2020-03-31 14:56:22 +00:00
|
|
|
package carrier
|
|
|
|
|
|
|
|
import (
|
|
|
|
"io"
|
|
|
|
"net/http"
|
2020-06-08 22:01:48 +00:00
|
|
|
"net/http/httputil"
|
2021-04-02 06:10:43 +00:00
|
|
|
"net/url"
|
2020-03-31 14:56:22 +00:00
|
|
|
|
2021-03-23 14:30:43 +00:00
|
|
|
"github.com/gorilla/websocket"
|
|
|
|
"github.com/rs/zerolog"
|
|
|
|
|
2021-03-08 16:46:23 +00:00
|
|
|
"github.com/cloudflare/cloudflared/token"
|
2020-03-31 14:56:22 +00:00
|
|
|
cfwebsocket "github.com/cloudflare/cloudflared/websocket"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
|
|
|
|
// This implements the functions for glider proxy (sock5) and the carrier interface
|
|
|
|
type Websocket struct {
|
2020-11-25 06:55:13 +00:00
|
|
|
log *zerolog.Logger
|
2020-03-31 14:56:22 +00:00
|
|
|
isSocks bool
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewWSConnection returns a new connection object
|
2021-02-10 16:19:55 +00:00
|
|
|
func NewWSConnection(log *zerolog.Logger) Connection {
|
2020-03-31 14:56:22 +00:00
|
|
|
return &Websocket{
|
2021-02-10 16:19:55 +00:00
|
|
|
log: log,
|
2020-03-31 14:56:22 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ServeStream will create a Websocket client stream connection to the edge
|
|
|
|
// it blocks and writes the raw data from conn over the tunnel
|
|
|
|
func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) error {
|
2020-11-25 06:55:13 +00:00
|
|
|
wsConn, err := createWebsocketStream(options, ws.log)
|
2020-03-31 14:56:22 +00:00
|
|
|
if err != nil {
|
2020-12-28 18:10:01 +00:00
|
|
|
ws.log.Err(err).Str(LogFieldOriginURL, options.OriginURL).Msg("failed to connect to origin")
|
2020-03-31 14:56:22 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
defer wsConn.Close()
|
|
|
|
|
2021-03-26 04:04:56 +00:00
|
|
|
cfwebsocket.Stream(wsConn, conn, ws.log)
|
2020-03-31 14:56:22 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// createWebsocketStream will create a WebSocket connection to stream data over
|
|
|
|
// It also handles redirects from Access and will present that flow if
|
|
|
|
// the token is not present on the request
|
2020-12-09 21:46:53 +00:00
|
|
|
func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
|
2020-03-31 14:56:22 +00:00
|
|
|
req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
req.Header = options.Headers
|
2021-02-03 19:00:55 +00:00
|
|
|
if options.Host != "" {
|
|
|
|
req.Host = options.Host
|
|
|
|
}
|
2020-03-31 14:56:22 +00:00
|
|
|
|
2020-06-08 22:01:48 +00:00
|
|
|
dump, err := httputil.DumpRequest(req, false)
|
2020-11-25 06:55:13 +00:00
|
|
|
log.Debug().Msgf("Websocket request: %s", string(dump))
|
2020-06-08 22:01:48 +00:00
|
|
|
|
2021-02-03 19:00:55 +00:00
|
|
|
dialer := &websocket.Dialer{
|
|
|
|
TLSClientConfig: options.TLSClientConfig,
|
2021-03-09 17:16:17 +00:00
|
|
|
Proxy: http.ProxyFromEnvironment,
|
2021-02-03 19:00:55 +00:00
|
|
|
}
|
2021-04-02 06:10:43 +00:00
|
|
|
wsConn, resp, err := clientConnect(req, dialer)
|
2020-03-31 14:56:22 +00:00
|
|
|
defer closeRespBody(resp)
|
2020-08-12 17:17:25 +00:00
|
|
|
|
2020-03-31 14:56:22 +00:00
|
|
|
if err != nil && IsAccessResponse(resp) {
|
2021-03-10 21:52:35 +00:00
|
|
|
// Only get Access app info if we know the origin is protected by Access
|
|
|
|
originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
appInfo, err := token.GetAppInfo(originReq.URL)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
options.AppInfo = appInfo
|
|
|
|
|
2020-11-25 06:55:13 +00:00
|
|
|
wsConn, err = createAccessAuthenticatedStream(options, log)
|
2020-03-31 14:56:22 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
} else if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2020-12-09 21:46:53 +00:00
|
|
|
return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
|
2020-03-31 14:56:22 +00:00
|
|
|
}
|
|
|
|
|
2021-04-02 06:10:43 +00:00
|
|
|
var stripWebsocketHeaders = []string{
|
|
|
|
"Upgrade",
|
|
|
|
"Connection",
|
|
|
|
"Sec-Websocket-Key",
|
|
|
|
"Sec-Websocket-Version",
|
|
|
|
"Sec-Websocket-Extensions",
|
|
|
|
}
|
|
|
|
|
|
|
|
// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
|
|
|
|
// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
|
|
|
|
// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
|
|
|
|
func websocketHeaders(req *http.Request) http.Header {
|
|
|
|
wsHeaders := make(http.Header)
|
|
|
|
for key, val := range req.Header {
|
|
|
|
wsHeaders[key] = val
|
|
|
|
}
|
|
|
|
// Assume the header keys are in canonical format.
