fix(health): use TCP dialing instead of ping

- `HEALTH_TARGET_ADDRESS` to replace `HEALTH_ADDRESS_TO_PING`
- Remove `github.com/go-ping/ping` dependency
- Dial TCP the target address, appending `:443` if port is not set

Author: qdm12

Dockerfile

@@ -126,7 +126,7 @@ ENV VPNSP=pia \
     LOG_LEVEL=info \
     # Health
     HEALTH_SERVER_ADDRESS=127.0.0.1:9999 \
-    HEALTH_ADDRESS_TO_PING=github.com \
+    HEALTH_TARGET_ADDRESS=github.com:443 \
     HEALTH_VPN_DURATION_INITIAL=6s \
     HEALTH_VPN_DURATION_ADDITION=5s \
     # DNS over TLS

go.mod

@@ -5,7 +5,6 @@ go 1.17
 require (
 	github.com/breml/rootcerts v0.2.1
 	github.com/fatih/color v1.13.0
-	github.com/go-ping/ping v0.0.0-20210911151512-381826476871
 	github.com/golang/mock v1.6.0
 	github.com/qdm12/dns v1.11.0
 	github.com/qdm12/golibs v0.0.0-20210822203818-5c568b0777b6
@@ -26,7 +25,6 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-cmp v0.5.5 // indirect
-	github.com/google/uuid v1.2.0 // indirect
 	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
 	github.com/mattn/go-colorable v0.1.9 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
@@ -41,6 +39,5 @@ require (
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063 // indirect
 	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
 	golang.org/x/net v0.0.0-20210504132125-bbd867fde50d // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )

go.sum

@@ -32,8 +32,6 @@ github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsd
 github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/validate v0.17.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/go-ping/ping v0.0.0-20210911151512-381826476871 h1:wtjTfjwAR/BYYMJ+QOLI/3J/qGEI0fgrkZvgsEWK2/Q=
-github.com/go-ping/ping v0.0.0-20210911151512-381826476871/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
@@ -47,8 +45,6 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
-github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gotify/go-api-client/v2 v2.0.4/go.mod h1:VKiah/UK20bXsr0JObE1eBVLW44zbBouzjuri9iwjFU=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -176,7 +172,6 @@ golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210504132125-bbd867fde50d h1:nTDGCTeAu2LhcsHTRzjyIUbZHCJ4QePArsm27Hka0UM=
 golang.org/x/net v0.0.0-20210504132125-bbd867fde50d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -210,7 +205,6 @@ golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

internal/configuration/settings/health.go

@@ -15,10 +15,10 @@ type Health struct {
 	// for the health check server.
 	// It cannot be the empty string in the internal state.
 	ServerAddress string
-	// AddressToPing is the IP address or domain name to
-	// ping periodically for the health check.
+	// TargetAddress is the address (host or host:port)
+	// to TCP dial to periodically for the health check.
 	// It cannot be the empty string in the internal state.
-	AddressToPing string
+	TargetAddress string
 	VPN           HealthyWait
 }
 
@@ -42,7 +42,7 @@ func (h Health) Validate() (err error) {
 func (h *Health) copy() (copied Health) {
 	return Health{
 		ServerAddress: h.ServerAddress,
-		AddressToPing: h.AddressToPing,
+		TargetAddress: h.TargetAddress,
 		VPN:           h.VPN.copy(),
 	}
 }
@@ -51,7 +51,7 @@ func (h *Health) copy() (copied Health) {
 // unset field of the receiver settings object.
 func (h *Health) MergeWith(other Health) {
 	h.ServerAddress = helpers.MergeWithString(h.ServerAddress, other.ServerAddress)
-	h.AddressToPing = helpers.MergeWithString(h.AddressToPing, other.AddressToPing)
+	h.TargetAddress = helpers.MergeWithString(h.TargetAddress, other.TargetAddress)
 	h.VPN.mergeWith(other.VPN)
 }
 
@@ -60,13 +60,13 @@ func (h *Health) MergeWith(other Health) {
 // settings.
 func (h *Health) OverrideWith(other Health) {
 	h.ServerAddress = helpers.OverrideWithString(h.ServerAddress, other.ServerAddress)
-	h.AddressToPing = helpers.OverrideWithString(h.AddressToPing, other.AddressToPing)
+	h.TargetAddress = helpers.OverrideWithString(h.TargetAddress, other.TargetAddress)
 	h.VPN.overrideWith(other.VPN)
 }
 
 func (h *Health) SetDefaults() {
 	h.ServerAddress = helpers.DefaultString(h.ServerAddress, "127.0.0.1:9999")
-	h.AddressToPing = helpers.DefaultString(h.AddressToPing, "github.com")
+	h.TargetAddress = helpers.DefaultString(h.TargetAddress, "github.com:443")
 	h.VPN.setDefaults()
 }
 
