~emersion/public-inbox

This thread contains a patchset. You're looking at the original emails, but you may wish to use the patch review UI. Review patch
1

[PATCH tlstunnel v2] Add config reloading

minus
Details
Message ID
<20201222110614.3948379-1-minus@mnus.de>
DKIM signature
pass
Download raw message
Patch: +152 -27
Instead of updating the configuration, we configure a new Server instance and
then migrate Listeners that still exist to it. Open client connections are
left completely untouched.

Closes https://todo.sr.ht/~emersion/tlstunnel/1
---
- Does not die on failed reload anymore.
- Handles to Frontends and Server in Listener are now atomically
  exchanged. It's ugly but it's less prone to forgetting locking than
  using locks.
- The Listener error check on closing the socket is unchanged.

 cmd/tlstunnel/main.go |  53 +++++++++++++++---
 server.go             | 124 +++++++++++++++++++++++++++++++++++-------
 tlstunnel.1.scd       |   2 +
 3 files changed, 152 insertions(+), 27 deletions(-)

diff --git a/cmd/tlstunnel/main.go b/cmd/tlstunnel/main.go
index f4ba7ef..5f04c86 100644
--- a/cmd/tlstunnel/main.go
+++ b/cmd/tlstunnel/main.go
@@ -2,7 +2,11 @@ package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"os/signal"
	"syscall"

	"git.sr.ht/~emersion/go-scfg"
	"git.sr.ht/~emersion/tlstunnel"
@@ -15,13 +19,10 @@ var (
	certDataPath = ""
)

func main() {
	flag.StringVar(&configPath, "config", configPath, "path to configuration file")
	flag.Parse()

func newServer() (*tlstunnel.Server, error) {
	cfg, err := scfg.Load(configPath)
	if err != nil {
		log.Fatalf("failed to load config file: %v", err)
		return nil, fmt.Errorf("failed to load config file: %w", err)
	}

	srv := tlstunnel.NewServer()
@@ -37,7 +38,7 @@ func main() {
	}
	logger, err := loggerCfg.Build()
	if err != nil {
		log.Fatalf("failed to initialize zap logger: %v", err)
		return nil, fmt.Errorf("failed to initialize zap logger: %w", err)
	}
	srv.ACMEConfig.Logger = logger
	srv.ACMEManager.Logger = logger
@@ -47,12 +48,48 @@ func main() {
	}

	if err := srv.Load(cfg); err != nil {
		log.Fatal(err)
		return nil, err
	}

	return srv, nil
}

func main() {
	flag.StringVar(&configPath, "config", configPath, "path to configuration file")
	flag.Parse()

	srv, err := newServer()
	if err != nil {
		log.Fatalf("failed to create server: %v", err)
	}

	sigCh := make(chan os.Signal, 1)
	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM, syscall.SIGHUP)

	if err := srv.Start(); err != nil {
		log.Fatal(err)
	}

	select {}
	for sig := range sigCh {
		switch sig {
		case syscall.SIGINT:
		case syscall.SIGTERM:
			srv.Stop()
			return
		case syscall.SIGHUP:
			log.Print("caught SIGHUP, reloading config")
			newSrv, err := newServer()
			if err != nil {
				log.Printf("reload failed: %v", err)
				continue
			}
			err = newSrv.Replace(srv)
			if err != nil {
				log.Printf("reload failed: %v", err)
				continue
			}
			srv = newSrv
			log.Print("successfully reloaded config")
		}
	}
}
diff --git a/server.go b/server.go
index c9afe32..b96eb2c 100644
--- a/server.go
+++ b/server.go
@@ -8,6 +8,7 @@ import (
	"log"
	"net"
	"strings"
	"sync/atomic"

	"git.sr.ht/~emersion/go-scfg"
	"github.com/caddyserver/certmagic"
@@ -24,6 +25,8 @@ type Server struct {

	ACMEManager *certmagic.ACMEManager
	ACMEConfig  *certmagic.Config

	cancelACME context.CancelFunc
}

func NewServer() *Server {
@@ -57,17 +60,28 @@ func (srv *Server) RegisterListener(addr string) *Listener {
	return ln
}

func (srv *Server) Start() error {
func (srv *Server) startACME() error {
	var ctx context.Context
	ctx, srv.cancelACME = context.WithCancel(context.Background())

	for _, cert := range srv.UnmanagedCerts {
		if err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(cert, nil); err != nil {
			return err
		}
	}

	if err := srv.ACMEConfig.ManageAsync(context.Background(), srv.ManagedNames); err != nil {
	if err := srv.ACMEConfig.ManageAsync(ctx, srv.ManagedNames); err != nil {
		return fmt.Errorf("failed to manage TLS certificates: %v", err)
	}

	return nil
}

func (srv *Server) Start() error {
	if err := srv.startACME(); err != nil {
		return err
	}

	for _, ln := range srv.Listeners {
		if err := ln.Start(); err != nil {
			return err
@@ -76,37 +90,94 @@ func (srv *Server) Start() error {
	return nil
}

type Listener struct {
	Address   string
func (srv *Server) Stop() {
	srv.cancelACME()
	// TODO: clean cached unmanaged certs
	for _, ln := range srv.Listeners {
		ln.Stop()
	}
}

// Replace starts the server but takes over existing listeners from an old
// Server instance. The old instance keeps running unchanged if Replace
// returns an error.
func (srv *Server) Replace(old *Server) error {
	// Try to start new listeners
	for addr, ln := range srv.Listeners {
		if _, ok := old.Listeners[addr]; ok {
			continue
		}
		if err := ln.Start(); err != nil {
			for _, ln2 := range srv.Listeners {
				ln2.Stop()
			}
			return err
		}
	}

