Commit Graph

357 Commits

Author SHA1 Message Date
Roman 981702ffcb change cloudflare one domain 2024-08-07 08:17:46 +00:00
Devin Carr d875839e5e TUN-8487: Add user-agent for quick-tunnel requests 2024-07-02 11:52:41 -07:00
chungthuang 354a5bb8af TUN-8452: Add flag to control QUIC stream-level flow control limit 2024-06-06 11:50:46 -05:00
chungthuang e0b1899e97 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB 2024-06-05 17:34:41 -05:00
Devin Carr 654a326098 TUN-8424: Refactor capnp registration server
Move RegistrationServer and RegistrationClient into tunnelrpc module
to properly abstract out the capnp aspects internal to the module only.
2024-05-24 11:40:10 -07:00
Devin Carr 43446bc692 TUN-8423: Deprecate older legacy tunnel capnp interfaces
Since legacy tunnels have been removed for a while now, we can remove
many of the capnp rpc interfaces that are no longer leveraged by the
legacy tunnel registration and authentication mechanisms.
2024-05-23 11:17:49 -07:00
Devin Carr e9f010111d TUN-8425: Remove ICMP binding for quick tunnels 2024-05-23 18:16:30 +00:00
Devin Carr eb2e4349e8 TUN-8415: Refactor capnp rpc into a single module
Combines the tunnelrpc and quic/schema capnp files into the same module.

To help reduce future issues with capnp id generation, capnpids are
provided in the capnp files from the existing capnp struct ids generated
in the go files.

Reduces the overall interface of the Capnp methods to the rest of
the code by providing an interface that will handle the quic protocol
selection.

Introduces a new `rpc-timeout` config that will allow all of the
SessionManager and ConfigurationManager RPC requests to have a timeout.
The timeout for these values is set to 5 seconds as non of these operations
for the managers should take a long time to complete.

Removed the RPC-specific logger as it never provided good debugging value
as the RPC method names were not visible in the logs.
2024-05-17 11:22:07 -07:00
João Oliveirinha 5344a0bc6a TUN-8242: Enable remote diagnostics by default
This commit makes the remote diagnostics enabled by default, which is
a useful feature when debugging cloudflared issues without manual intervention from users.
Users can still opt-out by disabling the feature flag.
2024-02-20 11:31:16 +00:00
João "Pisco" Fernandes 76badfa01b TUN-8236: Add write timeout to quic and tcp connections
## Summary
To prevent bad eyeballs and severs to be able to exhaust the quic
control flows we are adding the possibility of having a timeout
for a write operation to be acknowledged. This will prevent hanging
connections from exhausting the quic control flows, creating a DDoS.
2024-02-15 17:54:52 +00:00
chungthuang 9c1f5c33a8 TUN-8158: Bring back commit e653741885 and fixes infinite loop on linux when the socket is closed 2024-01-22 13:46:33 +00:00
Honahuku b901d73d9b
configuration.go: fix developerPortal link (#960) 2023-12-14 16:34:00 +00:00
Kyle Carberry 61a16538a1
Use CLI context when running tunnel (#597)
When embedding the tunnel command inside another CLI, it
became difficult to test shutdown behavior due to this leaking
tunnel. By using the command context, we're able to shutdown
gracefully.
2023-12-14 16:33:41 +00:00
Devin Carr e0a55f9c0e TUN-7965: Remove legacy incident status page check 2023-11-13 17:10:59 -08:00
João Oliveirinha adb7d40084 CUSTESC-33731: Make rule match test report rule in 0-index base
This changes guarantees that the coommand to report rule matches when
testing local config reports the rule number using the 0-based indexing.
This is to be consistent with the 0-based indexing on the log lines when
proxying requests.
2023-10-03 12:18:49 +01:00
João "Pisco" Fernandes 958b6f1d24 TUN-7813: Improve tunnel delete command to use cascade delete
## Summary
Previously the force flag in the tunnel delete command was only explicitly deleting the
connections of a tunnel. Therefore, we are changing it to use the cascade query parameter
supported by the API. That parameter will delegate to the server the deletion of the tunnel
dependencies implicitly instead of the client doing it explicitly. This means that not only
the connections will get deleted, but also the tunnel routes, ensuring that no dependencies
are left without a non-deleted tunnel.
2023-09-20 12:35:43 +01:00
João Oliveirinha 6d1d91d9f9 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs
This commits makes sure that cloudflared starts using the new API
endpoints for managing routes.

