2018-10-08 19:20:28 +00:00
package tunnel
2018-05-01 23:45:06 +00:00
import (
2019-02-14 10:40:54 +00:00
"context"
2018-05-01 23:45:06 +00:00
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"io/ioutil"
"math/rand"
"net"
"net/http"
"os"
"path/filepath"
"runtime"
"strings"
"time"
2018-10-08 19:20:28 +00:00
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
2018-05-01 23:45:06 +00:00
"github.com/cloudflare/cloudflared/origin"
"github.com/cloudflare/cloudflared/tlsconfig"
tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
"github.com/cloudflare/cloudflared/validation"
2018-10-08 19:20:28 +00:00
"golang.org/x/crypto/ssh/terminal"
2018-05-01 23:45:06 +00:00
"github.com/sirupsen/logrus"
"gopkg.in/urfave/cli.v2"
"github.com/mitchellh/go-homedir"
"github.com/pkg/errors"
)
var (
2018-10-08 19:20:28 +00:00
developerPortal = "https://developers.cloudflare.com/argo-tunnel"
quickStartUrl = developerPortal + "/quickstart/quickstart/"
serviceUrl = developerPortal + "/reference/service/"
argumentsUrl = developerPortal + "/reference/arguments/"
2018-05-01 23:45:06 +00:00
)
2018-10-08 19:20:28 +00:00
// returns the first path that contains a cert.pem file. If none of the DefaultConfigDirs
// contains a cert.pem file, return empty string
2018-05-01 23:45:06 +00:00
func findDefaultOriginCertPath ( ) string {
2018-10-08 19:20:28 +00:00
for _ , defaultConfigDir := range config . DefaultConfigDirs {
originCertPath , _ := homedir . Expand ( filepath . Join ( defaultConfigDir , config . DefaultCredentialFile ) )
if ok , _ := config . FileExists ( originCertPath ) ; ok {
2018-05-01 23:45:06 +00:00
return originCertPath
}
}
return ""
}
func generateRandomClientID ( ) string {
r := rand . New ( rand . NewSource ( time . Now ( ) . UnixNano ( ) ) )
id := make ( [ ] byte , 32 )
r . Read ( id )
return hex . EncodeToString ( id )
}
func handleDeprecatedOptions ( c * cli . Context ) error {
// Fail if the user provided an old authentication method
if c . IsSet ( "api-key" ) || c . IsSet ( "api-email" ) || c . IsSet ( "api-ca-key" ) {
logger . Error ( "You don't need to give us your api-key anymore. Please use the new login method. Just run cloudflared login" )
return fmt . Errorf ( "Client provided deprecated options" )
}
return nil
}
func logClientOptions ( c * cli . Context ) {
flags := make ( map [ string ] interface { } )
for _ , flag := range c . LocalFlagNames ( ) {
flags [ flag ] = c . Generic ( flag )
}
2019-03-08 08:36:24 +00:00
sliceFlags := [ ] string { "header" , "tag" , "proxy-dns-upstream" , "upstream" , "edge" }
for _ , sliceFlag := range sliceFlags {
if len ( c . StringSlice ( sliceFlag ) ) > 0 {
flags [ sliceFlag ] = strings . Join ( c . StringSlice ( sliceFlag ) , ", " )
}
}
2018-05-01 23:45:06 +00:00
if len ( flags ) > 0 {
2019-03-08 08:36:24 +00:00
logger . WithFields ( flags ) . Info ( "Flags" )
2018-05-01 23:45:06 +00:00
}
envs := make ( map [ string ] string )
// Find env variables for Argo Tunnel
for _ , env := range os . Environ ( ) {
// All Argo Tunnel env variables start with TUNNEL_
if strings . Contains ( env , "TUNNEL_" ) {
vars := strings . Split ( env , "=" )
if len ( vars ) == 2 {
envs [ vars [ 0 ] ] = vars [ 1 ]
}
}
}
if len ( envs ) > 0 {
logger . Infof ( "Environmental variables %v" , envs )
}
}
func dnsProxyStandAlone ( c * cli . Context ) bool {
return c . IsSet ( "proxy-dns" ) && ( ! c . IsSet ( "hostname" ) && ! c . IsSet ( "tag" ) && ! c . IsSet ( "hello-world" ) )
}
func getOriginCert ( c * cli . Context ) ( [ ] byte , error ) {
if c . String ( "origincert" ) == "" {
2018-10-08 19:20:28 +00:00
