logrus"
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
)
refactoring
2017-10-06 00:29:31 +00:00
// remoteSite is a remote site that established the inbound connecton to
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
// the local reverse tunnel server, and now it can provide access to the
// cluster behind it.
type remoteSite struct {
fix data race
2017-10-13 16:11:13 +00:00
sync.RWMutex
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
*log.Entry
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
domainName string
connections []*remoteConn
lastUsed int
srv *server
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// connInfo represents the connection to the remote cluster.
connInfo services.TunnelConnection
// lastConnInfo is the last connInfo.
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
lastConnInfo services.TunnelConnection
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
ctx context.Context
cancel context.CancelFunc
clock clockwork.Clock
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
// certificateCache caches host certificates for the forwarding server.
certificateCache *certificateCache
// localClient provides access to the Auth Server API of the cluster
// within which reversetunnel.Server is running.
localClient auth.ClientI
// remoteClient provides access to the Auth Server API of the remote cluster that
// this site belongs to.
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
remoteClient auth.ClientI
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
// localAccessPoint provides access to a cached subset of the Auth Server API of
// the local cluster.
localAccessPoint auth.AccessPoint
// remoteAccessPoint provides access to a cached subset of the Auth Server API of
// the remote cluster this site belongs to.
remoteAccessPoint auth.AccessPoint
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
// remoteCA is the last remote certificate authority recorded by the client.
// It is used to detect CA rotation status changes. If the rotation
// state has been changed, the tunnel will reconnect to re-create the client
// with new settings.
remoteCA services.CertAuthority
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
// offlineThreshold is how long to wait for a keep alive message before
// marking a reverse tunnel connection as invalid.
offlineThreshold time.Duration
Sasha High Availability.
2017-04-07 23:51:31 +00:00
}
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
func (s *remoteSite) getRemoteClient() (auth.ClientI, bool, error) {
// check if all cert authorities are initiated and if everything is OK
ca, err := s.srv.localAccessPoint.GetCertAuthority(services.CertAuthID{Type: services.HostCA, DomainName: s.domainName}, false)
if err != nil {
return nil, false, trace.Wrap(err)
}
keys := ca.GetTLSKeyPairs()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// The fact that cluster has keys to remote CA means that the key exchange
// has completed.
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
if len(keys) != 0 {
s.Debugf("Using TLS client to remote cluster.")
pool, err := services.CertPool(ca)
if err != nil {
return nil, false, trace.Wrap(err)
}
tlsConfig := s.srv.ClientTLS.Clone()
tlsConfig.RootCAs = pool
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
// encode the name of this cluster to identify this cluster,
// connecting to the remote one (it is used to find the right certificate
// authority to verify)
tlsConfig.ServerName = auth.EncodeClusterName(s.srv.ClusterName)
Add keep alive support to GRPC clients. This commit turns on KeepAlive support for GRPC clients to make sure that dropped connections are detected properly.
2019-05-02 01:56:42 +00:00
clt, err := auth.NewTLSClient(auth.ClientConfig{
Simplify IOT reverse tunnel logic. In case of IOT (whenever teleport nodes are connecting to the proxy), there is no need to create ReverseTunnel objects in the backend, as there is always one reverse tunnel per node. This commit removes the logic that created reverse tunnel object in the backed in IOT cases and refactors some other parts of the code.
2019-05-03 04:34:15 +00:00
Dialer: auth.ContextDialerFunc(s.authServerContextDialer),
TLS: tlsConfig,
Add keep alive support to GRPC clients. This commit turns on KeepAlive support for GRPC clients to make sure that dropped connections are detected properly.
2019-05-02 01:56:42 +00:00
})
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
if err != nil {
return nil, false, trace.Wrap(err)
}
return clt, false, nil
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
return nil, false, trace.BadParameter("no TLS keys found")
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
}
func (s *remoteSite) authServerContextDialer(ctx context.Context, network, address string) (net.Conn, error) {
return s.DialAuthServer()
}
Add readyz endpoint and clusters metrics. This commit fixes #1610. New readyz endpoint is added to existing /metrics and /healthz endpoints activated by diag addr-flag: `teleport start --diag-addr=127.0.0.1:1234` Readyz endpoint will report 503 if node or proxy failed to connect to the cluster and 200 OK otherwise. Additional prometheus gagues report connection count for trusted and remote clusters: ``` remote_clusters{cluster="one"} 1 remote_clusters{cluster="two"} 1 trusted_clusters{cluster="one",state="connected"} 0 trusted_clusters{cluster="one",state="connecting"} 0 trusted_clusters{cluster="one",state="disconnected"} 0 trusted_clusters{cluster="one",state="discovered"} 1 trusted_clusters{cluster="one",state="discovering"} 0 ```
2018-07-21 01:50:29 +00:00
// GetTunnelsCount always returns 0 for local cluster
func (s *remoteSite) GetTunnelsCount() int {
return s.connectionCount()
}
Sasha High Availability.