Additionally, the delete route operation still allows deleting by CIDR
and VNet but it is being marked as deprecated in favor of specifying the
route ID.

The goal of this change is to make it simpler for the user to delete
routes without specifying Vnet.
2023-09-19 09:56:02 +00:00
Chung-Ting Huang bec683b67d TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography 2023-08-29 09:05:33 +01:00
Chung-Ting Huang 38d3c3cae5 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled 2023-08-28 14:18:05 +00:00
Devin Carr 65247b6f0f TUN-7584: Bump go 1.20.6
Pins all docker and cfsetup builds to a specific go patch version.
Also ran go fix on repo.
2023-07-26 13:52:40 -07:00
Devin Carr 42e0540395 TUN-7588: Update package coreos/go-systemd 2023-07-18 18:57:32 +00:00
Devin Carr b500e556bf TUN-7590: Remove usages of ioutil 2023-07-17 19:08:38 +00:00
Devin Carr 1b0b6bf7a8 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage
Package has been moved to golang.org/x/term
2023-07-17 19:02:15 +00:00
João Oliveirinha 0c8bc56930 TUN-7575: Add option to disable PTMU discovery over QUIC
This commit implements the option to disable PTMU discovery for QUIC
connections.
QUIC finds the PMTU during startup by increasing Ping packet frames
until Ping responses are not received anymore, and it seems to stick
with that PMTU forever.

This is no problem if the PTMU doesn't change over time, but if it does
it may case packet drops.
We add this hidden flag for debugging purposes in such situations as a
quick way to validate if problems that are being seen can be solved by
reducing the packet size to the edge.

Note however, that this option may impact UDP proxying since we expect
being able to send UDP packets of 1280 bytes over QUIC.
So, this option should not be used when tunnel is being used for UDP
proxying.
2023-07-13 10:24:24 +01:00
Devin Carr 8a3eade6d3 TUN-7553: Add flag to enable management diagnostic services
With the new flag --management-diagnostics (an opt-in flag)
cloudflared's will be able to report additional diagnostic information
over the management.argotunnel.com request path.
Additions include the /metrics prometheus endpoint; which is already
bound to a local port via --metrics.
/debug/pprof/(goroutine|heap) are also provided to allow for remotely
retrieving heap information from a running cloudflared connector.
2023-07-06 17:31:11 +00:00
Sudarsan Reddy 1abd22ef0a TUN-7480: Added a timeout for unregisterUDP.
I deliberately kept this as an unregistertimeout because that was the
intent. In the future we could change this to a UDPConnConfig if we want
to pass multiple values here.

The idea of this PR is simply to add a configurable unregister UDP
timeout.
2023-06-20 06:20:09 +00:00
João "Pisco" Fernandes 925ec100d6 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration 2023-06-12 15:11:42 +01:00
Jesse Li 39b7aed24e AUTH-4887 Add aud parameter to token transfer url 2023-04-19 21:01:24 +00:00
Sudarsan Reddy e426693330 TUN-7361: Add a label to override hostname
It might make sense for users to sometimes name their cloudflared
connectors to make identification easier than relying on hostnames that
TUN-7360 provides. This PR provides a new --label option to cloudflared
tunnel that a user could provide to give custom names to their
connectors.
2023-04-19 13:56:32 +00:00
Sudarsan Reddy 5e212a6bf3 TUN-7360: Add Get Host Details handler in management service
With the management tunnels work, we allow calls to our edge service
   using an access JWT provided by Tunnelstore. Given a connector ID,
   this request is then proxied to the appropriate Cloudflare Tunnel.

   This PR takes advantage of this flow and adds a new host_details
   endpoint. Calls to this endpoint will result in cloudflared gathering
   some details about the host: hostname (os.hostname()) and ip address
   (localAddr in a dial).

