2018-10-08 19:20:28 +00:00
package tunnel
2018-05-01 23:45:06 +00:00
import (
2019-02-14 10:40:54 +00:00
"context"
2018-05-01 23:45:06 +00:00
"crypto/tls"
"fmt"
"io/ioutil"
"net"
"net/http"
"os"
"path/filepath"
"strings"
"time"
2019-06-17 21:18:47 +00:00
"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
2018-10-08 19:20:28 +00:00
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
2019-06-18 16:47:29 +00:00
"github.com/cloudflare/cloudflared/connection"
2018-05-01 23:45:06 +00:00
"github.com/cloudflare/cloudflared/origin"
"github.com/cloudflare/cloudflared/tlsconfig"
tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
"github.com/cloudflare/cloudflared/validation"
2019-03-28 17:58:23 +00:00
"github.com/google/uuid"
2018-05-01 23:45:06 +00:00
"github.com/mitchellh/go-homedir"
"github.com/pkg/errors"
2019-03-28 17:58:23 +00:00
"github.com/sirupsen/logrus"
"golang.org/x/crypto/ssh/terminal"
"gopkg.in/urfave/cli.v2"
2018-05-01 23:45:06 +00:00
)
var (
2018-10-08 19:20:28 +00:00
developerPortal = "https://developers.cloudflare.com/argo-tunnel"
quickStartUrl = developerPortal + "/quickstart/quickstart/"
serviceUrl = developerPortal + "/reference/service/"
argumentsUrl = developerPortal + "/reference/arguments/"
2018-05-01 23:45:06 +00:00
)
2018-10-08 19:20:28 +00:00
// returns the first path that contains a cert.pem file. If none of the DefaultConfigDirs
// contains a cert.pem file, return empty string
2018-05-01 23:45:06 +00:00
func findDefaultOriginCertPath ( ) string {
2018-10-08 19:20:28 +00:00
for _ , defaultConfigDir := range config . DefaultConfigDirs {
originCertPath , _ := homedir . Expand ( filepath . Join ( defaultConfigDir , config . DefaultCredentialFile ) )
if ok , _ := config . FileExists ( originCertPath ) ; ok {
2018-05-01 23:45:06 +00:00
return originCertPath
}
}
return ""
}
2019-03-28 17:58:23 +00:00
func generateRandomClientID ( logger * logrus . Logger ) ( string , error ) {
u , err := uuid . NewRandom ( )
if err != nil {
logger . WithError ( err ) . Error ( "couldn't create UUID for client ID" )
return "" , err
}
return u . String ( ) , nil
2018-05-01 23:45:06 +00:00
}
func handleDeprecatedOptions ( c * cli . Context ) error {
// Fail if the user provided an old authentication method
if c . IsSet ( "api-key" ) || c . IsSet ( "api-email" ) || c . IsSet ( "api-ca-key" ) {
logger . Error ( "You don't need to give us your api-key anymore. Please use the new login method. Just run cloudflared login" )
return fmt . Errorf ( "Client provided deprecated options" )
}
return nil
}
func logClientOptions ( c * cli . Context ) {
flags := make ( map [ string ] interface { } )
for _ , flag := range c . LocalFlagNames ( ) {
flags [ flag ] = c . Generic ( flag )
}
2019-03-08 08:36:24 +00:00
sliceFlags := [ ] string { "header" , "tag" , "proxy-dns-upstream" , "upstream" , "edge" }
for _ , sliceFlag := range sliceFlags {
if len ( c . StringSlice ( sliceFlag ) ) > 0 {
flags [ sliceFlag ] = strings . Join ( c . StringSlice ( sliceFlag ) , ", " )
}
}
2018-05-01 23:45:06 +00:00
if len ( flags ) > 0 {
2019-03-08 08:36:24 +00:00
logger . WithFields ( flags ) . Info ( "Flags" )
2018-05-01 23:45:06 +00:00
}
envs := make ( map [ string ] string )
// Find env variables for Argo Tunnel
for _ , env := range os . Environ ( ) {
// All Argo Tunnel env variables start with TUNNEL_
if strings . Contains ( env , "TUNNEL_" ) {
vars := strings . Split ( env , "=" )
if len ( vars ) == 2 {
envs [ vars [ 0 ] ] = vars [ 1 ]
}
}
}
if len ( envs ) > 0 {
logger . Infof ( "Environmental variables %v" , envs )
}
}
func dnsProxyStandAlone ( c * cli . Context ) bool {
return c . IsSet ( "proxy-dns" ) && ( ! c . IsSet ( "hostname" ) && ! c . IsSet ( "tag" ) && ! c . IsSet ( "hello-world" ) )
}
func getOriginCert ( c * cli . Context ) ( [ ] byte , error ) {
if c . String ( "origincert" ) == "" {
2018-10-08 19:20:28 +00:00
logger . Warnf ( "Cannot determine default origin certificate path. No file %s in %v" , config . DefaultCredentialFile , config . DefaultConfigDirs )
2018-05-01 23:45:06 +00:00
if isRunningFromTerminal ( ) {
logger . Errorf ( "You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information." , argumentsUrl )
return nil , fmt . Errorf ( "Client didn't specify origincert path when running from terminal" )
} else {
logger . Errorf ( "You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information." , serviceUrl )
return nil , fmt . Errorf ( "Client didn't specify origincert path" )
}
}
// Check that the user has acquired a certificate using the login command
originCertPath , err := homedir . Expand ( c . String ( "origincert" ) )
if err != nil {
logger . WithError ( err ) . Errorf ( "Cannot resolve path %s" , c . String ( "origincert" ) )
return nil , fmt . Errorf ( "Cannot resolve path %s" , c . String ( "origincert" ) )
}
2018-10-08 19:20:28 +00:00
ok , err := config . FileExists ( originCertPath )
2018-05-01 23:45:06 +00:00
if err != nil {
logger . Errorf ( "Cannot check if origin cert exists at path %s" , c . String ( "origincert" ) )
return nil , fmt . Errorf ( "Cannot check if origin cert exists at path %s" , c . String ( "origincert" ) )
}
if ! ok {
logger . Errorf ( ` Cannot find a valid certificate for your origin at the path :
% s
If the path above is wrong , specify the path with the - origincert option .