logger . Warnf ( "Cannot determine default origin certificate path. No file %s in %v" , config . DefaultCredentialFile , config . DefaultConfigDirs )
2018-05-01 23:45:06 +00:00
if isRunningFromTerminal ( ) {
logger . Errorf ( "You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information." , argumentsUrl )
return nil , fmt . Errorf ( "Client didn't specify origincert path when running from terminal" )
} else {
logger . Errorf ( "You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information." , serviceUrl )
return nil , fmt . Errorf ( "Client didn't specify origincert path" )
}
}
// Check that the user has acquired a certificate using the login command
originCertPath , err := homedir . Expand ( c . String ( "origincert" ) )
if err != nil {
logger . WithError ( err ) . Errorf ( "Cannot resolve path %s" , c . String ( "origincert" ) )
return nil , fmt . Errorf ( "Cannot resolve path %s" , c . String ( "origincert" ) )
}
2018-10-08 19:20:28 +00:00
ok , err := config . FileExists ( originCertPath )
2018-05-01 23:45:06 +00:00
if err != nil {
logger . Errorf ( "Cannot check if origin cert exists at path %s" , c . String ( "origincert" ) )
return nil , fmt . Errorf ( "Cannot check if origin cert exists at path %s" , c . String ( "origincert" ) )
}
if ! ok {
logger . Errorf ( ` Cannot find a valid certificate for your origin at the path :
% s
If the path above is wrong , specify the path with the - origincert option .
If you don ' t have a certificate signed by Cloudflare , run the command :
% s login
` , originCertPath , os . Args [ 0 ] )
return nil , fmt . Errorf ( "Cannot find a valid certificate at the path %s" , originCertPath )
}
// Easier to send the certificate as []byte via RPC than decoding it at this point
originCert , err := ioutil . ReadFile ( originCertPath )
if err != nil {
logger . WithError ( err ) . Errorf ( "Cannot read %s to load origin certificate" , originCertPath )
return nil , fmt . Errorf ( "Cannot read %s to load origin certificate" , originCertPath )
}
return originCert , nil
}
2019-02-28 22:56:01 +00:00
func prepareTunnelConfig (
c * cli . Context ,
buildInfo * origin . BuildInfo ,
version string , logger ,
transportLogger * logrus . Logger ,
) ( * origin . TunnelConfig , error ) {
2018-05-01 23:45:06 +00:00
hostname , err := validation . ValidateHostname ( c . String ( "hostname" ) )
if err != nil {
logger . WithError ( err ) . Error ( "Invalid hostname" )
return nil , errors . Wrap ( err , "Invalid hostname" )
}
2019-03-22 17:00:57 +00:00
isFreeTunnel := hostname == ""
2018-05-01 23:45:06 +00:00
clientID := c . String ( "id" )
if ! c . IsSet ( "id" ) {
clientID = generateRandomClientID ( )
}
tags , err := NewTagSliceFromCLI ( c . StringSlice ( "tag" ) )
if err != nil {
logger . WithError ( err ) . Error ( "Tag parse failure" )
return nil , errors . Wrap ( err , "Tag parse failure" )
}
tags = append ( tags , tunnelpogs . Tag { Name : "ID" , Value : clientID } )
2018-10-19 20:44:35 +00:00
originURL , err := config . ValidateUrl ( c )
2018-05-01 23:45:06 +00:00
if err != nil {
2018-10-08 19:20:28 +00:00
logger . WithError ( err ) . Error ( "Error validating origin URL" )
return nil , errors . Wrap ( err , "Error validating origin URL" )
2018-05-01 23:45:06 +00:00
}
2019-03-22 17:00:57 +00:00
var originCert [ ] byte
if ! isFreeTunnel {
originCert , err = getOriginCert ( c )
if err != nil {
return nil , errors . Wrap ( err , "Error getting origin cert" )
}
2018-05-01 23:45:06 +00:00
}
originCertPool , err := loadCertPool ( c , logger )
if err != nil {
logger . WithError ( err ) . Error ( "Error loading cert pool" )
return nil , errors . Wrap ( err , "Error loading cert pool" )
}
tunnelMetrics := origin . NewTunnelMetrics ( )
