TUN-3492: Refactor OriginService, shrink its interface
This commit is contained in:
parent
18c359cb86
commit
d01770107e
|
@ -395,7 +395,7 @@ func StartServer(
|
|||
hostname,
|
||||
metricsListener.Addr().String(),
|
||||
// TODO (TUN-3461): Update UI to show multiple origin URLs
|
||||
tunnelConfig.IngressRules.CatchAll().Service.Address(),
|
||||
tunnelConfig.IngressRules.CatchAll().Service.String(),
|
||||
tunnelConfig.HAConnections,
|
||||
)
|
||||
logLevels, err := logger.ParseLevelString(c.String("loglevel"))
|
||||
|
|
|
@ -202,7 +202,7 @@ func prepareTunnelConfig(
|
|||
Version: version,
|
||||
Arch: fmt.Sprintf("%s_%s", buildInfo.GoOS, buildInfo.GoArch),
|
||||
}
|
||||
ingressRules, err = ingress.ParseIngress(config.GetConfiguration(), logger)
|
||||
ingressRules, err = ingress.ParseIngress(config.GetConfiguration())
|
||||
if err != nil && err != ingress.ErrNoIngressRules {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
@ -71,7 +71,7 @@ func buildTestURLCommand() *cli.Command {
|
|||
func validateIngressCommand(c *cli.Context) error {
|
||||
conf := config.GetConfiguration()
|
||||
fmt.Println("Validating rules from", conf.Source())
|
||||
if _, err := ingress.ParseIngressDryRun(conf); err != nil {
|
||||
if _, err := ingress.ParseIngress(conf); err != nil {
|
||||
return errors.Wrap(err, "Validation failed")
|
||||
}
|
||||
if c.IsSet("url") {
|
||||
|
@ -98,7 +98,7 @@ func testURLCommand(c *cli.Context) error {
|
|||
|
||||
conf := config.GetConfiguration()
|
||||
fmt.Println("Using rules from", conf.Source())
|
||||
ing, err := ingress.ParseIngressDryRun(conf)
|
||||
ing, err := ingress.ParseIngress(conf)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "Validation failed")
|
||||
}
|
||||
|
|
|
@ -1,24 +1,17 @@
|
|||
package ingress
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"github.com/urfave/cli/v2"
|
||||
|
||||
"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
|
||||
"github.com/cloudflare/cloudflared/logger"
|
||||
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||
"github.com/cloudflare/cloudflared/validation"
|
||||
)
|
||||
|
||||
var (
|
||||
|
@ -28,82 +21,6 @@ var (
|
|||
ErrURLIncompatibleWithIngress = errors.New("You can't set the --url flag (or $TUNNEL_URL) when using multiple-origin ingress rules")
|
||||
)
|
||||
|
||||
// Finalize the rules by adding missing struct fields and validating each origin.
|
||||
func (ing *Ingress) setHTTPTransport(logger logger.Service) error {
|
||||
for ruleNumber, rule := range ing.Rules {
|
||||
cfg := rule.Config
|
||||
originCertPool, err := tlsconfig.LoadOriginCA(cfg.CAPool, nil)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "Error loading cert pool")
|
||||
}
|
||||
|
||||
httpTransport := &http.Transport{
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
MaxIdleConns: cfg.KeepAliveConnections,
|
||||
MaxIdleConnsPerHost: cfg.KeepAliveConnections,
|
||||
IdleConnTimeout: cfg.KeepAliveTimeout,
|
||||
TLSHandshakeTimeout: cfg.TLSTimeout,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},
|
||||
}
|
||||
if _, isHelloWorld := rule.Service.(*HelloWorld); !isHelloWorld && cfg.OriginServerName != "" {
|
||||
httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName
|
||||
}
|
||||
|
||||
dialer := &net.Dialer{
|
||||
Timeout: cfg.ConnectTimeout,
|
||||
KeepAlive: cfg.TCPKeepAlive,
|
||||
}
|
||||
if cfg.NoHappyEyeballs {
|
||||
dialer.FallbackDelay = -1 // As of Golang 1.12, a negative delay disables "happy eyeballs"
|
||||
}
|
||||
|
||||
// DialContext depends on which kind of origin is being used.