2017-04-07 23:51:31 +00:00
func (s *remoteSite) CachingAccessPoint() (auth.AccessPoint, error) {
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
return s.remoteAccessPoint, nil
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
func (s *remoteSite) GetClient() (auth.ClientI, error) {
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
return s.remoteClient, nil
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
func (s *remoteSite) String() string {
return fmt.Sprintf("remoteSite(%v)", s.domainName)
}
func (s *remoteSite) connectionCount() int {
fix data race
2017-10-13 16:11:13 +00:00
s.RLock()
defer s.RUnlock()
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
return len(s.connections)
}
fix tests
2017-10-12 23:51:18 +00:00
func (s *remoteSite) hasValidConnections() bool {
fix data race
2017-10-13 16:11:13 +00:00
s.RLock()
defer s.RUnlock()
fix tests
2017-10-12 23:51:18 +00:00
for _, conn := range s.connections {
if !conn.isInvalid() {
return true
}
}
return false
}
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
// Clos closes remote cluster connections
func (s *remoteSite) Close() error {
s.Lock()
defer s.Unlock()
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
s.cancel()
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
for i := range s.connections {
s.connections[i].Close()
}
s.connections = []*remoteConn{}
return nil
}
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// nextConn returns next connection that is ready
// and has not been marked as invalid
// it will close connections marked as invalid
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
func (s *remoteSite) nextConn() (*remoteConn, error) {
s.Lock()
defer s.Unlock()
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.removeInvalidConns()
for i := 0; i < len(s.connections); i++ {
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
s.lastUsed = (s.lastUsed + 1) % len(s.connections)
remoteConn := s.connections[s.lastUsed]
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
// connection could have been initated, but agent
// on the other side is not ready yet.
// Proxy assumes that connection is ready to serve when
// it has received a first heartbeat, otherwise
// it could attempt to use it before the agent
// had a chance to start handling connection requests,
// what could lead to proxy marking the connection
// as invalid without a good reason.
if remoteConn.isReady() {
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
return remoteConn, nil
}
}
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
return nil, trace.NotFound("%v is offline: no active tunnels to %v found", s.GetName(), s.srv.ClusterName)
}
// removeInvalidConns removes connections marked as invalid,
// it should be called only under write lock
func (s *remoteSite) removeInvalidConns() {
// for first pass, do nothing if no connections are marked
count := 0
for _, conn := range s.connections {
if conn.isInvalid() {
count++
}
}
if count == 0 {
return
}
s.lastUsed = 0
conns := make([]*remoteConn, 0, len(s.connections)-count)
for i := range s.connections {
if !s.connections[i].isInvalid() {
conns = append(conns, s.connections[i])
} else {
go s.connections[i].Close()
}
}
s.connections = conns
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
// addConn helper adds a new active remote cluster connection to the list
// of such connections
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
func (s *remoteSite) addConn(conn net.Conn, sconn ssh.Conn) (*remoteConn, error) {
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
s.Lock()
defer s.Unlock()
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
rconn := newRemoteConn(&connConfig{
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
conn: conn,
sconn: sconn,
accessPoint: s.localAccessPoint,
tunnelType: string(services.ProxyTunnel),
proxyName: s.connInfo.GetProxyName(),
clusterName: s.domainName,
offlineThreshold: s.offlineThreshold,
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
})
s.connections = append(s.connections, rconn)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
s.lastUsed = 0
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
return rconn, nil
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
func (s *remoteSite) GetStatus() string {
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
connInfo, err := s.getLastConnInfo()
refactoring
2017-10-06 00:29:31 +00:00
if err != nil {
Add support for remote_cluster, implements #1526 This commit adds remote cluster resource that specifies connection and trust of the remote trusted cluster to the local cluster. Deleting remote cluster resource deletes trust established between clusters on the local cluster side and terminates all reverse tunnel connections. Migrations make sure that remote cluster resources exist after upgrade of the auth server.
