Commit Graph

1390 Commits

Author SHA1 Message Date
João Oliveirinha 05b903a32e Revert "CC-796: Remove dependency on unsupported version of go-oidc"
This reverts commit 0899d6a136.
2022-03-18 10:03:58 +00:00
Igor Postelnik 398cc8b134 TUN-5893: Start windows service on install, stop on uninstall. Previously user had to manually start the service after running 'cloudflared tunnel install' and stop the service before running uninstall command. 2022-03-17 17:52:39 -05:00
Nuno Diegues e1a9e98cca Release 2022.3.2 2022-03-16 14:24:18 +00:00
Nuno Diegues 057a0cc758 TUN-5833: Send feature `allow_remote_config` if Tunnel is run with --token 2022-03-16 14:07:03 +00:00
cthuang ca43b0357f TUN-5867: Return error if service was already installed 2022-03-16 11:33:44 +00:00
Devin Carr 8cbd222e10 TUN-5703: Add prometheus metric for current configuration version 2022-03-14 16:50:23 +00:00
João Oliveirinha a50c0ca9ad TUN-5833: Create constant for allow-remote-config 2022-03-10 10:48:03 +00:00
João Oliveirinha 5352b3cf04 TUN-5801: Add custom wrapper for OriginConfig for JSON serde 2022-03-08 21:43:51 +00:00
Piper McCorkle 9552bb7bc7 TUN-5853 Add "install" make target and build package manager info into executable 2022-03-08 15:31:14 -06:00
Nuno Diegues c54e8cd8e6 TUN-5851: Update all references to point to Apache License 2.0 2022-03-08 17:35:31 +00:00
Nuno Diegues aeda35699e TUN-5850: Update CHANGES.md with latest releases 2022-03-08 17:35:11 +00:00
cthuang eee0d57ed0 TUN-5849: Remove configuration debug log 2022-03-08 11:03:46 +00:00
emmanuel 0899d6a136 CC-796: Remove dependency on unsupported version of go-oidc 2022-03-07 21:48:30 +00:00
Nuno Diegues f44e496dd9 Release 2022.3.1 2022-03-07 15:16:47 +00:00
Nuno Diegues 3aebaaad01 TUN-5836: QUIC transport no longer sets body to nil in any condition
Setting the body to nil was rendering cloudflared to crashing with
a SIGSEGV in the odd case where the hostname accessed maps to a
TCP origin (e.g. SSH/RDP/...) but the eyeball sends a plain HTTP
request that does not go through cloudflared access (thus not wrapped
in websocket as it should).

Instead, QUIC transport now sets http.noBody in that condition, which
deals with the situation gracefully.
2022-03-07 11:39:07 +00:00
Nuno Diegues 9d9627f645 TUN-5836: Avoid websocket#Stream function from crashing cloudflared with unexpected memory access 2022-03-04 18:42:41 +00:00
Sudarsan Reddy 5c6207debc TUN-5696: HTTP/2 Configuration Update 2022-03-04 12:28:55 +00:00
Nuno Diegues 7220c2c214 TUN-5837: Log panic recovery in http2 logic with debug level log 2022-03-04 11:52:45 +00:00
João Oliveirinha d17a61c15b Release 2022.3.0 2022-03-03 20:50:35 +00:00
João Oliveirinha 5431e0ca12 TUN-5680: Adapt component tests for new service install based on token 2022-03-03 19:18:59 +00:00
João Oliveirinha 706523389c TUN-5679: Add support for service install using Tunnel Token 2022-03-03 18:59:03 +00:00
Devin Carr c2a32de35f TUN-5737: Support https protocol over unix socket origin 2022-03-03 15:25:23 +00:00
Nuno Diegues a1d485eca5 TUN-5823: Warn about legacy flags that are ignored when ingress rules are used 2022-03-02 10:48:03 +00:00
Devin Carr 8a1ba1f8ca TUN-5824: Update updater no-update-in-shell link 2022-02-28 15:06:18 -06:00
João Oliveirinha b6d7076400 TUN-5681: Add support for running tunnel using Token 2022-02-23 10:09:45 +00:00
João Oliveirinha 22cd8ceb8c TUN-5682: Remove name field from credentials 2022-02-23 10:08:29 +00:00
Sudarsan Reddy 9cd2780079 Release 2022.2.2 2022-02-22 17:31:06 +00:00
Sudarsan Reddy 9909e9d63c TUN-5754: Allow ingress validate to take plaintext option
Ingress validate currently validates config from a file. This PR adds a
new --json/-j flag to provide the ingress/config data as a plaintext
command line argument.
2022-02-22 16:56:22 +00:00
João Oliveirinha 051b2cf352 TUN-5678: Cloudflared uses typed tunnel API 2022-02-21 17:11:31 +00:00
Nuno Diegues 4cf462e322 Release 2022.2.1 2022-02-18 09:19:44 +00:00
cthuang e56c4532ce TUN-5697: Listen for UpdateConfiguration RPC in quic transport 2022-02-18 09:12:39 +00:00
João Oliveirinha d78a5ba5da Revert "TUN-5678: Adapt cloudflared to use new typed APIs"
This reverts commit 630650b90e.
2022-02-17 18:56:07 +00:00
Areg Harutyunyan 1c50618f97
Merge remote-tracking branch 'upstream/master' 2022-02-17 12:16:05 -06:00
João Oliveirinha 630650b90e
TUN-5678: Adapt cloudflared to use new typed APIs 2022-02-17 12:15:21 -06:00
cthuang d68ff390ca TUN-5698: Make ingress rules and warp routing dynamically configurable 2022-02-16 09:38:28 +00:00
abelinkinbio 0571210374 TUN-5768: Update cloudflared license file 2022-02-15 10:15:52 +00:00
abe a16dee1d2a
Update issue templates 2022-02-14 14:02:45 -06:00
abe 2f6f865f92
Update issue templates 2022-02-14 14:01:17 -06:00
cthuang e22422aafb TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress
- Split origin into supervisor and proxy packages
- Create configManager to handle dynamic config
2022-02-14 15:37:09 +00:00
Nuno Diegues ff4cfeda0c TUN-5184: Handle errors in bidrectional streaming (websocket#Stream) gracefully when 1 side has ended 2022-02-10 20:00:36 +00:00
cthuang db01127191 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown 2022-02-10 09:43:52 +00:00
cthuang 1ff5fd3fdc TUN-5744: Add a test to make sure cloudflared uses scheme defined in ingress rule, not X-Forwarded-Proto header 2022-02-04 16:51:37 +00:00
Nuno Diegues 5b12e74099 Release 2022.2.0 2022-02-04 09:31:15 +00:00
cthuang b1edf5b96d TUN-5702: Allow to deserialize config from JSON 2022-02-04 08:47:59 +00:00
cthuang d07d24e5a2 TUN-5695: Define RPC method to update configuration 2022-02-03 15:05:46 +00:00
Nuno Diegues 0ab6867ae5 TUN-4947: Use http when talking to Unix sockets origins
Right now the proxying of cloudflared -> unix socket is a bit of
a no man's land, where we do not have the ability to specify the
actual protocol since the user just configures "unix:/path/"

