cloudflared-mirror/ingress/origin_proxy.go

package ingress

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"

	"github.com/rs/zerolog"
)

// HTTPOriginProxy can be implemented by origin services that want to proxy http requests.
type HTTPOriginProxy interface {
	// RoundTripper is how cloudflared proxies eyeball requests to the actual origin services
	http.RoundTripper
}

// StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.
type StreamBasedOriginProxy interface {
	EstablishConnection(ctx context.Context, dest string, log *zerolog.Logger) (OriginConnection, error)
}

// HTTPLocalProxy can be implemented by cloudflared services that want to handle incoming http requests.
type HTTPLocalProxy interface {
	// Handler is how cloudflared proxies eyeball requests to the local cloudflared services
	http.Handler
}

func (o *unixSocketPath) RoundTrip(req *http.Request) (*http.Response, error) {
	req.URL.Scheme = o.scheme
	return o.transport.RoundTrip(req)
}

func (o *httpService) RoundTrip(req *http.Request) (*http.Response, error) {
	// Rewrite the request URL so that it goes to the origin service.
	req.URL.Host = o.url.Host
	switch o.url.Scheme {
	case "ws":
		req.URL.Scheme = "http"
	case "wss":
		req.URL.Scheme = "https"
	default:
		req.URL.Scheme = o.url.Scheme
	}

	if o.hostHeader != "" {
		// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.
		// Pass the original Host header as X-Forwarded-Host.
		req.Header.Set("X-Forwarded-Host", req.Host)
		req.Host = o.hostHeader
	}

	if o.matchSNIToHost {
		o.SetOriginServerName(req)
	}

	return o.transport.RoundTrip(req)
}

func (o *httpService) SetOriginServerName(req *http.Request) {
	o.transport.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		conn, err := o.transport.DialContext(ctx, network, addr)
		if err != nil {
			return nil, err
		}
		return tls.Client(conn, &tls.Config{
			RootCAs:            o.transport.TLSClientConfig.RootCAs,
			InsecureSkipVerify: o.transport.TLSClientConfig.InsecureSkipVerify,
			ServerName:         req.Host,
		}), nil
	}
}

func (o *statusCode) RoundTrip(_ *http.Request) (*http.Response, error) {
	if o.defaultResp {
		o.log.Warn().Msgf(ErrNoIngressRulesCLI.Error())
	}
	resp := &http.Response{
		StatusCode: o.code,
		Status:     fmt.Sprintf("%d %s", o.code, http.StatusText(o.code)),
		Body:       new(NopReadCloser),
	}

	return resp, nil
}

func (o *rawTCPService) EstablishConnection(ctx context.Context, dest string, logger *zerolog.Logger) (OriginConnection, error) {
	conn, err := o.dialer.DialContext(ctx, "tcp", dest)
	if err != nil {
		return nil, err
	}

	originConn := &tcpConnection{
		Conn:         conn,
		writeTimeout: o.writeTimeout,
		logger:       logger,
	}
	return originConn, nil
}

func (o *tcpOverWSService) EstablishConnection(ctx context.Context, dest string, _ *zerolog.Logger) (OriginConnection, error) {
	var err error
	if !o.isBastion {
		dest = o.dest
	}

	conn, err := o.dialer.DialContext(ctx, "tcp", dest)
	if err != nil {
		return nil, err
	}
	originConn := &tcpOverWSConnection{
		conn:          conn,
		streamHandler: o.streamHandler,
	}
	return originConn, nil

}

func (o *socksProxyOverWSService) EstablishConnection(_ context.Context, _ string, _ *zerolog.Logger) (OriginConnection, error) {
	return o.conn, nil
}
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`package ingress`

			`import (`
TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy. For WARP routing the defaults for these new settings are 5 seconds for connect timeout and 30 seconds for keep-alive timeout. These values can be configured either remotely or locally. Local config lives under "warp-routing" section in config.yaml. For websocket-based proxy, the defaults come from originConfig settings (either global or per-service) and use the same defaults as HTTP proxying. 2022-06-13 16:44:27 +00:00			`"context"`
feat: auto tls sni Signed-off-by: Steven Kreitzer <skre@skre.me> 2024-01-18 15:19:11 +00:00			`"crypto/tls"`
TUN-6250: Add upstream response status code to tracing span attributes 2022-05-18 11:11:38 +00:00			`"fmt"`
feat: auto tls sni Signed-off-by: Steven Kreitzer <skre@skre.me> 2024-01-18 15:19:11 +00:00			`"net"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`"net/http"`
TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00
			`"github.com/rs/zerolog"`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`)`

TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`// HTTPOriginProxy can be implemented by origin services that want to proxy http requests.`
			`type HTTPOriginProxy interface {`
TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy. For WARP routing the defaults for these new settings are 5 seconds for connect timeout and 30 seconds for keep-alive timeout. These values can be configured either remotely or locally. Local config lives under "warp-routing" section in config.yaml. For websocket-based proxy, the defaults come from originConfig settings (either global or per-service) and use the same defaults as HTTP proxying. 2022-06-13 16:44:27 +00:00			`// RoundTripper is how cloudflared proxies eyeball requests to the actual origin services`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`http.RoundTripper`
			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`// StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`type StreamBasedOriginProxy interface {`
TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00			`EstablishConnection(ctx context.Context, dest string, log *zerolog.Logger) (OriginConnection, error)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

TUN-7124: Add intercept ingress rule for management requests 2023-03-21 18:42:25 +00:00			`// HTTPLocalProxy can be implemented by cloudflared services that want to handle incoming http requests.`
			`type HTTPLocalProxy interface {`
			`// Handler is how cloudflared proxies eyeball requests to the local cloudflared services`
			`http.Handler`
			`}`

TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`func (o unixSocketPath) RoundTrip(req http.Request) (*http.Response, error) {`
TUN-5737: Support https protocol over unix socket origin 2022-02-28 20:07:47 +00:00			`req.URL.Scheme = o.scheme`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`return o.transport.RoundTrip(req)`
			`}`

			`func (o httpService) RoundTrip(req http.Request) (*http.Response, error) {`
			`// Rewrite the request URL so that it goes to the origin service.`
			`req.URL.Host = o.url.Host`
TUN-4626: Proxy non-stream based origin websockets with http Roundtrip. Reuses HTTPProxy's Roundtrip method to directly proxy websockets from eyeball clients (determined by websocket type and ingress not being connection oriented , i.e. Not ssh or smb for example) to proxy websocket traffic. 2021-07-01 09:29:53 +00:00			`switch o.url.Scheme {`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`case "ws":`
			`req.URL.Scheme = "http"`
			`case "wss":`
			`req.URL.Scheme = "https"`
TUN-4626: Proxy non-stream based origin websockets with http Roundtrip. Reuses HTTPProxy's Roundtrip method to directly proxy websockets from eyeball clients (determined by websocket type and ingress not being connection oriented , i.e. Not ssh or smb for example) to proxy websocket traffic. 2021-07-01 09:29:53 +00:00			`default:`
			`req.URL.Scheme = o.url.Scheme`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`}`

TUN-3889: Move host header override logic to httpService 2021-02-08 19:25:08 +00:00			`if o.hostHeader != "" {`
			`// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.`
Add X-Forwarded-Host for http proxy 2021-10-22 08:27:29 +00:00			`// Pass the original Host header as X-Forwarded-Host.`
			`req.Header.Set("X-Forwarded-Host", req.Host)`
TUN-3889: Move host header override logic to httpService 2021-02-08 19:25:08 +00:00			`req.Host = o.hostHeader`
			`}`
feat: auto tls sni Signed-off-by: Steven Kreitzer <skre@skre.me> 2024-01-18 15:19:11 +00:00
			`if o.matchSNIToHost {`
			`o.SetOriginServerName(req)`
			`}`

TUN-4626: Proxy non-stream based origin websockets with http Roundtrip. Reuses HTTPProxy's Roundtrip method to directly proxy websockets from eyeball clients (determined by websocket type and ingress not being connection oriented , i.e. Not ssh or smb for example) to proxy websocket traffic. 2021-07-01 09:29:53 +00:00			`return o.transport.RoundTrip(req)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

feat: auto tls sni Signed-off-by: Steven Kreitzer <skre@skre.me> 2024-01-18 15:19:11 +00:00			`func (o httpService) SetOriginServerName(req http.Request) {`
			`o.transport.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {`
			`conn, err := o.transport.DialContext(ctx, network, addr)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return tls.Client(conn, &tls.Config{`
			`RootCAs: o.transport.TLSClientConfig.RootCAs,`
			`InsecureSkipVerify: o.transport.TLSClientConfig.InsecureSkipVerify,`
			`ServerName: req.Host,`
			`}), nil`
			`}`
			`}`

TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`func (o statusCode) RoundTrip(_ http.Request) (*http.Response, error) {`
TUN-7259: Add warning for missing ingress rules Providing no ingress rules in the configuration file or via the CLI will now provide a warning and return 502 for all incoming HTTP requests. 2023-03-09 23:23:11 +00:00			`if o.defaultResp {`
			`o.log.Warn().Msgf(ErrNoIngressRulesCLI.Error())`
			`}`
TUN-6250: Add upstream response status code to tracing span attributes 2022-05-18 11:11:38 +00:00			`resp := &http.Response{`
			`StatusCode: o.code,`
			`Status: fmt.Sprintf("%d %s", o.code, http.StatusText(o.code)),`
			`Body: new(NopReadCloser),`
			`}`

			`return resp, nil`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00			`func (o rawTCPService) EstablishConnection(ctx context.Context, dest string, logger zerolog.Logger) (OriginConnection, error) {`
TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy. For WARP routing the defaults for these new settings are 5 seconds for connect timeout and 30 seconds for keep-alive timeout. These values can be configured either remotely or locally. Local config lives under "warp-routing" section in config.yaml. For websocket-based proxy, the defaults come from originConfig settings (either global or per-service) and use the same defaults as HTTP proxying. 2022-06-13 16:44:27 +00:00			`conn, err := o.dialer.DialContext(ctx, "tcp", dest)`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`if err != nil {`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`return nil, err`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`}`

			`originConn := &tcpConnection{`
TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00			`Conn: conn,`
			`writeTimeout: o.writeTimeout,`
			`logger: logger,`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`}`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`return originConn, nil`
TUN-3615: added support to proxy tcp streams added ingress.DefaultStreamHandler and a basic test for tcp stream proxy moved websocket.Stream to ingress cloudflared no longer picks tcpstream host from header 2021-01-11 19:59:45 +00:00			`}`

TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00			`func (o tcpOverWSService) EstablishConnection(ctx context.Context, dest string, _ zerolog.Logger) (OriginConnection, error) {`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`var err error`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`if !o.isBastion {`
			`dest = o.dest`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`}`

TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy. For WARP routing the defaults for these new settings are 5 seconds for connect timeout and 30 seconds for keep-alive timeout. These values can be configured either remotely or locally. Local config lives under "warp-routing" section in config.yaml. For websocket-based proxy, the defaults come from originConfig settings (either global or per-service) and use the same defaults as HTTP proxying. 2022-06-13 16:44:27 +00:00			`conn, err := o.dialer.DialContext(ctx, "tcp", dest)`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`if err != nil {`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`return nil, err`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`}`
			`originConn := &tcpOverWSConnection{`
			`conn: conn,`
			`streamHandler: o.streamHandler,`
			`}`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`return originConn, nil`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00
			`}`

TUN-8236: Add write timeout to quic and tcp connections ## Summary To prevent bad eyeballs and severs to be able to exhaust the quic control flows we are adding the possibility of having a timeout for a write operation to be acknowledged. This will prevent hanging connections from exhausting the quic control flows, creating a DDoS. 2024-02-12 18:58:55 +00:00			`func (o socksProxyOverWSService) EstablishConnection(_ context.Context, _ string, _ zerolog.Logger) (OriginConnection, error) {`
TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input This change extracts the need for EstablishConnection to know about a request's entire context. It also removes the concern of populating the http.Response from EstablishConnection's responsibilities. 2021-07-01 18:30:26 +00:00			`return o.conn, nil`
TUN-4017: Add support for using cloudflared as a full socks proxy. To use cloudflared as a socks proxy, add an ingress on the server side with your desired rules. Rules are matched in the order they are added. If there are no rules, it is an implicit allow. If there are rules, but no rule matches match, the connection is denied. ingress: - hostname: socks.example.com service: socks-proxy originRequest: ipRules: - prefix: 1.1.1.1/24 ports: [80, 443] allow: true - prefix: 0.0.0.0/0 allow: false On the client, run using tcp mode: cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080 Set your socks proxy as 127.0.0.1:8080 and you will now be proxying all connections to the remote machine. 2021-03-01 22:26:37 +00:00			`}`