Support configurable routing of ACME tls-sni-01 challenges.

By design, the tls-sni-01 challenge does not reveal information
about the domain being verified, so the proxy cannot "naively" route
such requests. Instead, it probes the Targets of all SNI routes, looking
for one that responds plausibly to the challenge hostname, and routes the
client connection to that.

ACME support can be turned off by inserting AddStopAcmeSearch in the route
chain. Subsequently registered SNI routes will not be probed by ACME challenges.

Author: danderson

sni.go

@@ -17,21 +17,43 @@ package tcpproxy
 import (
 	"bufio"
 	"bytes"
+	"context"
 	"crypto/tls"
 	"io"
 	"net"
+	"strings"
 )
 
 // AddSNIRoute appends a route to the ipPort listener that says if the
 // incoming TLS SNI server name is sni, the connection is given to
 // dest. If it doesn't match, rule processing continues for any
 // additional routes on ipPort.
 //
+// By default, the proxy will route all ACME tls-sni-01 challenges
+// received on ipPort to all SNI dests. You can disable ACME routing
+// with AddStopACMESearch.
+//
 // The ipPort is any valid net.Listen TCP address.
 func (p *Proxy) AddSNIRoute(ipPort, sni string, dest Target) {
+	cfg := p.configFor(ipPort)
+	if !cfg.stopACME {
+		if len(cfg.acmeTargets) == 0 {
+			p.addRoute(ipPort, &acmeMatch{cfg})
+		}
+		cfg.acmeTargets = append(cfg.acmeTargets, dest)
+	}
+
 	p.addRoute(ipPort, sniMatch{sni, dest})
 }
 
+// AddStopACMESearch prevents ACME probing of subsequent SNI routes.
+// Any ACME challenges on ipPort for SNI routes previously added
+// before this call will still be proxied to all possible SNI
+// backends.
+func (p *Proxy) AddStopACMESearch(ipPort string) {
+	p.configFor(ipPort).stopACME = true
+}
+
 type sniMatch struct {
 	sni    string
 	target Target
@@ -44,6 +66,79 @@ func (m sniMatch) match(br *bufio.Reader) Target {
 	return nil
 }
 
+// acmeMatch matches "*.acme.invalid" ACME tls-sni-01 challenges and
+// searches for a Target in cfg.acmeTargets that has the challenge
+// response.
+type acmeMatch struct {
+	cfg *config
+}
+
+func (m *acmeMatch) match(br *bufio.Reader) Target {
+	sni := clientHelloServerName(br)
+	if !strings.HasSuffix(sni, ".acme.invalid") {
+		return nil
+	}
+
+	// TODO: cache. ACME issuers will hit multiple times in a short
+	// burst for each issuance event. A short TTL cache + singleflight
+	// should have an excellent hit rate.
+	// TODO: maybe an acme-specific timeout as well?
+	// TODO: plumb context upwards?
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ch := make(chan Target, len(m.cfg.acmeTargets))
+	for _, target := range m.cfg.acmeTargets {
+		go tryACME(ctx, ch, target, sni)
+	}
+	for range m.cfg.acmeTargets {
+		if target := <-ch; target != nil {
+			return target
+		}
+	}
+
+	// No target was happy with the provided challenge.
+	return nil
+}
+
+func tryACME(ctx context.Context, ch chan<- Target, dest Target, sni string) {
+	var ret Target
+	defer func() { ch <- ret }()
+
+	conn, targetConn := net.Pipe()
+	defer conn.Close()
+	go dest.HandleConn(targetConn)
+
+	deadline, ok := ctx.Deadline()
+	if ok {
+		conn.SetDeadline(deadline)
+	}
+
+	client := tls.Client(conn, &tls.Config{
+		ServerName:         sni,
+		InsecureSkipVerify: true,
+	})
+	if err := client.Handshake(); err != nil {
+		// TODO: log?
+		return
+	}
+	certs := client.ConnectionState().PeerCertificates
+	if len(certs) == 0 {
+		// TODO: log?
+		return
+	}
+	// acme says the first cert offered by the server must match the
+	// challenge hostname.
+	if err := certs[0].VerifyHostname(sni); err != nil {
+		// TODO: log?
+		return
+	}
+
+	// Target presented what looks like a valid challenge
+	// response, send it back to the matcher.
+	ret = dest
+}
+
 // clientHelloServerName returns the SNI server name inside the TLS ClientHello,
 // without consuming any bytes from br.
 // On any error, the empty string is returned.

