TUN-1914: Conflate HTTP and Unix OriginConfig, and add TLS config to WebSocketOriginConfig

This commit is contained in:
Chung-Ting Huang 2019-05-30 15:45:46 -05:00
parent 713a2d689e
commit 39d60d1239
4 changed files with 783 additions and 610 deletions

View File

@ -3,6 +3,7 @@ package pogs
import ( import (
"context" "context"
"fmt" "fmt"
"net/url"
"time" "time"
"github.com/cloudflare/cloudflared/tunnelrpc" "github.com/cloudflare/cloudflared/tunnelrpc"
@ -43,7 +44,6 @@ type ReverseProxyConfig struct {
Origin OriginConfig Origin OriginConfig
Retries uint64 Retries uint64
ConnectionTimeout time.Duration ConnectionTimeout time.Duration
ChunkedEncoding bool
CompressionQuality uint64 CompressionQuality uint64
} }
@ -52,7 +52,6 @@ func NewReverseProxyConfig(
originConfig OriginConfig, originConfig OriginConfig,
retries uint64, retries uint64,
connectionTimeout time.Duration, connectionTimeout time.Duration,
chunkedEncoding bool,
compressionQuality uint64, compressionQuality uint64,
) (*ReverseProxyConfig, error) { ) (*ReverseProxyConfig, error) {
if originConfig == nil { if originConfig == nil {
@ -63,7 +62,6 @@ func NewReverseProxyConfig(
Origin: originConfig, Origin: originConfig,
Retries: retries, Retries: retries,
ConnectionTimeout: connectionTimeout, ConnectionTimeout: connectionTimeout,
ChunkedEncoding: chunkedEncoding,
CompressionQuality: compressionQuality, CompressionQuality: compressionQuality,
}, nil }, nil
} }
@ -74,7 +72,7 @@ type OriginConfig interface {
} }
type HTTPOriginConfig struct { type HTTPOriginConfig struct {
URL string `capnp:"url"` URL OriginAddr `capnp:"url"`
TCPKeepAlive time.Duration `capnp:"tcpKeepAlive"` TCPKeepAlive time.Duration `capnp:"tcpKeepAlive"`
DialDualStack bool DialDualStack bool
TLSHandshakeTimeout time.Duration `capnp:"tlsHandshakeTimeout"` TLSHandshakeTimeout time.Duration `capnp:"tlsHandshakeTimeout"`
@ -83,18 +81,49 @@ type HTTPOriginConfig struct {
OriginServerName string OriginServerName string
MaxIdleConnections uint64 MaxIdleConnections uint64
IdleConnectionTimeout time.Duration IdleConnectionTimeout time.Duration
ProxyConnectTimeout time.Duration
ExpectContinueTimeout time.Duration
ChunkedEncoding bool
} }
func (_ *HTTPOriginConfig) isOriginConfig() {} func (_ *HTTPOriginConfig) isOriginConfig() {}
type UnixSocketOriginConfig struct { type OriginAddr interface {
Addr() string
}
type HTTPURL struct {
URL *url.URL
}
func (ha *HTTPURL) Addr() string {
return ha.URL.String()
}
func (ha *HTTPURL) capnpHTTPURL() *CapnpHTTPURL {
return &CapnpHTTPURL{
URL: ha.URL.String(),
}
}
// URL for a HTTP origin, capnp doesn't have native support for URL, so represent it as string
type CapnpHTTPURL struct {
URL string `capnp:"url"`
}
type UnixPath struct {
Path string Path string
} }
func (_ *UnixSocketOriginConfig) isOriginConfig() {} func (up *UnixPath) Addr() string {
return up.Path
}
type WebSocketOriginConfig struct { type WebSocketOriginConfig struct {
URL string `capnp:"url"` URL string `capnp:"url"`
TLSVerify bool `capnp:"tlsVerify"`
OriginCAPool string
OriginServerName string
} }
func (_ *WebSocketOriginConfig) isOriginConfig() {} func (_ *WebSocketOriginConfig) isOriginConfig() {}
@ -239,31 +268,30 @@ func MarshalReverseProxyConfig(s tunnelrpc.ReverseProxyConfig, p *ReverseProxyCo
if err != nil { if err != nil {
return err return err
} }
MarshalHTTPOriginConfig(ss, config) if err := MarshalHTTPOriginConfig(ss, config); err != nil {
