cloudflared-mirror/ingress/origin_proxy.go

package ingress

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"

	"github.com/pkg/errors"

	"github.com/cloudflare/cloudflared/carrier"
	"github.com/cloudflare/cloudflared/websocket"
)

var (
	switchingProtocolText        = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
	errUnsupportedConnectionType = errors.New("internal error: unsupported connection type")
)

// HTTPOriginProxy can be implemented by origin services that want to proxy http requests.
type HTTPOriginProxy interface {
	// RoundTrip is how cloudflared proxies eyeball requests to the actual origin services
	http.RoundTripper
}

// StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.
type StreamBasedOriginProxy interface {
	EstablishConnection(r *http.Request) (OriginConnection, *http.Response, error)
}

func (o *unixSocketPath) RoundTrip(req *http.Request) (*http.Response, error) {
	return o.transport.RoundTrip(req)
}

func (o *httpService) RoundTrip(req *http.Request) (*http.Response, error) {
	// Rewrite the request URL so that it goes to the origin service.
	req.URL.Host = o.url.Host
	req.URL.Scheme = o.url.Scheme
	if o.hostHeader != "" {
		// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.
		req.Host = o.hostHeader
	}
	return o.transport.RoundTrip(req)
}

func (o *httpService) EstablishConnection(req *http.Request) (OriginConnection, *http.Response, error) {
	req = req.Clone(req.Context())

	req.URL.Host = o.url.Host
	req.URL.Scheme = o.url.Scheme
	// allow ws(s) scheme for websocket-only origins, normal http(s) requests will fail
	switch req.URL.Scheme {
	case "ws":
		req.URL.Scheme = "http"
	case "wss":
		req.URL.Scheme = "https"
	}

	if o.hostHeader != "" {
		// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.
		req.Host = o.hostHeader
	}

	return o.newWebsocketProxyConnection(req)
}

func (o *httpService) newWebsocketProxyConnection(req *http.Request) (OriginConnection, *http.Response, error) {
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Version", "13")

	req.ContentLength = 0
	req.Body = nil

	resp, err := o.transport.RoundTrip(req)
	if err != nil {
		return nil, nil, err
	}

	toClose := resp.Body
	defer func() {
		if toClose != nil {
			_ = toClose.Close()
		}
	}()

	if resp.StatusCode != http.StatusSwitchingProtocols {
		return nil, nil, fmt.Errorf("unexpected origin response: %s", resp.Status)
	}
	if strings.ToLower(resp.Header.Get("Upgrade")) != "websocket" {
		return nil, nil, fmt.Errorf("unexpected upgrade: %q", resp.Header.Get("Upgrade"))
	}

	rwc, ok := resp.Body.(io.ReadWriteCloser)
	if !ok {
		return nil, nil, errUnsupportedConnectionType
	}
	conn := wsProxyConnection{
		rwc: rwc,
	}
	// clear to prevent defer from closing
	toClose = nil

	return &conn, resp, nil
}

func (o *statusCode) RoundTrip(_ *http.Request) (*http.Response, error) {
	return o.resp, nil
}

func (o *rawTCPService) EstablishConnection(r *http.Request) (OriginConnection, *http.Response, error) {
	dest, err := getRequestHost(r)
	if err != nil {
		return nil, nil, err
	}
	conn, err := net.Dial("tcp", dest)
	if err != nil {
		return nil, nil, err
	}

	originConn := &tcpConnection{
		conn: conn,
	}
	resp := &http.Response{
		Status:        switchingProtocolText,
		StatusCode:    http.StatusSwitchingProtocols,
		ContentLength: -1,
	}
	return originConn, resp, nil
}

// getRequestHost returns the host of the http.Request.
func getRequestHost(r *http.Request) (string, error) {
	if r.Host != "" {
		return r.Host, nil
	}
	if r.URL != nil {
		return r.URL.Host, nil
	}
	return "", errors.New("host not found")
}

func (o *tcpOverWSService) EstablishConnection(r *http.Request) (OriginConnection, *http.Response, error) {
	var err error
	dest := o.dest
	if o.isBastion {
		dest, err = carrier.ResolveBastionDest(r)
		if err != nil {
			return nil, nil, err
		}
	}

	conn, err := net.Dial("tcp", dest)
	if err != nil {
		return nil, nil, err
	}
	originConn := &tcpOverWSConnection{
		conn:          conn,
		streamHandler: o.streamHandler,
	}
	resp := &http.Response{
		Status:        switchingProtocolText,
		StatusCode:    http.StatusSwitchingProtocols,
		Header:        websocket.NewResponseHeader(r),
		ContentLength: -1,
	}
	return originConn, resp, nil

