feat: swap over to websockets if initial derp exchange fails (#8)

kylecarbs · web-flow · commit fb16ae7c5bba · 2023-03-01T14:34:26.000-06:00
* feat: swap over to websockets if initial derp exchange fails

* Allow insecure WebSocket connections if the DERP map provides

* Allow a nil node for the TLS config

* Add WebSockets support to Mac and Windows

* Use the first node

* Swap to use a callback

* Use a pointer to swap the callback

* Only use TLS Config if a node exists

* Move HTTPClient outside of JS compilation
diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
@@ -25,6 +25,7 @@ import (
 	"runtime"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
@@ -52,6 +53,9 @@ type Client struct {
 	MeshKey   string             // optional; for trusted clients
 	IsProber  bool               // optional; for probers to optional declare themselves as such
 
+	forcedWebsocket         atomic.Bool // optional; set if the server has failed to upgrade the connection on the DERP server
+	forcedWebsocketCallback atomic.Pointer[func(int, string)]
+
 	privateKey key.NodePrivate
 	logf       logger.Logf
 	dialer     func(ctx context.Context, network, addr string) (net.Conn, error)
@@ -191,13 +195,27 @@ func (c *Client) tlsServerName(node *tailcfg.DERPNode) string {
 	if c.url != nil {
 		return c.url.Host
 	}
+	if node == nil {
+		return ""
+	}
 	return node.HostName
 }
 
 func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	if c.url != nil {
 		return c.url.String()
 	}
+	if node.HostName == "" {
+		url := &url.URL{
+			Scheme: "https",
+			Host:   fmt.Sprintf("%s:%d", node.IPv4, node.DERPPort),
+			Path:   "/derp",
+		}
+		if node.ForceHTTP {
+			url.Scheme = "http"
+		}
+		return url.String()
+	}
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }
 
@@ -228,12 +246,15 @@ func (c *Client) preferIPv6() bool {
 }
 
 // dialWebsocketFunc is non-nil (set by websocket.go's init) when compiled in.
-var dialWebsocketFunc func(ctx context.Context, urlStr string) (net.Conn, error)
+var dialWebsocketFunc func(ctx context.Context, urlStr string, tlsConfig *tls.Config) (net.Conn, error)
 
-func useWebsockets() bool {
+func (c *Client) useWebsockets() bool {
 	if runtime.GOOS == "js" {
 		return true
 	}
+	if c.forcedWebsocket.Load() {
+		return true
+	}
 	if dialWebsocketFunc != nil {
 		return envknob.Bool("TS_DEBUG_DERP_WS_CLIENT")
 	}
@@ -293,15 +314,18 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 
 	var node *tailcfg.DERPNode // nil when using c.url to dial
 	switch {
-	case useWebsockets():
+	case c.useWebsockets():
 		var urlStr string
+		var tlsConfig *tls.Config
 		if c.url != nil {
 			urlStr = c.url.String()
+			tlsConfig = c.tlsConfig(nil)
 		} else {
 			urlStr = c.urlString(reg.Nodes[0])
+			tlsConfig = c.tlsConfig(reg.Nodes[0])
 		}
 		c.logf("%s: connecting websocket to %v", caller, urlStr)
-		conn, err := dialWebsocketFunc(ctx, urlStr)
+		conn, err := dialWebsocketFunc(ctx, urlStr, tlsConfig)
 		if err != nil {
 			c.logf("%s: websocket to %v error: %v", caller, urlStr, err)
 			return nil, 0, err
@@ -435,6 +459,19 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		if resp.StatusCode != http.StatusSwitchingProtocols {
 			b, _ := io.ReadAll(resp.Body)
 			resp.Body.Close()
+
+			// Only on StatusCode < 500 in case a gateway timeout
+			// or network intermittency occurs!
+			if resp.StatusCode < 500 {
+				reason := fmt.Sprintf("GET failed with status code %d: %s", resp.StatusCode, b)
+				c.logf("We'll use WebSockets on the next connection attempt. A proxy could be disallowing the use of 'Upgrade: derp': %s", reason)
+				c.forcedWebsocket.Store(true)
+				forcedWebsocketCallback := c.forcedWebsocketCallback.Load()
+				if forcedWebsocketCallback != nil {
+					go (*forcedWebsocketCallback)(reg.RegionID, reason)
+				}
+			}
+
 			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
 		}
 	}
@@ -472,6 +509,12 @@ func (c *Client) SetURLDialer(dialer func(ctx context.Context, network, addr str
 	c.dialer = dialer
 }
 
+// SetForcedWebsocketCallback is a callback that is called when the client
+// decides to force WebSockets on the next connection attempt.
+func (c *Client) SetForcedWebsocketCallback(callback func(region int, reason string)) {
+	c.forcedWebsocketCallback.Store(&callback)
+}
+
 func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
 	host := c.url.Hostname()
 	if c.dialer != nil {
@@ -525,7 +568,7 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
 	return nil, nil, firstErr
 }
 
