Merge pull request #785 from weaveworks/777-probes-https

Make probes use TLS against scope.weave.works by default

common/sanitize/sanitize.go

@@ -29,7 +29,11 @@ func URL(defaultScheme string, defaultPort int, defaultPath string) func(string)
 		if _, port, err := net.SplitHostPort(u.Host); err != nil && defaultPort > 0 {
 			u.Host += fmt.Sprintf(":%d", defaultPort)
 		} else if port == "443" {
-			u.Scheme = "https"
+			if u.Scheme == "ws" {
+				u.Scheme = "wss"
+			} else {
+				u.Scheme = "https"
+			}
 		}
 		if defaultPath != "" && u.Path != defaultPath {
 			u.Path = defaultPath

docker/entrypoint.sh

@@ -67,6 +67,7 @@ weave_expose() {
 mkdir -p /etc/weave
 APP_ARGS=""
 PROBE_ARGS=""
+TOKEN_PROVIDED=false
 
 if [ "$1" = version ]; then
     /home/weave/scope version
@@ -108,7 +109,7 @@ while true; do
                 shift
             fi
             PROBE_ARGS="$PROBE_ARGS -token=$ARG_VALUE"
-            echo "scope.weave.works:80" >/etc/weave/apps
+            TOKEN_PROVIDED=true
             touch /etc/service/app/down
             ;;
         --no-app)
@@ -157,7 +158,15 @@ echo "$PROBE_ARGS" >/etc/weave/scope-probe.args
 # using Weave DNS. We stick these in /etc/weave/apps
 # for the run-probe script to pick up.
 MANUAL_APPS=$@
+
+# Implicitly target the Scope Service if a service token was provided with
+# no explicit manual app.
+if [ "$MANUAL_APPS" = "" -a "$TOKEN_PROVIDED" = "true" ]; then
+    MANUAL_APPS="scope.weave.works:443"
+fi
+
 echo "$MANUAL_APPS" >>/etc/weave/apps
 
+
 exec /home/weave/runsvinit
 

xfer/app_client.go

@@ -41,10 +41,11 @@ type AppClient interface {
 type appClient struct {
 	ProbeConfig
 
-	quit   chan struct{}
-	mtx    sync.Mutex
-	target string
-	client http.Client
+	quit     chan struct{}
+	mtx      sync.Mutex
+	target   string
+	client   http.Client
+	wsDialer websocket.Dialer
 
 	// Track all the background goroutines, ensure they all stop
 	backgroundWait sync.WaitGroup
@@ -74,6 +75,9 @@ func NewAppClient(pc ProbeConfig, hostname, target string, control ControlHandle
 		client: http.Client{
 			Transport: httpTransport,
 		},
+		wsDialer: websocket.Dialer{
+			TLSClientConfig: httpTransport.TLSClientConfig,
+		},
 		conns:   map[string]*websocket.Conn{},
 		readers: make(chan io.Reader),
 		control: control,
@@ -186,12 +190,10 @@ func (c *appClient) doWithBackoff(msg string, f func() (bool, error)) {
 }
 
 func (c *appClient) controlConnection() (bool, error) {
-	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, "/api/control/ws")(c.target)
-	conn, _, err := dialer.Dial(url, headers)
+	conn, _, err := c.wsDialer.Dial(url, headers)
 	if err != nil {
 		return false, err
 	}
@@ -270,12 +272,10 @@ func (c *appClient) Publish(r io.Reader) error {
 }
 
 func (c *appClient) pipeConnection(id string, pipe Pipe) (bool, error) {
-	dialer := websocket.Dialer{}
 	headers := http.Header{}
 	c.ProbeConfig.authorizeHeaders(headers)
-	// TODO(twilkie) need to update sanitize to work with wss
 	url := sanitize.URL("ws://", 0, fmt.Sprintf("/api/pipe/%s/probe", id))(c.target)
-	conn, resp, err := dialer.Dial(url, headers)
+	conn, resp, err := c.wsDialer.Dial(url, headers)
 	if resp != nil && resp.StatusCode == http.StatusNotFound {
 		// Special handling - 404 means the app/user has closed the pipe
 		pipe.Close()