If you don ' t have a certificate signed by Cloudflare , run the command :
% s login
` , originCertPath , os . Args [ 0 ] )
return nil , fmt . Errorf ( "Cannot find a valid certificate at the path %s" , originCertPath )
}
// Easier to send the certificate as []byte via RPC than decoding it at this point
originCert , err := ioutil . ReadFile ( originCertPath )
if err != nil {
logger . WithError ( err ) . Errorf ( "Cannot read %s to load origin certificate" , originCertPath )
return nil , fmt . Errorf ( "Cannot read %s to load origin certificate" , originCertPath )
}
return originCert , nil
}
2019-02-28 22:56:01 +00:00
func prepareTunnelConfig (
c * cli . Context ,
2019-06-17 21:18:47 +00:00
buildInfo * buildinfo . BuildInfo ,
2019-02-28 22:56:01 +00:00
version string , logger ,
transportLogger * logrus . Logger ,
) ( * origin . TunnelConfig , error ) {
2018-05-01 23:45:06 +00:00
hostname , err := validation . ValidateHostname ( c . String ( "hostname" ) )
if err != nil {
logger . WithError ( err ) . Error ( "Invalid hostname" )
return nil , errors . Wrap ( err , "Invalid hostname" )
}
2019-03-22 17:00:57 +00:00
isFreeTunnel := hostname == ""
2018-05-01 23:45:06 +00:00
clientID := c . String ( "id" )
if ! c . IsSet ( "id" ) {
2019-03-28 17:58:23 +00:00
clientID , err = generateRandomClientID ( logger )
if err != nil {
return nil , err
}
2018-05-01 23:45:06 +00:00
}
tags , err := NewTagSliceFromCLI ( c . StringSlice ( "tag" ) )
if err != nil {
logger . WithError ( err ) . Error ( "Tag parse failure" )
return nil , errors . Wrap ( err , "Tag parse failure" )
}
tags = append ( tags , tunnelpogs . Tag { Name : "ID" , Value : clientID } )
2018-10-19 20:44:35 +00:00
originURL , err := config . ValidateUrl ( c )
2018-05-01 23:45:06 +00:00
if err != nil {
2018-10-08 19:20:28 +00:00
logger . WithError ( err ) . Error ( "Error validating origin URL" )
return nil , errors . Wrap ( err , "Error validating origin URL" )
2018-05-01 23:45:06 +00:00
}
2019-03-22 17:00:57 +00:00
var originCert [ ] byte
if ! isFreeTunnel {
originCert , err = getOriginCert ( c )
if err != nil {
return nil , errors . Wrap ( err , "Error getting origin cert" )
}
2018-05-01 23:45:06 +00:00
}
2019-05-28 20:53:35 +00:00
originCertPool , err := tlsconfig . LoadOriginCA ( c , logger )
2018-05-01 23:45:06 +00:00
if err != nil {
logger . WithError ( err ) . Error ( "Error loading cert pool" )
return nil , errors . Wrap ( err , "Error loading cert pool" )
}
tunnelMetrics := origin . NewTunnelMetrics ( )
httpTransport := & http . Transport {
2019-02-14 10:40:54 +00:00
Proxy : http . ProxyFromEnvironment ,
2018-05-01 23:45:06 +00:00
MaxIdleConns : c . Int ( "proxy-keepalive-connections" ) ,
IdleConnTimeout : c . Duration ( "proxy-keepalive-timeout" ) ,
TLSHandshakeTimeout : c . Duration ( "proxy-tls-timeout" ) ,
ExpectContinueTimeout : 1 * time . Second ,
TLSClientConfig : & tls . Config { RootCAs : originCertPool , InsecureSkipVerify : c . IsSet ( "no-tls-verify" ) } ,
}
2019-02-14 10:40:54 +00:00
dialContext := ( & net . Dialer {
Timeout : c . Duration ( "proxy-connect-timeout" ) ,
KeepAlive : c . Duration ( "proxy-tcp-keepalive" ) ,
DualStack : ! c . Bool ( "proxy-no-happy-eyeballs" ) ,
} ) . DialContext
if c . IsSet ( "unix-socket" ) {
