diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 0181edb57..d3b6948e0 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -91,7 +91,7 @@ while true; do
             shift
         fi
         PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE"
-        echo "scope.weave.works:80" >/etc/weave/apps
+        echo "scope.weave.works:443" >/etc/weave/apps
         touch /etc/service/app/down
         ;;
     --no-app)
diff --git a/probe/main.go b/probe/main.go
index cf7778551..fbf027e3c 100644
--- a/probe/main.go
+++ b/probe/main.go
@@ -45,6 +45,7 @@ func main() {
 		procRoot = flag.String("proc.root", "/proc", "location of the proc filesystem")
 		printVersion = flag.Bool("version", false, "print version number and exit")
 		useConntrack = flag.Bool("conntrack", true, "also use conntrack to track connections")
+		insecure = flag.Bool("insecure", false, "(SSL) explicitly allow \"insecure\" SSL connections and transfers")
 		logPrefix = flag.String("log.prefix", "", "prefix for each log line")
 	)
 	flag.Parse()
@@ -90,7 +91,7 @@ func main() {
 	log.Printf("publishing to: %s", strings.Join(targets, ", "))
 	factory := func(endpoint string) (string, xfer.Publisher, error) {
-		id, publisher, err := xfer.NewHTTPPublisher(endpoint, *token, probeID)
+		id, publisher, err := xfer.NewHTTPPublisher(endpoint, *token, probeID, *insecure)
 		if err != nil {
 			return "", nil, err
 		}
diff --git a/xfer/http_publisher.go b/xfer/http_publisher.go
index 508e2370e..32c787290 100644
--- a/xfer/http_publisher.go
+++ b/xfer/http_publisher.go
@@ -1,9 +1,11 @@
 package xfer
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"time"
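Review bot: The help text on the added `insecure` flag line says only that it allows "insecure" SSL connections, while the code it drives (allowInsecure in xfer/http_publisher.go) sets `InsecureSkipVerify: true`, i.e. it skips certificate chain and hostname verification for the publish connection; operators reading `-help` should see that stated plainly. Suggest `insecure = flag.Bool("insecure", false, "skip TLS certificate verification when publishing over https (testing only)")`. The enclosing main() continues outside both hunks of this file.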
@@ -15,24 +17,39 @@ type HTTPPublisher struct {
 	url string
 	token string
 	probeID string
+	client *http.Client
 }
 
-var fastClient = http.Client{
+var fastClient = &http.Client{
 	Timeout: 5 * time.Second,
 }
 
 // NewHTTPPublisher returns an HTTPPublisher ready for use.
-func NewHTTPPublisher(target, token, probeID string) (string, *HTTPPublisher, error) {
-	p := &HTTPPublisher{
-		url: sanitize.URL("http://", 0, "/api/report")(target),
-		token: token,
-		probeID: probeID,
-	}
-	req, err := p.authorizedRequest("GET", sanitize.URL("http://", 0, "/api")(target), nil)
+func NewHTTPPublisher(target, token, probeID string, insecure bool) (string, *HTTPPublisher, error) {
+	_, port, err := net.SplitHostPort(target)
 	if err != nil {
 		return "", nil, err
 	}
-	resp, err := fastClient.Do(req)
+	scheme := "http"
+	if port == "443" {
+		scheme = "https"
+	}
+	p := &HTTPPublisher{
+		url: sanitize.URL(scheme+"://", 0, "/api/report")(target),
+		token: token,
+		probeID: probeID,
+		client: http.DefaultClient,
+	}
+	client := fastClient
+	if insecure {
+		allowInsecure(fastClient)
+		allowInsecure(p.client)
+	}
+	req, err := p.authorizedRequest("GET", sanitize.URL(scheme+"://", 0, "/api")(target), nil)
+	if err != nil {
+		return "", nil, err
+	}
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", nil, err
 	}
@@ -68,7 +85,7 @@ func (p HTTPPublisher) Publish(r io.Reader) error {
 	req.Header.Set("Content-Encoding", "gzip")
 	// req.Header.Set("Content-Type", "application/binary")
 	// TODO: we should use http.DetectContentType(..) on the gob'ed
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := p.client.Do(req)
 	if err != nil {
 		return err
 	}
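Review bot: The `if insecure` block calls `allowInsecure(p.client)` and `allowInsecure(fastClient)`, but `p.client` is `http.DefaultClient` and `fastClient` is package-level, so constructing one publisher with `insecure=true` disables certificate verification for every other user of `http.DefaultClient` in the process and for every publisher created afterwards, including ones created with `insecure=false`. The publisher should own its client and the probe client should be a fresh one on the insecure path, leaving the shared clients untouched, as below. Separately, the scheme is chosen solely by the literal port string `"443"`, so a TLS endpoint on any other port is still contacted over plain http; if that is intended it deserves a comment on the `if port == "443"` line. NewHTTPPublisher continues past the end of the hunk.
```go
	p := &HTTPPublisher{
		url:     sanitize.URL(scheme+"://", 0, "/api/report")(target),
		token:   token,
		probeID: probeID,
		client:  &http.Client{}, // per-publisher; never mutate http.DefaultClient
	}
	client := fastClient
	if insecure {
		// Fresh clients so fastClient and http.DefaultClient keep verifying certificates.
		client = &http.Client{Timeout: fastClient.Timeout}
		allowInsecure(client)
		allowInsecure(p.client)
	}
	// … unchanged: authorized GET against /api and response handling …
```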
@@ -89,6 +106,12 @@ func AuthorizationHeader(token string) string {
 	return fmt.Sprintf("Scope-Probe token=%s", token)
 }
 
+func allowInsecure(c *http.Client) {
+	c.Transport = &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+}
+
 // ScopeProbeIDHeader is the header we use to carry the probe's unique ID. The
 // ID is currently set to the probe's hostname. It's designed to deduplicate
 // reports from the same probe to the same receiver, in case the probe is
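Review bot: `allowInsecure` replaces the client's transport with a bare `&http.Transport{}`, which drops everything `http.DefaultTransport` provides (proxy from environment, dial and TLS handshake timeouts) on top of disabling verification, and the function has no doc comment stating that `InsecureSkipVerify: true` turns off both chain validation and hostname checking. Suggest at least carrying the proxy setting over, `c.Transport = &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}`, and a header comment such as `// allowInsecure makes c accept any server certificate (no chain or hostname verification); intended for test setups only.`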