case *UnixSocketOriginConfig:
ss, err := s.Origin().NewSocket()
if err != nil {
return err return err
} }
MarshalUnixSocketOriginConfig(ss, config)
case *WebSocketOriginConfig: case *WebSocketOriginConfig:
ss, err := s.Origin().NewWebsocket() ss, err := s.Origin().NewWebsocket()
if err != nil { if err != nil {
return err return err
} }
MarshalWebSocketOriginConfig(ss, config) if err := MarshalWebSocketOriginConfig(ss, config); err != nil {
return err
}
case *HelloWorldOriginConfig: case *HelloWorldOriginConfig:
ss, err := s.Origin().NewHelloWorld() ss, err := s.Origin().NewHelloWorld()
if err != nil { if err != nil {
return err return err
} }
MarshalHelloWorldOriginConfig(ss, config) if err := MarshalHelloWorldOriginConfig(ss, config); err != nil {
return err
}
default: default:
return fmt.Errorf("Unknown type for config: %T", config) return fmt.Errorf("Unknown type for config: %T", config)
} }
s.SetRetries(p.Retries) s.SetRetries(p.Retries)
s.SetConnectionTimeout(p.ConnectionTimeout.Nanoseconds()) s.SetConnectionTimeout(p.ConnectionTimeout.Nanoseconds())
s.SetChunkedEncoding(p.ChunkedEncoding)
s.SetCompressionQuality(p.CompressionQuality) s.SetCompressionQuality(p.CompressionQuality)
return nil return nil
} }
@ -286,16 +314,6 @@ func UnmarshalReverseProxyConfig(s tunnelrpc.ReverseProxyConfig) (*ReverseProxyC
return nil, err return nil, err
} }
p.Origin = config p.Origin = config
case tunnelrpc.ReverseProxyConfig_origin_Which_socket:
ss, err := s.Origin().Socket()
if err != nil {
return nil, err
}
config, err := UnmarshalUnixSocketOriginConfig(ss)
if err != nil {
return nil, err
}
p.Origin = config
case tunnelrpc.ReverseProxyConfig_origin_Which_websocket: case tunnelrpc.ReverseProxyConfig_origin_Which_websocket:
ss, err := s.Origin().Websocket() ss, err := s.Origin().Websocket()
if err != nil { if err != nil {
@ -319,28 +337,120 @@ func UnmarshalReverseProxyConfig(s tunnelrpc.ReverseProxyConfig) (*ReverseProxyC
} }
p.Retries = s.Retries() p.Retries = s.Retries()
p.ConnectionTimeout = time.Duration(s.ConnectionTimeout()) p.ConnectionTimeout = time.Duration(s.ConnectionTimeout())
p.ChunkedEncoding = s.ChunkedEncoding()
p.CompressionQuality = s.CompressionQuality() p.CompressionQuality = s.CompressionQuality()
return p, nil return p, nil
} }
func MarshalHTTPOriginConfig(s tunnelrpc.HTTPOriginConfig, p *HTTPOriginConfig) error { func MarshalHTTPOriginConfig(s tunnelrpc.HTTPOriginConfig, p *HTTPOriginConfig) error {
return pogs.Insert(tunnelrpc.HTTPOriginConfig_TypeID, s.Struct, p) switch originAddr := p.URL.(type) {
case *HTTPURL:
ss, err := s.OriginAddr().NewHttp()
if err != nil {
return err
}
if err := MarshalHTTPURL(ss, originAddr); err != nil {
return err
}
case *UnixPath:
ss, err := s.OriginAddr().NewUnix()
if err != nil {
return err
}
if err := MarshalUnixPath(ss, originAddr); err != nil {
return err
}
default:
return fmt.Errorf("Unknown type for OriginAddr: %T", originAddr)
}
s.SetTcpKeepAlive(p.TCPKeepAlive.Nanoseconds())
s.SetDialDualStack(p.DialDualStack)
s.SetTlsHandshakeTimeout(p.TLSHandshakeTimeout.Nanoseconds())
s.SetTlsVerify(p.TLSVerify)
s.SetOriginCAPool(p.OriginCAPool)
s.SetOriginServerName(p.OriginServerName)
s.SetMaxIdleConnections(p.MaxIdleConnections)
s.SetIdleConnectionTimeout(p.IdleConnectionTimeout.Nanoseconds())
s.SetProxyConnectionTimeout(p.ProxyConnectTimeout.Nanoseconds())
s.SetExpectContinueTimeout(p.ExpectContinueTimeout.Nanoseconds())