|
||||
dialContext := dialer.DialContext
|
||||
switch service := rule.Service.(type) {
|
||||
|
||||
// If this origin is a unix socket, enforce network type "unix".
|
||||
case UnixSocketPath:
|
||||
httpTransport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
|
||||
return dialContext(ctx, "unix", service.Address())
|
||||
}
|
||||
// Otherwise, use the regular network config.
|
||||
default:
|
||||
httpTransport.DialContext = dialContext
|
||||
}
|
||||
|
||||
ing.Rules[ruleNumber].HTTPTransport = httpTransport
|
||||
ing.Rules[ruleNumber].ClientTLSConfig = httpTransport.TLSClientConfig
|
||||
}
|
||||
|
||||
// Validate each origin
|
||||
for _, rule := range ing.Rules {
|
||||
// If tunnel running in bastion mode, a connection to origin will not exist until initiated by the client.
|
||||
if rule.Config.BastionMode {
|
||||
continue
|
||||
}
|
||||
|
||||
// Unix sockets don't have validation
|
||||
if _, ok := rule.Service.(UnixSocketPath); ok {
|
||||
continue
|
||||
}
|
||||
switch service := rule.Service.(type) {
|
||||
|
||||
case UnixSocketPath:
|
||||
continue
|
||||
|
||||
case *HelloWorld:
|
||||
continue
|
||||
|
||||
default:
|
||||
if err := validation.ValidateHTTPService(service.Address(), rule.Hostname, rule.HTTPTransport); err != nil {
|
||||
logger.Errorf("unable to connect to the origin: %s", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// FindMatchingRule returns the index of the Ingress Rule which matches the given
|
||||
// hostname and path. This function assumes the last rule matches everything,
|
||||
// which is the case if the rules were instantiated via the ingress#Validate method
|
||||
|
@ -154,14 +71,13 @@ func NewSingleOrigin(c *cli.Context, compatibilityMode bool, logger logger.Servi
|
|||
},
|
||||
defaults: originRequestFromSingeRule(c),
|
||||
}
|
||||
err = ing.setHTTPTransport(logger)
|
||||
return ing, err
|
||||
}
|
||||
|
||||
// Get a single origin service from the CLI/config.
|
||||
func parseSingleOriginService(c *cli.Context, compatibilityMode bool) (OriginService, error) {
|
||||
if c.IsSet("hello-world") {
|
||||
return new(HelloWorld), nil
|
||||
return new(helloWorld), nil
|
||||
}
|
||||
if c.IsSet("url") {
|
||||
originURLStr, err := config.ValidateUrl(c, compatibilityMode)
|
||||
|
@ -172,14 +88,14 @@ func parseSingleOriginService(c *cli.Context, compatibilityMode bool) (OriginSer
|
|||
if err != nil {
|
||||
return nil, errors.Wrap(err, "couldn't parse origin URL")
|
||||
}
|
||||
return &URL{URL: originURL, RootURL: originURL}, nil
|
||||
return &localService{URL: originURL, RootURL: originURL}, nil
|
||||
}
|
||||
if c.IsSet("unix-socket") {
|
||||
unixSocket, err := config.ValidateUnixSocket(c)
|
||||
path, err := config.ValidateUnixSocket(c)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error validating --unix-socket")
|
||||
}
|
||||
return UnixSocketPath(unixSocket), nil
|
||||
return &unixSocketPath{path: path}, nil
|
||||
}
|
||||
return nil, errors.New("You must either set ingress rules in your config file, or use --url or use --unix-socket")
|
||||
}
|
||||
|
@ -192,7 +108,7 @@ func (ing Ingress) IsEmpty() bool {
|
|||
// StartOrigins will start any origin services managed by cloudflared, e.g. proxy servers or Hello World.