2017-12-28 02:51:46 +00:00
return teleport.RemoteClusterStatusOffline
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
return services.TunnelConnectionStatus(s.clock, connInfo, s.offlineThreshold)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
fix data race
2017-10-13 16:11:13 +00:00
func (s *remoteSite) copyConnInfo() services.TunnelConnection {
s.RLock()
defer s.RUnlock()
return s.connInfo.Clone()
}
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
func (s *remoteSite) setLastConnInfo(connInfo services.TunnelConnection) {
s.Lock()
defer s.Unlock()
s.lastConnInfo = connInfo.Clone()
}
func (s *remoteSite) getLastConnInfo() (services.TunnelConnection, error) {
s.RLock()
defer s.RUnlock()
if s.lastConnInfo == nil {
return nil, trace.NotFound("no last connection found")
}
return s.lastConnInfo.Clone(), nil
}
refactoring
2017-10-06 00:29:31 +00:00
func (s *remoteSite) registerHeartbeat(t time.Time) {
fix data race
2017-10-13 16:11:13 +00:00
connInfo := s.copyConnInfo()
connInfo.SetLastHeartbeat(t)
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
connInfo.SetExpiry(s.clock.Now().Add(s.offlineThreshold))
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
s.setLastConnInfo(connInfo)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
err := s.localAccessPoint.UpsertTunnelConnection(connInfo)
refactoring
2017-10-06 00:29:31 +00:00
if err != nil {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.Warningf("Failed to register heartbeat: %v.", err)
refactoring
2017-10-06 00:29:31 +00:00
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
fix tests
2017-10-12 23:51:18 +00:00
// deleteConnectionRecord deletes connection record to let know peer proxies
// that this node lost the connection and needs to be discovered
func (s *remoteSite) deleteConnectionRecord() {
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
s.localAccessPoint.DeleteTunnelConnection(s.connInfo.GetClusterName(), s.connInfo.GetName())
fix tests
2017-10-12 23:51:18 +00:00
}
Refactor discovery protocol. This commit refactor discovery protocol to make it less dependent on the database and scale better on large numbers of tunnels. Reverse tunnel is now always sending back the list of all proxies registered in the cluster in the form of discovery requests. Before this commit, reverse tunnel server was comparing existing TunnelConnection with the Proxies and sending back the list of proxies that were not discovered. This required nodes to register tunnel connections in the database and servers poll the connections. On 10K clusters this is not scalable. Instead, the change assumes that there is not a lot of proxies so it's OK to send the information about them back to all connected agents. Agent pools can make up their own mind about what to do with the information - they can ignore the request as long as they observe all agents connected to the requested proxies. At the same time, to avoid using too much traffic, reverse tunnel server only sends the discovery requests after the first agent heartbeat and in case if proxy list changes. To make it possible reverse tunnel sets up a watch on the proxies.
2019-05-09 21:34:32 +00:00
// fanOutProxies is a non-blocking call that puts the new proxies
// list so that remote connection can notify the remote agent
// about the list update
func (s *remoteSite) fanOutProxies(proxies []services.Server) {
s.Lock()
defer s.Unlock()
for _, conn := range s.connections {
if err := conn.updateProxies(proxies); err != nil {
conn.markInvalid(err)
}
}
}
update according to code review comments
2017-10-14 02:26:49 +00:00
// handleHearbeat receives heartbeat messages from the connected agent
// if the agent has missed several heartbeats in a row, Proxy marks
// the connection as invalid.
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
func (s *remoteSite) handleHeartbeat(conn *remoteConn, ch ssh.Channel, reqC <-chan *ssh.Request) {
defer func() {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.Infof("Cluster connection closed.")
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
conn.Close()
}()
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
Refactor discovery protocol. This commit refactor discovery protocol to make it less dependent on the database and scale better on large numbers of tunnels. Reverse tunnel is now always sending back the list of all proxies registered in the cluster in the form of discovery requests. Before this commit, reverse tunnel server was comparing existing TunnelConnection with the Proxies and sending back the list of proxies that were not discovered. This required nodes to register tunnel connections in the database and servers poll the connections. On 10K clusters this is not scalable. Instead, the change assumes that there is not a lot of proxies so it's OK to send the information about them back to all connected agents. Agent pools can make up their own mind about what to do with the information - they can ignore the request as long as they observe all agents connected to the requested proxies. At the same time, to avoid using too much traffic, reverse tunnel server only sends the discovery requests after the first agent heartbeat and in case if proxy list changes. To make it possible reverse tunnel sets up a watch on the proxies.
