From 7d4afd4ae02dcc6f8f190258d2beed0a2d361886 Mon Sep 17 00:00:00 2001
From: Niklas Rehfeld
Date: Wed, 1 Jun 2022 12:51:59 +1200
Subject: [PATCH] Add Http2Origin option to force HTTP/2 origin connections

If `http2Origin` is set, it will set `ForceAttemptHTTP2` in the transport config of the `OriginService`.
---
 cmd/cloudflared/tunnel/cmd.go | 7 +++++++
 config/configuration.go | 2 ++
 config/configuration_test.go | 4 +++-
 ingress/config.go | 9 +++++++++
 ingress/origin_service.go | 1 +
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/cmd/cloudflared/tunnel/cmd.go b/cmd/cloudflared/tunnel/cmd.go
index e9038403..0cae34a2 100644
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
@@ -821,6 +821,13 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
 EnvVars: []string{"TUNNEL_NO_CHUNKED_ENCODING"},
 Hidden: shouldHide,
 }),
+ altsrc.NewBoolFlag(&cli.BoolFlag{
+ Name: ingress.Http2OriginFlag,
+ Usage: "Enables HTTP/2 origin servers.",
+ EnvVars: []string{"TUNNEL_ORIGIN_ENABLE_HTTP2"},
+ Hidden: shouldHide,
+ Value: false,
+ }),
 }
 return append(flags, sshFlags(shouldHide)...)
 }
diff --git a/config/configuration.go b/config/configuration.go
index 49395404..82491477 100644
--- a/config/configuration.go
+++ b/config/configuration.go
@@ -227,6 +227,8 @@ type OriginRequestConfig struct {
 ProxyType *string `yaml:"proxyType" json:"proxyType,omitempty"`
 // IP rules for the proxy service
 IPRules []IngressIPRule `yaml:"ipRules" json:"ipRules,omitempty"`
+ // Attempt to connect to origin with HTTP/2
+ Http2Origin *bool `yaml:"http2Origin" json:"http2Origin,omitempty"`
 }
 
 type IngressIPRule struct {
diff --git a/config/configuration_test.go b/config/configuration_test.go
index d870913d..2822b80b 100644
--- a/config/configuration_test.go
+++ b/config/configuration_test.go
@@ -139,7 +139,8 @@ var rawConfig = []byte(`
 "ports": [443, 4443],
 "allow": true
 }
- ]
+ ],
+ "http2Origin": true
 }
 `)
 
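Review bot: The `Usage` text of the new flag in cmd/cloudflared/tunnel/cmd.go, `Enables HTTP/2 origin servers.`, promises more than the option delivers. Per the commit description it only sets `ForceAttemptHTTP2` on the origin transport, so the connection is an attempt that can still end up on HTTP/1.1, and an operator relying on the flag should be told that: `Usage: "Attempt HTTP/2 when connecting to the origin; falls back to HTTP/1.1 if it is not negotiated.",`. `Value: false,` can be dropped, since it is the zero value of a bool flag. The variable name `TUNNEL_ORIGIN_ENABLE_HTTP2` also departs from what looks like the existing TUNNEL_<FLAG> pattern (`TUNNEL_NO_CHUNKED_ENCODING` in the context above), which would give `TUNNEL_HTTP2_ORIGIN`. configureProxyFlags starts outside the hunk.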
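Review bot: The exported field `Http2Origin` added to `OriginRequestConfig` in config/configuration.go breaks the initialism casing the struct already uses; `IPRules` is visible in the hunk context and `NoTLSVerify` in the test file. Go style would name it `HTTP2Origin *bool` with the yaml/json tags left exactly as they are, so the serialized key `http2Origin` does not change. The same applies to `Http2OriginFlag` and the `Http2Origin` field in ingress/config.go, and to the `cfg.Http2Origin` read in ingress/origin_service.go. The struct starts outside the hunk.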
@@ -188,6 +189,7 @@ func assertConfig(
 assert.Equal(t, true, *config.NoTLSVerify)
 assert.Equal(t, uint(9000), *config.ProxyPort)
 assert.Equal(t, "socks", *config.ProxyType)
+ assert.Equal(t, true, *config.Http2Origin)
 
 privateV4 := "10.0.0.0/8"
 privateV6 := "fc00::/7"
diff --git a/ingress/config.go b/ingress/config.go
index bc2a9f6b..0d692fe9 100644
--- a/ingress/config.go
+++ b/ingress/config.go
@@ -35,6 +35,7 @@ const (
 NoChunkedEncodingFlag = "no-chunked-encoding"
 ProxyAddressFlag = "proxy-address"
 ProxyPortFlag = "proxy-port"
+ Http2OriginFlag = "http2-origin"
 )
 
 const (
@@ -93,6 +94,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 var proxyAddress = defaultProxyAddress
 var proxyPort uint
 var proxyType string
+ var http2Origin bool
 if flag := ProxyConnectTimeoutFlag; c.IsSet(flag) {
 connectTimeout = config.CustomDuration{Duration: c.Duration(flag)}
 }
@@ -136,9 +138,13 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 // Note TUN-3758 , we use Int because UInt is not supported with altsrc
 proxyPort = uint(c.Int(flag))
 }
+ if flag := Http2OriginFlag; c.IsSet(flag) {
+ http2Origin = c.Bool(flag)
+ }
 if c.IsSet(Socks5Flag) {
 proxyType = socksProxy
 }
+
 return OriginRequestConfig{
 ConnectTimeout: connectTimeout,
 TLSTimeout: tlsTimeout,
@@ -155,6 +161,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
 ProxyAddress: proxyAddress,
 ProxyPort: proxyPort,
 ProxyType: proxyType,
+ Http2Origin: http2Origin,
 }
 }
 
@@ -263,6 +270,8 @@ type OriginRequestConfig struct {
 ProxyType string `yaml:"proxyType" json:"proxyType"`
 // IP rules for the proxy service
 IPRules []ipaccess.Rule `yaml:"ipRules" json:"ipRules"`
+ // Attempt to connect to origin with HTTP/2
+ Http2Origin bool `yaml:"http2Origin" json:"http2Origin"`
 }
 
 func (defaults *OriginRequestConfig) setConnectTimeout(overrides config.OriginRequestConfig) {
diff --git a/ingress/origin_service.go b/ingress/origin_service.go
index c96e4608..8877fdc7 100644
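Review bot: None of the nine lines added to ingress/config.go copies `config.OriginRequestConfig.Http2Origin` (the `*bool` parsed from YAML/JSON) into the ingress-level `OriginRequestConfig`; only the CLI path in `originRequestFromSingeRule` assigns the field. Unless that copy happens in code outside this diff, an `http2Origin: true` entry in a config file is parsed and then silently ignored, and the operator gets no signal that origin connections stayed on HTTP/1.1. The last hunk's context shows the existing pattern, `setConnectTimeout(overrides config.OriginRequestConfig)`, so a matching setter, called wherever the other setters are applied (not visible here), would close the gap. The change to config/configuration_test.go only checks unmarshalling; a test in the ingress package that loads a rule with `http2Origin` set and inspects the resulting config would have caught this.

```go
// … unchanged: existing set* methods on OriginRequestConfig …
func (defaults *OriginRequestConfig) setHttp2Origin(overrides config.OriginRequestConfig) {
	if val := overrides.Http2Origin; val != nil {
		defaults.Http2Origin = *val
	}
}
// … call defaults.setHttp2Origin(overrides) alongside the other setters (call site outside this diff) …
```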
--- a/ingress/origin_service.go
+++ b/ingress/origin_service.go
@@ -291,6 +291,7 @@ func newHTTPTransport(service OriginService, cfg OriginRequestConfig, log *zerol
 TLSHandshakeTimeout: cfg.TLSTimeout.Duration,
 ExpectContinueTimeout: 1 * time.Second,
 TLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},
+ ForceAttemptHTTP2: cfg.Http2Origin,
 }
 if _, isHelloWorld := service.(*helloWorld); !isHelloWorld && cfg.OriginServerName != "" {
 httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName
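Review bot: `ForceAttemptHTTP2: cfg.Http2Origin` in newHTTPTransport carries no comment explaining why the field is needed, and the reason is not obvious from the literal. net/http leaves HTTP/2 off when a custom `TLSClientConfig` is supplied, as on the line above, and this field opts back in. With the standard library transport h2 is then negotiated through ALPN during the TLS handshake, so origins reached over plain http are not affected by the option. I would add `// A custom TLSClientConfig disables HTTP/2 by default; opt back in. Negotiated via ALPN, so TLS origins only.` above the field. The function starts before and continues past the hunk.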