tcpproxy.go

@@ -69,7 +69,7 @@ import (
 // The order that routes are added in matters; each is matched in the order
 // registered.
 type Proxy struct {
-	routes map[string][]route // ip:port => routes
+	configs map[string]*config // ip:port => config
 
 	lns   []net.Listener
 	donec chan struct{} // closed before err
@@ -81,7 +81,22 @@ type Proxy struct {
 	ListenFunc func(net, laddr string) (net.Listener, error)
 }
 
+// config contains the proxying state for one listener.
+type config struct {
+	routes      []route
+	acmeTargets []Target // accumulates targets that should be probed for acme.
+	stopACME    bool     // if true, AddSNIRoute doesn't add targets to acmeTargets.
+}
+
+// A route matches a connection to a target.
 type route interface {
+	// match examines the initial bytes of a connection, looking for a
+	// match. If a match is found, match returns a non-nil Target to
+	// which the stream should be proxied. match returns nil if the
+	// connection doesn't match.
+	//
+	// match must not consume bytes from the given bufio.Reader, it
+	// can only Peek.
 	match(*bufio.Reader) Target
 }
 
@@ -92,11 +107,19 @@ func (p *Proxy) netListen() func(net, laddr string) (net.Listener, error) {
 	return net.Listen
 }
 
-func (p *Proxy) addRoute(ipPort string, r route) {
-	if p.routes == nil {
-		p.routes = make(map[string][]route)
+func (p *Proxy) configFor(ipPort string) *config {
+	if p.configs == nil {
+		p.configs = make(map[string]*config)
 	}
-	p.routes[ipPort] = append(p.routes[ipPort], r)
+	if p.configs[ipPort] == nil {
+		p.configs[ipPort] = &config{}
+	}
+	return p.configs[ipPort]
+}
+
+func (p *Proxy) addRoute(ipPort string, r route) {
+	cfg := p.configFor(ipPort)
+	cfg.routes = append(cfg.routes, r)
 }
 
 // AddRoute appends an always-matching route to the ipPort listener,
@@ -107,14 +130,14 @@ func (p *Proxy) addRoute(ipPort string, r route) {
 //
 // The ipPort is any valid net.Listen TCP address.
 func (p *Proxy) AddRoute(ipPort string, dest Target) {
-	p.addRoute(ipPort, alwaysMatch{dest})
+	p.addRoute(ipPort, fixedTarget{dest})
 }
 
-type alwaysMatch struct {
+type fixedTarget struct {
 	t Target
 }
 
-func (m alwaysMatch) match(*bufio.Reader) Target { return m.t }
+func (m fixedTarget) match(*bufio.Reader) Target { return m.t }
 
 // Run is calls Start, and then Wait.
 //
@@ -155,16 +178,16 @@ func (p *Proxy) Start() error {
 		return errors.New("already started")
 	}
 	p.donec = make(chan struct{})
-	errc := make(chan error, len(p.routes))
-	p.lns = make([]net.Listener, 0, len(p.routes))
-	for ipPort, routes := range p.routes {
+	errc := make(chan error, len(p.configs))
+	p.lns = make([]net.Listener, 0, len(p.configs))
+	for ipPort, config := range p.configs {
 		ln, err := p.netListen()("tcp", ipPort)
 		if err != nil {
 			p.Close()
 			return err
 		}
 		p.lns = append(p.lns, ln)
-		go p.serveListener(errc, ln, routes)
+		go p.serveListener(errc, ln, config.routes)
 	}
 	go p.awaitFirstError(errc)
 	return nil