Merge pull request #785 from weaveworks/777-probes-https

Make probes use TLS against scope.weave.works by default
2026-03-03 02:00:43 +00:00 · 2016-01-04 18:17:05 +00:00
parent c468dd5f32 7e87caf3ee
commit 6850e840bd
3 changed files with 25 additions and 12 deletions
--- a/common/sanitize/sanitize.go
+++ b/common/sanitize/sanitize.go
@@ -29,7 +29,11 @@ func URL(defaultScheme string, defaultPort int, defaultPath string) func(string)
 		if _, port, err := net.SplitHostPort(u.Host); err != nil && defaultPort > 0 {
 			u.Host += fmt.Sprintf(":%d", defaultPort)
 		} else if port == "443" {
-			u.Scheme = "https"
+			if u.Scheme == "ws" {
+				u.Scheme = "wss"
+			} else {
+				u.Scheme = "https"
+			}
 		}
 		if defaultPath != "" && u.Path != defaultPath {
 			u.Path = defaultPath
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -67,6 +67,7 @@ weave_expose() {
 mkdir -p /etc/weave
 APP_ARGS=""
 PROBE_ARGS=""
+TOKEN_PROVIDED=false

 if [ "$1" = version ]; then
    /home/weave/scope version
@@ -108,7 +109,7 @@ while true; do
                shift
            fi
            PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE"
-            echo "scope.weave.works:80" >/etc/weave/apps
+            TOKEN_PROVIDED=true
            touch /etc/service/app/down
            ;;
        --no-app)
@@ -157,7 +158,15 @@ echo "$PROBE_ARGS" >/etc/weave/scope-probe.args
 # using Weave DNS. We stick these in /etc/weave/apps
 # for the run-probe script to pick up.
 MANUAL_APPS=$@
+
+# Implicitly target the Scope Service if a service token was provided with
+# no explicit manual app.
+if [ "$MANUAL_APPS" = "" -a "$TOKEN_PROVIDED" = "true" ]; then
+    MANUAL_APPS="scope.weave.works:443"
+fi
+
 echo "$MANUAL_APPS" >>/etc/weave/apps

+
 exec /home/weave/runsvinit

--- a/xfer/app_client.go
+++ b/xfer/app_client.go
@@ -41,10 +41,11 @@ type AppClient interface {
 type appClient struct {
 	ProbeConfig

-	quit   chan struct{}
-	mtx    sync.Mutex
-	target string
-	client http.Client
+	quit     chan struct{}
+	mtx      sync.Mutex
+	target   string
+	client   http.Client
+	wsDialer websocket.Dialer

 	// Track all the background goroutines, ensure they all stop
 	backgroundWait sync.WaitGroup
@@ -74,6 +75,9 @@ func NewAppClient(pc ProbeConfig, hostname, target string, control ControlHandle
 		client: http.Client{
 			Transport: httpTransport,
 		},
+		wsDialer: websocket.Dialer{
+			TLSClientConfig: httpTransport.TLSClientConfig,
+		},
 		conns:   map[string]*websocket.Conn{},
 		readers: make(chan io.Reader),
 		control: control,
@@ -186,12 +190,10 @@ func (c *appClient) doWithBackoff(msg string, f func() (bool, error)) {
 }

 func (c *appClient) controlConnection() (bool, error) {
-	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, "/api/control/ws")(c.target)
-	conn, _, err := dialer.Dial(url, headers)
+	conn, _, err := c.wsDialer.Dial(url, headers)
 	if err != nil {
 		return false, err
 	}
@@ -270,12 +272,10 @@ func (c *appClient) Publish(r io.Reader) error {
 }

 func (c *appClient) pipeConnection(id string, pipe Pipe) (bool, error) {
-	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, fmt.Sprintf("/api/pipe/%s/probe", id))(c.target)
-	conn, resp, err := dialer.Dial(url, headers)
+	conn, resp, err := c.wsDialer.Dial(url, headers)
 	if resp != nil && resp.StatusCode == http.StatusNotFound {
 		// Special handling - 404 means the app/user has closed the pipe
 		pipe.Close()