2019-05-09 21:34:32 +00:00
firstHeartbeat := true
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
for {
select {
introduce curiosity protocol and fix logs
2017-10-06 22:38:15 +00:00
case <-s.ctx.Done():
s.Infof("closing")
return
Refactor discovery protocol. This commit refactor discovery protocol to make it less dependent on the database and scale better on large numbers of tunnels. Reverse tunnel is now always sending back the list of all proxies registered in the cluster in the form of discovery requests. Before this commit, reverse tunnel server was comparing existing TunnelConnection with the Proxies and sending back the list of proxies that were not discovered. This required nodes to register tunnel connections in the database and servers poll the connections. On 10K clusters this is not scalable. Instead, the change assumes that there is not a lot of proxies so it's OK to send the information about them back to all connected agents. Agent pools can make up their own mind about what to do with the information - they can ignore the request as long as they observe all agents connected to the requested proxies. At the same time, to avoid using too much traffic, reverse tunnel server only sends the discovery requests after the first agent heartbeat and in case if proxy list changes. To make it possible reverse tunnel sets up a watch on the proxies.
2019-05-09 21:34:32 +00:00
case proxies := <-conn.newProxiesC:
req := discoveryRequest{
ClusterName: s.srv.ClusterName,
Type: string(conn.tunnelType),
Proxies: proxies,
}
if err := conn.sendDiscoveryRequest(req); err != nil {
s.Debugf("Marking connection invalid on error: %v.", err)
conn.markInvalid(err)
return
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
case req := <-reqC:
if req == nil {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.Infof("Cluster agent disconnected.")
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
conn.markInvalid(trace.ConnectionProblem(nil, "agent disconnected"))
fix tests
2017-10-12 23:51:18 +00:00
if !s.hasValidConnections() {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.Debugf("Deleting connection record.")
fix tests
2017-10-12 23:51:18 +00:00
s.deleteConnectionRecord()
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
return
}
Refactor discovery protocol. This commit refactor discovery protocol to make it less dependent on the database and scale better on large numbers of tunnels. Reverse tunnel is now always sending back the list of all proxies registered in the cluster in the form of discovery requests. Before this commit, reverse tunnel server was comparing existing TunnelConnection with the Proxies and sending back the list of proxies that were not discovered. This required nodes to register tunnel connections in the database and servers poll the connections. On 10K clusters this is not scalable. Instead, the change assumes that there is not a lot of proxies so it's OK to send the information about them back to all connected agents. Agent pools can make up their own mind about what to do with the information - they can ignore the request as long as they observe all agents connected to the requested proxies. At the same time, to avoid using too much traffic, reverse tunnel server only sends the discovery requests after the first agent heartbeat and in case if proxy list changes. To make it possible reverse tunnel sets up a watch on the proxies.
2019-05-09 21:34:32 +00:00
if firstHeartbeat {
// as soon as the agent connects and sends a first heartbeat
// send it the list of current proxies back
current := s.srv.proxyWatcher.GetCurrent()
if len(current) > 0 {
conn.updateProxies(current)
}
firstHeartbeat = false
}
before refactoring
2017-10-09 01:07:01 +00:00
var timeSent time.Time
var roundtrip time.Duration
if req.Payload != nil {
if err := timeSent.UnmarshalText(req.Payload); err == nil {
roundtrip = s.srv.Clock.Now().Sub(timeSent)
}
}
if roundtrip != 0 {
Refactor discovery protocol. This commit refactor discovery protocol to make it less dependent on the database and scale better on large numbers of tunnels. Reverse tunnel is now always sending back the list of all proxies registered in the cluster in the form of discovery requests. Before this commit, reverse tunnel server was comparing existing TunnelConnection with the Proxies and sending back the list of proxies that were not discovered. This required nodes to register tunnel connections in the database and servers poll the connections. On 10K clusters this is not scalable. Instead, the change assumes that there is not a lot of proxies so it's OK to send the information about them back to all connected agents. Agent pools can make up their own mind about what to do with the information - they can ignore the request as long as they observe all agents connected to the requested proxies. At the same time, to avoid using too much traffic, reverse tunnel server only sends the discovery requests after the first agent heartbeat and in case if proxy list changes. To make it possible reverse tunnel sets up a watch on the proxies.