s.SetChunkedEncoding(p.ChunkedEncoding)
return nil
} }
func UnmarshalHTTPOriginConfig(s tunnelrpc.HTTPOriginConfig) (*HTTPOriginConfig, error) { func UnmarshalHTTPOriginConfig(s tunnelrpc.HTTPOriginConfig) (*HTTPOriginConfig, error) {
p := new(HTTPOriginConfig) p := new(HTTPOriginConfig)
err := pogs.Extract(p, tunnelrpc.HTTPOriginConfig_TypeID, s.Struct) switch s.OriginAddr().Which() {
return p, err case tunnelrpc.HTTPOriginConfig_originAddr_Which_http:
ss, err := s.OriginAddr().Http()
if err != nil {
return nil, err
}
originAddr, err := UnmarshalCapnpHTTPURL(ss)
if err != nil {
return nil, err
}
p.URL = originAddr
case tunnelrpc.HTTPOriginConfig_originAddr_Which_unix:
ss, err := s.OriginAddr().Unix()
if err != nil {
return nil, err
}
originAddr, err := UnmarshalUnixPath(ss)
if err != nil {
return nil, err
}
p.URL = originAddr
default:
return nil, fmt.Errorf("Unknown type for OriginAddr: %T", s.OriginAddr().Which())
}
p.TCPKeepAlive = time.Duration(s.TcpKeepAlive())
p.DialDualStack = s.DialDualStack()
p.TLSHandshakeTimeout = time.Duration(s.TlsHandshakeTimeout())
p.TLSVerify = s.TlsVerify()
originCAPool, err := s.OriginCAPool()
if err != nil {
return nil, err
}
p.OriginCAPool = originCAPool
originServerName, err := s.OriginServerName()
if err != nil {
return nil, err
}
p.OriginServerName = originServerName
p.MaxIdleConnections = s.MaxIdleConnections()
p.IdleConnectionTimeout = time.Duration(s.IdleConnectionTimeout())
p.ProxyConnectTimeout = time.Duration(s.ProxyConnectionTimeout())
p.ExpectContinueTimeout = time.Duration(s.ExpectContinueTimeout())
p.ChunkedEncoding = s.ChunkedEncoding()
return p, nil
} }
func MarshalUnixSocketOriginConfig(s tunnelrpc.UnixSocketOriginConfig, p *UnixSocketOriginConfig) error { func MarshalHTTPURL(s tunnelrpc.CapnpHTTPURL, p *HTTPURL) error {
return pogs.Insert(tunnelrpc.UnixSocketOriginConfig_TypeID, s.Struct, p) return pogs.Insert(tunnelrpc.CapnpHTTPURL_TypeID, s.Struct, p.capnpHTTPURL())
} }
func UnmarshalUnixSocketOriginConfig(s tunnelrpc.UnixSocketOriginConfig) (*UnixSocketOriginConfig, error) { func UnmarshalCapnpHTTPURL(s tunnelrpc.CapnpHTTPURL) (*HTTPURL, error) {
p := new(UnixSocketOriginConfig) p := new(CapnpHTTPURL)
err := pogs.Extract(p, tunnelrpc.UnixSocketOriginConfig_TypeID, s.Struct) err := pogs.Extract(p, tunnelrpc.CapnpHTTPURL_TypeID, s.Struct)
if err != nil {
return nil, err
}
url, err := url.Parse(p.URL)
if err != nil {
return nil, err
}
return &HTTPURL{
URL: url,
}, nil
}
func MarshalUnixPath(s tunnelrpc.UnixPath, p *UnixPath) error {
err := pogs.Insert(tunnelrpc.UnixPath_TypeID, s.Struct, p)
return err
}
func UnmarshalUnixPath(s tunnelrpc.UnixPath) (*UnixPath, error) {
p := new(UnixPath)
err := pogs.Extract(p, tunnelrpc.UnixPath_TypeID, s.Struct)
return p, err return p, err
} }
@ -365,7 +475,7 @@ func UnmarshalHelloWorldOriginConfig(s tunnelrpc.HelloWorldOriginConfig) (*Hello
} }
type ClientService interface { type ClientService interface {
UseConfiguration(ctx context.Context, config *ClientConfig) (*ClientConfig, error) UseConfiguration(ctx context.Context, config *ClientConfig) (*UseConfigurationResult, error)
} }
type ClientService_PogsClient struct { type ClientService_PogsClient struct {
@ -383,7 +493,7 @@ func (c *ClientService_PogsClient) UseConfiguration(
) (*UseConfigurationResult, error) { ) (*UseConfigurationResult, error) {