|
||||
func (ing Ingress) StartOrigins(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error) error {
|
||||
for _, rule := range ing.Rules {
|
||||
if err := rule.Service.Start(wg, log, shutdownC, errC, rule.Config); err != nil {
|
||||
if err := rule.Service.start(wg, log, shutdownC, errC, rule.Config); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -209,11 +125,12 @@ func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestCon
|
|||
for i, r := range ingress {
|
||||
var service OriginService
|
||||
|
||||
if strings.HasPrefix(r.Service, "unix:") {
|
||||
if prefix := "unix:"; strings.HasPrefix(r.Service, prefix) {
|
||||
// No validation necessary for unix socket filepath services
|
||||
service = UnixSocketPath(strings.TrimPrefix(r.Service, "unix:"))
|
||||
path := strings.TrimPrefix(r.Service, prefix)
|
||||
service = &unixSocketPath{path: path}
|
||||
} else if r.Service == "hello_world" || r.Service == "hello-world" || r.Service == "helloworld" {
|
||||
service = new(HelloWorld)
|
||||
service = new(helloWorld)
|
||||
} else {
|
||||
// Validate URL services
|
||||
u, err := url.Parse(r.Service)
|
||||
|
@ -228,7 +145,7 @@ func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestCon
|
|||
if u.Path != "" {
|
||||
return Ingress{}, fmt.Errorf("%s is an invalid address, ingress rules don't support proxying to a different path on the origin service. The path will be the same as the eyeball request's path", r.Service)
|
||||
}
|
||||
serviceURL := URL{URL: u}
|
||||
serviceURL := localService{URL: u}
|
||||
service = &serviceURL
|
||||
}
|
||||
|
||||
|
@ -262,7 +179,7 @@ func validate(ingress []config.UnvalidatedIngressRule, defaults OriginRequestCon
|
|||
Hostname: r.Hostname,
|
||||
Service: service,
|
||||
Path: pathRegex,
|
||||
Config: SetConfig(defaults, r.OriginRequest),
|
||||
Config: setConfig(defaults, r.OriginRequest),
|
||||
}
|
||||
}
|
||||
return Ingress{Rules: rules, defaults: defaults}, nil
|
||||
|
@ -279,20 +196,10 @@ func (e errRuleShouldNotBeCatchAll) Error() string {
|
|||
"will never be triggered.", e.i+1, e.hostname)
|
||||
}
|
||||
|
||||
// ParseIngress parses, validates and initializes HTTP transports to each origin.
|
||||
func ParseIngress(conf *config.Configuration, logger logger.Service) (Ingress, error) {
|
||||
ing, err := ParseIngressDryRun(conf)
|
||||
if err != nil {
|
||||
return Ingress{}, err
|
||||
}
|
||||
err = ing.setHTTPTransport(logger)
|
||||
return ing, err
|
||||
}
|
||||
|
||||
// ParseIngressDryRun parses ingress rules, but does not send HTTP requests to the origins.
|
||||
func ParseIngressDryRun(conf *config.Configuration) (Ingress, error) {
|
||||
// ParseIngress parses ingress rules, but does not send HTTP requests to the origins.
