├── src ├── observability.rs ├── tls.rs ├── http.rs └── main.rs ├── .gitignore ├── Cargo.toml ├── README.md └── LICENSE /src/observability.rs: -------------------------------------------------------------------------------- 1 | pub fn start() { 2 | tracing_subscriber::fmt::init(); 3 | } 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Generated by Cargo 2 | # will have compiled files and executables 3 | /target/ 4 | 5 | # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries 6 | # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html 7 | Cargo.lock 8 | 9 | # These are backup files generated by rustfmt 10 | **/*.rs.bk 11 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "tailscale-proxy" 3 | version = "0.1.0" 4 | edition = "2021" 5 | 6 | [dependencies] 7 | argh = "0.1.7" 8 | color-eyre = "0.6.1" 9 | eyre = "0.6.8" 10 | futures = { version = "0.3.21", features = ["executor"] } 11 | hyper = { version = "0.14.18", features = ["full"] } 12 | lazy_static = "1.4.0" 13 | rustls = "0.20.4" 14 | tailscale-localapi = "0.2.0" 15 | tokio = { version = "1.17.0", features = ["full"] } 16 | tokio-rustls = "0.23.3" 17 | tokio-stream = { version = "0.1.8", features = ["net"] } 18 | tower = "0.4.12" 19 | tower-layer = "0.3.1" 20 | tracing = "0.1.34" 21 | tracing-subscriber = { version = "0.3.11", features = ["env-filter"] } 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tailscale-proxy 2 | 3 | | :exclamation: You don't want to use this. | 4 | | ----------------------------------------- | 5 | 6 | The entirety of what this project does is now [built into Tailscale serve](https://tailscale.dev/blog/tailscale-serve-obsoleted-my-code). 7 | 8 | ## Overview 9 | 10 | A reverse proxy for [Tailscale](https://tailscale.com/) that auto-configures with certificates from the local daemon. This was inspired by the post on the Tailscale blog about [How To Seamlessly Authenticate to Grafana using Tailscale](https://tailscale.com/blog/grafana-auth/). I wanted to build a more generic version of the Grafana proxy that can be easily used to front any HTTP service. The proxy auto-configures itself with [certificates retrieved from Tailscale](https://tailscale.com/kb/1153/enabling-https). This is similar to the recently announced [Caddy support for Tailscale](https://tailscale.com/kb/1190/caddy-certificates), except it also pulls the whois information for the requesting client. It uses [rustls](https://github.com/rustls/rustls) to get a modern TLS stack on the server-side. 11 | 12 | Overall that is just fun experimental software, so please don't use it for anything serious. 13 | 14 | ## Prior art 15 | 16 | I used code and inspiration from [hyper-reverse-proxy](https://github.com/felipenoris/hyper-reverse-proxy) when building the reverse proxy code. 17 | -------------------------------------------------------------------------------- /src/tls.rs: -------------------------------------------------------------------------------- 1 | use std::{collections::HashSet, sync::Arc}; 2 | 3 | use rustls::{ 4 | server::{ClientHello, ResolvesServerCert}, 5 | sign::CertifiedKey, 6 | ServerConfig, 7 | }; 8 | use tracing::{error, info}; 9 | 10 | pub async fn create_config( 11 | localapi: &tailscale_localapi::LocalApi, 12 | domains: &[String], 13 | ) -> eyre::Result> { 14 | let cert_resolver = Arc::new(TailscaleCertificateResolver { 15 | client: localapi.clone(), 16 | domains: domains.iter().cloned().collect(), 17 | }); 18 | 19 | let mut config = rustls::ServerConfig::builder() 20 | .with_safe_defaults() 21 | .with_no_client_auth() 22 | .with_cert_resolver(cert_resolver); 23 | config.ignore_client_order = true; 24 | config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()]; 25 | Ok(Arc::new(config)) 26 | } 27 | 28 | struct TailscaleCertificateResolver { 29 | client: tailscale_localapi::LocalApi, 30 | domains: HashSet, 31 | } 32 | 33 | impl ResolvesServerCert for TailscaleCertificateResolver { 34 | fn resolve(&self, client_hello: ClientHello) -> Option> { 35 | let domain = match client_hello.server_name() { 36 | Some(sni) if self.domains.contains(sni) => sni.to_string(), 37 | Some(_) => return None, 38 | None => self.domains.iter().next().unwrap().clone(), 39 | }; 40 | 41 | let fut = self.client.certificate_pair(&domain); 42 | match futures::executor::block_on(fut) { 43 | Ok((tailscale_localapi::PrivateKey(key_data), certs)) => { 44 | let key = rustls::PrivateKey(key_data); 45 | let certs = certs 46 | .into_iter() 47 | .map(|tailscale_localapi::Certificate(data)| rustls::Certificate(data)) 48 | .collect(); 49 | 50 | let signing_key = match rustls::sign::any_supported_type(&key) { 51 | Ok(k) => k, 52 | Err(e) => { 53 | error!