Serve accepts postgres client connections on ln and proxies them to the configured upstream. ln can be any net.Listener, but all client connections must originate from tailscale IPs that can be verified with WhoIs.
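// connections must originate from tailscale IPs that can be verified
// with WhoIs.
//
// Each accepted connection is handed to p.serve in its own goroutine,
// tagged with a session ID derived from the accept time. IDs are forced
// to be strictly increasing so that no two sessions accepted by this
// loop ever share one, even on platforms with coarse clock resolution.
// Serve returns the first error from ln.Accept (including the one
// produced once ln is closed); sessions already in flight are not
// waited for.
func (p *proxy) Serve(ln net.Listener) error {
	var lastSessionID int64
	for {
		c, err := ln.Accept()
		if err != nil {
			// NOTE(review): every Accept error ends the loop, transient
			// ones (e.g. fd exhaustion under a connection burst) included.
			// If the proxy is meant to survive those, the caller has to
			// restart Serve — confirm this is intended.
			return err
		}
		// The session ID is wall-clock based and only has to be unique
		// among sessions issued by this loop, so force it strictly above
		// the previous one. That covers several accepts landing in the
		// same clock tick (OSes differ in the timer precision they expose,
		// so UnixNano may be rounded, e.g. to the same millisecond) and the
		// wall clock stepping backwards. A plain equality check is not
		// enough: with ticks T, T and T again the second accept gets T+1,
		// and the third compares against T+1, passes, and reuses T.
		id := time.Now().UnixNano()
		if id <= lastSessionID {
			id = lastSessionID + 1
		}
		lastSessionID = id
		// One goroutine per session; c is owned by p.serve from here on
		// (presumably it also closes it). Nothing here bounds the number
		// of concurrent sessions.
		go func(sessionID int64) {
			if err := p.serve(sessionID, c); err != nil {
				log.Printf("%d: session ended with error: %v", sessionID, err)
			}
		}(id)
	}
}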
| 183 | |
| 184 | var ( |
| 185 | // sslStart is the magic bytes that postgres clients use to indicate |