|
||||
func ParseIngress(conf *config.Configuration) (Ingress, error) {
|
||||
if len(conf.Ingress) == 0 {
|
||||
return Ingress{}, ErrNoIngressRules
|
||||
}
|
||||
return validate(conf.Ingress, OriginRequestFromYAML(conf.OriginRequest))
|
||||
return validate(conf.Ingress, originRequestFromYAML(conf.OriginRequest))
|
||||
}
|
||||
|
|
|
@ -4,7 +4,6 @@ import (
|
|||
"net/url"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"gopkg.in/yaml.v2"
|
||||
|
||||
|
@ -16,16 +15,16 @@ func TestParseUnixSocket(t *testing.T) {
|
|||
ingress:
|
||||
- service: unix:/tmp/echo.sock
|
||||
`
|
||||
ing, err := ParseIngressDryRun(MustReadIngress(rawYAML))
|
||||
ing, err := ParseIngress(MustReadIngress(rawYAML))
|
||||
require.NoError(t, err)
|
||||
_, ok := ing.Rules[0].Service.(UnixSocketPath)
|
||||
_, ok := ing.Rules[0].Service.(*unixSocketPath)
|
||||
require.True(t, ok)
|
||||
}
|
||||
|
||||
func Test_parseIngress(t *testing.T) {
|
||||
localhost8000 := MustParseURL(t, "https://localhost:8000")
|
||||
localhost8001 := MustParseURL(t, "https://localhost:8001")
|
||||
defaultConfig := SetConfig(OriginRequestFromYAML(config.OriginRequestConfig{}), config.OriginRequestConfig{})
|
||||
defaultConfig := setConfig(originRequestFromYAML(config.OriginRequestConfig{}), config.OriginRequestConfig{})
|
||||
require.Equal(t, defaultKeepAliveConnections, defaultConfig.KeepAliveConnections)
|
||||
type args struct {
|
||||
rawYAML string
|
||||
|
@ -53,12 +52,12 @@ ingress:
|
|||
want: []Rule{
|
||||
{
|
||||
Hostname: "tunnel1.example.com",
|
||||
Service: &URL{URL: localhost8000},
|
||||
Service: &localService{URL: localhost8000},
|
||||
Config: defaultConfig,
|
||||
},
|
||||
{
|
||||
Hostname: "*",
|
||||
Service: &URL{URL: localhost8001},
|
||||
Service: &localService{URL: localhost8001},
|
||||
Config: defaultConfig,
|
||||
},
|
||||
},
|
||||
|
@ -74,7 +73,7 @@ extraKey: extraValue
|
|||
want: []Rule{
|
||||
{
|
||||
Hostname: "*",
|
||||
Service: &URL{URL: localhost8000},
|
||||
Service: &localService{URL: localhost8000},
|
||||
Config: defaultConfig,
|
||||
},
|
||||
},
|
||||
|
@ -87,7 +86,7 @@ ingress:
|
|||
`},
|
||||
want: []Rule{
|
||||
{
|
||||
Service: &URL{URL: localhost8000},
|
||||
Service: &localService{URL: localhost8000},
|
||||
Config: defaultConfig,
|
||||
},
|
||||
},
|
||||
|
@ -165,15 +164,37 @@ ingress:
|
|||
`},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "Invalid HTTP status",
|
||||
args: args{rawYAML: `
|
||||
ingress:
|
||||
- service: http_status:asdf
|
||||
`},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "Valid hello world service",
|
||||
args: args{rawYAML: `
|
||||
ingress:
|
||||
- service: hello_world
|
||||
`},
|
||||
want: []Rule{
|
||||
{
|
||||
Hostname: "",
|
||||
Service: new(helloWorld),
|
||||
Config: defaultConfig,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
got, err := ParseIngressDryRun(MustReadIngress(tt.args.rawYAML))
|
||||
got, err := ParseIngress(MustReadIngress(tt.args.rawYAML))
|
||||
if (err != nil) != tt.wantErr {
|
||||
t.Errorf("ParseIngressDryRun() error = %v, wantErr %v", err, tt.wantErr)
|
||||
t.Errorf("ParseIngress() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
assert.Equal(t, tt.want, got.Rules)
|
||||
require.Equal(t, tt.want, got.Rules)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
@ -195,7 +216,7 @@ ingress:
|
|||
service: https://localhost:8002
|
||||
`
|
||||
|
||||
ing, err := ParseIngressDryRun(MustReadIngress(rulesYAML))
|
||||
ing, err := ParseIngress(MustReadIngress(rulesYAML))
|
||||
if err != nil {
|
||||
b.Error(err)
|
||||
}
|
||||
|
|
|
@ -116,7 +116,7 @@ func originRequestFromSingeRule(c *cli.Context) OriginRequestConfig {
|
|||
}
|
||||
}
|
||||
|
||||
func OriginRequestFromYAML(y config.OriginRequestConfig) OriginRequestConfig {
|
||||
func originRequestFromYAML(y config.OriginRequestConfig) OriginRequestConfig {
|
||||
out := OriginRequestConfig{
|
||||
ConnectTimeout: defaultConnectTimeout,
|
||||
TLSTimeout: defaultTLSTimeout,
|
||||
|
@ -310,7 +310,7 @@ func (defaults *OriginRequestConfig) setProxyType(overrides config.OriginRequest
|
|||
// 3. Defaults chosen by the cloudflared team
|
||||
// 4. Golang zero values for that type
|
||||
// If an earlier option isn't set, it will try the next option down.