client := tunnelrpc.ClientService{Client: c.Client} client := tunnelrpc.ClientService{Client: c.Client}
promise := client.UseConfiguration(ctx, func(p tunnelrpc.ClientService_useConfiguration_Params) error { promise := client.UseConfiguration(ctx, func(p tunnelrpc.ClientService_useConfiguration_Params) error {
clientServiceConfig, err := p.NewClientConfig() clientServiceConfig, err := p.NewClientServiceConfig()
if err != nil { if err != nil {
return err return err
} }

View File

@ -2,6 +2,7 @@ package pogs
import ( import (
"fmt" "fmt"
"net/url"
"reflect" "reflect"
"testing" "testing"
"time" "time"
@ -22,13 +23,12 @@ func TestClientConfig(t *testing.T) {
c.ReverseProxyConfigs = []*ReverseProxyConfig{ c.ReverseProxyConfigs = []*ReverseProxyConfig{
sampleReverseProxyConfig(), sampleReverseProxyConfig(),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.ChunkedEncoding = false
}), }),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.Origin = sampleHTTPOriginConfig() c.Origin = sampleHTTPOriginConfig()
}), }),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.Origin = sampleUnixSocketOriginConfig() c.Origin = sampleHTTPOriginUnixPathConfig()
}), }),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.Origin = sampleWebSocketOriginConfig() c.Origin = sampleWebSocketOriginConfig()
@ -120,7 +120,7 @@ func TestReverseProxyConfig(t *testing.T) {
c.Origin = sampleHTTPOriginConfig() c.Origin = sampleHTTPOriginConfig()
}), }),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.Origin = sampleUnixSocketOriginConfig() c.Origin = sampleHTTPOriginUnixPathConfig()
}), }),
sampleReverseProxyConfig(func(c *ReverseProxyConfig) { sampleReverseProxyConfig(func(c *ReverseProxyConfig) {
c.Origin = sampleWebSocketOriginConfig() c.Origin = sampleWebSocketOriginConfig()
@ -166,28 +166,6 @@ func TestHTTPOriginConfig(t *testing.T) {
} }
} }
func TestUnixSocketOriginConfig(t *testing.T) {
testCases := []*UnixSocketOriginConfig{
sampleUnixSocketOriginConfig(),
}
for i, testCase := range testCases {
_, seg, err := capnp.NewMessage(capnp.SingleSegment(nil))
capnpEntity, err := tunnelrpc.NewUnixSocketOriginConfig(seg)
if !assert.NoError(t, err) {
t.Fatal("Couldn't initialize a new message")
}
err = MarshalUnixSocketOriginConfig(capnpEntity, testCase)
if !assert.NoError(t, err, "testCase index %v failed to marshal", i) {
continue
}
result, err := UnmarshalUnixSocketOriginConfig(capnpEntity)
if !assert.NoError(t, err, "testCase index %v failed to unmarshal", i) {
continue
}
assert.Equal(t, testCase, result, "testCase index %v didn't preserve struct through marshalling and unmarshalling", i)
}
}
func TestWebSocketOriginConfig(t *testing.T) { func TestWebSocketOriginConfig(t *testing.T) {
testCases := []*WebSocketOriginConfig{ testCases := []*WebSocketOriginConfig{
sampleWebSocketOriginConfig(), sampleWebSocketOriginConfig(),
@ -249,7 +227,6 @@ func sampleReverseProxyConfig(overrides ...func(*ReverseProxyConfig)) *ReversePr
Origin: &HelloWorldOriginConfig{}, Origin: &HelloWorldOriginConfig{},
Retries: 18, Retries: 18,
ConnectionTimeout: 5 * time.Second, ConnectionTimeout: 5 * time.Second,
ChunkedEncoding: true,
CompressionQuality: 4, CompressionQuality: 4,
} }
sample.ensureNoZeroFields() sample.ensureNoZeroFields()
@ -261,7 +238,12 @@ func sampleReverseProxyConfig(overrides ...func(*ReverseProxyConfig)) *ReversePr
func sampleHTTPOriginConfig(overrides ...func(*HTTPOriginConfig)) *HTTPOriginConfig { func sampleHTTPOriginConfig(overrides ...func(*HTTPOriginConfig)) *HTTPOriginConfig {