2019-05-09 21:34:32 +00:00
s.WithFields(log.Fields{"latency": roundtrip}).Debugf("Ping <- %v.", conn.conn.RemoteAddr())
before refactoring
2017-10-09 01:07:01 +00:00
} else {
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
s.Debugf("Ping <- %v.", conn.conn.RemoteAddr())
before refactoring
2017-10-09 01:07:01 +00:00
}
Use in-memory cache for the auth server API. This commit expands the usage of the caching layer for auth server API: * Introduces in-memory cache that is used to serve all Auth server API requests. This is done to achieve scalability on 10K+ node clusters, where each node fetches certificate authorities, roles, users and join tokens. It is not possible to scale DynamoDB backend or other backends on 10K reads per seconds on a single shard or partition. The solution is to introduce an in-memory cache of the backend state that is always used for reads. * In-memory cache has been expanded to support all resources required by the auth server. * Experimental `tctl top` command has been introduced to display common single node metrics. Replace SQLite Memory Backend with BTree SQLite in memory backend was suffering from high tail latencies under load (up to 8 seconds in 99.9%-ile on load configurations). This commit replaces the SQLite memory caching backend with in-memory BTree backend that brought down tail latencies to 2 seconds (99.9%-ile) and brought overall performance improvement.
2018-12-12 00:22:44 +00:00
tm := time.Now().UTC()
conn.setLastHeartbeat(tm)
go s.registerHeartbeat(tm)
Configurable timeout for tunnel offline threshold. Added support for a configurable offline threshold based off the keep alive interval and max count for marking a connection from an agent as offline.
2019-05-21 22:48:41 +00:00
// Note that time.After is re-created everytime a request is processed.
case <-time.After(s.offlineThreshold):
conn.markInvalid(trace.ConnectionProblem(nil, "no heartbeats for %v", s.offlineThreshold))
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
}
}
func (s *remoteSite) GetName() string {
return s.domainName
}
func (s *remoteSite) GetLastConnected() time.Time {
Detect remote cluster by SNI name This commit improves performance of teleport with hundreds of connected trusted clusters. TLS handshake protocol expects server to send a list of trusted certificate authorities to the client and client must present certificate signed by those. With Teleport current implementation, every remote cluster client is signed by local certificate and is not cross signed. Auth server now expects clients to announce the remote cluster they are connecting from using SNI. Auth server will send only certificate authorities of the cluster announced via SNI. Alternative idea is to cross sign the certificate of the client of the remote cluster. We will explore this idea in the next releases. This commit also removes unnecessary reads from the database to check the remote server status that slows down user interface and other clients. This is done at the expense of proxies showing servers as offline in case if this individual proxy does not have the connection, although it's a small UI price to pay for not reading the database, as proxy will eventually get the connection thanks to the discovery protocol.
2018-09-21 20:07:48 +00:00
connInfo, err := s.getLastConnInfo()
refactoring
2017-10-06 00:29:31 +00:00
if err != nil {
return time.Time{}
}
return connInfo.GetLastHeartbeat()
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
func (s *remoteSite) compareAndSwapCertAuthority(ca services.CertAuthority) error {
s.Lock()
defer s.Unlock()
if s.remoteCA == nil {
s.remoteCA = ca
return nil
}
rotation := s.remoteCA.GetRotation()
if rotation.Matches(ca.GetRotation()) {
s.remoteCA = ca
return nil
}
s.remoteCA = ca
return trace.CompareFailed("remote certificate authority rotation has been updated")
}
// updateCertAuthorities updates local and remote cert authorities
func (s *remoteSite) updateCertAuthorities() error {
// update main cluster cert authorities on the remote side
// remote side makes sure that only relevant fields
// are updated
hostCA, err := s.localClient.GetCertAuthority(services.CertAuthID{
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
Type: services.HostCA,
DomainName: s.srv.ClusterName,
}, false)
if err != nil {
return trace.Wrap(err)
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
err = s.remoteClient.RotateExternalCertAuthority(hostCA)
if err != nil {
return trace.Wrap(err)
}
userCA, err := s.localClient.GetCertAuthority(services.CertAuthID{
Type: services.UserCA,
DomainName: s.srv.ClusterName,
}, false)
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
if err != nil {
return trace.Wrap(err)
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
err = s.remoteClient.RotateExternalCertAuthority(userCA)
if err != nil {
return trace.Wrap(err)
}
// update remote cluster's host cert authoritiy on a local cluster
// local proxy is authorized to perform this operation only for
// host authorities of remote clusters.