-func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
+func (c *Client) tlsConfig(node *tailcfg.DERPNode) *tls.Config {
 	tlsConf := tlsdial.Config(c.tlsServerName(node), c.TLSConfig)
 	if node != nil {
 		if node.InsecureForTests {
@@ -536,7 +579,11 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
-	return tls.Client(nc, tlsConf)
+	return tlsConf
+}
+
+func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
+	return tls.Client(nc, c.tlsConfig(node))
 }
 
 // DialRegionTLS returns a TLS connection to a DERP node in the given region.
diff --git a/derp/derphttp/websocket.go b/derp/derphttp/websocket.go
@@ -1,14 +1,13 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux || js
+//go:build !js
 
 package derphttp
 
 import (
 	"context"
+	"crypto/tls"
 	"log"
 	"net"
+	"net/http"
 
 	"nhooyr.io/websocket"
 	"tailscale.com/net/wsconn"
@@ -18,9 +17,14 @@ func init() {
 	dialWebsocketFunc = dialWebsocket
 }
 
-func dialWebsocket(ctx context.Context, urlStr string) (net.Conn, error) {
+func dialWebsocket(ctx context.Context, urlStr string, tlsConfig *tls.Config) (net.Conn, error) {
 	c, res, err := websocket.Dial(ctx, urlStr, &websocket.DialOptions{
 		Subprotocols: []string{"derp"},
+		HTTPClient: &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsConfig,
+			},
+		},
 	})
 	if err != nil {
 		log.Printf("websocket Dial: %v, %+v", err, res)
diff --git a/derp/derphttp/websocket_js.go b/derp/derphttp/websocket_js.go
@@ -0,0 +1,33 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build js
+
+package derphttp
+
+import (
+	"context"
+	"crypto/tls"
+	"log"
+	"net"
+
+	"nhooyr.io/websocket"
+	"tailscale.com/net/wsconn"
+)
+
+func init() {
+	dialWebsocketFunc = dialWebsocket
+}
+
+func dialWebsocket(ctx context.Context, urlStr string, _ *tls.Config) (net.Conn, error) {
+	c, res, err := websocket.Dial(ctx, urlStr, &websocket.DialOptions{
+		Subprotocols: []string{"derp"},
+	})
+	if err != nil {
+		log.Printf("websocket Dial: %v, %+v", err, res)
+		return nil, err
+	}
+	log.Printf("websocket: connected to %v", urlStr)
+	netConn := wsconn.NetConn(context.Background(), c, websocket.MessageBinary)
+	return netConn, nil
+}
diff --git a/wgengine/magicsock/magicsock.go b/wgengine/magicsock/magicsock.go
@@ -448,6 +448,10 @@ type Conn struct {
 	// peerLastDerp tracks which DERP node we last used to speak with a
 	// peer. It's only used to quiet logging, so we only log on change.
 	peerLastDerp map[key.NodePublic]int
+
+	// derpForcedWebsocketFunc is a callback that is called when a DERP
+	// connection is forced to use WebSockets.
+	derpForcedWebsocketFunc func(region int, reason string)
 }
 
 // SetDebugLoggingEnabled controls whether spammy debug logging is enabled.
@@ -842,6 +846,7 @@ func (c *Conn) updateNetInfo(ctx context.Context) (*netcheck.Report, error) {
 	for rid, d := range report.RegionV6Latency {
 		ni.DERPLatency[fmt.Sprintf("%d-v6", rid)] = d.Seconds()
 	}
+
 	ni.WorkingIPv6.Set(report.IPv6)
 	ni.OSHasIPv6.Set(report.OSHasIPv6)
 	ni.WorkingUDP.Set(report.UDP)
@@ -952,6 +957,20 @@ func (c *Conn) SetNetInfoCallback(fn func(*tailcfg.NetInfo)) {
 	}
 }
 
+// SetDERPForcedWebsocketCallback is called when a DERP connection
+// switches to using WebSockets.
+func (c *Conn) SetDERPForcedWebsocketCallback(fn func(region int, reason string)) {
+	if fn == nil {
+		panic("nil DERPClientForcedWebsocketCallback")
+	}
+	c.mu.Lock()
+	c.derpForcedWebsocketFunc = fn
+	for _, a := range c.activeDerp {
+		a.c.SetForcedWebsocketCallback(fn)
+	}
+	c.mu.Unlock()
+}
+
 // LastRecvActivityOfNodeKey describes the time we last got traffic from
 // this endpoint (updated every ~10 seconds).
 func (c *Conn) LastRecvActivityOfNodeKey(nk key.NodePublic) string {
@@ -1486,6 +1505,7 @@ func (c *Conn) derpWriteChanOfAddr(addr netip.AddrPort, peer key.NodePublic) cha
 	dc.SetCanAckPings(true)
 	dc.NotePreferred(c.myDerp == regionID)
 	dc.SetAddressFamilySelector(derpAddrFamSelector{c})
+	dc.SetForcedWebsocketCallback(c.derpForcedWebsocketFunc)
 	dc.DNSCache = dnscache.Get()
 
 	ctx, cancel := context.WithCancel(c.connCtx)