@@ -77,7 +77,7 @@ func (h Health) String() string {
 func (h Health) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Health settings:")
 	node.Appendf("Server listening address: %s", h.ServerAddress)
-	node.Appendf("Address to ping: %s", h.AddressToPing)
+	node.Appendf("Target address: %s", h.TargetAddress)
 	node.AppendNode(h.VPN.toLinesNode("VPN"))
 	return node
 }

internal/configuration/settings/settings_test.go

@@ -66,7 +66,7 @@ func Test_Settings_String(t *testing.T) {
 |   └── Log level: INFO
 ├── Health settings:
 |   ├── Server listening address: 127.0.0.1:9999
-|   ├── Address to ping: github.com
+|   ├── Target address: github.com:443
 |   └── VPN wait durations:
 |       ├── Initial duration: 6s
 |       └── Additional duration: 5s

internal/configuration/sources/env/health.go

@@ -10,7 +10,10 @@ import (
 
 func (r *Reader) ReadHealth() (health settings.Health, err error) {
 	health.ServerAddress = os.Getenv("HEALTH_SERVER_ADDRESS")
-	health.AddressToPing = os.Getenv("HEALTH_ADDRESS_TO_PING")
+	health.TargetAddress = os.Getenv("HEALTH_ADDRESS_TO_PING")
+	if health.TargetAddress == "" {
+		health.TargetAddress = os.Getenv("HEALTH_TARGET_ADDRESS")
+	}
 
 	health.VPN.Initial, err = r.readDurationWithRetro(
 		"HEALTH_VPN_DURATION_INITIAL",

internal/healthcheck/health.go

@@ -3,6 +3,9 @@ package healthcheck
 
 import (
 	"context"
+	"errors"
+	"fmt"
+	"net"
 	"time"
 )
 
@@ -14,7 +17,12 @@ func (s *Server) runHealthcheckLoop(ctx context.Context, done chan<- struct{}) {
 	for {
 		previousErr := s.handler.getErr()
 
-		err := healthCheck(ctx, s.pinger)
+		const healthcheckTimeout = 3 * time.Second
+		healthcheckCtx, healthcheckCancel := context.WithTimeout(
+			ctx, healthcheckTimeout)
+		err := s.healthCheck(healthcheckCtx)
+		healthcheckCancel()
+
 		s.handler.setErr(err)
 
 		if previousErr != nil && err == nil {
@@ -56,23 +64,40 @@ func (s *Server) runHealthcheckLoop(ctx context.Context, done chan<- struct{}) {
 	}
 }
 
-func healthCheck(ctx context.Context, pinger Pinger) (err error) {
+func (s *Server) healthCheck(ctx context.Context) (err error) {
 	// TODO use mullvad API if current provider is Mullvad
-	// If we run without root, you need to run this on the gluetun binary:
-	// setcap cap_net_raw=+ep /path/to/your/compiled/binary
-	// Alternatively, we could have a separate binary just for healthcheck to
-	// reduce attack surface.
-	errCh := make(chan error)
-	go func() {
-		errCh <- pinger.Run()
-	}()
 
-	select {
-	case <-ctx.Done():
-		pinger.Stop()
-		<-errCh
-		return ctx.Err()
-	case err = <-errCh:
+	address, err := makeAddressToDial(s.config.TargetAddress)
+	if err != nil {
 		return err
 	}
+
+	const dialNetwork = "tcp4"
+	connection, err := s.dialer.DialContext(ctx, dialNetwork, address)
+	if err != nil {
+		return fmt.Errorf("cannot dial: %w", err)
+	}
+
+	err = connection.Close()
+	if err != nil {
+		return fmt.Errorf("cannot close connection: %w", err)
+	}
+
+	return nil
+}
+
+func makeAddressToDial(address string) (addressToDial string, err error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		addrErr := new(net.AddrError)
+		ok := errors.As(err, &addrErr)
+		if !ok || addrErr.Err != "missing port in address" {
+			return "", fmt.Errorf("cannot split host and port from address: %w", err)
+		}
+		host = address
+		const defaultPort = "443"
+		port = defaultPort
+	}
+	address = net.JoinHostPort(host, port)
+	return address, nil
 }