From 2b4f91bc069bdce1dedd1eaf0efb589b8ac198a6 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Wed, 10 Jul 2024 15:49:23 -0400 Subject: [PATCH 01/10] allow setting pre-generated ssl cert for signal --- signal/cmd/run.go | 45 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index 4b0dc583e9f..5d2cc380727 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -2,6 +2,7 @@ package cmd import ( "context" + "crypto/tls" "errors" "flag" "fmt" @@ -41,6 +42,8 @@ var ( signalLetsencryptDomain string signalSSLDir string defaultSignalSSLDir string + signalCertFile string + signalCertKey string tlsEnabled bool signalKaep = grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ @@ -59,9 +62,13 @@ var ( Use: "run", Short: "start NetBird Signal Server daemon", PreRun: func(cmd *cobra.Command, args []string) { + flag.Parse() + // detect whether user specified a port userPort := cmd.Flag("port").Changed - if signalLetsencryptDomain != "" { + + tlsEnabled := false + if signalLetsencryptDomain != "" || (signalCertFile != "" && signalCertKey != "") { tlsEnabled = true } @@ -93,14 +100,25 @@ var ( var opts []grpc.ServerOption var certManager *autocert.Manager - if tlsEnabled { - // Let's encrypt enabled -> generate certificate automatically + var tlsConfig *tls.Config + tlsEnabled := false + if signalLetsencryptDomain != "" { certManager, err = encryption.CreateCertManager(signalSSLDir, signalLetsencryptDomain) if err != nil { return err } transportCredentials := credentials.NewTLS(certManager.TLSConfig()) opts = append(opts, grpc.Creds(transportCredentials)) + tlsEnabled = true + } else if signalCertFile != "" && signalCertKey != "" { + tlsConfig, err = loadTLSConfig(signalCertFile, signalCertKey) + if err != nil { + log.WithContext(ctx).Errorf("cannot load TLS credentials: %v", err) + return err + } + transportCredentials := credentials.NewTLS(tlsConfig) + opts = append(opts, grpc.Creds(transportCredentials)) + tlsEnabled = true } metricsServer := metrics.NewServer(metricsPort, "") @@ -232,6 +250,25 @@ func serveGRPC(grpcServer *grpc.Server, port int) (net.Listener, error) { return listener, nil } +func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) { + // Load server's certificate and private key + serverCert, err := tls.LoadX509KeyPair(certFile, certKey) + if err != nil { + return nil, err + } + + // NewDefaultAppMetrics the credentials and return it + config := &tls.Config{ + Certificates: []tls.Certificate{serverCert}, + ClientAuth: tls.NoClientCert, + NextProtos: []string{ + "h2", "http/1.1", // enable HTTP/2 + }, + } + + return config, nil +} + func cpFile(src, dst string) error { var err error var srcfd *os.File @@ -323,4 +360,6 @@ func init() { runCmd.PersistentFlags().IntVar(&signalPort, "port", 80, "Server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise") runCmd.Flags().StringVar(&signalSSLDir, "ssl-dir", defaultSignalSSLDir, "server ssl directory location. *Required only for Let's Encrypt certificates.") runCmd.Flags().StringVar(&signalLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS") + runCmd.Flags().StringVar(&signalCertFile, "cert-file", "", "Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect") + runCmd.Flags().StringVar(&signalCertKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect") } From c5cb6bf9a39893a897d814d021d36c61a78685a8 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Wed, 10 Jul 2024 16:54:04 -0400 Subject: [PATCH 02/10] work on grpc listeners --- signal/cmd/run.go | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index 5d2cc380727..51d614c04f0 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -113,7 +113,7 @@ var ( } else if signalCertFile != "" && signalCertKey != "" { tlsConfig, err = loadTLSConfig(signalCertFile, signalCertKey) if err != nil { - log.WithContext(ctx).Errorf("cannot load TLS credentials: %v", err) + log.Errorf("cannot load TLS credentials: %v", err) return err } transportCredentials := credentials.NewTLS(tlsConfig) @@ -153,21 +153,29 @@ var ( log.Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String()) } + grpcRootHandler := grpcHandlerFunc(grpcServer) var grpcListener net.Listener var httpListener net.Listener - if tlsEnabled { - httpListener = certManager.Listener() + + if certManager != nil { + // a call to certManager.Listener() always creates a new listener so we do it once + httpListener := certManager.Listener() if signalPort == 443 { // running gRPC and HTTP cert manager on the same port - serveHTTP(httpListener, certManager.HTTPHandler(grpcHandlerFunc(grpcServer))) + serveHTTP(httpListener, certManager.HTTPHandler(grpcRootHandler) log.Infof("running HTTP server (LetsEncrypt challenge handler) and gRPC server on the same port: %s", httpListener.Addr().String()) } else { serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) } - } - - if signalPort != 443 || !tlsEnabled { + } else if tlsConfig != nil { + httpListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) + if err != nil { + return fmt.Errorf("failed creating TLS listener on port %d: %v", signalPort, err) + } + serveHTTP(httpListener, grpcRootHandler) + log.Infof("running TLS gRPC server: %s", httpListener.Addr().String()) + } else { grpcListener, err = serveGRPC(grpcServer, signalPort) if err != nil { return err From a829febe5790efe70f4b8df9a35f9fd0b1eba129 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Wed, 10 Jul 2024 16:58:17 -0400 Subject: [PATCH 03/10] remove unused tlsEnabled --- signal/cmd/run.go | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index 51d614c04f0..4d08e76bc72 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -44,7 +44,6 @@ var ( defaultSignalSSLDir string signalCertFile string signalCertKey string - tlsEnabled bool signalKaep = grpc.KeepaliveEnforcementPolicy(keepalive.EnforcementPolicy{ MinTime: 5 * time.Second, @@ -101,7 +100,6 @@ var ( var opts []grpc.ServerOption var certManager *autocert.Manager var tlsConfig *tls.Config - tlsEnabled := false if signalLetsencryptDomain != "" { certManager, err = encryption.CreateCertManager(signalSSLDir, signalLetsencryptDomain) if err != nil { @@ -109,7 +107,6 @@ var ( } transportCredentials := credentials.NewTLS(certManager.TLSConfig()) opts = append(opts, grpc.Creds(transportCredentials)) - tlsEnabled = true } else if signalCertFile != "" && signalCertKey != "" { tlsConfig, err = loadTLSConfig(signalCertFile, signalCertKey) if err != nil { @@ -118,7 +115,6 @@ var ( } transportCredentials := credentials.NewTLS(tlsConfig) opts = append(opts, grpc.Creds(transportCredentials)) - tlsEnabled = true } metricsServer := metrics.NewServer(metricsPort, "") @@ -162,7 +158,7 @@ var ( httpListener := certManager.Listener() if signalPort == 443 { // running gRPC and HTTP cert manager on the same port - serveHTTP(httpListener, certManager.HTTPHandler(grpcRootHandler) + serveHTTP(httpListener, certManager.HTTPHandler(grpcRootHandler)) log.Infof("running HTTP server (LetsEncrypt challenge handler) and gRPC server on the same port: %s", httpListener.Addr().String()) } else { serveHTTP(httpListener, certManager.HTTPHandler(nil)) From 430ecc19bceb8115cd981f64f99d1aa10887df0d Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 05:32:42 -0400 Subject: [PATCH 04/10] actually configure gRPC listeners --- signal/cmd/run.go | 66 +++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index 4d08e76bc72..be1d76d378b 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -138,18 +138,8 @@ var ( } proto.RegisterSignalExchangeServer(grpcServer, srv) - var compatListener net.Listener - if signalPort != 10000 { - // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal - // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. - compatListener, err = serveGRPC(grpcServer, 10000) - if err != nil { - return err - } - log.Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String()) - } - grpcRootHandler := grpcHandlerFunc(grpcServer) + var compatListener net.Listener var grpcListener net.Listener var httpListener net.Listener @@ -163,22 +153,53 @@ var ( } else { serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) + grpcListener = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) + if err != nil { + return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) + } + if signalPort != 10000 { + compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) + if err != nil { + return err + } + } } } else if tlsConfig != nil { - httpListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) + grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) if err != nil { - return fmt.Errorf("failed creating TLS listener on port %d: %v", signalPort, err) + return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) + } + if signalPort != 10000 { + compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) + if