X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/967821ec0ac00aef677f943e709ea079ebc30f78..95de13bdab14eb803a4c9e2243df50e1eb0df69a:/lib/controller/handler.go diff --git a/lib/controller/handler.go b/lib/controller/handler.go index ab6c72735e..78ad89e706 100644 --- a/lib/controller/handler.go +++ b/lib/controller/handler.go @@ -5,12 +5,9 @@ package controller import ( - "context" - "io" "net" "net/http" "net/url" - "regexp" "strings" "sync" "time" @@ -24,9 +21,11 @@ type Handler struct { Cluster *arvados.Cluster NodeProfile *arvados.NodeProfile - setupOnce sync.Once - handlerStack http.Handler - proxyClient *arvados.Client + setupOnce sync.Once + handlerStack http.Handler + proxy *proxy + secureClient *http.Client + insecureClient *http.Client } func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { @@ -36,7 +35,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { func (h *Handler) CheckHealth() error { h.setupOnce.Do(h.setup) - _, err := findRailsAPI(h.Cluster, h.NodeProfile) + _, _, err := findRailsAPI(h.Cluster, h.NodeProfile) return err } @@ -51,19 +50,19 @@ func (h *Handler) setup() { hs = prepend(hs, h.proxyRemoteCluster) mux.Handle("/", hs) h.handlerStack = mux -} -// headers that shouldn't be forwarded when proxying. See -// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers -var dropHeaders = map[string]bool{ - "Connection": true, - "Keep-Alive": true, - "Proxy-Authenticate": true, - "Proxy-Authorization": true, - "TE": true, - "Trailer": true, - "Transfer-Encoding": true, - "Upgrade": true, + sc := *arvados.DefaultSecureClient + sc.Timeout = time.Duration(h.Cluster.HTTPRequestTimeout) + h.secureClient = &sc + + ic := *arvados.InsecureHTTPClient + ic.Timeout = time.Duration(h.Cluster.HTTPRequestTimeout) + h.insecureClient = &ic + + h.proxy = &proxy{ + Name: "arvados-controller", + RequestTimeout: time.Duration(h.Cluster.HTTPRequestTimeout), + } } type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler) @@ -74,41 +73,8 @@ func prepend(next http.Handler, middleware middlewareFunc) http.Handler { }) } -var wfRe = regexp.MustCompile(`^/arvados/v1/workflows/([0-9a-z]{5})-[^/]+$`) - -func (h *Handler) proxyRemoteCluster(w http.ResponseWriter, req *http.Request, next http.Handler) { - m := wfRe.FindStringSubmatch(req.URL.Path) - if len(m) < 2 || m[1] == h.Cluster.ClusterID { - next.ServeHTTP(w, req) - return - } - remoteID := m[1] - remote, ok := h.Cluster.RemoteClusters[remoteID] - if !ok { - httpserver.Error(w, "no proxy available for cluster "+remoteID, http.StatusNotFound) - return - } - scheme := remote.Scheme - if scheme == "" { - scheme = "https" - } - urlOut := &url.URL{ - Scheme: scheme, - Host: remote.Host, - Path: req.URL.Path, - RawPath: req.URL.RawPath, - RawQuery: req.URL.RawQuery, - } - err := h.saltAuthToken(req, remoteID) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusBadRequest) - return - } - h.proxy(w, req, urlOut) -} - func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) { - urlOut, err := findRailsAPI(h.Cluster, h.NodeProfile) + urlOut, insecure, err := findRailsAPI(h.Cluster, h.NodeProfile) if err != nil { httpserver.Error(w, err.Error(), http.StatusInternalServerError) return @@ -120,58 +86,16 @@ func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next h RawPath: req.URL.RawPath, RawQuery: req.URL.RawQuery, } - h.proxy(w, req, urlOut) -} - -func (h *Handler) proxy(w http.ResponseWriter, reqIn *http.Request, urlOut *url.URL) { - // Copy headers from incoming request, then add/replace proxy - // headers like Via and X-Forwarded-For. - hdrOut := http.Header{} - for k, v := range reqIn.Header { - if !dropHeaders[k] { - hdrOut[k] = v - } - } - xff := reqIn.RemoteAddr - if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" { - xff = xffIn + "," + xff - } - hdrOut.Set("X-Forwarded-For", xff) - hdrOut.Add("Via", reqIn.Proto+" arvados-controller") - - ctx := reqIn.Context() - if timeout := h.Cluster.HTTPRequestTimeout; timeout > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithDeadline(ctx, time.Now().Add(time.Duration(timeout))) - defer cancel() - } - - reqOut := (&http.Request{ - Method: reqIn.Method, - URL: urlOut, - Header: hdrOut, - Body: reqIn.Body, - }).WithContext(ctx) - resp, err := arvados.InsecureHTTPClient.Do(reqOut) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusInternalServerError) - return - } - for k, v := range resp.Header { - for _, v := range v { - w.Header().Add(k, v) - } - } - w.WriteHeader(resp.StatusCode) - n, err := io.Copy(w, resp.Body) - if err != nil { - httpserver.Logger(reqIn).WithError(err).WithField("bytesCopied", n).Error("error copying response body") + client := h.secureClient + if insecure { + client = h.insecureClient } + h.proxy.Do(w, req, urlOut, client) } // For now, findRailsAPI always uses the rails API running on this // node. -func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, error) { +func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, bool, error) { hostport := np.RailsAPI.Listen if len(hostport) > 1 && hostport[0] == ':' && strings.TrimRight(hostport[1:], "0123456789") == "" { // ":12345" => connect to indicated port on localhost @@ -179,11 +103,12 @@ func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, } else if _, _, err := net.SplitHostPort(hostport); err == nil { // "[::1]:12345" => connect to indicated address & port } else { - return nil, err + return nil, false, err } proto := "http" if np.RailsAPI.TLS { proto = "https" } - return url.Parse(proto + "://" + hostport) + url, err := url.Parse(proto + "://" + hostport) + return url, np.RailsAPI.Insecure, err }