tailscale/cmd/sniproxy/server.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package main

import (
	"expvar"
	"log"
	"net"
	"net/netip"
	"sync"
	"time"

	"golang.org/x/net/dns/dnsmessage"
	"tailscale.com/metrics"
	"tailscale.com/tailcfg"
	"tailscale.com/types/appctype"
	"tailscale.com/types/ipproto"
	"tailscale.com/types/nettype"
	"tailscale.com/util/clientmetric"
	"tailscale.com/util/mak"
)

var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")

// target describes the predicates which route some inbound
// traffic to the app connector to a specific handler.
type target struct {
	Dest     netip.Prefix
	Matching tailcfg.ProtoPortRange
}

// Server implements an App Connector as expressed in sniproxy.
type Server struct {
	mu         sync.RWMutex // mu guards following fields
	connectors map[appctype.ConfigID]connector
}

type appcMetrics struct {
	dnsResponses   expvar.Int
	dnsFailures    expvar.Int
	tcpConns       expvar.Int
	sniConns       expvar.Int
	unhandledConns expvar.Int
}

var getMetrics = sync.OnceValue[*appcMetrics](func() *appcMetrics {
	m := appcMetrics{}

	stats := new(metrics.Set)
	stats.Set("tls_sessions", &m.sniConns)
	clientmetric.NewCounterFunc("sniproxy_tls_sessions", m.sniConns.Value)
	stats.Set("tcp_sessions", &m.tcpConns)
	clientmetric.NewCounterFunc("sniproxy_tcp_sessions", m.tcpConns.Value)
	stats.Set("dns_responses", &m.dnsResponses)
	clientmetric.NewCounterFunc("sniproxy_dns_responses", m.dnsResponses.Value)
	stats.Set("dns_failed", &m.dnsFailures)
	clientmetric.NewCounterFunc("sniproxy_dns_failed", m.dnsFailures.Value)
	expvar.Publish("sniproxy", stats)

	return &m
})

// Configure applies the provided configuration to the app connector.
func (s *Server) Configure(cfg *appctype.AppConnectorConfig) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.connectors = makeConnectorsFromConfig(cfg)
	log.Printf("installed app connector config: %+v", s.connectors)
}

// HandleTCPFlow implements tsnet.FallbackTCPHandler.
func (s *Server) HandleTCPFlow(src, dst netip.AddrPort) (handler func(net.Conn), intercept bool) {
	m := getMetrics()
	s.mu.RLock()
	defer s.mu.RUnlock()

	for _, c := range s.connectors {
		if handler, intercept := c.handleTCPFlow(src, dst, m); intercept {
			return handler, intercept
		}
	}

	return nil, false
}

// HandleDNS handles a DNS request to the app connector.
func (s *Server) HandleDNS(c nettype.ConnPacketConn) {
	defer c.Close()
	c.SetReadDeadline(time.Now().Add(5 * time.Second))
	m := getMetrics()

	buf := make([]byte, 1500)
	n, err := c.Read(buf)
	if err != nil {
		log.Printf("HandleDNS: read failed: %v\n ", err)
		m.dnsFailures.Add(1)
		return
	}

	addrPortStr := c.LocalAddr().String()
	host, _, err := net.SplitHostPort(addrPortStr)
	if err != nil {
		log.Printf("HandleDNS: bogus addrPort %q", addrPortStr)
		m.dnsFailures.Add(1)
		return
	}
	localAddr, err := netip.ParseAddr(host)
	if err != nil {
		log.Printf("HandleDNS: bogus local address %q", host)
		m.dnsFailures.Add(1)
		return
	}

	var msg dnsmessage.Message
	err = msg.Unpack(buf[:n])
	if err != nil {
		log.Printf("HandleDNS: dnsmessage unpack failed: %v\n ", err)
		m.dnsFailures.Add(1)
		return
	}

	s.mu.RLock()
	defer s.mu.RUnlock()
	for _, connector := range s.connectors {
		resp, err := connector.handleDNS(&msg, localAddr)
		if err != nil {
			log.Printf("HandleDNS: connector handling failed: %v\n", err)
			m.dnsFailures.Add(1)
			return
		}
		if len(resp) > 0 {
			// This connector handled the DNS request
			_, err = c.Write(resp)
			if err != nil {
				log.Printf("HandleDNS: write failed: %v\n", err)
				m.dnsFailures.Add(1)
				return
			}

			m.dnsResponses.Add(1)
			return
		}
	}
}

// connector describes a logical collection of
// services which need to be proxied.
type connector struct {
	Handlers map[target]handler
}

