This is a cherry-pick of 157f5d1412
followed by build/CI changes so that amd64/linux FIPS compliance is
provided by new/separate binaries/artifacts/packages.
The reasoning being that FIPS compliance places excessive requirements
in the encryption algorithms used for regular users that do not care
about that. This can cause cloudflared to reject HTTPS origins that
would otherwise be accepted without FIPS checks.
This way, by having separate binaries, existing ones remain as they
were, and only FIPS-needy users will opt-in to the new FIPS binaries.
time.Tick() does not get garbage collected because the channel
underneath never gets deleted and the underlying Ticker can never be
recovered by the garbage collector. We replace this with NewTicker() to
avoid this.
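The replacement pattern described in this commit message, as an added example (not cloudflared's own code): a periodic loop that owns its Ticker and stops it on exit. The function name `runPeriodic` and its signature are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// runPeriodic (hypothetical helper) calls work once per interval until ctx is
// cancelled, and returns how many times work ran.
//
// The form being replaced looks like:
//
//	for range time.Tick(interval) { work() }
//
// time.Tick returns only the channel, so the caller has no handle on which to
// call Stop. Go releases before 1.23 never collect such an unstopped Ticker,
// so every call that starts a loop like this leaks one.
func runPeriodic(ctx context.Context, interval time.Duration, work func()) int {
	ticker := time.NewTicker(interval)
	defer ticker.Stop() // release the Ticker as soon as the loop exits

	runs := 0
	// Re-check ctx before each wait so a cancellation issued inside work()
	// ends the loop even if another tick is already queued.
	for ctx.Err() == nil {
		select {
		case <-ctx.Done():
		case <-ticker.C:
			work()
			runs++
		}
	}
	return runs
}

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	calls := 0
	runs := runPeriodic(ctx, 5*time.Millisecond, func() {
		calls++
		if calls == 3 {
			cancel() // constructed stop condition for the demo
		}
	})
	fmt.Println("work ran", runs, "times; ticker stopped")
}
```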
All header transformation code from h2mux has been consolidated in the connection package since it's used by both h2mux and http2 logic.
Exported headers used by proxying between edge and cloudflared so they can be shared by tunnel service on the edge.
Moved access-related headers to corresponding packages that have the code that sets/uses these headers.
Removed tunnel hostname tracking from h2mux since it wasn't used by anything. We will continue to set the tunnel hostname header from the edge for backward compatibility, but it's no longer used by cloudflared.
Move bastion-related logic into carrier package, untangled dependencies between carrier, origin, and websocket packages.
- extracted ResponseWriter from proxyConnection
- added bastion tests over websocket
- removed HTTPResp()
- added some docstrings
- Renamed some ingress clients as proxies
- renamed instances of client to proxy in connection and origin
- Stream no longer takes a context and logger.Service
benchmark                                    old ns/op     new ns/op     delta
BenchmarkSingleStreamLargeResponseBody-8     17786594      12163494      -31.61%

benchmark                                    old allocs    new allocs    delta
BenchmarkSingleStreamLargeResponseBody-8     17086         15869         -7.12%

benchmark                                    old bytes     new bytes     delta
BenchmarkSingleStreamLargeResponseBody-8     58215169      21604391      -62.89%
benchmark                                     old ns/op     new ns/op     delta
BenchmarkH1ResponseToH2ResponseHeaders-4      10360         5048          -51.27%

benchmark                                     old allocs    new allocs    delta
BenchmarkH1ResponseToH2ResponseHeaders-4      135           26            -80.74%

benchmark                                     old bytes     new bytes     delta
BenchmarkH1ResponseToH2ResponseHeaders-4      8543          3667          -57.08%
Unlike other h2DictWriter methods, the Close() method does check whether
w.comp is nil.
This PR adds a check for non-nil compressor before attempting to close
Bug: #141