|
||||
func SetConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfig) OriginRequestConfig {
|
||||
func setConfig(defaults OriginRequestConfig, overrides config.OriginRequestConfig) OriginRequestConfig {
|
||||
cfg := defaults
|
||||
cfg.setConnectTimeout(overrides)
|
||||
cfg.setTLSTimeout(overrides)
|
||||
|
|
|
@ -71,7 +71,7 @@ ingress:
|
|||
proxyPort: 200
|
||||
proxyType: ""
|
||||
`
|
||||
ing, err := ParseIngressDryRun(MustReadIngress(rulesYAML))
|
||||
ing, err := ParseIngress(MustReadIngress(rulesYAML))
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
@ -144,7 +144,7 @@ ingress:
|
|||
proxyPort: 200
|
||||
proxyType: ""
|
||||
`
|
||||
ing, err := ParseIngressDryRun(MustReadIngress(rulesYAML))
|
||||
ing, err := ParseIngress(MustReadIngress(rulesYAML))
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
|
|
@ -1,73 +1,104 @@
|
|||
package ingress
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/cloudflare/cloudflared/hello"
|
||||
"github.com/cloudflare/cloudflared/logger"
|
||||
"github.com/cloudflare/cloudflared/socks"
|
||||
"github.com/cloudflare/cloudflared/tlsconfig"
|
||||
"github.com/cloudflare/cloudflared/websocket"
|
||||
gws "github.com/gorilla/websocket"
|
||||
"github.com/pkg/errors"
|
||||
)
|
||||
|
||||
// OriginService is something a tunnel can proxy traffic to.
|
||||
type OriginService interface {
|
||||
Address() string
|
||||
// RoundTrip is how cloudflared proxies eyeball requests to the actual origin services
|
||||
http.RoundTripper
|
||||
String() string
|
||||
// Start the origin service if it's managed by cloudflared, e.g. proxy servers or Hello World.
|
||||
// If it's not managed by cloudflared, this is a no-op because the user is responsible for
|
||||
// starting the origin service.
|
||||
Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error
|
||||
String() string
|
||||
// RewriteOriginURL modifies the HTTP request from cloudflared to the origin, so that it apply
|
||||
// this particular type of origin service's specific routing logic.
|
||||
RewriteOriginURL(*url.URL)
|
||||
start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error
|
||||
}
|
||||
|
||||
// UnixSocketPath is an OriginService representing a unix socket (which accepts HTTP)
|
||||
type UnixSocketPath string
|
||||
|
||||
func (o UnixSocketPath) Address() string {
|
||||
return string(o)
|
||||
// unixSocketPath is an OriginService representing a unix socket (which accepts HTTP)
|
||||
type unixSocketPath struct {
|
||||
path string
|
||||
transport *http.Transport
|
||||
}
|
||||
|
||||
func (o UnixSocketPath) String() string {
|
||||
return "unix socket: " + string(o)
|
||||
func (o *unixSocketPath) String() string {
|
||||
return "unix socket: " + o.path
|
||||
}
|
||||
|
||||
func (o UnixSocketPath) Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
func (o *unixSocketPath) start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
transport, err := newHTTPTransport(o, cfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
o.transport = transport
|
||||
return nil
|
||||
}
|
||||
|
||||
func (o UnixSocketPath) RewriteOriginURL(u *url.URL) {
|
||||
// No changes necessary because the origin request URL isn't used.
|
||||
// Instead, HTTPTransport's dial is already configured to address the unix socket.