httpTransport := & http . Transport {
2019-02-14 10:40:54 +00:00
Proxy : http . ProxyFromEnvironment ,
2018-05-01 23:45:06 +00:00
MaxIdleConns : c . Int ( "proxy-keepalive-connections" ) ,
IdleConnTimeout : c . Duration ( "proxy-keepalive-timeout" ) ,
TLSHandshakeTimeout : c . Duration ( "proxy-tls-timeout" ) ,
ExpectContinueTimeout : 1 * time . Second ,
TLSClientConfig : & tls . Config { RootCAs : originCertPool , InsecureSkipVerify : c . IsSet ( "no-tls-verify" ) } ,
}
2019-02-14 10:40:54 +00:00
dialContext := ( & net . Dialer {
Timeout : c . Duration ( "proxy-connect-timeout" ) ,
KeepAlive : c . Duration ( "proxy-tcp-keepalive" ) ,
DualStack : ! c . Bool ( "proxy-no-happy-eyeballs" ) ,
} ) . DialContext
if c . IsSet ( "unix-socket" ) {
unixSocket , err := config . ValidateUnixSocket ( c )
if err != nil {
logger . WithError ( err ) . Error ( "Error validating --unix-socket" )
return nil , errors . Wrap ( err , "Error validating --unix-socket" )
}
logger . Infof ( "Proxying tunnel requests to unix:%s" , unixSocket )
httpTransport . DialContext = func ( ctx context . Context , _ , _ string ) ( net . Conn , error ) {
// if --unix-socket specified, enforce network type "unix"
return dialContext ( ctx , "unix" , unixSocket )
}
} else {
logger . Infof ( "Proxying tunnel requests to %s" , originURL )
httpTransport . DialContext = dialContext
}
2018-05-01 23:45:06 +00:00
if ! c . IsSet ( "hello-world" ) && c . IsSet ( "origin-server-name" ) {
httpTransport . TLSClientConfig . ServerName = c . String ( "origin-server-name" )
}
2018-10-29 16:57:58 +00:00
err = validation . ValidateHTTPService ( originURL , hostname , httpTransport )
2018-10-08 19:20:28 +00:00
if err != nil {
logger . WithError ( err ) . Error ( "unable to connect to the origin" )
return nil , errors . Wrap ( err , "unable to connect to the origin" )
}
2018-11-15 15:43:50 +00:00
toEdgeTLSConfig , err := createTunnelConfig ( c )
if err != nil {
logger . WithError ( err ) . Error ( "unable to create TLS config to connect with edge" )
return nil , errors . Wrap ( err , "unable to create TLS config to connect with edge" )
}
2018-05-01 23:45:06 +00:00
return & origin . TunnelConfig {
EdgeAddrs : c . StringSlice ( "edge" ) ,
2018-10-08 19:20:28 +00:00
OriginUrl : originURL ,
2018-05-01 23:45:06 +00:00
Hostname : hostname ,
OriginCert : originCert ,
2018-11-15 15:43:50 +00:00
TlsConfig : toEdgeTLSConfig ,
2018-05-01 23:45:06 +00:00
ClientTlsConfig : httpTransport . TLSClientConfig ,
Retries : c . Uint ( "retries" ) ,
HeartbeatInterval : c . Duration ( "heartbeat-interval" ) ,
MaxHeartbeats : c . Uint64 ( "heartbeat-count" ) ,
ClientID : clientID ,
BuildInfo : buildInfo ,
2018-10-08 19:20:28 +00:00
ReportedVersion : version ,
2018-05-01 23:45:06 +00:00
LBPool : c . String ( "lb-pool" ) ,
Tags : tags ,
HAConnections : c . Int ( "ha-connections" ) ,
HTTPTransport : httpTransport ,
Metrics : tunnelMetrics ,
MetricsUpdateFreq : c . Duration ( "metrics-update-freq" ) ,
2019-01-28 20:11:56 +00:00
TransportLogger : transportLogger ,
2018-05-01 23:45:06 +00:00
Logger : logger ,
IsAutoupdated : c . Bool ( "is-autoupdated" ) ,
GracePeriod : c . Duration ( "grace-period" ) ,
RunFromTerminal : isRunningFromTerminal ( ) ,
NoChunkedEncoding : c . Bool ( "no-chunked-encoding" ) ,
CompressionQuality : c . Uint64 ( "compression-quality" ) ,
2019-01-10 20:55:44 +00:00
IncidentLookup : origin . NewIncidentLookup ( ) ,
2019-03-22 17:00:57 +00:00
IsFreeTunnel : isFreeTunnel ,
2018-05-01 23:45:06 +00:00
} , nil
}
func loadCertPool ( c * cli . Context , logger * logrus . Logger ) ( * x509 . CertPool , error ) {
const originCAPoolFlag = "origin-ca-pool"