}

func (o *socksProxyOverWSService) EstablishConnection(r *http.Request) (OriginConnection, *http.Response, error) {
	originConn := o.conn
	resp := &http.Response{
		Status:        switchingProtocolText,
		StatusCode:    http.StatusSwitchingProtocols,
		Header:        websocket.NewResponseHeader(r),
		ContentLength: -1,
	}
	return originConn, resp, nil
}
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`package ingress`

			`import (`
			`"fmt"`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`"io"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`"net"`
			`"net/http"`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`"strings"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00
TUN-4067: Reformat code for consistent import order, grouping, and fix formatting. Added goimports target to the Makefile to make this easier in the future. 2021-03-23 14:30:43 +00:00			`"github.com/pkg/errors"`

TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`"github.com/cloudflare/cloudflared/carrier"`
TUN-3817: Adds tests for websocket based streaming regression 2021-02-02 18:27:50 +00:00			`"github.com/cloudflare/cloudflared/websocket"`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`)`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`var (`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))`
			`errUnsupportedConnectionType = errors.New("internal error: unsupported connection type")`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`)`

TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`// HTTPOriginProxy can be implemented by origin services that want to proxy http requests.`
			`type HTTPOriginProxy interface {`
			`// RoundTrip is how cloudflared proxies eyeball requests to the actual origin services`
			`http.RoundTripper`
			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`// StreamBasedOriginProxy can be implemented by origin services that want to proxy ws/TCP.`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`type StreamBasedOriginProxy interface {`
TUN-3853: Respond with ws headers from the origin service rather than generating our own 2021-02-04 18:03:34 +00:00			`EstablishConnection(r http.Request) (OriginConnection, http.Response, error)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

			`func (o unixSocketPath) RoundTrip(req http.Request) (*http.Response, error) {`
			`return o.transport.RoundTrip(req)`
			`}`

			`func (o httpService) RoundTrip(req http.Request) (*http.Response, error) {`
			`// Rewrite the request URL so that it goes to the origin service.`
			`req.URL.Host = o.url.Host`
			`req.URL.Scheme = o.url.Scheme`
TUN-3889: Move host header override logic to httpService 2021-02-08 19:25:08 +00:00			`if o.hostHeader != "" {`
			`// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.`
			`req.Host = o.hostHeader`
			`}`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`return o.transport.RoundTrip(req)`
			`}`

TUN-3853: Respond with ws headers from the origin service rather than generating our own 2021-02-04 18:03:34 +00:00			`func (o httpService) EstablishConnection(req http.Request) (OriginConnection, *http.Response, error) {`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`req = req.Clone(req.Context())`

TUN-3817: Adds tests for websocket based streaming regression 2021-02-02 18:27:50 +00:00			`req.URL.Host = o.url.Host`
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`req.URL.Scheme = o.url.Scheme`
			`// allow ws(s) scheme for websocket-only origins, normal http(s) requests will fail`
			`switch req.URL.Scheme {`
			`case "ws":`
			`req.URL.Scheme = "http"`
			`case "wss":`
			`req.URL.Scheme = "https"`
			`}`

TUN-3889: Move host header override logic to httpService 2021-02-08 19:25:08 +00:00			`if o.hostHeader != "" {`
			`// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.`
			`req.Host = o.hostHeader`
			`}`
TUN-3817: Adds tests for websocket based streaming regression 2021-02-02 18:27:50 +00:00
TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`return o.newWebsocketProxyConnection(req)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345). 2021-04-02 06:10:43 +00:00			`func (o httpService) newWebsocketProxyConnection(req http.Request) (OriginConnection, *http.Response, error) {`
			`req.Header.Set("Connection", "Upgrade")`
			`req.Header.Set("Upgrade", "websocket")`
			`req.Header.Set("Sec-WebSocket-Version", "13")`

			`req.ContentLength = 0`
			`req.Body = nil`

			`resp, err := o.transport.RoundTrip(req)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`toClose := resp.Body`
			`defer func() {`
			`if toClose != nil {`
			`_ = toClose.Close()`
			`}`
			`}()`

			`if resp.StatusCode != http.StatusSwitchingProtocols {`
			`return nil, nil, fmt.Errorf("unexpected origin response: %s", resp.Status)`
			`}`
			`if strings.ToLower(resp.Header.Get("Upgrade")) != "websocket" {`
			`return nil, nil, fmt.Errorf("unexpected upgrade: %q", resp.Header.Get("Upgrade"))`
			`}`