unixSocket , err := config . ValidateUnixSocket ( c )
if err != nil {
logger . WithError ( err ) . Error ( "Error validating --unix-socket" )
return nil , errors . Wrap ( err , "Error validating --unix-socket" )
}
logger . Infof ( "Proxying tunnel requests to unix:%s" , unixSocket )
httpTransport . DialContext = func ( ctx context . Context , _ , _ string ) ( net . Conn , error ) {
// if --unix-socket specified, enforce network type "unix"
return dialContext ( ctx , "unix" , unixSocket )
}
} else {
logger . Infof ( "Proxying tunnel requests to %s" , originURL )
httpTransport . DialContext = dialContext
}
2018-05-01 23:45:06 +00:00
if ! c . IsSet ( "hello-world" ) && c . IsSet ( "origin-server-name" ) {
httpTransport . TLSClientConfig . ServerName = c . String ( "origin-server-name" )
}
2018-10-29 16:57:58 +00:00
err = validation . ValidateHTTPService ( originURL , hostname , httpTransport )
2018-10-08 19:20:28 +00:00
if err != nil {
logger . WithError ( err ) . Error ( "unable to connect to the origin" )
return nil , errors . Wrap ( err , "unable to connect to the origin" )
}
2019-05-28 20:53:35 +00:00
toEdgeTLSConfig , err := tlsconfig . CreateTunnelConfig ( c )
2018-11-15 15:43:50 +00:00
if err != nil {
logger . WithError ( err ) . Error ( "unable to create TLS config to connect with edge" )
return nil , errors . Wrap ( err , "unable to create TLS config to connect with edge" )
}
2018-05-01 23:45:06 +00:00
return & origin . TunnelConfig {
2019-04-04 22:04:55 +00:00
BuildInfo : buildInfo ,
ClientID : clientID ,
ClientTlsConfig : httpTransport . TLSClientConfig ,
CompressionQuality : c . Uint64 ( "compression-quality" ) ,
EdgeAddrs : c . StringSlice ( "edge" ) ,
GracePeriod : c . Duration ( "grace-period" ) ,
HAConnections : c . Int ( "ha-connections" ) ,
HTTPTransport : httpTransport ,
HeartbeatInterval : c . Duration ( "heartbeat-interval" ) ,
Hostname : hostname ,
2019-08-30 03:55:54 +00:00
HTTPHostHeader : c . String ( "http-host-header" ) ,
2019-04-04 22:04:55 +00:00
IncidentLookup : origin . NewIncidentLookup ( ) ,
IsAutoupdated : c . Bool ( "is-autoupdated" ) ,
IsFreeTunnel : isFreeTunnel ,
LBPool : c . String ( "lb-pool" ) ,
Logger : logger ,
MaxHeartbeats : c . Uint64 ( "heartbeat-count" ) ,
Metrics : tunnelMetrics ,
MetricsUpdateFreq : c . Duration ( "metrics-update-freq" ) ,
NoChunkedEncoding : c . Bool ( "no-chunked-encoding" ) ,
OriginCert : originCert ,
OriginUrl : originURL ,
ReportedVersion : version ,
Retries : c . Uint ( "retries" ) ,
RunFromTerminal : isRunningFromTerminal ( ) ,
Tags : tags ,
TlsConfig : toEdgeTLSConfig ,
TransportLogger : transportLogger ,
UseDeclarativeTunnel : c . Bool ( "use-declarative-tunnels" ) ,
2018-05-01 23:45:06 +00:00
} , nil
}
2019-06-18 16:47:29 +00:00
func serviceDiscoverer ( c * cli . Context , logger * logrus . Logger ) ( connection . EdgeServiceDiscoverer , error ) {
// If --edge is specfied, resolve edge server addresses
if len ( c . StringSlice ( "edge" ) ) > 0 {
return connection . NewEdgeHostnameResolver ( c . StringSlice ( "edge" ) )
}
// Otherwise lookup edge server addresses through service discovery
return connection . NewEdgeAddrResolver ( logger )
}
2018-10-08 19:20:28 +00:00
func isRunningFromTerminal ( ) bool {
return terminal . IsTerminal ( int ( os . Stdout . Fd ( ) ) )
}