sample := &HTTPOriginConfig{ sample := &HTTPOriginConfig{
URL: "https://example.com", URL: &HTTPURL{
URL: &url.URL{
Scheme: "https",
Host: "example.com",
},
},
TCPKeepAlive: 7 * time.Second, TCPKeepAlive: 7 * time.Second,
DialDualStack: true, DialDualStack: true,
TLSHandshakeTimeout: 11 * time.Second, TLSHandshakeTimeout: 11 * time.Second,
@ -270,6 +252,9 @@ func sampleHTTPOriginConfig(overrides ...func(*HTTPOriginConfig)) *HTTPOriginCon
OriginServerName: "secure.example.com", OriginServerName: "secure.example.com",
MaxIdleConnections: 19, MaxIdleConnections: 19,
IdleConnectionTimeout: 17 * time.Second, IdleConnectionTimeout: 17 * time.Second,
ProxyConnectTimeout: 15 * time.Second,
ExpectContinueTimeout: 21 * time.Second,
ChunkedEncoding: true,
} }
sample.ensureNoZeroFields() sample.ensureNoZeroFields()
for _, f := range overrides { for _, f := range overrides {
@ -278,9 +263,22 @@ func sampleHTTPOriginConfig(overrides ...func(*HTTPOriginConfig)) *HTTPOriginCon
return sample return sample
} }
func sampleUnixSocketOriginConfig(overrides ...func(*UnixSocketOriginConfig)) *UnixSocketOriginConfig { func sampleHTTPOriginUnixPathConfig(overrides ...func(*HTTPOriginConfig)) *HTTPOriginConfig {
sample := &UnixSocketOriginConfig{ sample := &HTTPOriginConfig{
URL: &UnixPath{
Path: "/var/lib/file.sock", Path: "/var/lib/file.sock",
},
TCPKeepAlive: 7 * time.Second,
DialDualStack: true,
TLSHandshakeTimeout: 11 * time.Second,
TLSVerify: true,
OriginCAPool: "/etc/cert.pem",
OriginServerName: "secure.example.com",
MaxIdleConnections: 19,
IdleConnectionTimeout: 17 * time.Second,
ProxyConnectTimeout: 15 * time.Second,
ExpectContinueTimeout: 21 * time.Second,
ChunkedEncoding: true,
} }
sample.ensureNoZeroFields() sample.ensureNoZeroFields()
for _, f := range overrides { for _, f := range overrides {
@ -292,6 +290,9 @@ func sampleUnixSocketOriginConfig(overrides ...func(*UnixSocketOriginConfig)) *U
func sampleWebSocketOriginConfig(overrides ...func(*WebSocketOriginConfig)) *WebSocketOriginConfig { func sampleWebSocketOriginConfig(overrides ...func(*WebSocketOriginConfig)) *WebSocketOriginConfig {
sample := &WebSocketOriginConfig{ sample := &WebSocketOriginConfig{
URL: "ssh://example.com", URL: "ssh://example.com",
TLSVerify: true,
OriginCAPool: "/etc/cert.pem",
OriginServerName: "secure.example.com",
} }
sample.ensureNoZeroFields() sample.ensureNoZeroFields()
for _, f := range overrides { for _, f := range overrides {
@ -316,10 +317,6 @@ func (c *HTTPOriginConfig) ensureNoZeroFields() {
ensureNoZeroFieldsInSample(reflect.ValueOf(c), []string{}) ensureNoZeroFieldsInSample(reflect.ValueOf(c), []string{})
} }
func (c *UnixSocketOriginConfig) ensureNoZeroFields() {
ensureNoZeroFieldsInSample(reflect.ValueOf(c), []string{})
}
func (c *WebSocketOriginConfig) ensureNoZeroFields() { func (c *WebSocketOriginConfig) ensureNoZeroFields() {
ensureNoZeroFieldsInSample(reflect.ValueOf(c), []string{}) ensureNoZeroFieldsInSample(reflect.ValueOf(c), []string{})
} }

View File

@ -112,63 +112,32 @@ struct ReverseProxyConfig {
tunnelHostname @0 :Text; tunnelHostname @0 :Text;
origin :union { origin :union {
http @1 :HTTPOriginConfig; http @1 :HTTPOriginConfig;
socket @2 :UnixSocketOriginConfig; websocket @2 :WebSocketOriginConfig;
websocket @3 :WebSocketOriginConfig; helloWorld @3 :HelloWorldOriginConfig;
helloWorld @4 :HelloWorldOriginConfig;