remoteCA, err := s.remoteClient.GetCertAuthority(services.CertAuthID{
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
Type: services.HostCA,
DomainName: s.domainName,
}, false)
if err != nil {
return trace.Wrap(err)
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
if remoteCA.GetClusterName() != s.domainName {
return trace.BadParameter(
"remote cluster sent different cluster name %v instead of expected one %v",
remoteCA.GetClusterName(), s.domainName)
}
err = s.localClient.UpsertCertAuthority(remoteCA)
if err != nil {
return trace.Wrap(err)
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
}
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
return s.compareAndSwapCertAuthority(remoteCA)
}
func (s *remoteSite) periodicUpdateCertAuthorities() {
s.Debugf("Ticking with period %v", s.srv.PollingPeriod)
ticker := time.NewTicker(s.srv.PollingPeriod)
defer ticker.Stop()
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
for {
select {
case <-s.ctx.Done():
s.Debugf("Context is closing.")
return
case <-ticker.C:
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
err := s.updateCertAuthorities()
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
if err != nil {
Teleport certificate authority rotation. This commit implements #1860 During the the rotation procedure issuing TLS and SSH certificate authorities are re-generated and all internal components of the cluster re-register to get new credentials. The rotation procedure is based on a distributed state machine algorithm - certificate authorities have explicit rotation state and all parts of the cluster sync local state machines by following transitions between phases. Operator can launch CA rotation in auto or manual modes. In manual mode operator moves cluster bewtween rotation states and watches the states of the components to sync. In auto mode state transitions are happening automatically on a specified schedule. The design documentation is embedded in the code: lib/auth/rotate.go
2018-04-08 21:37:33 +00:00
switch {
case trace.IsNotFound(err):
s.Debugf("Remote cluster %v does not support cert authorities rotation yet.", s.domainName)
case trace.IsCompareFailed(err):
s.Infof("Remote cluster has updated certificate authorities, going to force reconnect.")
s.srv.RemoveSite(s.domainName)
s.Close()
return
case trace.IsConnectionProblem(err):
s.Debugf("Remote cluster %v is offline.", s.domainName)
default:
s.Warningf("Could not perform cert authorities updated: %v.", trace.DebugReport(err))
}
Mutual TLS Auth server and clients. This commit introduced mutual TLS authentication for auth server API server. Auth server multiplexes HTTP over SSH - existing protocol and HTTP over TLS - new protocol on the same listening socket. Nodes and users authenticate with 2.5.0 Teleport using TLS mutual TLS except backwards-compatibility cases.
2017-11-25 01:09:11 +00:00
}
}
}
}
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
func (s *remoteSite) DialAuthServer() (net.Conn, error) {
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
return s.connThroughTunnel(&dialReq{
Address: RemoteAuthServer,
})
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
// Dial is used to connect a requesting client (say, tsh) to an SSH server
// located in a remote connected site, the connection goes through the
// reverse proxy tunnel.
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
func (s *remoteSite) Dial(params DialParams) (net.Conn, error) {
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
clusterConfig, err := s.localAccessPoint.GetClusterConfig()
if err != nil {
return nil, trace.Wrap(err)
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
// If the proxy is in recording mode use the agent to dial and build a
// in-memory forwarding server.
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
if clusterConfig.GetSessionRecording() == services.RecordAtProxy {
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
if params.UserAgent == nil {
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
return nil, trace.BadParameter("user agent missing")
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
return s.dialWithAgent(params)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
}
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
return s.DialTCP(params)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
}
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
func (s *remoteSite) DialTCP(params DialParams) (net.Conn, error) {
s.Debugf("Dialing from %v to %v.", params.From, params.To)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
conn, err := s.connThroughTunnel(&dialReq{
Only pass hostUUID.clusterName in in Dial requests. In the proxy subsystem, pass ServerID (hostUUID.clusterName) when calling Dial on a cluster instead of passing SearchNames (list of principals). Passing SearchNames was ununnecessary, nodes only register themselves by serverID (hostUUID.clusterName) and looking up SearchNames could lead to bugs.
2019-06-05 23:25:13 +00:00
Address: params.To.String(),
ServerID: params.ServerID,
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
})
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
if err != nil {
return nil, trace.Wrap(err)
}
return conn, nil
}
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
func (s *remoteSite) dialWithAgent(params DialParams) (net.Conn, error) {
s.Debugf("Dialing with an agent from %v to %v.", params.From, params.To)
// Get a host certificate for the forwarding node from the cache.