err != nil { + return err + } } - serveHTTP(httpListener, grpcRootHandler) - log.Infof("running TLS gRPC server: %s", httpListener.Addr().String()) } else { - grpcListener, err = serveGRPC(grpcServer, signalPort) + grpcListener, err := net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) if err != nil { - return err + return fmt.Errorf("failed creating gRPC listener on port %d: %v", signalPort, err) + } + if signalPort != 10000 { + compatListener, err = net.Listen("tcp", fmt.Sprintf(":%d", 10000)) + if err != nil { + return err + } } + } + + if certManager == nil || signalPort != 443 { + serveGRPC(grpcListener, grpcServer) log.Infof("running gRPC server: %s", grpcListener.Addr().String()) } + if signalPort != 10000 { + // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal + // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. + serveGRPC(compatListener, grpcServer) + log.Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String()) + } + log.Infof("signal server version %s", version.NetbirdVersion()) log.Infof("started Signal Service") @@ -240,18 +261,13 @@ func serveHTTP(httpListener net.Listener, handler http.Handler) { }() } -func serveGRPC(grpcServer *grpc.Server, port int) (net.Listener, error) { - listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) - if err != nil { - return nil, err - } +func serveGRPC(grpcListener net.Listener, grpcServer *grpc.Server) { go func() { - err := grpcServer.Serve(listener) + err := grpcServer.Serve(grpcListener) if err != nil { - notifyStop(fmt.Sprintf("failed running gRPC server on port %d: %v", port, err)) + notifyStop(fmt.Sprintf("failed running gRPC server %v", err)) } }() - return listener, nil } func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) { From 20a48798a999be1558ceb3f50270a4808f45b14e Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 05:35:13 -0400 Subject: [PATCH 05/10] fix syntax errors --- signal/cmd/run.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index be1d76d378b..d343ab264dd 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -2,7 +2,7 @@ package cmd import ( "context" - "crypto/tls" + "crypto/tls" "errors" "flag" "fmt" @@ -153,7 +153,7 @@ var ( } else { serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) - grpcListener = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) + grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) if err != nil { return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) } @@ -176,7 +176,7 @@ var ( } } } else { - grpcListener, err := net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) + grpcListener, err = net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) if err != nil { return fmt.Errorf("failed creating gRPC listener on port %d: %v", signalPort, err) } From 68bf5f2e186ed72fe83ed11504d5968d72a0cbf4 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 06:24:15 -0400 Subject: [PATCH 06/10] add comments --- signal/cmd/run.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index d343ab264dd..d7b190ab907 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -151,12 +151,15 @@ var ( serveHTTP(httpListener, certManager.HTTPHandler(grpcRootHandler)) log.Infof("running HTTP server (LetsEncrypt challenge handler) and gRPC server on the same port: %s", httpListener.Addr().String()) } else { + // Start the HTTP cert manager server separately serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) if err != nil { return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) } + // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal + // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. if signalPort != 10000 { compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) if err != nil { @@ -188,6 +191,7 @@ var ( } } + // If certManager is configured and signalPort == 443, then the gRPC server has already been started if certManager == nil || signalPort != 443 { serveGRPC(grpcListener, grpcServer) log.Infof("running gRPC server: %s", grpcListener.Addr().String()) From c931685d5cf0213b2d6d4a894dbf281e8c459777 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 07:44:54 -0400 Subject: [PATCH 07/10] testing a simpler approach * initializing the gRPC server is done with the TLS credentials, so maybe it doesn't have to be done for the listener --- signal/cmd/run.go | 99 ++++++++++++++++++++++++++++------------------- 1 file