			`rwc, ok := resp.Body.(io.ReadWriteCloser)`
			`if !ok {`
			`return nil, nil, errUnsupportedConnectionType`
			`}`
			`conn := wsProxyConnection{`
			`rwc: rwc,`
			`}`
			`// clear to prevent defer from closing`
			`toClose = nil`

			`return &conn, resp, nil`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

			`func (o statusCode) RoundTrip(_ http.Request) (*http.Response, error) {`
			`return o.resp, nil`
			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`func (o rawTCPService) EstablishConnection(r http.Request) (OriginConnection, *http.Response, error) {`
			`dest, err := getRequestHost(r)`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`if err != nil {`
TUN-3853: Respond with ws headers from the origin service rather than generating our own 2021-02-04 18:03:34 +00:00			`return nil, nil, err`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`conn, err := net.Dial("tcp", dest)`
			`if err != nil {`
			`return nil, nil, err`
			`}`

			`originConn := &tcpConnection{`
			`conn: conn,`
			`}`
			`resp := &http.Response{`
			`Status: switchingProtocolText,`
			`StatusCode: http.StatusSwitchingProtocols,`
			`ContentLength: -1,`
			`}`
			`return originConn, resp, nil`
TUN-3617: Separate service from client, and implement different client for http vs. tcp origins - extracted ResponseWriter from proxyConnection - added bastion tests over websocket - removed HTTPResp() - added some docstrings - Renamed some ingress clients as proxies - renamed instances of client to proxy in connection and origin - Stream no longer takes a context and logger.Service 2020-12-09 21:46:53 +00:00			`}`

TUN-3615: added support to proxy tcp streams added ingress.DefaultStreamHandler and a basic test for tcp stream proxy moved websocket.Stream to ingress cloudflared no longer picks tcpstream host from header 2021-01-11 19:59:45 +00:00			`// getRequestHost returns the host of the http.Request.`
			`func getRequestHost(r *http.Request) (string, error) {`
			`if r.Host != "" {`
			`return r.Host, nil`
			`}`
			`if r.URL != nil {`
			`return r.URL.Host, nil`
			`}`
			`return "", errors.New("host not found")`
			`}`

TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`func (o tcpOverWSService) EstablishConnection(r http.Request) (OriginConnection, *http.Response, error) {`
			`var err error`
			`dest := o.dest`
			`if o.isBastion {`
TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic. Exported headers used by proxying between edge and cloudflared so then can be shared by tunnel service on the edge. Moved access-related headers to corresponding packages that have the code that sets/uses these headers. Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibilty, but it's no longer used by cloudflared. Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages. 2021-03-26 04:04:56 +00:00			`dest, err = carrier.ResolveBastionDest(r)`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`if err != nil {`
			`return nil, nil, err`
			`}`
			`}`

			`conn, err := net.Dial("tcp", dest)`
			`if err != nil {`
			`return nil, nil, err`
			`}`
			`originConn := &tcpOverWSConnection{`
			`conn: conn,`
			`streamHandler: o.streamHandler,`
			`}`
			`resp := &http.Response{`
			`Status: switchingProtocolText,`
			`StatusCode: http.StatusSwitchingProtocols,`
			`Header: websocket.NewResponseHeader(r),`
			`ContentLength: -1,`
TUN-3615: added support to proxy tcp streams added ingress.DefaultStreamHandler and a basic test for tcp stream proxy moved websocket.Stream to ingress cloudflared no longer picks tcpstream host from header 2021-01-11 19:59:45 +00:00			`}`
TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService 2021-02-05 13:01:53 +00:00			`return originConn, resp, nil`

			`}`

TUN-4017: Add support for using cloudflared as a full socks proxy. To use cloudflared as a socks proxy, add an ingress on the server side with your desired rules. Rules are matched in the order they are added. If there are no rules, it is an implicit allow. If there are rules, but no rule matches match, the connection is denied. ingress: - hostname: socks.example.com service: socks-proxy originRequest: ipRules: - prefix: 1.1.1.1/24 ports: [80, 443] allow: true - prefix: 0.0.0.0/0 allow: false On the client, run using tcp mode: cloudflared access tcp --hostname socks.example.com --url 127.0.0.1:8080 Set your socks proxy as 127.0.0.1:8080 and you will now be proxying all connections to the remote machine. 2021-03-01 22:26:37 +00:00			`func (o socksProxyOverWSService) EstablishConnection(r http.Request) (OriginConnection, *http.Response, error) {`
			`originConn := o.conn`
			`resp := &http.Response{`
			`Status: switchingProtocolText,`
			`StatusCode: http.StatusSwitchingProtocols,`
			`Header: websocket.NewResponseHeader(r),`
			`ContentLength: -1,`
			`}`
			`return originConn, resp, nil`
			`}`