originCAPoolFilename := c . String ( originCAPoolFlag )
var originCustomCAPool [ ] byte
if originCAPoolFilename != "" {
var err error
originCustomCAPool , err = ioutil . ReadFile ( originCAPoolFilename )
if err != nil {
return nil , errors . Wrap ( err , fmt . Sprintf ( "unable to read the file %s for --%s" , originCAPoolFilename , originCAPoolFlag ) )
}
}
2018-11-15 15:43:50 +00:00
originCertPool , err := loadOriginCertPool ( originCustomCAPool )
2018-05-01 23:45:06 +00:00
if err != nil {
return nil , errors . Wrap ( err , "error loading the certificate pool" )
}
// Windows users should be notified that they can use the flag
if runtime . GOOS == "windows" && originCAPoolFilename == "" {
logger . Infof ( "cloudflared does not support loading the system root certificate pool on Windows. Please use the --%s to specify it" , originCAPoolFlag )
}
return originCertPool , nil
}
2018-10-08 19:20:28 +00:00
2018-11-15 15:43:50 +00:00
func loadOriginCertPool ( originCAPoolPEM [ ] byte ) ( * x509 . CertPool , error ) {
// Get the global pool
certPool , err := loadGlobalCertPool ( )
if err != nil {
return nil , err
}
// Then, add any custom origin CA pool the user may have passed
if originCAPoolPEM != nil {
if ! certPool . AppendCertsFromPEM ( originCAPoolPEM ) {
logger . Warn ( "could not append the provided origin CA to the cloudflared certificate pool" )
}
}
return certPool , nil
}
func loadGlobalCertPool ( ) ( * x509 . CertPool , error ) {
// First, obtain the system certificate pool
certPool , err := x509 . SystemCertPool ( )
if err != nil {
if runtime . GOOS != "windows" {
logger . WithError ( err ) . Warn ( "error obtaining the system certificates" )
}
certPool = x509 . NewCertPool ( )
}
// Next, append the Cloudflare CAs into the system pool
cfRootCA , err := tlsconfig . GetCloudflareRootCA ( )
if err != nil {
return nil , errors . Wrap ( err , "could not append Cloudflare Root CAs to cloudflared certificate pool" )
}
for _ , cert := range cfRootCA {
certPool . AddCert ( cert )
}
// Finally, add the Hello certificate into the pool (since it's self-signed)
helloCert , err := tlsconfig . GetHelloCertificateX509 ( )
if err != nil {
return nil , errors . Wrap ( err , "could not append Hello server certificate to cloudflared certificate pool" )
}
certPool . AddCert ( helloCert )
return certPool , nil
}
func createTunnelConfig ( c * cli . Context ) ( * tls . Config , error ) {
var rootCAs [ ] string
if c . String ( "cacert" ) != "" {
rootCAs = append ( rootCAs , c . String ( "cacert" ) )
}
edgeAddrs := c . StringSlice ( "edge" )
userConfig := & tlsconfig . TLSParameters { RootCAs : rootCAs }
tlsConfig , err := tlsconfig . GetConfig ( userConfig )
if err != nil {
return nil , err
}
if tlsConfig . RootCAs == nil {
rootCAPool := x509 . NewCertPool ( )
cfRootCA , err := tlsconfig . GetCloudflareRootCA ( )
if err != nil {
return nil , errors . Wrap ( err , "could not append Cloudflare Root CAs to cloudflared certificate pool" )
}
for _ , cert := range cfRootCA {
rootCAPool . AddCert ( cert )
}
tlsConfig . RootCAs = rootCAPool
tlsConfig . ServerName = "cftunnel.com"
} else if len ( edgeAddrs ) > 0 {
// Set for development environments and for testing specific origintunneld instances
tlsConfig . ServerName , _ , _ = net . SplitHostPort ( edgeAddrs [ 0 ] )
}
if tlsConfig . ServerName == "" && ! tlsConfig . InsecureSkipVerify {
return nil , fmt . Errorf ( "either ServerName or InsecureSkipVerify must be specified in the tls.Config" )
}
return tlsConfig , nil
}
2018-10-08 19:20:28 +00:00
func isRunningFromTerminal ( ) bool {
return terminal . IsTerminal ( int ( os . Stdout . Fd ( ) ) )
}