	// Restart ACME
	old.cancelACME()
	if err := srv.startACME(); err != nil {
		for _, ln2 := range srv.Listeners {
			ln2.Stop()
		}
		return err
	}
	// TODO: clean cached unmanaged certs

	// Take over existing listeners and terminate old ones
	for addr, oldLn := range old.Listeners {
		if ln, ok := srv.Listeners[addr]; ok {
			srv.Listeners[addr] = oldLn.UpdateFrom(ln)
		} else {
			oldLn.Stop()
		}
	}

	return nil
}

type listenerHandles struct {
	Server    *Server
	Frontends map[string]*Frontend // indexed by server name
}

type Listener struct {
	Address string
	netLn   net.Listener
	atomic  atomic.Value
}

func newListener(srv *Server, addr string) *Listener {
	return &Listener{
		Address:   addr,
	ln := &Listener{
		Address: addr,
	}
	ln.atomic.Store(&listenerHandles{
		Server:    srv,
		Frontends: make(map[string]*Frontend),
	}
	})
	return ln
}

func (ln *Listener) RegisterFrontend(name string, fe *Frontend) error {
	if _, ok := ln.Frontends[name]; ok {
	fes := ln.atomic.Load().(*listenerHandles).Frontends
	if _, ok := fes[name]; ok {
		return fmt.Errorf("listener %q: duplicate frontends for server name %q", ln.Address, name)
	}
	ln.Frontends[name] = fe
	fes[name] = fe
	return nil
}

func (ln *Listener) Start() error {
	netLn, err := net.Listen("tcp", ln.Address)
	var err error
	ln.netLn, err = net.Listen("tcp", ln.Address)
	if err != nil {
		return err
	}
	log.Printf("listening on %q", ln.Address)

	go func() {
		if err := ln.serve(netLn); err != nil {
		if err := ln.serve(); err != nil {
			log.Fatalf("listener %q: %v", ln.Address, err)
		}
	}()
@@ -114,10 +185,22 @@ func (ln *Listener) Start() error {
	return nil
}

func (ln *Listener) serve(netLn net.Listener) error {
func (ln *Listener) Stop() {
	ln.netLn.Close()
}

func (ln *Listener) UpdateFrom(new *Listener) *Listener {
	ln.atomic.Store(new.atomic.Load())
	return ln
}

func (ln *Listener) serve() error {
	for {
		conn, err := netLn.Accept()
		if err != nil {
		conn, err := ln.netLn.Accept()
		if err != nil && strings.Contains(err.Error(), "use of closed network connection") {
			// Listening socket has been closed by Stop()
			return nil
		} else if err != nil {
			return fmt.Errorf("failed to accept connection: %v", err)
		}

@@ -131,9 +214,10 @@ func (ln *Listener) serve(netLn net.Listener) error {

func (ln *Listener) handle(conn net.Conn) error {
	defer conn.Close()
	srv := ln.atomic.Load().(*listenerHandles).Server

	// TODO: setup timeouts
	tlsConfig := ln.Server.ACMEConfig.TLSConfig()
	tlsConfig := srv.ACMEConfig.TLSConfig()
	getConfigForClient := tlsConfig.GetConfigForClient
	tlsConfig.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		// Call previous GetConfigForClient function, if any
@@ -145,7 +229,7 @@ func (ln *Listener) handle(conn net.Conn) error {
				return nil, err
			}
		} else {
			tlsConfig = ln.Server.ACMEConfig.TLSConfig()
			tlsConfig = srv.ACMEConfig.TLSConfig()
		}

		fe, err := ln.matchFrontend(hello.ServerName)
@@ -171,18 +255,20 @@ func (ln *Listener) handle(conn net.Conn) error {
}

func (ln *Listener) matchFrontend(serverName string) (*Frontend, error) {
	fe, ok := ln.Frontends[serverName]
	fes := ln.atomic.Load().(*listenerHandles).Frontends

	fe, ok := fes[serverName]
	if !ok {
		// Match wildcard certificates, allowing only a single, non-partial
		// wildcard, in the left-most label
		i := strings.IndexByte(serverName, '.')
		// Don't allow wildcards with only a TLD (e.g. *.com)
		if i >= 0 && strings.IndexByte(serverName[i+1:], '.') >= 0 {
			fe, ok = ln.Frontends["*"+serverName[i:]]
			fe, ok = fes["*"+serverName[i:]]
		}
	}
	if !ok {
		fe, ok = ln.Frontends[""]
		fe, ok = fes[""]
	}
	if !ok {
		return nil, fmt.Errorf("can't find frontend for server name %q", serverName)
diff --git a/tlstunnel.1.scd b/tlstunnel.1.scd
index 30ee269..b4c409a 100644
--- a/tlstunnel.1.scd
+++ b/tlstunnel.1.scd
@@ -27,6 +27,8 @@ The config file has one directive per line. Directives have a name, followed
by parameters separated by space characters. Directives may have children in
blocks delimited by "{" and "}". Lines beginning with "#" are comments.

tlstunnel will reload the config file when it receives the HUP signal.

Example:

```
-- 
2.29.2
Details
Message ID
<XZfzKhclfCe-75X3OvaSlZTKn2n0-Dn76a0SBe0aXsHwIvafX9VJE_bc_DKFsQSoQ8gXMJatUecHRQfRd40uaob1UY358FK6vPLfehFv8IA=@emersion.fr>
In-Reply-To
<20201222110614.3948379-1-minus@mnus.de> (view parent)
DKIM signature
pass
Download raw message
Pushed, thanks for working on this!
Reply to thread Export thread (mbox)