- TestParseUnixSocketTCP: standalone parse test verifying the
  unixSocketTCPService type and path extraction
- TestParseIngress/Unix+TCP_service: table-driven parse test alongside
  existing ssh://, tcp://, unix://, etc. entries
- TestUnixSocketTCPServiceEstablishConnection: verifies successful dial
  to a real unix socket and error on closed listener; uses /tmp to stay
  within the macOS 104-char unix socket path limit
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Introduce unixSocketTCPService, a new OriginService that dials a unix
socket and forwards raw bytes bidirectionally via WebSocket, without any
HTTP wrapping. This is the unix-socket analogue of tcpOverWSService.
A new ingress URL scheme unix+tcp:<path> is recognised during ingress
validation and maps to this service type. Example config:
    ingress:
      - hostname: ssh.example.com
        service: unix+tcp:/run/sshd.sock
The scheme name unix+tcp mirrors the existing unix+tls modifier pattern:
the suffix describes the transport style, not the application protocol,
so the service works equally well for SSH, RDP, or any other stream-based
protocol whose daemon listens on a unix socket.
The implementation reuses the existing tcpOverWSConnection and
DefaultStreamHandler machinery; the only difference from ssh:// (TCP) is
that the underlying net.Conn is obtained via net.Dial("unix", path).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
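The forwarding behaviour described in the commit message above, as an added sketch that is not cloudflared's own code: `parseUnixTCP` and `forward` are hypothetical names, and a plain `net.Conn` stands in for the WebSocket side.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"strings"
)

// Scheme prefix taken from the commit message; the helpers below are hypothetical.
const unixTCPPrefix = "unix+tcp:"

// parseUnixTCP extracts the socket path from a "unix+tcp:<path>" service value.
func parseUnixTCP(service string) (string, error) {
	if !strings.HasPrefix(service, unixTCPPrefix) {
		return "", fmt.Errorf("not a unix+tcp service: %q", service)
	}
	path := strings.TrimPrefix(service, unixTCPPrefix)
	if path == "" {
		return "", fmt.Errorf("unix+tcp service has no socket path")
	}
	return path, nil
}

// forward dials the unix socket and copies raw bytes in both directions
// between client and the socket, with no HTTP framing, until both sides finish.
func forward(client net.Conn, socketPath string) error {
	origin, err := net.Dial("unix", socketPath)
	if err != nil {
		return fmt.Errorf("dial unix socket %s: %w", socketPath, err)
	}
	done := make(chan struct{}, 2)
	pipe := func(dst, src net.Conn) {
		io.Copy(dst, src) // returns on EOF or when src is closed
		dst.Close()       // unblocks the copy running in the other direction
		done <- struct{}{}
	}
	go pipe(origin, client)
	go pipe(client, origin)
	<-done
	<-done
	return nil
}

func main() {
	// Service value from the example config in the commit message.
	path, err := parseUnixTCP("unix+tcp:/run/sshd.sock")
	fmt.Println(path, err)
}
```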
Create new management token command to support different resource
permissions (logs, admin, host_details). This fixes failing component
tests that need admin-level tokens to access management endpoints.
- Add ManagementResource enum values: Admin, HostDetails
- Create cmd/cloudflared/management package with token command
- Extract shared utilities to cliutil/management.go (GetManagementToken, CreateStderrLogger)
- Refactor tail/cmd.go to use shared utilities
- Update component tests to use new command with admin resource
Closes TUN-10292
* TUN-10247: Update tail command to use /management/logs endpoint
The /management endpoint will be deprecated in favor of new /management/resource endpoints. Because of that, we'll need cloudflared to use the new endpoint.
Closes TUN-10247
Remove the DNS over HTTPS (DoH) proxy feature built on CoreDNS due to
security vulnerabilities (GO-2025-3942, GO-2026-4289).
This removes:
- Standalone proxy-dns command (cloudflared proxy-dns)
- Tunnel subcommand (cloudflared tunnel proxy-dns)
- Proxy-dns flags for tunnel run (--proxy-dns, --proxy-dns-port, etc.)
- Config file resolver section support
- tunneldns/ package (CoreDNS-based implementation)
- Related component tests
BREAKING CHANGE: The proxy-dns feature is no longer available.
Users should migrate to alternative DNS over HTTPS solutions.
* TUN-9863: Introduce Code Signing for Windows Builds
This commit adds a signing step to the build script for windows binaries.
Since we package the MSI on Linux, this commit adds another CI step that depends on package-windows and signs all of the windows packages.
To do so, we use azuresigntool which relies on a certificate stored in Azure Vault.
Closes TUN-9863
* chore: Update cloudflared signing key name in index.html
We want to preserve the old key name so that we don't have to update the dev docs.
We will have the same key under this name and the v2 name to account for everyone who has already updated.
* Fix systemd service installation hanging
---
This kills the hanging when there is a network issue (port blocking or no Internet) and the installation cannot be completed with no error sent to the output.
Before (killed manually since it hangs forever):
After:
---
* TUN-9919: Make RPM postinstall scriptlet idempotent
Before this commit the postinstall scriptlet isn't idempotent, meaning the users see this error in their upgrade logs:
`ln: failed to create symbolic link '/usr/local/bin/cloudflared': File exists
warning: %post(cloudflared-2025.10.0-1.x86_64) scriptlet failed, exit status 1`
This doesn't break the upgrade (which is why we haven't touched this in 5 years), but adding the -f (force) flag to the symlink command prevents this issue from happening
Closes TUN-9919