} }
# Maximum number of retries for connection/protocol errors. # Maximum number of retries for connection/protocol errors.
# cloudflared CLI option: `retries` # cloudflared CLI option: `retries`
retries @5 :UInt64; retries @4 :UInt64;
# maximum time (in ns) for cloudflared to wait to establish a connection # maximum time (in ns) for cloudflared to wait to establish a connection
# to the origin. Zero means no timeout. # to the origin. Zero means no timeout.
# cloudflared CLI option: `proxy-connect-timeout` # cloudflared CLI option: `proxy-connect-timeout`
connectionTimeout @6 :Int64; connectionTimeout @5 :Int64;
# Whether cloudflared should allow chunked transfer encoding to the
# origin. (This should be disabled for WSGI origins, for example.)
# negation of cloudflared CLI option: `no-chunked-encoding`
chunkedEncoding @7 :Bool;
# (beta) Use cross-stream compression instead of HTTP compression. # (beta) Use cross-stream compression instead of HTTP compression.
# 0=off, 1=low, 2=medium, 3=high. # 0=off, 1=low, 2=medium, 3=high.
# For more context see the mapping here: https://github.com/cloudflare/cloudflared/blob/2019.3.2/h2mux/h2_dictionaries.go#L62 # For more context see the mapping here: https://github.com/cloudflare/cloudflared/blob/2019.3.2/h2mux/h2_dictionaries.go#L62
# cloudflared CLI option: `compression-quality` # cloudflared CLI option: `compression-quality`
compressionQuality @8 :UInt64; compressionQuality @6 :UInt64;
} }
struct UnixSocketOriginConfig {
# path to the socket file.
# cloudflared will send data to this socket via a Unix socket connection.
# cloudflared CLI option: `unix-socket`
path @0 :Text;
}
#
struct WebSocketOriginConfig { struct WebSocketOriginConfig {
# URI of the origin service. # URI of the origin service.
# cloudflared will start a websocket server that forwards data to this URI # cloudflared will start a websocket server that forwards data to this URI
# cloudflared CLI option: `url` # cloudflared CLI option: `url`
# cloudflared logic: https://github.com/cloudflare/cloudflared/blob/2019.3.2/cmd/cloudflared/tunnel/cmd.go#L304 # cloudflared logic: https://github.com/cloudflare/cloudflared/blob/2019.3.2/cmd/cloudflared/tunnel/cmd.go#L304
url @0 :Text; url @0 :Text;
}
struct HTTPOriginConfig {
# HTTP(S) URL of the origin service.
# cloudflared CLI option: `url`
url @0 :Text;
# the TCP keep-alive period (in ns) for an active network connection.
# Zero means keep-alives are not enabled.
# cloudflared CLI option: `proxy-tcp-keepalive`
tcpKeepAlive @1 :Int64;
# whether cloudflared should use a "happy eyeballs"-compliant procedure
# to connect to origins that resolve to both IPv4 and IPv6 addresses
# negation of cloudflared CLI option: `proxy-no-happy-eyeballs`
dialDualStack @2 :Bool;
# maximum time (in ns) for cloudflared to wait for a TLS handshake
# with the origin. Zero means no timeout.
# cloudflared CLI option: `proxy-tls-timeout`
tlsHandshakeTimeout @3 :Int64;
# Whether cloudflared should verify TLS connections to the origin. # Whether cloudflared should verify TLS connections to the origin.