changed, 60 insertions(+), 39 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index d7b190ab907..a6d7cbf2f23 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -107,6 +107,7 @@ var ( } transportCredentials := credentials.NewTLS(certManager.TLSConfig()) opts = append(opts, grpc.Creds(transportCredentials)) + log.Infof("setting up TLS with LetsEncrypt.") } else if signalCertFile != "" && signalCertKey != "" { tlsConfig, err = loadTLSConfig(signalCertFile, signalCertKey) if err != nil { @@ -115,6 +116,7 @@ var ( } transportCredentials := credentials.NewTLS(tlsConfig) opts = append(opts, grpc.Creds(transportCredentials)) + log.Infof("setting up TLS with custom certificates.") } metricsServer := metrics.NewServer(metricsPort, "") @@ -154,53 +156,59 @@ var ( // Start the HTTP cert manager server separately serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) - grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) - if err != nil { - return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) - } - // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal - // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. - if signalPort != 10000 { - compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) - if err != nil { - return err - } - } - } - } else if tlsConfig != nil { - grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) - if err != nil { - return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) - } - if signalPort != 10000 { - compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) - if err != nil { - return err - } - } - } else { - grpcListener, err = net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) - if err != nil { - return fmt.Errorf("failed creating gRPC listener on port %d: %v", signalPort, err) - } - if signalPort != 10000 { - compatListener, err = net.Listen("tcp", fmt.Sprintf(":%d", 10000)) - if err != nil { - return err - } + // grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) + // if err != nil { + // return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) + // } + // // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal + // // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. + // if signalPort != 10000 { + // compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) + // if err != nil { + // return err + // } + // } } + // } else if tlsConfig != nil { + // grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) + // if err != nil { + // return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) + // } + // if signalPort != 10000 { + // compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) + // if err != nil { + // return err + // } + // } + // } else { + // grpcListener, err = net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) + // if err != nil { + // return fmt.Errorf("failed creating gRPC listener on port %d: %v", signalPort, err) + // } + // if signalPort != 10000 { + // compatListener, err = net.Listen("tcp", fmt.Sprintf(":%d", 10000)) + // if err != nil { + // return err + // } + // } } // If certManager is configured and signalPort == 443, then the gRPC server has already been started if certManager == nil || signalPort != 443 { - serveGRPC(grpcListener, grpcServer) + grpcListener, err = serveGRPC(grpcServer, signalPort) + if err != nil { + return err + } log.Infof("running gRPC server: %s", grpcListener.Addr().String()) } if signalPort != 10000 { // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. - serveGRPC(compatListener, grpcServer) + compatListener, err = serveGRPC(grpcServer, 10000) + if err != nil { + return err + } log.Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String()) } @@ -265,13 +273,26 @@ func serveHTTP(httpListener net.Listener, handler http.Handler) { }() } -func serveGRPC(grpcListener net.Listener, grpcServer *grpc.Server) { +// func serveGRPC(grpcListener net.Listener, grpcServer *grpc.Server) { +// go func() { +// err := grpcServer.Serve(grpcListener) +// if err != nil { +// notifyStop(fmt.Sprintf("failed running gRPC server %v", err)) +// } +// }() +// } +func serveGRPC(grpcServer *grpc.Server, port int) (net.Listener, error) { + listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) + if err != nil { + return nil, err + } go func() { - err := grpcServer.Serve(grpcListener) + err := grpcServer.Serve(listener) if err != nil { - notifyStop(fmt.Sprintf("failed