|
||||
func (o *unixSocketPath) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
return o.transport.RoundTrip(req)
|
||||
}
|
||||
|
||||
// URL is an OriginService listening on a TCP address
|
||||
type URL struct {
|
||||
func (o *unixSocketPath) Dial(url string, headers http.Header) (*gws.Conn, *http.Response, error) {
|
||||
d := &gws.Dialer{TLSClientConfig: o.transport.TLSClientConfig}
|
||||
return d.Dial(url, headers)
|
||||
}
|
||||
|
||||
// localService is an OriginService listening on a TCP/IP address the user's origin can route to.
|
||||
type localService struct {
|
||||
// The URL for the user's origin service
|
||||
RootURL *url.URL
|
||||
// The URL that cloudflared should send requests to.
|
||||
// If this origin requires starting a proxy, this is the proxy's address,
|
||||
// and that proxy points to RootURL. Otherwise, this is equal to RootURL.
|
||||
URL *url.URL
|
||||
transport *http.Transport
|
||||
}
|
||||
|
||||
func (o *URL) Address() string {
|
||||
func (o *localService) Dial(url string, headers http.Header) (*gws.Conn, *http.Response, error) {
|
||||
d := &gws.Dialer{TLSClientConfig: o.transport.TLSClientConfig}
|
||||
return d.Dial(url, headers)
|
||||
}
|
||||
|
||||
func (o *localService) address() string {
|
||||
return o.URL.String()
|
||||
}
|
||||
|
||||
func (o *URL) Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
func (o *localService) start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
transport, err := newHTTPTransport(o, cfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
o.transport = transport
|
||||
|
||||
// Start a proxy if one is needed
|
||||
staticHost := o.staticHost()
|
||||
if !originRequiresProxy(staticHost, cfg) {
|
||||
if originRequiresProxy(staticHost, cfg) {
|
||||
if err := o.startProxy(staticHost, wg, log, shutdownC, errC, cfg); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (o *localService) startProxy(staticHost string, wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
|
||||
// Start a listener for the proxy
|
||||
proxyAddress := net.JoinHostPort(cfg.ProxyAddress, strconv.Itoa(int(cfg.ProxyPort)))
|
||||
listener, err := net.Listen("tcp", proxyAddress)
|
||||
|
@ -111,16 +142,18 @@ func (o *URL) Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan str
|
|||
return nil
|
||||
}
|
||||
|
||||
func (o *URL) String() string {
|
||||
return o.Address()
|
||||
func (o *localService) String() string {
|
||||
return o.address()
|
||||
}
|
||||
|
||||
func (o *URL) RewriteOriginURL(u *url.URL) {
|
||||
u.Host = o.URL.Host
|
||||
u.Scheme = o.URL.Scheme
|
||||
func (o *localService) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
// Rewrite the request URL so that it goes to the origin service.
|
||||
req.URL.Host = o.URL.Host
|
||||
req.URL.Scheme = o.URL.Scheme
|
||||
return o.transport.RoundTrip(req)
|
||||
}
|
||||
|
||||
func (o *URL) staticHost() string {
|
||||
func (o *localService) staticHost() string {
|
||||
|
||||
addPortIfMissing := func(uri *url.URL, port int) string {
|
||||
if uri.Port() != "" {
|
||||
|
@ -143,21 +176,24 @@ func (o *URL) staticHost() string {
|
|||
|
||||
}
|
||||
|
||||
// HelloWorld is the built-in Hello World service. Used for testing and experimenting with cloudflared.
|
||||
type HelloWorld struct {
|
||||
// HelloWorld is an OriginService for the built-in Hello World server.
|
||||
// Users only use this for testing and experimenting with cloudflared.
|
||||
type helloWorld struct {
|
||||
server net.Listener
|
||||
transport *http.Transport
|
||||
}
|
||||
|
||||
func (o *HelloWorld) Address() string {
|
||||
return o.server.Addr().String()
|
||||
}
|
||||
|
||||
func (o *HelloWorld) String() string {
|
||||
return "Hello World static HTML service"
|
||||
func (o *helloWorld) String() string {
|
||||
return "Hello World test origin"
|
||||
}
|
||||
|
||||
// Start starts a HelloWorld server and stores its address in the Service receiver.