|
|
|
|
for _, header := range stripWebsocketHeaders {
|
|
|
|
wsHeaders.Del(header)
|
|
|
|
}
|
|
|
|
wsHeaders.Set("Host", req.Host) // See TUN-1097
|
|
|
|
return wsHeaders
|
|
|
|
}
|
|
|
|
|
|
|
|
// clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
|
|
|
|
// the connection. The response body may not contain the entire response and does
|
|
|
|
// not need to be closed by the application.
|
|
|
|
func clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
|
|
|
|
req.URL.Scheme = changeRequestScheme(req.URL)
|
|
|
|
wsHeaders := websocketHeaders(req)
|
|
|
|
if dialler == nil {
|
|
|
|
dialler = &websocket.Dialer{
|
|
|
|
Proxy: http.ProxyFromEnvironment,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
|
|
|
|
if err != nil {
|
|
|
|
return nil, response, err
|
|
|
|
}
|
|
|
|
return conn, response, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
|
|
|
|
// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
|
|
|
|
func changeRequestScheme(reqURL *url.URL) string {
|
|
|
|
switch reqURL.Scheme {
|
|
|
|
case "https":
|
|
|
|
return "wss"
|
|
|
|
case "http":
|
|
|
|
return "ws"
|
|
|
|
case "":
|
|
|
|
return "ws"
|
|
|
|
default:
|
|
|
|
return reqURL.Scheme
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-03-31 14:56:22 +00:00
|
|
|
// createAccessAuthenticatedStream will try load a token from storage and make
|
|
|
|
// a connection with the token set on the request. If it still get redirect,
|
|
|
|
// this probably means the token in storage is invalid (expired/revoked). If that
|
|
|
|
// happens it deletes the token and runs the connection again, so the user can
|
|
|
|
// login again and generate a new one.
|
2020-11-25 06:55:13 +00:00
|
|
|
func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, error) {
|
|
|
|
wsConn, resp, err := createAccessWebSocketStream(options, log)
|
2020-03-31 14:56:22 +00:00
|
|
|
defer closeRespBody(resp)
|
|
|
|
if err == nil {
|
|
|
|
return wsConn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if !IsAccessResponse(resp) {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Access Token is invalid for some reason. Go through regen flow
|
2021-03-10 21:52:35 +00:00
|
|
|
if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
|
2020-03-31 14:56:22 +00:00
|
|
|
return nil, err
|
|
|
|
}
|
2020-11-25 06:55:13 +00:00
|
|
|
wsConn, resp, err = createAccessWebSocketStream(options, log)
|
2020-03-31 14:56:22 +00:00
|
|
|
defer closeRespBody(resp)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return wsConn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// createAccessWebSocketStream builds an Access request and makes a connection
|
2020-11-25 06:55:13 +00:00
|
|
|
func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, *http.Response, error) {
|
|
|
|
req, err := BuildAccessRequest(options, log)
|
2020-03-31 14:56:22 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, nil, err
|
|
|
|
}
|
2020-06-08 22:01:48 +00:00
|
|
|
|
|
|
|
dump, err := httputil.DumpRequest(req, false)
|
2020-11-25 06:55:13 +00:00
|
|
|
log.Debug().Msgf("Access Websocket request: %s", string(dump))
|
2020-06-08 22:01:48 +00:00
|
|
|
|
2021-04-02 06:10:43 +00:00
|
|
|
conn, resp, err := clientConnect(req, nil)
|
2020-08-12 17:17:25 +00:00
|
|
|
|
|
|
|
if resp != nil {
|
|
|
|
r, err := httputil.DumpResponse(resp, true)
|
|
|
|
if r != nil {
|
2020-11-25 06:55:13 +00:00
|
|
|
log.Debug().Msgf("Websocket response: %q", r)
|
2020-08-12 17:17:25 +00:00
|
|
|
} else if err != nil {
|
2020-11-25 06:55:13 +00:00
|
|
|
log.Debug().Msgf("Websocket response error: %v", err)
|
2020-08-12 17:17:25 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return conn, resp, err
|
2020-03-31 14:56:22 +00:00
|
|
|
}
|