starred/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-03-31 06:34:14 -04:00
Code Issues Packages Projects Releases Wiki Activity

[relay] Feature/relay integration (#2244)

Browse Source 
This update adds new relay integration for NetBird clients. The new relay is based on web sockets and listens on a single port.

- Adds new relay implementation with websocket with single port relaying mechanism
- refactor peer connection logic, allowing upgrade and downgrade from/to P2P connection
- peer connections are faster since it connects first to relay and then upgrades to P2P
- maintains compatibility with old clients by not using the new relay
- updates infrastructure scripts with new relay service
This commit is contained in:
Zoltan Papp
2024-09-08 12:06:14 +02:00
committed by GitHub
parent fcac02a92f
commit 0c039274a4
120 changed files with 9879 additions and 1940 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
encryption/cert.go Normal file
View File

@@ -0,0 +1,19 @@
package encryption
import "crypto/tls"
func LoadTLSConfig(certFile, keyFile string) (*tls.Config, error) {
serverCert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
config := &tls.Config{
Certificates: []tls.Certificate{serverCert},
ClientAuth: tls.NoClientCert,
NextProtos: []string{
"h2", "http/1.1", // enable HTTP/2
},
}
return config, nil
}

4
encryption/letsencrypt.go
View File

@@ -9,7 +9,7 @@ import (
)
// CreateCertManager wraps common logic of generating Let's encrypt certificate.
func CreateCertManager(datadir string, letsencryptDomain string) (*autocert.Manager, error) {
func CreateCertManager(datadir string, letsencryptDomain ...string) (*autocert.Manager, error) {
certDir := filepath.Join(datadir, "letsencrypt")
if _, err := os.Stat(certDir); os.IsNotExist(err) {
@@ -24,7 +24,7 @@ func CreateCertManager(datadir string, letsencryptDomain string) (*autocert.Mana
certManager := &autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(certDir),
HostPolicy: autocert.HostWhitelist(letsencryptDomain),
HostPolicy: autocert.HostWhitelist(letsencryptDomain...),
}
return certManager, nil

87
encryption/route53.go Normal file
View File

@@ -0,0 +1,87 @@
package encryption
import (
"context"
"crypto/tls"
"fmt"
"os"
"strings"
"github.com/caddyserver/certmagic"
"github.com/libdns/route53"
log "github.com/sirupsen/logrus"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"golang.org/x/crypto/acme"
)
// Route53TLS by default, loads the AWS configuration from the environment.
// env variables: AWS_REGION, AWS_PROFILE, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
type Route53TLS struct {
DataDir string
Email string
Domains []string
CA string
}
func (r *Route53TLS) GetCertificate() (*tls.Config, error) {
if len(r.Domains) == 0 {
return nil, fmt.Errorf("no domains provided")
}
certmagic.Default.Logger = logger()
certmagic.Default.Storage = &certmagic.FileStorage{Path: r.DataDir}
certmagic.DefaultACME.Agreed = true
if r.Email != "" {
certmagic.DefaultACME.Email = r.Email
} else {
certmagic.DefaultACME.Email = emailFromDomain(r.Domains[0])
}
if r.CA == "" {
certmagic.DefaultACME.CA = certmagic.LetsEncryptProductionCA
} else {
certmagic.DefaultACME.CA = r.CA
}
certmagic.DefaultACME.DNS01Solver = &certmagic.DNS01Solver{
DNSManager: certmagic.DNSManager{
DNSProvider: &route53.Provider{},
},
}
cm := certmagic.NewDefault()
if err := cm.ManageSync(context.Background(), r.Domains); err != nil {
log.Errorf("failed to manage certificate: %v", err)
return nil, err
}
tlsConfig := &tls.Config{
GetCertificate: cm.GetCertificate,
NextProtos: []string{"h2", "http/1.1", acme.ALPNProto},
}
return tlsConfig, nil
}
func emailFromDomain(domain string) string {
if domain == "" {
return ""
}
parts := strings.Split(domain, ".")
if len(parts) < 2 {
return ""
}
if parts[0] == "" {
return ""
}
return fmt.Sprintf("admin@%s.%s", parts[len(parts)-2], parts[len(parts)-1])
}
func logger() *zap.Logger {
return zap.New(zapcore.NewCore(
zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
os.Stderr,
zap.ErrorLevel,
))
}

84
encryption/route53_test.go Normal file
View File

@@ -0,0 +1,84 @@
package encryption
import (
"context"
"io"
"net/http"
"os"
"testing"
"time"
)
func TestRoute53TLSConfig(t *testing.T) {
t.SkipNow() // This test requires AWS credentials
exampleString := "Hello, world!"
rtls := &Route53TLS{
DataDir: t.TempDir(),
Email: os.Getenv("LE_EMAIL_ROUTE53"),
Domains: []string{os.Getenv("DOMAIN")},
}
tlsConfig, err := rtls.GetCertificate()
if err != nil {
t.Errorf("Route53TLSConfig failed: %v", err)
}
server := &http.Server{
Addr: ":8443",
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
_, _ = w.Write([]byte(exampleString))
}),
TLSConfig: tlsConfig,
}
go func() {
err := server.ListenAndServeTLS("", "")
if err != http.ErrServerClosed {
t.Errorf("Failed to start server: %v", err)
}
}()
defer func() {
if err := server.Shutdown(context.Background()); err != nil {
t.Errorf("Failed to shutdown server: %v", err)
}
}()
time.Sleep(1 * time.Second)
resp, err := http.Get("https://relay.godevltd.com:8443")
if err != nil {
t.Errorf("Failed to get response: %v", err)
return
}
defer func() {
_ = resp.Body.Close()
}()
body, err := io.ReadAll(resp.Body)
if err != nil {
t.Errorf("Failed to read response body: %v", err)
}
if string(body) != exampleString {
t.Errorf("Unexpected response: %s", body)
}
}
func Test_emailFromDomain(t *testing.T) {
tests := []struct {
input string
want string
}{
{"example.com", "admin@example.com"},
{"x.example.com", "admin@example.com"},
{"x.x.example.com", "admin@example.com"},
{"*.example.com", "admin@example.com"},
{"example", ""},
{"", ""},
{".com", ""},
}
for _, tt := range tests {
t.Run("domain test", func(t *testing.T) {
if got := emailFromDomain(tt.input); got != tt.want {
t.Errorf("emailFromDomain() = %v, want %v", got, tt.want)
}
})
}
}