2022-03-23 18:33:53 +00:00
|
|
|
// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
// proxy-to-grafana is a reverse proxy which identifies users based on their
|
|
|
|
// originating Tailscale identity and maps them to corresponding Grafana
|
|
|
|
// users, creating them if needed.
|
|
|
|
//
|
|
|
|
// It uses Grafana's AuthProxy feature:
|
|
|
|
// https://grafana.com/docs/grafana/latest/auth/auth-proxy/
|
|
|
|
//
|
|
|
|
// Set the TS_AUTHKEY environment variable to have this server automatically
|
|
|
|
// join your tailnet, or look for the logged auth link on first start.
|
|
|
|
//
|
|
|
|
// Use this Grafana configuration to enable the auth proxy:
|
|
|
|
//
|
2022-03-23 19:36:11 +00:00
|
|
|
// [auth.proxy]
|
|
|
|
// enabled = true
|
|
|
|
// header_name = X-WEBAUTH-USER
|
|
|
|
// header_property = username
|
|
|
|
// auto_sign_up = true
|
|
|
|
// whitelist = 127.0.0.1
|
|
|
|
// headers = Name:X-WEBAUTH-NAME
|
|
|
|
// enable_login_token = true
|
2022-03-23 18:33:53 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"crypto/tls"
|
|
|
|
"flag"
|
|
|
|
"fmt"
|
|
|
|
"log"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httputil"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"tailscale.com/client/tailscale"
|
|
|
|
"tailscale.com/tailcfg"
|
|
|
|
"tailscale.com/tsnet"
|
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
hostname = flag.String("hostname", "", "Tailscale hostname to serve on, used as the base name for MagicDNS or subdomain in your domain alias for HTTPS.")
|
|
|
|
backendAddr = flag.String("backend-addr", "", "Address of the Grafana server served over HTTP, in host:port format. Typically localhost:nnnn.")
|
|
|
|
tailscaleDir = flag.String("state-dir", "./", "Alternate directory to use for Tailscale state storage. If empty, a default is used.")
|
|
|
|
useHTTPS = flag.Bool("use-https", false, "Serve over HTTPS via your *.ts.net subdomain if enabled in Tailscale admin.")
|
|
|
|
)
|
|
|
|
|
|
|
|
func main() {
|
|
|
|
flag.Parse()
|
|
|
|
if *hostname == "" || strings.Contains(*hostname, ".") {
|
|
|
|
log.Fatal("missing or invalid --hostname")
|
|
|
|
}
|
|
|
|
if *backendAddr == "" {
|
|
|
|
log.Fatal("missing --backend-addr")
|
|
|
|
}
|
|
|
|
ts := &tsnet.Server{
|
|
|
|
Dir: *tailscaleDir,
|
|
|
|
Hostname: *hostname,
|
|
|
|
}
|
|
|
|
|
2022-04-29 19:20:11 +01:00
|
|
|
// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
|
|
|
|
if err := ts.Start(); err != nil {
|
|
|
|
log.Fatalf("Error starting tsnet.Server: %v", err)
|
|
|
|
}
|
|
|
|
localClient, _ := ts.LocalClient()
|
|
|
|
|
2022-03-23 18:33:53 +00:00
|
|
|
url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
|
|
|
|
if err != nil {
|
|
|
|
log.Fatalf("couldn't parse backend address: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
proxy := httputil.NewSingleHostReverseProxy(url)
|
|
|
|
originalDirector := proxy.Director
|
|
|
|
proxy.Director = func(req *http.Request) {
|
|
|
|
originalDirector(req)
|
2022-04-29 19:20:11 +01:00
|
|
|
modifyRequest(req, localClient)
|
2022-03-23 18:33:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
var ln net.Listener
|
|
|
|
if *useHTTPS {
|
|
|
|
ln, err = ts.Listen("tcp", ":443")
|
|
|
|
ln = tls.NewListener(ln, &tls.Config{
|
2022-07-08 19:33:14 +01:00
|
|
|
GetCertificate: localClient.GetCertificate,
|
2022-03-23 18:33:53 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
// wait for tailscale to start before trying to fetch cert names
|
|
|
|
for i := 0; i < 60; i++ {
|
2022-04-29 19:20:11 +01:00
|
|
|
st, err := localClient.Status(context.Background())
|
2022-03-23 18:33:53 +00:00
|
|
|
if err != nil {
|
2022-04-19 19:08:16 +01:00
|
|
|
log.Printf("error retrieving tailscale status; retrying: %v", err)
|
|
|
|
} else {
|
|
|
|
log.Printf("tailscale status: %v", st.BackendState)
|
|
|
|
if st.BackendState == "Running" {
|
|
|
|
break
|
|
|
|
}
|
2022-03-23 18:33:53 +00:00
|
|
|
}
|
|
|
|
time.Sleep(time.Second)
|
|
|
|
}
|
|
|
|
|
|
|
|
l80, err := ts.Listen("tcp", ":80")
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
2022-04-29 19:20:11 +01:00
|
|
|
name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
|
2022-03-23 18:33:53 +00:00
|
|
|
if !ok {
|
|
|
|
log.Fatalf("can't get hostname for https redirect")
|
|
|
|
}
|
|
|
|
if err := http.Serve(l80, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
http.Redirect(w, r, fmt.Sprintf("https://%s", name), http.StatusMovedPermanently)
|
|
|
|
})); err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
} else {
|
|
|
|
ln, err = ts.Listen("tcp", ":80")
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
log.Fatal(err)
|
|
|
|
}
|
|
|
|
log.Printf("proxy-to-grafana running at %v, proxying to %v", ln.Addr(), *backendAddr)
|
|
|
|
log.Fatal(http.Serve(ln, proxy))
|
|
|
|
}
|
|
|
|
|
2022-04-29 19:20:11 +01:00
|
|
|
func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
|
2022-03-23 18:33:53 +00:00
|
|
|
// with enable_login_token set to true, we get a cookie that handles
|
|
|
|
// auth for paths that are not /login
|
|
|
|
if req.URL.Path != "/login" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-04-29 19:20:11 +01:00
|
|
|
user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
|
2022-03-23 18:33:53 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Printf("error getting Tailscale user: %v", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
req.Header.Set("X-Webauth-User", user.LoginName)
|
|
|
|
req.Header.Set("X-Webauth-Name", user.DisplayName)
|
|
|
|
}
|
|
|
|
|
2022-04-29 19:20:11 +01:00
|
|
|
func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
|
|
|
|
whois, err := localClient.WhoIs(ctx, ipPort)
|
2022-03-23 18:33:53 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("failed to identify remote host: %w", err)
|
|
|
|
}
|
|
|
|
if len(whois.Node.Tags) != 0 {
|
|
|
|
return nil, fmt.Errorf("tagged nodes are not users")
|
|
|
|
}
|
|
|
|
if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
|
|
|
|
return nil, fmt.Errorf("failed to identify remote user")
|
|
|
|
}
|
|
|
|
|
|
|
|
return whois.UserProfile, nil
|
|
|
|
}
|