Only pass hostUUID.clusterName in in Dial requests. In the proxy subsystem, pass ServerID (hostUUID.clusterName) when calling Dial on a cluster instead of passing SearchNames (list of principals). Passing SearchNames was ununnecessary, nodes only register themselves by serverID (hostUUID.clusterName) and looking up SearchNames could lead to bugs.
2019-06-05 23:25:13 +00:00
hostCertificate, err := s.certificateCache.GetHostCertificate(params.Address, params.Principals)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
if err != nil {
return nil, trace.Wrap(err)
}
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
targetConn, err := s.connThroughTunnel(&dialReq{
Only pass hostUUID.clusterName in in Dial requests. In the proxy subsystem, pass ServerID (hostUUID.clusterName) when calling Dial on a cluster instead of passing SearchNames (list of principals). Passing SearchNames was ununnecessary, nodes only register themselves by serverID (hostUUID.clusterName) and looking up SearchNames could lead to bugs.
2019-06-05 23:25:13 +00:00
Address: params.To.String(),
ServerID: params.ServerID,
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
})
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
if err != nil {
return nil, trace.Wrap(err)
}
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
// Create a forwarding server that serves a single SSH connection on it. This
// server does not need to close, it will close and release all resources
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
// once conn is closed.
//
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
// Note: A localClient is passed to the forwarding server to make sure the
// session gets recorded in the local cluster instead of the remote cluster.
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
serverConfig := forward.ServerConfig{
AuthClient: s.localClient,
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
UserAgent: params.UserAgent,
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
TargetConn: targetConn,
Validate host certificates in both tsh as well as the recording proxy. Add IP addresses to host certificate.
2018-11-20 01:36:19 +00:00
SrcAddr: params.From,
DstAddr: params.To,
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
HostCertificate: hostCertificate,
Added integration tests and minor fixes.
2017-12-13 02:17:18 +00:00
Ciphers: s.srv.Config.Ciphers,
KEXAlgorithms: s.srv.Config.KEXAlgorithms,
MACAlgorithms: s.srv.Config.MACAlgorithms,
External events and sessions storage. Updates #1755 Design ------ This commit adds support for pluggable events and sessions recordings and adds several plugins. In case if external sessions recording storage is used, nodes or proxies depending on configuration store the session recordings locally and then upload the recordings in the background. Non-print session events are always sent to the remote auth server as usual. In case if remote events storage is used, auth servers download recordings from it during playbacks. DynamoDB event backend ---------------------- Transient DynamoDB backend is added for events storage. Events are stored with default TTL of 1 year. External lambda functions should be used to forward events from DynamoDB. Parameter audit_table_name in storage section turns on dynamodb backend. The table will be auto created. S3 sessions backend ------------------- If audit_sessions_uri is specified to s3://bucket-name node or proxy depending on recording mode will start uploading the recorded sessions to the bucket. If the bucket does not exist, teleport will attempt to create a bucket with versioning and encryption turned on by default. Teleport will turn on bucket-side encryption for the tarballs using aws:kms key. File sessions backend --------------------- If audit_sessions_uri is specified to file:///folder teleport will start writing tarballs to this folder instead of sending records to the file server. This is helpful for plugin writers who can use fuse or NFS mounted storage to handle the data. Working dynamic configuration.
2018-03-04 02:26:44 +00:00
DataDir: s.srv.Config.DataDir,
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
Address: params.Address,
UseTunnel: targetConn.UseTunnel(),
Only check certificate algorithms in FIPS mode. Update utils.CertChecker to only check key and certificate algorithms when in FIPS mode. Otherwise accept keys and certificates generated with any algorithm.
2019-07-25 21:36:11 +00:00
FIPS: s.srv.FIPS,
Always emit session related events with host UUID. When emitting session related events, emit them with the ID of the host not of the server. This is because the forwarding server has a randomly generated ID that will note validate with TLS identity that connects to the Auth Server.
2019-09-05 23:37:42 +00:00
HostUUID: s.srv.ID,
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
}
remoteServer, err := forward.New(serverConfig)
if err != nil {
return nil, trace.Wrap(err)
}
go remoteServer.Serve()
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
// Return a connection to the forwarding server.
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
conn, err := remoteServer.Dial()
if err != nil {
return nil, trace.Wrap(err)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
return conn, nil
}
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
func (s *remoteSite) connThroughTunnel(req *dialReq) (*utils.ChConn, error) {
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
var err error
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
Only pass hostUUID.clusterName in in Dial requests. In the proxy subsystem, pass ServerID (hostUUID.clusterName) when calling Dial on a cluster instead of passing SearchNames (list of principals). Passing SearchNames was ununnecessary, nodes only register themselves by serverID (hostUUID.clusterName) and looking up SearchNames could lead to bugs.