("error resolving certificate for {domain}: {e}"); 54 | return None; 55 | } 56 | }; 57 | 58 | info!("got TLS certificate for {domain}"); 59 | 60 | Some(Arc::new(CertifiedKey::new(certs, signing_key))) 61 | } 62 | Err(e) => { 63 | error!("error resolving certificate for {domain}: {e}"); 64 | None 65 | } 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /src/http.rs: -------------------------------------------------------------------------------- 1 | use std::{net::IpAddr, sync::Arc, time::Duration}; 2 | 3 | use eyre::ContextCompat; 4 | use hyper::{ 5 | header::HeaderName, header::HeaderValue, Body, HeaderMap, Request, Response, StatusCode, 6 | }; 7 | use lazy_static::lazy_static; 8 | use tailscale_localapi::Whois; 9 | use tokio::{net::TcpStream, time::error::Elapsed}; 10 | use tracing::{error, warn}; 11 | 12 | use crate::Args; 13 | 14 | const TIMEOUT: Duration = Duration::from_secs(60); 15 | 16 | lazy_static! { 17 | static ref HOP_HEADERS: [HeaderName; 8] = [ 18 | HeaderName::from_static("connection"), 19 | HeaderName::from_static("keep-alive"), 20 | HeaderName::from_static("proxy-authenticate"), 21 | HeaderName::from_static("proxy-authorization"), 22 | HeaderName::from_static("te"), 23 | HeaderName::from_static("trailers"), 24 | HeaderName::from_static("transfer-encoding"), 25 | HeaderName::from_static("upgrade"), 26 | ]; 27 | static ref X_FORWARDED_FOR: HeaderName = HeaderName::from_static("x-forwarded-for"); 28 | static ref X_WEBAUTH_USER: HeaderName = HeaderName::from_static("x-webauth-user"); 29 | } 30 | 31 | pub fn is_hop_header(name: &str) -> bool { 32 | HOP_HEADERS.iter().any(|h| h == name) 33 | } 34 | 35 | /// Returns a clone of the headers without the [hop-by-hop headers]. 36 | /// 37 | /// [hop-by-hop headers]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html 38 | pub fn remove_hop_headers(headers: &HeaderMap) -> HeaderMap { 39 | let mut result = HeaderMap::new(); 40 | for (k, v) in headers.iter() { 41 | if !is_hop_header(k.as_str()) { 42 | result.insert(k.clone(), v.clone()); 43 | } 44 | } 45 | 46 | result 47 | } 48 | 49 | pub(crate) fn create_proxied_request(mut request: Request) -> eyre::Result> { 50 | let remote_ip = *request 51 | .extensions() 52 | .get::() 53 | .context("missing remote IP")?; 54 | let whois = request 55 | .extensions() 56 | .get::>() 57 | .context("missing whois")? 58 | .clone(); 59 | *request.headers_mut() = remove_hop_headers(request.headers()); 60 | 61 | match request.headers_mut().entry(&*X_FORWARDED_FOR) { 62 | hyper::header::Entry::Vacant(entry) => { 63 | entry.insert(remote_ip.to_string().parse()?); 64 | } 65 | hyper::header::Entry::Occupied(mut entry) => { 66 | let addr = format!("{}, {}", entry.get().to_str()?, remote_ip); 67 | entry.insert(addr.parse()?); 68 | } 69 | } 70 | 71 | request 72 | .headers_mut() 73 | .entry(&*X_WEBAUTH_USER) 74 | .or_insert(whois.user_profile.login_name.parse()?); 75 | 76 | Ok(request) 77 | } 78 | 79 | pub async fn proxy_request(request: Request) -> eyre::Result> { 80 | let config = request 81 | .extensions() 82 | .get::>() 83 | .context("missing config")? 84 | .clone(); 85 | let request = create_proxied_request(request)?; 86 | let stream = TcpStream::connect(&config.upstream).await?; 87 | 88 | let (mut request_sender, connection) = hyper::client::conn::Builder::new() 89 | .handshake::(stream) 90 | .await?; 91 | 92 | tokio::spawn(async move { 93 | if let Err(e) = connection.await { 94 | warn!("error in connection: {e}"); 95 | } 96 | }); 97 | 98 | let request_future = request_sender.send_request(request); 99 | let response = tokio::time::timeout(TIMEOUT, request_future).await??; 100 | 101 | Ok(response) 102 | } 103 | 104 | #[tracing::instrument(skip(req))] 105 | pub async fn handle_request(req: Request) -> eyre::Result> { 106 | match proxy_request(req).await { 107 | Ok(resp) => Ok(resp), 108 | Err(e) if e.is::() => { 109 | error!("error handling connection: {e}"); 110 | let mut resp = Response::new(Body::from("Gateway Timeout")); 111 | *resp.status_mut() = StatusCode::GATEWAY_TIMEOUT; 112 | Ok(resp) 113 | } 114 | Err(e) => { 115 | error!