   Note that the mini spec lists 4 alternatives and this picks alternative
   3 because:

   1. Ease of implementation: This is quick and non-intrusive to any of our
      code path. We expect to change how connection tracking works and
      regardless of the direction we take, it may be easy to keep, morph
      or throw this away.

   2. The cloudflared part of this round trip takes some time with a
      hostname call and a dial. But note that this is off the critical path
      and not an API that will be exercised often.
2023-04-18 09:54:54 +00:00
Devin Carr b89c092c1b TUN-7134: Acquire token for cloudflared tail
cloudflared tail will now fetch the management token from by making
a request to the Cloudflare API using the cert.pem (acquired from
cloudflared login).

Refactored some of the credentials code into it's own package as
to allow for easier use between subcommands outside of
`cloudflared tunnel`.
2023-04-12 09:43:38 -07:00
Devin Carr 820a201603 TUN-7135: Add cloudflared tail 2023-04-05 10:20:53 -07:00
João Oliveirinha 5972540efa TUN-7332: Remove legacy tunnel force flag 2023-04-05 16:13:59 +01:00
Han Li 5e37a65dac
Fix typo (#918)
UUID not UUUD
2023-04-04 16:15:12 +01:00
Devin Carr 39ed5dc182 TUN-7126: Add Management logger io.Writer 2023-03-30 14:12:00 -07:00
Devin Carr bbc8d9431b TUN-7333: Default features checkable at runtime across all packages 2023-03-30 17:42:54 +00:00
Devin Carr be64362fdb TUN-7124: Add intercept ingress rule for management requests 2023-03-21 11:42:25 -07:00
João Oliveirinha f686da832f TUN-7275: Make QuickTunnels only use a single connection to the edge 2023-03-13 15:32:46 +00:00
Devin Carr 7b8b3f73e7 TUN-7259: Add warning for missing ingress rules
Providing no ingress rules in the configuration file or via the CLI will now provide a warning and return 502 for all incoming HTTP requests.
2023-03-10 01:49:54 +00:00
Devin Carr 93f8f6b55c TUN-7245: Add bastion flag to origin service check 2023-03-09 17:09:21 +00:00
Devin Carr 27f88ae209 TUN-7252: Remove h2mux connection 2023-03-07 13:51:37 -08:00
iBug fed60ae4c3
GH-352: Add Tunnel CLI option "edge-bind-address" (#870)
* Add Tunnel CLI option "edge-bind-address"
2023-02-28 16:11:42 +00:00
Devin Carr 0f95f8bae5 TUN-6938: Force h2mux protocol to http2 for named tunnels
Going forward, the only protocols supported will be QUIC and HTTP2,
defaulting to QUIC for "auto". Selecting h2mux protocol will be forcibly
upgraded to http2 internally.
2023-02-06 11:06:02 -08:00
Devin Carr ae46af9236 TUN-7065: Remove classic tunnel creation 2023-02-06 18:19:22 +00:00
João Oliveirinha 62dcb8a1d1 Revert "TUN-7065: Remove classic tunnel creation"
This reverts commit c24f275981.
2023-02-01 14:01:59 +00:00
João Oliveirinha 90d710e3ec Revert "TUN-7065: Revert Ingress Rule check for named tunnel configurations"
This reverts commit b8e610a067.
2023-02-01 14:01:46 +00:00
Sudarsan Reddy b8e610a067 TUN-7065: Revert Ingress Rule check for named tunnel configurations
Named Tunnels can exist without Ingress rules (They would default to
8080). Moreover, having this check also prevents warp tunnels from
starting since they do not need ingress rules.
2023-02-01 10:08:10 +00:00
Devin Carr c24f275981 TUN-7065: Remove classic tunnel creation 2023-01-31 22:35:28 +00:00
João Oliveirinha bd917d294c TUN-7097: Fix bug checking proxy-dns config on tunnel cmd execution 2023-01-22 19:17:06 +00:00
Nuno Diegues 4616e9fcc2 ZTC-446: Allow to force delete a vnet 2023-01-20 11:52:56 +00:00