diff --git a/Dockerfile.dind b/Dockerfile.dind
index 480b044..9faa149 100644
--- a/Dockerfile.dind
+++ b/Dockerfile.dind
@@ -33,7 +33,7 @@ WORKDIR /root
 # Remove IPv6 alias for localhost and start docker in the background ...
 CMD cat /etc/hosts >/etc/hosts.bak && \
     sed 's/^::1.*//' /etc/hosts.bak > /etc/hosts && \
-    dockerd -g /graph --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 \
+    dockerd --experimental -g /graph --host=unix:///var/run/docker.sock --host=tcp://0.0.0.0:2375 \
     --storage-driver=$DOCKER_STORAGE_DRIVER &>/docker.log & \
     while true ; do /bin/bash ; done
 # ... and then put a shell in the foreground, restarting it if it exits
diff --git a/api.go b/api.go
index ce5f99a..40e230c 100644
--- a/api.go
+++ b/api.go
@@ -1,9 +1,12 @@
 package main
 import (
+	"crypto/tls"
+	"fmt"
 	"log"
 	"net/http"
 	"os"
+	"strings"
 	"flag"
 	"strconv"
@@ -17,8 +20,12 @@ import (
 )
 func main() {
-	var portNumber int
+	var sslPortNumber, portNumber int
+	var key, cert string
 	flag.IntVar(&portNumber, "port", 3000, "Give a TCP port to run the application")
+	flag.IntVar(&sslPortNumber, "sslPort", 3001, "Give a SSL TCP port")
+	flag.StringVar(&key, "key", "./pwd/server-key.pem", "Server key for SSL")
+	flag.StringVar(&cert, "cert", "./pwd/server.pem", "Give a SSL cert")
 	flag.Parse()
 	bypassCaptcha := len(os.Getenv("GOOGLE_RECAPTCHA_DISABLED")) > 0
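Review bot: `--experimental` is added to the dockerd command line with no comment recording which experimental feature this image depends on, and the same daemon listens on `tcp://0.0.0.0:2375` on the same line, so whatever experimental API surface the flag enables is presumably reachable over that socket as well. A one-line comment above the CMD such as `# --experimental: required for <FEATURE-PLACEHOLDER> (see <ISSUE-PLACEHOLDER>)` would let the flag be dropped again once that feature stabilises.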
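Review bot: The new `key` and `cert` flags are declared and parsed here but nothing in this commit reads them — the TLS server added later in this file calls `s.ListenAndServeTLS("", "")` and serves only per-instance certificates from `GetCertificate` — so the documented defaults `./pwd/server-key.pem` and `./pwd/server.pem` promise a fallback certificate that is never loaded. Either wire them into `s.TLSConfig.Certificates` as the fallback for handshakes whose SNI matches no instance, or drop the two flags until they are used. The usage strings are also inconsistent (`"Server key for SSL"` vs `"Give a SSL cert"`); main's body continues past the end of this hunk.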
@@ -36,14 +43,31 @@ func main() {
 	// Reverse proxy (needs to be the first route, to make sure it is the first thing we check)
 	proxyHandler := handlers.NewMultipleHostReverseProxy()
+
+	// Specific routes
 	r.Host(`{node:ip[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}}-{port:[0-9]*}.{tld:.*}`).Handler(proxyHandler)
 	r.Host(`{node:ip[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}}.{tld:.*}`).Handler(proxyHandler)
+	r.HandleFunc("/ping", handlers.Ping).Methods("GET")
+	r.HandleFunc("/sessions/{sessionId}", handlers.GetSession).Methods("GET")
+	r.HandleFunc("/sessions/{sessionId}/instances", handlers.NewInstance).Methods("POST")
+	r.HandleFunc("/sessions/{sessionId}/instances/{instanceName}", handlers.DeleteInstance).Methods("DELETE")
+	r.HandleFunc("/sessions/{sessionId}/instances/{instanceName}/keys", handlers.SetKeys).Methods("POST")
-	r.StrictSlash(false)
+	h := func(w http.ResponseWriter, r *http.Request) {
+		http.ServeFile(w, r, "./www/index.html")
+	}
-	r.HandleFunc("/ping", http.HandlerFunc(handlers.Ping)).Methods("GET")
+	r.HandleFunc("/p/{sessionId}", h).Methods("GET")
+	r.PathPrefix("/assets").Handler(http.FileServer(http.Dir("./www")))
+	r.HandleFunc("/robots.txt", func(rw http.ResponseWriter, r *http.Request) {
+		http.ServeFile(rw, r, "www/robots.txt")
+	})
-	r.HandleFunc("/", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	r.Handle("/sessions/{sessionId}/ws/", server)
+	r.Handle("/metrics", promhttp.Handler())
+
+	// Generic routes
+	r.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
 		if bypassCaptcha {
 			http.ServeFile(rw, r, "./www/bypass.html")
 		} else {
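Review bot: The new `/sessions/{sessionId}/instances/{instanceName}/keys` POST route accepts a private key and certificate for an instance, and from this hunk the only thing gating it is knowledge of the session and instance ids — nothing distinguishes it from the read-only `/sessions/{sessionId}` GET registered just above it. If the session id is intended to be the sole authorization for uploading key material, as it appears to be for instance creation and deletion, say so on the route, e.g. `// Session id is the only credential here: whoever holds it may replace the instance's TLS key pair`; otherwise this is the place to attach an additional check. `main` begins and ends outside this hunk.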
@@ -53,31 +77,38 @@ func main() {
 			}
 			rw.Write(welcome)
 		}
-	})).Methods("GET")
+	}).Methods("GET")
-	r.HandleFunc("/", http.HandlerFunc(handlers.NewSession)).Methods("POST")
-
-	r.HandleFunc("/sessions/{sessionId}", http.HandlerFunc(handlers.GetSession)).Methods("GET")
-	r.HandleFunc("/sessions/{sessionId}/instances", http.HandlerFunc(handlers.NewInstance)).Methods("POST")
-	r.HandleFunc("/sessions/{sessionId}/instances/{instanceName}", http.HandlerFunc(handlers.DeleteInstance)).Methods("DELETE")
-
-	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.ServeFile(w, r, "./www/index.html")
-	})
-
-	r.HandleFunc("/p/{sessionId}", h).Methods("GET")
-	r.PathPrefix("/assets").Handler(http.FileServer(http.Dir("./www")))
-	r.HandleFunc("/robots.txt", http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		http.ServeFile(rw, r, "www/robots.txt")
-	}))
-
-	r.Handle("/sessions/{sessionId}/ws/", server)
-	r.Handle("/metrics", promhttp.Handler())
+	r.HandleFunc("/", handlers.NewSession).Methods("POST")
 	n := negroni.Classic()
 	n.UseHandler(r)
-	log.Println("Listening on port " + strconv.Itoa(portNumber))
-	log.Fatal(http.ListenAndServe("0.0.0.0:"+strconv.Itoa(portNumber), n))
+	go func() {
+		log.Println("Listening on port " + strconv.Itoa(portNumber))
+		log.Fatal(http.ListenAndServe("0.0.0.0:"+strconv.Itoa(portNumber), n))
+	}()
+	ssl := mux.NewRouter()
+	sslProxyHandler := handlers.NewSSLDaemonHandler()
+	ssl.Host(`{node:ip[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}_[0-9]{1,3}}-2375.{tld:.*}`).Handler(sslProxyHandler)
+	log.Println("Listening TLS on port " + strconv.Itoa(sslPortNumber))
+
+	s := &http.Server{Addr: "0.0.0.0:" + strconv.Itoa(sslPortNumber), Handler: ssl}
+	s.TLSConfig = &tls.Config{}
+	s.TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+
+		chunks := strings.Split(clientHello.ServerName, ".")
+		chunks = strings.Split(chunks[0], "-")
+		ip := strings.Replace(strings.TrimPrefix(chunks[0], "ip"), "_", ".", -1)
+		i := services.FindInstanceByIP(ip)
+		if i == nil {
+			return nil, fmt.Errorf("Instance %s doesn't exist", clientHello.ServerName)
+		}
+		if i.GetCertificate() == nil {
+			return nil, fmt.Errorf("Instance %s doesn't have a certificate", clientHello.ServerName)
+		}
+		return i.GetCertificate(), nil
+	}
+	log.Fatal(s.ListenAndServeTLS("", ""))
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index e986c75..a29941a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,7 @@ services:
     ports:
       # app exposes port 3000
       - "3000:3000"
+      - "3001:3001"
     volumes:
       # since this app creates networks and launches containers, we need to talk to docker daemon
       - /var/run/docker.sock:/var/run/docker.sock
diff --git a/handlers/reverseproxy.go b/handlers/reverseproxy.go
index de94af8..63d5ed6 100644
--- a/handlers/reverseproxy.go
+++ b/handlers/reverseproxy.go
@@ -37,3 +37,27 @@ func NewMultipleHostReverseProxy() *httputil.ReverseProxy {
 	return &httputil.ReverseProxy{Director: director}
 }
+
+func NewSSLDaemonHandler() *httputil.ReverseProxy {
+	director := func(req *http.Request) {
+		v := mux.Vars(req)
+		node := v["node"]
+		if strings.HasPrefix(node, "ip") {
+			// Node is actually an ip, need to convert underscores by dots.
+			ip := strings.Replace(strings.TrimPrefix(node, "ip"), "_", ".", -1)
+
+			if net.ParseIP(ip) == nil {
+				// Not a valid IP, so treat this is a hostname.
+			} else {
+				node = ip
+			}
+		}
+
+		// Only proxy http for now
+		req.URL.Scheme = "http"
+
+		req.URL.Host = fmt.Sprintf("%s:%s", node, "2375")
+	}
+
+	return &httputil.ReverseProxy{Director: director}
+}
diff --git a/handlers/set_keys.go b/handlers/set_keys.go
new file mode 100644
index 0000000..9441dd9
--- /dev/null
+++ b/handlers/set_keys.go
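Review bot: The `GetCertificate` callback reads the instance certificate through `i.GetCertificate()` with no lock held, while `SetKeys` writes it via `SetCertificate` under `s.Lock()`, so a TLS handshake racing a key upload is a data race that `go test -race` would report; `FindInstanceByIP` in the services/instance.go hunk has the same problem, walking `sessions` unlocked from inside this callback. The SNI is also parsed more loosely than `NewSSLDaemonHandler` parses the same `ip<a>_<b>_<c>_<d>-2375.<tld>` encoding — no `ip` prefix or `net.ParseIP` check, so the instance table is searched for whatever string the client sent — and `GetCertificate()` is called twice. The rewrite below mirrors the proxy's validation (it needs `"net"` added to the import block), pins `MinVersion: tls.VersionTLS12` on the otherwise empty `tls.Config`, and fetches the certificate once; the locking itself belongs in services next to the session mutex. `main` begins outside this hunk.

```go
	s := &http.Server{Addr: "0.0.0.0:" + strconv.Itoa(sslPortNumber), Handler: ssl}
	s.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	s.TLSConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		// Expected SNI shape: ip<a>_<b>_<c>_<d>-2375.<tld>, the same encoding the
		// ssl router's Host pattern matches; reject anything else before touching
		// the instance table.
		node := strings.SplitN(clientHello.ServerName, ".", 2)[0]
		node = strings.SplitN(node, "-", 2)[0]
		if !strings.HasPrefix(node, "ip") {
			return nil, fmt.Errorf("unexpected server name %q", clientHello.ServerName)
		}
		ip := strings.Replace(strings.TrimPrefix(node, "ip"), "_", ".", -1)
		if net.ParseIP(ip) == nil {
			return nil, fmt.Errorf("server name %q does not encode an instance IP", clientHello.ServerName)
		}
		i := services.FindInstanceByIP(ip) // TODO: must take the same lock SetCertificate writes under
		if i == nil {
			return nil, fmt.Errorf("instance %s doesn't exist", clientHello.ServerName)
		}
		cert := i.GetCertificate()
		if cert == nil {
			return nil, fmt.Errorf("instance %s doesn't have a certificate", clientHello.ServerName)
		}
		return cert, nil
	}
```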
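Review bot: `NewSSLDaemonHandler` is exported without a doc comment, and its director keeps an empty `if net.ParseIP(ip) == nil { /* comment */ } else { node = ip }` branch whose comment also has a typo ("treat this is a hostname"); inverting it reads cleaner: `if ip := strings.Replace(strings.TrimPrefix(node, "ip"), "_", ".", -1); net.ParseIP(ip) != nil { node = ip } // otherwise keep node as a hostname`. The upstream address is built with `fmt.Sprintf("%s:%s", node, "2375")`, where `net.JoinHostPort(node, "2375")` says the same thing without a format string. A doc comment such as `// NewSSLDaemonHandler proxies requests for ip<a>_<b>_<c>_<d>-2375.<tld> hosts to that instance's docker daemon on port 2375 over plain HTTP; TLS terminates at this proxy, so the daemon itself is reached without TLS.` would record the trust assumption the `// Only proxy http for now` comment leaves implicit. The ip-decoding duplicates what `NewMultipleHostReverseProxy` does — its director starts outside this hunk — and the two could share a helper.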
@@ -0,0 +1,43 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"github.com/franela/play-with-docker/services"
+	"github.com/gorilla/mux"
+)
+
+func SetKeys(rw http.ResponseWriter, req *http.Request) {
+	vars := mux.Vars(req)
+	sessionId := vars["sessionId"]
+	instanceName := vars["instanceName"]
+
+	type certs struct {
+		ServerCert []byte `json:"server_cert"`
+		ServerKey  []byte `json:"server_key"`
+	}
+
+	var c certs
+	jsonErr := json.NewDecoder(req.Body).Decode(&c)
+	if jsonErr != nil {
+		log.Println(jsonErr)
+		rw.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	s := services.GetSession(sessionId)
+	s.Lock()
+	defer s.Unlock()
+	i := services.GetInstance(s, instanceName)
+
+	_, err := i.SetCertificate(c.ServerCert, c.ServerKey)
+
+	if err != nil {
+		log.Println(err)
+		rw.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	log.Printf("Set keys for instance %s\n", instanceName)
+}
diff --git a/services/docker.go b/services/docker.go
index 74227b6..3cfd8bb 100644
--- a/services/docker.go
+++ b/services/docker.go
@@ -180,7 +180,6 @@ func ResizeConnection(name string, cols, rows uint) error {
 }
 func CreateInstance(session *Session, dindImage string) (*Instance, error) {
-
 	h := &container.HostConfig{NetworkMode: container.NetworkMode(session.Id), Privileged: true}
 	h.Resources.PidsLimit = int64(500)
 	h.Resources.Memory = 4092 * Megabyte
diff --git a/services/instance.go b/services/instance.go
index da64de3..2a72710 100644
--- a/services/instance.go
+++ b/services/instance.go
@@ -2,6 +2,7 @@ package services
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"log"
 	"os"
@@ -29,6 +30,9 @@ type Instance struct {
 	Cpu       string   `json:"cpu"`
 	Ports     []uint16 `json:"ports"`
 	tempPorts []uint16 `json:"-"`
+	ServerCert []byte `json:"server_cert"`
+	ServerKey  []byte `json:"server_key"`
+	cert       *tls.Certificate `json:"-"`
 }
 func (i *Instance) setUsedPort(port uint16) {
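Review bot: `SetKeys` dereferences `s` and `i` without a nil check: `services.GetInstance` is a plain map lookup (`session.Instances[name]` in the services/instance.go hunk) and yields nil for an unknown instance name, so `i.SetCertificate` panics with a nil pointer, and `services.GetSession` presumably does the same for an unknown session id before `s.Lock()` is even reached. Both cases should answer 404; the body is also decoded with no size limit, which matters for an endpoint whose payload is stored on disk, so wrap it in `http.MaxBytesReader`. A comment on the handler stating that `SetCertificate` persists the uploaded private key in the session snapshot would also help the next reader, since nothing in this file says so.

```go
func SetKeys(rw http.ResponseWriter, req *http.Request) {
	// … unchanged: mux vars and the certs type …

	// Bound the upload; 1 MiB is a constructed limit, size it to the largest expected PEM pair.
	req.Body = http.MaxBytesReader(rw, req.Body, 1<<20)
	var c certs
	// … unchanged: JSON decode and 400 on error …

	s := services.GetSession(sessionId)
	if s == nil {
		rw.WriteHeader(http.StatusNotFound)
		return
	}
	s.Lock()
	defer s.Unlock()
	i := services.GetInstance(s, instanceName)
	if i == nil {
		rw.WriteHeader(http.StatusNotFound)
		return
	}
	// … unchanged: SetCertificate call, error handling and log line …
```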
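Review bot: `ServerKey []byte` is tagged `json:"server_key"`, so the instance's private key now travels with every JSON encoding of an `Instance` — the on-disk session snapshot that `saveSessionsToDisk` writes (it is called from `SetCertificate` in the next hunk) and, if the `/sessions/{sessionId}` GET handler encodes the session struct, the API response as well. If the disk copy is needed so the certificate survives a restart (the session.go hunk rebuilds it from these fields), keep it but say so on the field, e.g. `// ServerKey is persisted in the session snapshot so the TLS front-end can be rebuilt on restart; it must never be exposed through the API`, and verify that `GetSession` does not return the raw struct; otherwise tag it `json:"-"` like `cert`. The `Instance` struct's definition starts outside this hunk.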
@@ -43,6 +47,25 @@ func (i *Instance) setUsedPort(port uint16) {
 	i.tempPorts = append(i.tempPorts, port)
 }
+func (i *Instance) SetCertificate(cert, key []byte) (*tls.Certificate, error) {
+	i.ServerCert = cert
+	i.ServerKey = key
+	c, e := tls.X509KeyPair(i.ServerCert, i.ServerKey)
+	if e != nil {
+		return nil, e
+	}
+	i.cert = &c
+
+	// We store sessions as soon as we set instance keys
+	if err := saveSessionsToDisk(); err != nil {
+		return nil, err
+	}
+	return i.cert, nil
+}
+func (i *Instance) GetCertificate() *tls.Certificate {
+	return i.cert
+}
+
 func (i *Instance) IsConnected() bool {
 	return i.conn != nil
@@ -131,6 +154,18 @@ func (i *Instance) Attach() {
 func GetInstance(session *Session, name string) *Instance {
 	return session.Instances[name]
 }
+
+func FindInstanceByIP(ip string) *Instance {
+	for _, s := range sessions {
+		for _, i := range s.Instances {
+			if i.IP == ip {
+				return i
+			}
+		}
+	}
+	return nil
+}
+
 func DeleteInstance(session *Session, instance *Instance) error {
 	if instance.conn != nil {
 		instance.conn.Close()
diff --git a/services/session.go b/services/session.go
index be3cd66..bc7eed3 100644
--- a/services/session.go
+++ b/services/session.go
@@ -304,6 +304,14 @@ func LoadSessionsFromDisk() error {
 		for _, i := range s.Instances {
 			// wire the session back to the instance
 			i.session = s
+
+			if i.ServerCert != nil && i.ServerKey != nil {
+				_, err := i.SetCertificate(i.ServerCert, i.ServerKey)
+				if err != nil {
+					log.Println(err)
+					return err
+				}
+			}
 		}
 		// Connect PWD daemon to the new network
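Review bot: `SetCertificate` assigns `i.ServerCert` and `i.ServerKey` before `tls.X509KeyPair` has validated them, so a rejected pair is left on the instance (with the previous `i.cert` still in place) to be written out by the next `saveSessionsToDisk`; parse first and assign only on success: `c, e := tls.X509KeyPair(cert, key)` / `if e != nil { return nil, e }` / `i.ServerCert, i.ServerKey, i.cert = cert, key, &c`. Both new methods are exported without doc comments, and `GetCertificate` follows `SetCertificate` with no blank line between them. `cert` is written here under the session lock taken by `SetKeys` but read from the TLS handshake callback in api.go without it, so a comment naming the guarding lock would make the contract visible, e.g. `// cert is guarded by the owning Session's mutex; callers must hold it.`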
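Review bot: Rebuilding the certificate through `i.SetCertificate` inside `LoadSessionsFromDisk` calls `saveSessionsToDisk` (see the services/instance.go hunk) once per instance that has keys, so loading the snapshot rewrites that same snapshot from inside the load loop, part-way through restoring state; if `saveSessionsToDisk` takes a lock the loader already holds this also deadlocks, which cannot be confirmed from the hunk. Parse the pair directly instead — the `cert` field is in the same package — and decide separately whether one bad pair should abort the whole load, as the `return err` here does, or be logged and skipped. `LoadSessionsFromDisk` starts and ends outside this hunk; the rewrite needs `"crypto/tls"` imported in session.go.

```go
			if i.ServerCert != nil && i.ServerKey != nil {
				// Rebuild the in-memory tls.Certificate without re-persisting the snapshot being read.
				c, err := tls.X509KeyPair(i.ServerCert, i.ServerKey)
				if err != nil {
					log.Println(err)
					return err
				}
				i.cert = &c
			}
```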