# negation of cloudflared CLI option: `no-tls-verify` # negation of cloudflared CLI option: `no-tls-verify`
tlsVerify @4 :Bool; tlsVerify @1 :Bool;
# originCAPool specifies the root CA that cloudflared should use when # originCAPool specifies the root CA that cloudflared should use when
# verifying TLS connections to the origin. # verifying TLS connections to the origin.
# - if tlsVerify is false, originCAPool will be ignored. # - if tlsVerify is false, originCAPool will be ignored.
@ -177,18 +146,75 @@ struct HTTPOriginConfig {
# - if tlsVerify is true and originCAPool is non-empty, cloudflared will # - if tlsVerify is true and originCAPool is non-empty, cloudflared will
# treat it as the filepath to the root CA. # treat it as the filepath to the root CA.
# cloudflared CLI option: `origin-ca-pool` # cloudflared CLI option: `origin-ca-pool`
originCAPool @5 :Text; originCAPool @2 :Text;
# Hostname to use when verifying TLS connections to the origin. # Hostname to use when verifying TLS connections to the origin.
# cloudflared CLI option: `origin-server-name` # cloudflared CLI option: `origin-server-name`
originServerName @6 :Text; originServerName @3 :Text;
}
struct HTTPOriginConfig {
# HTTP(S) URL of the origin service.
# cloudflared CLI option: `url`
originAddr :union {
http @0 :CapnpHTTPURL;
unix @1 :UnixPath;
}
# the TCP keep-alive period (in ns) for an active network connection.
# Zero means keep-alives are not enabled.
# cloudflared CLI option: `proxy-tcp-keepalive`
tcpKeepAlive @2 :Int64;
# whether cloudflared should use a "happy eyeballs"-compliant procedure
# to connect to origins that resolve to both IPv4 and IPv6 addresses
# negation of cloudflared CLI option: `proxy-no-happy-eyeballs`
dialDualStack @3 :Bool;
# maximum time (in ns) for cloudflared to wait for a TLS handshake
# with the origin. Zero means no timeout.
# cloudflared CLI option: `proxy-tls-timeout`
tlsHandshakeTimeout @4 :Int64;
# Whether cloudflared should verify TLS connections to the origin.
# negation of cloudflared CLI option: `no-tls-verify`
tlsVerify @5 :Bool;
# originCAPool specifies the root CA that cloudflared should use when
# verifying TLS connections to the origin.
# - if tlsVerify is false, originCAPool will be ignored.
# - if tlsVerify is true and originCAPool is empty, the system CA pool
# will be loaded if possible.
# - if tlsVerify is true and originCAPool is non-empty, cloudflared will
# treat it as the filepath to the root CA.
# cloudflared CLI option: `origin-ca-pool`
originCAPool @6 :Text;
# Hostname to use when verifying TLS connections to the origin.
# cloudflared CLI option: `origin-server-name`
originServerName @7 :Text;
# maximum number of idle (keep-alive) connections for cloudflared to # maximum number of idle (keep-alive) connections for cloudflared to
# keep open with the origin. Zero means no limit. # keep open with the origin. Zero means no limit.
# cloudflared CLI option: `proxy-keepalive-connections` # cloudflared CLI option: `proxy-keepalive-connections`
maxIdleConnections @7 :UInt64; maxIdleConnections @8 :UInt64;
# maximum time (in ns) for an idle (keep-alive) connection to remain # maximum time (in ns) for an idle (keep-alive) connection to remain
# idle before closing itself. Zero means no timeout. # idle before closing itself. Zero means no timeout.
# cloudflared CLI option: `proxy-keepalive-timeout` # cloudflared CLI option: `proxy-keepalive-timeout`
idleConnectionTimeout @8 :Int64; idleConnectionTimeout @9 :Int64;
# maximum amount of time a dial will wait for a connect to complete.
proxyConnectionTimeout @10 :Int64;
# The amount of time to wait for origin's first response headers after fully
# writing the request headers if the request has an "Expect: 100-continue" header.
# Zero means no timeout and causes the body to be sent immediately, without
# waiting for the server to approve.
expectContinueTimeout @11 :Int64;
# Whether cloudflared should allow chunked transfer encoding to the
# origin. (This should be disabled for WSGI origins, for example.)
# negation of cloudflared CLI option: `no-chunked-encoding`
chunkedEncoding @12 :Bool;
}
# URL for a HTTP origin, capnp doesn't have native support for URL, so represent it as Text
struct CapnpHTTPURL {
url @0: Text;
}
# Path to a unix socket
struct UnixPath {
path @0: Text;
} }
# configuration for cloudflared to provide a DNS over HTTPS proxy server # configuration for cloudflared to provide a DNS over HTTPS proxy server

File diff suppressed because it is too large Load Diff