// handleTCPFlow implements tsnet.FallbackTCPHandler.
func (c *connector) handleTCPFlow(src, dst netip.AddrPort, m *appcMetrics) (handler func(net.Conn), intercept bool) {
	for t, h := range c.Handlers {
		if t.Matching.Proto != 0 && t.Matching.Proto != int(ipproto.TCP) {
			continue
		}
		if !t.Dest.Contains(dst.Addr()) {
			continue
		}
		if !t.Matching.Ports.Contains(dst.Port()) {
			continue
		}

		switch h.(type) {
		case *tcpSNIHandler:
			m.sniConns.Add(1)
		case *tcpRoundRobinHandler:
			m.tcpConns.Add(1)
		default:
			log.Printf("handleTCPFlow: unhandled handler type %T", h)
		}

		return h.Handle, true
	}

	m.unhandledConns.Add(1)
	return nil, false
}

// handleDNS returns the DNS response to the given query. If this
// connector is unable to handle the request, nil is returned.
func (c *connector) handleDNS(req *dnsmessage.Message, localAddr netip.Addr) (response []byte, err error) {
	for t, h := range c.Handlers {
		if t.Dest.Contains(localAddr) {
			return makeDNSResponse(req, h.ReachableOn())
		}
	}

	// Did not match, signal 'not handled' to caller
	return nil, nil
}

func makeDNSResponse(req *dnsmessage.Message, reachableIPs []netip.Addr) (response []byte, err error) {
	resp := dnsmessage.NewBuilder(response,
		dnsmessage.Header{
			ID:            req.Header.ID,
			Response:      true,
			Authoritative: true,
		})
	resp.EnableCompression()

	if len(req.Questions) == 0 {
		response, _ = resp.Finish()
		return response, nil
	}
	q := req.Questions[0]
	err = resp.StartQuestions()
	if err != nil {
		return
	}
	resp.Question(q)

	err = resp.StartAnswers()
	if err != nil {
		return
	}

	switch q.Type {
	case dnsmessage.TypeAAAA:
		for _, ip := range reachableIPs {
			if ip.Is6() {
				err = resp.AAAAResource(
					dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
					dnsmessage.AAAAResource{AAAA: ip.As16()},
				)
			}
		}

	case dnsmessage.TypeA:
		for _, ip := range reachableIPs {
			if ip.Is4() {
				err = resp.AResource(
					dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
					dnsmessage.AResource{A: ip.As4()},
				)
			}
		}

	case dnsmessage.TypeSOA:
		err = resp.SOAResource(
			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
			dnsmessage.SOAResource{NS: q.Name, MBox: tsMBox, Serial: 2023030600,
				Refresh: 120, Retry: 120, Expire: 120, MinTTL: 60},
		)
	case dnsmessage.TypeNS:
		err = resp.NSResource(
			dnsmessage.ResourceHeader{Name: q.Name, Class: q.Class, TTL: 120},
			dnsmessage.NSResource{NS: tsMBox},
		)
	}

	if err != nil {
		return nil, err
	}
	return resp.Finish()
}

type handler interface {
	// Handle handles the given socket.
	Handle(c net.Conn)

	// ReachableOn returns the IP addresses this handler is reachable on.
	ReachableOn() []netip.Addr
}

func installDNATHandler(d *appctype.DNATConfig, out *connector) {
	// These handlers don't actually do DNAT, they just
	// proxy the data over the connection.
	var dialer net.Dialer
	dialer.Timeout = 5 * time.Second
	h := tcpRoundRobinHandler{
		To:           d.To,
		DialContext:  dialer.DialContext,
		ReachableIPs: d.Addrs,
	}

	for _, addr := range d.Addrs {
		for _, protoPort := range d.IP {
			t := target{
				Dest:     netip.PrefixFrom(addr, addr.BitLen()),
				Matching: protoPort,
			}

			mak.Set(&out.Handlers, t, handler(&h))
		}
	}
}

func installSNIHandler(c *appctype.SNIProxyConfig, out *connector) {
	var dialer net.Dialer
	dialer.Timeout = 5 * time.Second
	h := tcpSNIHandler{
		Allowlist:    c.AllowedDomains,
		DialContext:  dialer.DialContext,
		ReachableIPs: c.Addrs,
	}

	for _, addr := range c.Addrs {
		for _, protoPort := range c.IP {
			t := target{
				Dest:     netip.PrefixFrom(addr, addr.BitLen()),
				Matching: protoPort,
			}

			mak.Set(&out.Handlers, t, handler(&h))
		}
	}
}

func makeConnectorsFromConfig(cfg *appctype.AppConnectorConfig) map[appctype.ConfigID]connector {
	var connectors map[appctype.ConfigID]connector

	for cID, d := range cfg.DNAT {
		c := connectors[cID]
		installDNATHandler(&d, &c)
		mak.Set(&connectors, cID, c)
	}
	for cID, d := range cfg.SNIProxy {
		c := connectors[cID]
		installSNIHandler(&d, &c)
		mak.Set(&connectors, cID, c)
	}

	return connectors
}