("error handling connection: {e}"); 116 | let mut resp = Response::new(Body::from("Bad Gateway")); 117 | *resp.status_mut() = StatusCode::BAD_GATEWAY; 118 | Ok(resp) 119 | } 120 | } 121 | } 122 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | mod http; 2 | mod observability; 3 | mod tls; 4 | 5 | use std::{net::SocketAddr, sync::Arc}; 6 | 7 | use argh::FromArgs; 8 | use futures::{future, stream, StreamExt}; 9 | use hyper::{server::conn::Http, service::service_fn}; 10 | use tokio::net::TcpListener; 11 | use tokio_rustls::TlsAcceptor; 12 | use tokio_stream::wrappers::TcpListenerStream; 13 | use tracing::{debug, info, warn}; 14 | 15 | #[derive(FromArgs)] 16 | /// Proxy requests from Tailscale clients to an upstream with a TLS certificate provided by the Tailscale daemon. 17 | pub struct Args { 18 | /// port to listen on for connections (defaults to 443) 19 | #[argh(option, short = 'p', default = "443")] 20 | port: u16, 21 | 22 | /// upstream to proxy connections to 23 | #[argh(option, short = 'u')] 24 | upstream: String, 25 | 26 | /// path to the Tailscale socket (defaults to /var/run/tailscale/tailscaled.sock) 27 | #[argh( 28 | option, 29 | short = 's', 30 | default = "\"/var/run/tailscale/tailscaled.sock\".to_string()" 31 | )] 32 | socket: String, 33 | } 34 | 35 | #[tokio::main] 36 | async fn main() -> eyre::Result<()> { 37 | observability::start(); 38 | 39 | let config: Arc = Arc::new(argh::from_env()); 40 | 41 | let localapi = tailscale_localapi::LocalApi::new_with_socket_path(config.socket.clone()); 42 | let status = localapi.status().await?; 43 | 44 | let tls_config = tls::create_config(&localapi, &status.cert_domains).await?; 45 | let tls_acceptor = TlsAcceptor::from(tls_config); 46 | 47 | let listen_addresses = status 48 | .tailscale_ips 49 | .iter() 50 | .copied() 51 | .map(|ip| SocketAddr::from((ip, config.port))) 52 | .collect::>(); 53 | 54 | info!("listening on {listen_addresses:?}"); 55 | serve(&localapi, tls_acceptor, config, &listen_addresses).await?; 56 | 57 | Ok(()) 58 | } 59 | 60 | async fn serve( 61 | localapi: &tailscale_localapi::LocalApi, 62 | tls_acceptor: TlsAcceptor, 63 | config: Arc, 64 | listen_addresses: &[SocketAddr], 65 | ) -> eyre::Result<()> { 66 | let listeners = listen_addresses.iter().map(TcpListener::bind); 67 | let streams = future::join_all(listeners) 68 | .await 69 | .into_iter() 70 | .map(|listener| listener.map(TcpListenerStream::new)) 71 | .collect::, _>>()?; 72 | 73 | stream::select_all(streams) 74 | .filter_map(|stream| async { 75 | match stream { 76 | Ok(s) => Some(s), 77 | Err(e) => { 78 | warn!("error accepting connection: {e}"); 79 | None 80 | } 81 | } 82 | }) 83 | .filter_map(|stream| async { 84 | let remote_addr = match stream.peer_addr() { 85 | Ok(v) => v, 86 | Err(e) => { 87 | warn!("unable to retreive peer address: {e}"); 88 | return None; 89 | } 90 | }; 91 | 92 | let whois = match localapi.whois(remote_addr).await { 93 | Ok(v) => v, 94 | Err(e) => { 95 | warn!(%remote_addr, "unable to retreive whois information: {e}"); 96 | return None; 97 | } 98 | }; 99 | 100 | let remote_ip = remote_addr.ip(); 101 | debug!(%remote_ip, "accepted connection"); 102 | 103 | match tls_acceptor.accept(stream).await { 104 | Ok(s) => Some((remote_ip, whois, s)), 105 | Err(e) => { 106 | warn!(%remote_ip, "error during TLS handshake: {e}"); 107 | None 108 | } 109 | } 110 | }) 111 | .for_each(|(remote_ip, whois, stream)| { 112 | let (_, tls_conn) = stream.get_ref(); 113 | debug!(%remote_ip, "negotiated TLS with {:?}", tls_conn.negotiated_cipher_suite().unwrap()); 114 | 115 | let config = config.clone(); 116 | let whois = Arc::new(whois); 117 | async move { 118 | let serve_connection = Http::new().serve_connection( 119 | stream, 120 | service_fn(move |mut request| { 121 | request.extensions_mut().insert(config.clone()); 122 | request.extensions_mut().insert(whois.clone()); 123 | request.extensions_mut().insert(remote_ip); 124 | 125 | http::handle_request(request) 126 | }), 127 | ); 128 | 129 | tokio::spawn(async move { 130 | if let Err(e) = serve_connection.await { 131 | warn!(%remote_ip, "error serving HTTP connection: {e}"); 132 | } 133 | }); 134 | } 135 | }) 136 | .await; 137 | 138 | Ok(()) 139 | } 140 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------