|
||||
func (o *HelloWorld) Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
func (o *helloWorld) start(wg *sync.WaitGroup, log logger.Service, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
|
||||
transport, err := newHTTPTransport(o, cfg)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
o.transport = transport
|
||||
helloListener, err := hello.CreateTLSListener("127.0.0.1:")
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "Cannot start Hello World Server")
|
||||
|
@ -171,11 +207,63 @@ func (o *HelloWorld) Start(wg *sync.WaitGroup, log logger.Service, shutdownC <-c
|
|||
return nil
|
||||
}
|
||||
|
||||
func (o *HelloWorld) RewriteOriginURL(u *url.URL) {
|
||||
u.Host = o.Address()
|
||||
u.Scheme = "https"
|
||||
func (o *helloWorld) RoundTrip(req *http.Request) (*http.Response, error) {
|
||||
// Rewrite the request URL so that it goes to the Hello World server.
|
||||
req.URL.Host = o.server.Addr().String()
|
||||
req.URL.Scheme = "https"
|
||||
return o.transport.RoundTrip(req)
|
||||
}
|
||||
|
||||
func (o *helloWorld) Dial(url string, headers http.Header) (*gws.Conn, *http.Response, error) {
|
||||
d := &gws.Dialer{TLSClientConfig: o.transport.TLSClientConfig}
|
||||
return d.Dial(url, headers)
|
||||
}
|
||||
|
||||
func originRequiresProxy(staticHost string, cfg OriginRequestConfig) bool {
|
||||
return staticHost != "" || cfg.BastionMode
|
||||
}
|
||||
|
||||
func newHTTPTransport(service OriginService, cfg OriginRequestConfig) (*http.Transport, error) {
|
||||
originCertPool, err := tlsconfig.LoadOriginCA(cfg.CAPool, nil)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error loading cert pool")
|
||||
}
|
||||
|
||||
httpTransport := http.Transport{
|
||||
Proxy: http.ProxyFromEnvironment,
|
||||
MaxIdleConns: cfg.KeepAliveConnections,
|
||||
MaxIdleConnsPerHost: cfg.KeepAliveConnections,
|
||||
IdleConnTimeout: cfg.KeepAliveTimeout,
|
||||
TLSHandshakeTimeout: cfg.TLSTimeout,
|
||||
ExpectContinueTimeout: 1 * time.Second,
|
||||
TLSClientConfig: &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: cfg.NoTLSVerify},
|
||||
}
|
||||
if _, isHelloWorld := service.(*helloWorld); !isHelloWorld && cfg.OriginServerName != "" {
|
||||
httpTransport.TLSClientConfig.ServerName = cfg.OriginServerName
|
||||
}
|
||||
|
||||
dialer := &net.Dialer{
|
||||
Timeout: cfg.ConnectTimeout,
|
||||
KeepAlive: cfg.TCPKeepAlive,
|
||||
}
|
||||
if cfg.NoHappyEyeballs {
|
||||
dialer.FallbackDelay = -1 // As of Golang 1.12, a negative delay disables "happy eyeballs"
|
||||
}
|
||||
|
||||
// DialContext depends on which kind of origin is being used.
|
||||
dialContext := dialer.DialContext
|
||||
switch service := service.(type) {
|
||||
|
||||
// If this origin is a unix socket, enforce network type "unix".
|
||||
case *unixSocketPath:
|
||||
httpTransport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
|
||||
return dialContext(ctx, "unix", service.path)
|
||||
}
|
||||
|
||||
// Otherwise, use the regular network config.
|
||||
default:
|
||||
httpTransport.DialContext = dialContext
|
||||
}
|
||||
|
||||
return &httpTransport, nil
|
||||
}
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
package ingress
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"strings"
|
||||
)
|
||||
|
@ -23,11 +21,6 @@ type Rule struct {
|
|||
|
||||
// Configure the request cloudflared sends to this specific origin.
