cloudflared-mirror/ingress/origin_connection.go

package ingress

import (
	"context"
	"io"
	"net"

	"github.com/rs/zerolog"

	"github.com/cloudflare/cloudflared/ipaccess"
	"github.com/cloudflare/cloudflared/socks"
	"github.com/cloudflare/cloudflared/websocket"
)

// OriginConnection is a way to stream to a service running on the user's origin.
// Different concrete implementations will stream different protocols as long as they are io.ReadWriters.
type OriginConnection interface {
	// Stream should generally be implemented as a bidirectional io.Copy.
	Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)
	Close()
}

type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)

// DefaultStreamHandler is an implementation of streamHandlerFunc that
// performs a two way io.Copy between originConn and remoteConn.
func DefaultStreamHandler(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger) {
	websocket.Stream(originConn, remoteConn, log)
}

// tcpConnection is an OriginConnection that directly streams to raw TCP.
type tcpConnection struct {
	conn net.Conn
}

func (tc *tcpConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
	websocket.Stream(tunnelConn, tc.conn, log)
}

func (tc *tcpConnection) Close() {
	tc.conn.Close()
}

// tcpOverWSConnection is an OriginConnection that streams to TCP over WS.
type tcpOverWSConnection struct {
	conn          net.Conn
	streamHandler streamHandlerFunc
}

func (wc *tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
	wsCtx, cancel := context.WithCancel(ctx)
	wsConn := websocket.NewConn(wsCtx, tunnelConn, log)
	wc.streamHandler(wsConn, wc.conn, log)
	cancel()
	// Makes sure wsConn stops sending ping before terminating the stream
	wsConn.Close()
}

func (wc *tcpOverWSConnection) Close() {
	wc.conn.Close()
}

// socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.
// The connection to the origin happens inside the SOCKS code as the client specifies the origin
// details in the packet.
type socksProxyOverWSConnection struct {
	accessPolicy *ipaccess.Policy
}

func (sp *socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger) {
	wsCtx, cancel := context.WithCancel(ctx)
	wsConn := websocket.NewConn(wsCtx, tunnelConn, log)
	socks.StreamNetHandler(wsConn, sp.accessPolicy, log)
	cancel()
	// Makes sure wsConn stops sending ping before terminating the stream
	wsConn.Close()
}

func (sp *socksProxyOverWSConnection) Close() {
}
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`package ingress`

			`import (`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`"context"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`"io"`
			`"net"`

TUN-4067: Reformat code for consistent import order, grouping, and fix formatting. Added goimports target to the Makefile to make this easier in the future. 2021-03-23 14:30:43 +00:00			`"github.com/rs/zerolog"`

TUN-4017: Add support for using cloudflared as a full socks proxy. To use cloudflared as a socks proxy, add an ingress on the server side with your desired rules. Rules are matched in the order they are added. If there are no rules, it is an implicit allow. If there are rules, but no rule matches match, the connection is denied. ingress: - hostname: socks.example.com service: socks-proxy originRequest: ipRules: - prefix: 1.1.1.1/24 ports: [80, 443] allow: true - prefix: 0.0.0.0/0 allow: false On the client, run using tcp mode: cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080 Set your socks proxy as 127.0.0.1:8080 and you will now be proxying all connections to the remote machine. 2021-03-01 22:26:37 +00:00			`"github.com/cloudflare/cloudflared/ipaccess"`
			`"github.com/cloudflare/cloudflared/socks"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`"github.com/cloudflare/cloudflared/websocket"`
			`)`

			`// OriginConnection is a way to stream to a service running on the user's origin.`
			`// Different concrete implementations will stream different protocols as long as they are io.ReadWriters.`
			`type OriginConnection interface {`
			`// Stream should generally be implemented as a bidirectional io.Copy.`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`Stream(ctx context.Context, tunnelConn io.ReadWriter, log *zerolog.Logger)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`Close()`
			`}`

TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors 2021-02-04 15:07:18 +00:00			`type streamHandlerFunc func(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger)`
TUN-3615: added support to proxy tcp streams added ingress.DefaultStreamHandler and a basic test for tcp stream proxy moved websocket.Stream to ingress cloudflared no longer picks tcpstream host from header 2021-01-11 19:59:45 +00:00
			`// DefaultStreamHandler is an implementation of streamHandlerFunc that`
			`// performs a two way io.Copy between originConn and remoteConn.`
TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors 2021-02-04 15:07:18 +00:00			`func DefaultStreamHandler(originConn io.ReadWriter, remoteConn net.Conn, log *zerolog.Logger) {`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`websocket.Stream(originConn, remoteConn, log)`
TUN-3615: added support to proxy tcp streams added ingress.DefaultStreamHandler and a basic test for tcp stream proxy moved websocket.Stream to ingress cloudflared no longer picks tcpstream host from header 2021-01-11 19:59:45 +00:00			`}`

TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`// tcpConnection is an OriginConnection that directly streams to raw TCP.`
			`type tcpConnection struct {`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`conn net.Conn`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`func (tc tcpConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log zerolog.Logger) {`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`websocket.Stream(tunnelConn, tc.conn, log)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

			`func (tc *tcpConnection) Close() {`
			`tc.conn.Close()`
			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`// tcpOverWSConnection is an OriginConnection that streams to TCP over WS.`
			`type tcpOverWSConnection struct {`
			`conn net.Conn`
			`streamHandler streamHandlerFunc`
			`}`

			`func (wc tcpOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log zerolog.Logger) {`
TUN-5141: Make sure websocket pinger returns before streaming returns 2021-09-22 16:33:05 +00:00			`wsCtx, cancel := context.WithCancel(ctx)`
			`wsConn := websocket.NewConn(wsCtx, tunnelConn, log)`
			`wc.streamHandler(wsConn, wc.conn, log)`
			`cancel()`
			`// Makes sure wsConn stops sending ping before terminating the stream`
TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown 2021-10-19 19:01:17 +00:00			`wsConn.Close()`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`}`

			`func (wc *tcpOverWSConnection) Close() {`
			`wc.conn.Close()`
TUN-3817: Adds tests for websocket based streaming regression 2021-02-02 18:27:50 +00:00			`}`

TUN-4017: Add support for using cloudflared as a full socks proxy. To use cloudflared as a socks proxy, add an ingress on the server side with your desired rules. Rules are matched in the order they are added. If there are no rules, it is an implicit allow. If there are rules, but no rule matches match, the connection is denied. ingress: - hostname: socks.example.com service: socks-proxy originRequest: ipRules: - prefix: 1.1.1.1/24 ports: [80, 443] allow: true - prefix: 0.0.0.0/0 allow: false On the client, run using tcp mode: cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080 Set your socks proxy as 127.0.0.1:8080 and you will now be proxying all connections to the remote machine. 2021-03-01 22:26:37 +00:00			`// socksProxyOverWSConnection is an OriginConnection that streams SOCKS connections over WS.`
			`// The connection to the origin happens inside the SOCKS code as the client specifies the origin`
			`// details in the packet.`
			`type socksProxyOverWSConnection struct {`
			`accessPolicy *ipaccess.Policy`
			`}`

			`func (sp socksProxyOverWSConnection) Stream(ctx context.Context, tunnelConn io.ReadWriter, log zerolog.Logger) {`
TUN-5141: Make sure websocket pinger returns before streaming returns 2021-09-22 16:33:05 +00:00			`wsCtx, cancel := context.WithCancel(ctx)`
			`wsConn := websocket.NewConn(wsCtx, tunnelConn, log)`
			`socks.StreamNetHandler(wsConn, sp.accessPolicy, log)`
			`cancel()`
			`// Makes sure wsConn stops sending ping before terminating the stream`
TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown 2021-10-19 19:01:17 +00:00			`wsConn.Close()`
TUN-4017: Add support for using cloudflared as a full socks proxy. To use cloudflared as a socks proxy, add an ingress on the server side with your desired rules. Rules are matched in the order they are added. If there are no rules, it is an implicit allow. If there are rules, but no rule matches match, the connection is denied. ingress: - hostname: socks.example.com service: socks-proxy originRequest: ipRules: - prefix: 1.1.1.1/24 ports: [80, 443] allow: true - prefix: 0.0.0.0/0 allow: false On the client, run using tcp mode: cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080 Set your socks proxy as 127.0.0.1:8080 and you will now be proxying all connections to the remote machine. 2021-03-01 22:26:37 +00:00			`}`

			`func (sp *socksProxyOverWSConnection) Close() {`
			`}`