In practice, we proxy using an HTTP client.
But it could be that the origin expects HTTP or HTTPS. However,
we have no way of knowing.

So how are we proxying to it? We are configuring the http.Request
in ways that depend on the transport and edge implementation, and
it so happens that for h2mux and http2 we are using a http.Request
whose Scheme is HTTP, whereas for quic we are generating a http.Request
whose scheme is HTTPS.

Since it does not make sense to have different behaviours depending
on the transport, we are making a (hopefully temporary) change so
that proxied requests to Unix sockets are systematically HTTP.

In practice we should do https://github.com/cloudflare/cloudflared/issues/502
to make this configurable.
2022-02-02 19:33:30 +00:00
Nuno Diegues ed2bac026d TUN-5621: Correctly manage QUIC stream closing
Until this PR, we were naively closing the quic.Stream whenever
the callstack for handling the request (HTTP or TCP) finished.
However, our proxy handler may still be reading or writing from
the quic.Stream at that point, because we return the callstack if
either side finishes, but not necessarily both.

This is a problem for quic-go library because quic.Stream#Close
cannot be called concurrently with quic.Stream#Write

Furthermore, we also noticed that quic.Stream#Close does nothing
to do receiving stream (since, underneath, quic.Stream has 2 streams,
1 for each direction), thus leaking memory, as explained in:
https://github.com/lucas-clemente/quic-go/issues/3322

This PR addresses both problems by wrapping the quic.Stream that
is passed down to the proxying logic and handle all these concerns.
2022-02-01 22:01:57 +00:00
João Oliveirinha e09dcf6d60 Release 2022.1.3 2022-01-28 15:10:37 +00:00
João Oliveirinha 76fb329a65 TUN-5724: Fix SSE streaming by guaranteeing we write everything we read 2022-01-28 14:48:54 +00:00
Nuno Diegues 7bac4b15b0 TUN-5719: Re-attempt connection to edge with QUIC despite network error when there is no fallback
We have made 2 changes in the past that caused an unexpected edge case:
 1. when faced with QUIC "no network activity", give up re-attempts and fall-back
 2. when a protocol is chosen explicitly, rather than using auto (the default), do not fallback

The reasoning for 1. was to fallback quickly in situations where the user may not
have chosen QUIC, and simply got it because we auto-chose it (with the TXT DNS record),
but the users' environment does not allow egress via UDP.

The reasoning for 2. was to avoid falling back if the user explicitly chooses a
protocol. E.g., if the user chooses QUIC, she may want to do UDP proxying, so if
we fallback to HTTP2 protocol that will be unexpected since it does not support
UDP (and same applies for HTTP2 falling back to h2mux and TCP proxying).

This PR fixes the edge case that happens when both those changes 1. and 2. are
put together: when faced with a QUIC "no network activity", we should only try
to fallback if there is a possible fallback. Otherwise, we should exhaust the
retries as normal.
2022-01-27 22:12:25 +00:00