|
||||
Config OriginRequestConfig
|
||||
|
||||
// Configures TLS for the cloudflared -> origin request
|
||||
ClientTLSConfig *tls.Config
|
||||
// Configures HTTP for the cloudflared -> origin request
|
||||
HTTPTransport http.RoundTripper
|
||||
}
|
||||
|
||||
// MultiLineString is for outputting rules in a human-friendly way when Cloudflared
|
||||
|
|
|
@ -698,7 +698,6 @@ func (h *TunnelHandler) createRequest(stream *h2mux.MuxedStream) (*http.Request,
|
|||
}
|
||||
h.AppendTagHeaders(req)
|
||||
rule, _ := h.ingressRules.FindMatchingRule(req.Host, req.URL.Path)
|
||||
rule.Service.RewriteOriginURL(req.URL)
|
||||
return req, rule, nil
|
||||
}
|
||||
|
||||
|
@ -708,7 +707,11 @@ func (h *TunnelHandler) serveWebsocket(stream *h2mux.MuxedStream, req *http.Requ
|
|||
req.Host = hostHeader
|
||||
}
|
||||
|
||||
conn, response, err := websocket.ClientConnect(req, rule.ClientTLSConfig)
|
||||
dialler, ok := rule.Service.(websocket.Dialler)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("Websockets aren't supported by the origin service '%s'", rule.Service)
|
||||
}
|
||||
conn, response, err := websocket.ClientConnect(req, dialler)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -742,7 +745,7 @@ func (h *TunnelHandler) serveHTTP(stream *h2mux.MuxedStream, req *http.Request,
|
|||
req.Host = hostHeader
|
||||
}
|
||||
|
||||
response, err := rule.HTTPTransport.RoundTrip(req)
|
||||
response, err := rule.Service.RoundTrip(req)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "Error proxying request to origin")
|
||||
}
|
||||
|
|
|
@ -69,15 +69,31 @@ func IsWebSocketUpgrade(req *http.Request) bool {
|
|||
return websocket.IsWebSocketUpgrade(req)
|
||||
}
|
||||
|
||||
// Dialler is something that can proxy websocket requests.
|
||||
type Dialler interface {
|
||||
Dial(url string, headers http.Header) (*websocket.Conn, *http.Response, error)
|
||||
}
|
||||
|
||||
type defaultDialler struct {
|
||||
tlsConfig *tls.Config
|
||||
}
|
||||
|
||||
func (dd *defaultDialler) Dial(url string, header http.Header) (*websocket.Conn, *http.Response, error) {
|
||||
d := &websocket.Dialer{TLSClientConfig: dd.tlsConfig}
|
||||
return d.Dial(url, header)
|
||||
}
|
||||
|
||||
// ClientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
|
||||
// the connection. The response body may not contain the entire response and does
|
||||
// not need to be closed by the application.
|
||||
func ClientConnect(req *http.Request, tlsClientConfig *tls.Config) (*websocket.Conn, *http.Response, error) {
|
||||
func ClientConnect(req *http.Request, dialler Dialler) (*websocket.Conn, *http.Response, error) {
|
||||
req.URL.Scheme = changeRequestScheme(req)
|
||||
wsHeaders := websocketHeaders(req)
|
||||
|
||||
d := &websocket.Dialer{TLSClientConfig: tlsClientConfig}
|
||||
conn, response, err := d.Dial(req.URL.String(), wsHeaders)
|
||||
if dialler == nil {
|
||||
dialler = new(defaultDialler)
|
||||
}
|
||||
conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
|
||||
if err != nil {
|
||||
return nil, response, err
|
||||
}
|
||||
|
|
|
@ -77,7 +77,8 @@ func TestServe(t *testing.T) {
|
|||
|
||||
tlsConfig := websocketClientTLSConfig(t)
|
||||
assert.NotNil(t, tlsConfig)
|
||||
conn, resp, err := ClientConnect(req, tlsConfig)
|
||||
d := defaultDialler{tlsConfig: tlsConfig}
|
||||
conn, resp, err := ClientConnect(req, &d)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, testSecWebsocketAccept, resp.Header.Get("Sec-WebSocket-Accept"))
|
||||
|
||||
|
|
Loading…
Reference in New Issue