running gRPC server %v", err)) + notifyStop(fmt.Sprintf("failed running gRPC server on port %d: %v", port, err)) } }() + return listener, nil } func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) { From 48949495719b4c474086961c6dc756e8a78a3c50 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 07:49:56 -0400 Subject: [PATCH 08/10] remove commented code * it was much simpler --- signal/cmd/run.go | 42 ------------------------------------------ 1 file changed, 42 deletions(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index a6d7cbf2f23..38886ff8331 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -156,41 +156,7 @@ var ( // Start the HTTP cert manager server separately serveHTTP(httpListener, certManager.HTTPHandler(nil)) log.Infof("running HTTP server (LetsEncrypt challenge handler): %s", httpListener.Addr().String()) - // grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), certManager.TLSConfig()) - // if err != nil { - // return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) - // } - // // The Signal gRPC server was running on port 10000 previously. Old agents that are already connected to Signal - // // are using port 10000. For compatibility purposes we keep running a 2nd gRPC server on port 10000. - // if signalPort != 10000 { - // compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) - // if err != nil { - // return err - // } - // } } - // } else if tlsConfig != nil { - // grpcListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", signalPort), tlsConfig) - // if err != nil { - // return fmt.Errorf("failed creating TLS gRPC listener on port %d: %v", signalPort, err) - // } - // if signalPort != 10000 { - // compatListener, err = tls.Listen("tcp", fmt.Sprintf(":%d", 10000), tlsConfig) - // if err != nil { - // return err - // } - // } - // } else { - // grpcListener, err = net.Listen("tcp", fmt.Sprintf(":%d", signalPort)) - // if err != nil { - // return fmt.Errorf("failed creating gRPC listener on port %d: %v", signalPort, err) - // } - // if signalPort != 10000 { - // compatListener, err = net.Listen("tcp", fmt.Sprintf(":%d", 10000)) - // if err != nil { - // return err - // } - // } } // If certManager is configured and signalPort == 443, then the gRPC server has already been started @@ -273,14 +239,6 @@ func serveHTTP(httpListener net.Listener, handler http.Handler) { }() } -// func serveGRPC(grpcListener net.Listener, grpcServer *grpc.Server) { -// go func() { -// err := grpcServer.Serve(grpcListener) -// if err != nil { -// notifyStop(fmt.Sprintf("failed running gRPC server %v", err)) -// } -// }() -// } func serveGRPC(grpcServer *grpc.Server, port int) (net.Listener, error) { listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port)) if err != nil { From 02ab7a45d38282c21cea6cad7806bbc6a936e1b0 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 07:53:24 -0400 Subject: [PATCH 09/10] formatting --- signal/cmd/run.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/signal/cmd/run.go b/signal/cmd/run.go index 38886ff8331..8f75c1e04ab 100644 --- a/signal/cmd/run.go +++ b/signal/cmd/run.go @@ -140,7 +140,7 @@ var ( } proto.RegisterSignalExchangeServer(grpcServer, srv) - grpcRootHandler := grpcHandlerFunc(grpcServer) + grpcRootHandler := grpcHandlerFunc(grpcServer) var compatListener net.Listener var grpcListener net.Listener var httpListener net.Listener From 93499daaa8314781ba98a9ef7e95012de23eb490 Mon Sep 17 00:00:00 2001 From: benniekiss <63211101+benniekiss@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:08:53 -0400 Subject: [PATCH 10/10] update readme --- signal/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/signal/README.md b/signal/README.md index dd2d761ad90..c930c8af584 100644 --- a/signal/README.md +++ b/signal/README.md @@ -18,6 +18,8 @@ Flags: --letsencrypt-domain string a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS --port int Server port to listen on (e.g. 10000) (default 10000) --ssl-dir string server ssl directory location. *Required only for Let's Encrypt certificates. (default "/var/lib/netbird/") + --cert-file string Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect + --cert-key string Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect Global Flags: --log-file string sets Netbird log path. If console is specified the the log will be output to stdout (default "/var/log/netbird/signal.log")