2019-06-05 23:25:13 +00:00
s.Debugf("Requesting connection to %v [%v] in remote cluster.",
req.Address, req.ServerID)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// Loop through existing remote connections and try and establish a
// connection over the "reverse tunnel".
for i := 0; i < s.connectionCount(); i++ {
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
conn, err := s.chanTransportConn(req)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
if err == nil {
return conn, nil
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
s.Warnf("Request for connection to remote site failed: %v.", err)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
// Didn't connect and no error? This means we didn't have any connected
// tunnels to try.
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
if err == nil {
refactoring
2017-10-06 00:29:31 +00:00
err = trace.ConnectionProblem(nil, "%v is offline", s.GetName())
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
return nil, err
}
Connect to tunnel nodes through recording proxy. Pass connection to target node, even if it's a node connected over a reverse tunnel, to the forwarding server.
2019-06-10 21:38:56 +00:00
func (s *remoteSite) chanTransportConn(req *dialReq) (*utils.ChConn, error) {
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
rconn, err := s.nextConn()
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
if err != nil {
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
return nil, trace.Wrap(err)
Updated reverse tunnel to allow use to forwarding server.
2017-12-05 01:51:59 +00:00
}
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
conn, markInvalid, err := connectProxyTransport(rconn.sconn, req)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
if err != nil {
Support dial back nodes with Trusted Clusters. Instantiate agent pool (and agent) with a reference to the reverse tunnel server. Pass list of principals to agents when initiating a transport dial request. The above two changes allow the agent to look up principals in local site when attempting to connect to a node within a trusted cluster.
2019-04-30 01:19:22 +00:00
if markInvalid {
rconn.markInvalid(err)
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
return nil, trace.Wrap(err)
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Added support for nodes dialing back to cluster. Updated services.ReverseTunnel to support type (proxy or node). For proxy types, which represent trusted cluster connections, when a services.ReverseTunnel is created, it's created on the remote side with name /reverseTunnels/example.com. For node types, services.ReverseTunnel is created on the main side as /reverseTunnels/{nodeUUID}.clusterName. Updated services.TunnelConn to support type (proxy or node). For proxy types, which represent trusted cluster connections, tunnel connections are created on the main side under /tunnelConnections/remote.example.com/{proxyUUID}-remote.example.com. For nodes, tunnel connections are created on the main side under /tunnelConnections/example.com/{proxyUUID}-example.com. This allows searching for tunnel connections by cluster then allows easily creating a set of proxies that are missing matching services.TunnelConn. The reverse tunnel server has been updated to handle heartbeats from proxies as well as nodes. Proxy heartbeat behavior has not changed. Heartbeats from nodes now add remote connections to the matching local site. In addition, the reverse tunnel server now proxies connection to the Auth Server for requests that are already authenticated (a second authentication to the Auth Server is required). For registration, nodes try and connect to the Auth Server to fetch host credentials. Upon failure, nodes now try and fallback to fetching host credentials from the web proxy. To establish a connection to an Auth Server, nodes first try and connect directly, and if the connection fails, fallback to obtaining a connection to the Auth Server through the reverse tunnel. If a connection is established directly, node startup behavior has not changed. If a node establishes a connection through the reverse tunnel, it creates an AgentPool that attempts to dial back to the cluster and establish a reverse tunnel. When nodes heartbeat, they also heartbeat if they are connected directly to the cluster or through a reverse tunnel. For nodes that are connected through a reverse tunnel, the proxy subsystem now directs the reverse tunnel server to establish a connection through the reverse tunnel instead of directly. When sending discovery requests, the domain field has been replaced with tunnelID. The tunnelID field is either the cluster name (same as before) for proxies, or {nodeUUID}.example.com for nodes.
2019-04-26 20:51:59 +00:00
return conn, nil
Semi-serious connection overhaul of Teleport SSH - Added idle timeout handling to every SSH connection. - A bit of code refactoring (removing unused code paths) Most importantly: Added a custom SSH handshake between SSH Teleport proxies and SSH Teleport servers. This handshake sends a custom JSON payload from a proxy to a server, allowing to exchange additional information, like the true IP of a client.
2016-12-30 09:21:28 +00:00
}
Reference in a new issue Copy permalink