Add ssl support for the probe

Hosts ending in :443 are treated as SSL. There is also a
--probe.insecure flag, for using it in development environments where
SSL cannot be verified.

docker/entrypoint.sh

@@ -91,7 +91,7 @@ while true; do
                 shift
             fi
             PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE"
-            echo "scope.weave.works:80" >/etc/weave/apps
+            echo "scope.weave.works:443" >/etc/weave/apps
             touch /etc/service/app/down
             ;;
         --no-app)

probe/main.go

@@ -45,6 +45,7 @@ func main() {
 		procRoot           = flag.String("proc.root", "/proc", "location of the proc filesystem")
 		printVersion       = flag.Bool("version", false, "print version number and exit")
 		useConntrack       = flag.Bool("conntrack", true, "also use conntrack to track connections")
+		insecure           = flag.Bool("insecure", false, "(SSL) explicitly allow \"insecure\" SSL connections and transfers")
 		logPrefix          = flag.String("log.prefix", "<probe>", "prefix for each log line")
 	)
 	flag.Parse()
@@ -90,7 +91,7 @@ func main() {
 	log.Printf("publishing to: %s", strings.Join(targets, ", "))
 
 	factory := func(endpoint string) (string, xfer.Publisher, error) {
-		id, publisher, err := xfer.NewHTTPPublisher(endpoint, *token, probeID)
+		id, publisher, err := xfer.NewHTTPPublisher(endpoint, *token, probeID, *insecure)
 		if err != nil {
 			return "", nil, err
 		}

xfer/http_publisher.go

@@ -1,9 +1,11 @@
 package xfer
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"time"
 
@@ -15,24 +17,39 @@ type HTTPPublisher struct {
 	url     string
 	token   string
 	probeID string
+	client  *http.Client
 }
 
-var fastClient = http.Client{
+var fastClient = &http.Client{
 	Timeout: 5 * time.Second,
 }
 
 // NewHTTPPublisher returns an HTTPPublisher ready for use.
-func NewHTTPPublisher(target, token, probeID string) (string, *HTTPPublisher, error) {
-	p := &HTTPPublisher{
-		url:     sanitize.URL("http://", 0, "/api/report")(target),
-		token:   token,
-		probeID: probeID,
-	}
-	req, err := p.authorizedRequest("GET", sanitize.URL("http://", 0, "/api")(target), nil)
+func NewHTTPPublisher(target, token, probeID string, insecure bool) (string, *HTTPPublisher, error) {
+	_, port, err := net.SplitHostPort(target)
 	if err != nil {
 		return "", nil, err
 	}
-	resp, err := fastClient.Do(req)
+	scheme := "http"
+	if port == "443" {
+		scheme = "https"
+	}
+	p := &HTTPPublisher{
+		url:     sanitize.URL(scheme+"://", 0, "/api/report")(target),
+		token:   token,
+		probeID: probeID,
+		client:  http.DefaultClient,
+	}
+	client := fastClient
+	if insecure {
+		allowInsecure(fastClient)
+		allowInsecure(p.client)
+	}
+	req, err := p.authorizedRequest("GET", sanitize.URL(scheme+"://", 0, "/api")(target), nil)
+	if err != nil {
+		return "", nil, err
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", nil, err
 	}
@@ -68,7 +85,7 @@ func (p HTTPPublisher) Publish(r io.Reader) error {
 	req.Header.Set("Content-Encoding", "gzip")
 	// req.Header.Set("Content-Type", "application/binary") // TODO: we should use http.DetectContentType(..) on the gob'ed
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := p.client.Do(req)
 	if err != nil {
 		return err
 	}
@@ -89,6 +106,12 @@ func AuthorizationHeader(token string) string {
 	return fmt.Sprintf("Scope-Probe token=%s", token)
 }
 
+func allowInsecure(c *http.Client) {
+	c.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+}
+
 // ScopeProbeIDHeader is the header we use to carry the probe's unique ID. The
 // ID is currently set to the probe's hostname. It's designed to deduplicate
 // reports from the same probe to the same receiver, in case the probe is