Commit Graph

361 Commits

Author SHA1 Message Date
Sudarsan Reddy b8e610a067 TUN-7065: Revert Ingress Rule check for named tunnel configurations
Named Tunnels can exist without Ingress rules (They would default to
8080). Moreover, having this check also prevents warp tunnels from
starting since they do not need ingress rules.
2023-02-01 10:08:10 +00:00
Devin Carr c24f275981 TUN-7065: Remove classic tunnel creation 2023-01-31 22:35:28 +00:00
João Oliveirinha bd917d294c TUN-7097: Fix bug checking proxy-dns config on tunnel cmd execution 2023-01-22 19:17:06 +00:00
Nuno Diegues 4616e9fcc2 ZTC-446: Allow to force delete a vnet 2023-01-20 11:52:56 +00:00
Sudarsan Reddy de7ca4be30 TUN-7077: Specific name in cloudflare tunnel route lb command 2023-01-17 10:10:02 +00:00
Devin Carr 794e8e622f TUN-6724: Migrate to sentry-go from raven-go 2023-01-11 15:48:03 +00:00
Sudarsan Reddy d19da6767a TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run
This PR starts a separate server for proxy-dns if the configuration is
available. This fixes a problem on cloudflared not starting in proxy-dns
mode if the url flag (which isn't necessary for proxy-dns) is not
provided. Note: This is still being supported for legacy reasons and
since proxy-dns is not a tunnel and should not be part of the
cloudflared tunnel group of commands.
2022-12-20 11:26:27 +00:00
Sudarsan Reddy 99b3736cc7 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol
This PR does two things:
It changes how we fallback to a lower protocol: The current state
is to try connecting with a protocol. If it fails, fall back to a
lower protocol. And try connecting with that and so on. With this PR,
if we fail to connect with a protocol, we will try to connect to other
edge addresses first. Only if we fail to connect to those will we
fall back to a lower protocol.
It fixes a behaviour where if we fail to connect to an edge addr,
we keep re-trying the same address over and over again.
This PR now switches between edge addresses on subsequent connecton attempts.
Note that through these switches, it still respects the backoff time.
(We are connecting to a different edge, but this helps to not bombard an edge
address with connect requests if a particular edge addresses stops working).
2022-12-14 13:17:21 +00:00
João Oliveirinha e517242194 TUN-6995: Disable quick-tunnels spin up by default
Before this change when running cloudflare tunnel command without any
subcommand and without any additional flag, we would spin up a
QuickTunnel.

This is really a strange behaviour because we can easily create unwanted
tunnels and results in bad user experience.
This also has the side effect on putting more burden in our services
that are probably just mistakes.

This commit fixes that by requiring  user to specify the url command
flag.
Running cloudflared tunnel alone will result in an error message
instead.
2022-12-13 12:03:32 +00:00
Sudarsan Reddy 7dee179652 TUN-7004: Dont show local config dirs for remotely configured tuns
cloudflared shows possible directories for config files to be present if
it doesn't see one when starting up. For remotely configured files, it
may not be necessary to have a config file present. This PR looks to see
if a token flag was provided, and if yes, does not log this message.
2022-12-13 11:03:00 +00:00
João Oliveirinha b0663dce33 TUN-6970: Print newline when printing tunnel token 2022-11-24 16:03:47 +00:00
João Oliveirinha af59851f33 TUN-6963: Refactor Metrics service setup 2022-11-22 11:35:48 +00:00
João Oliveirinha 19106cd609 TUN-6935: Cloudflared should use APIToken instead of serviceKey
This commit makes cloudflared use the API token provided during login
instead of service key.
In addition, it eliminates some of the old formats since those are
legacy and we only support cloudflared versions newer than 6 months.
2022-11-16 17:07:16 +00:00
João Oliveirinha b50f172bdb Revert "TUN-6935: Cloudflared should use APIToken instead of serviceKey"
This reverts commit 1c6316c1c9.
2022-11-16 12:05:09 +00:00
João Oliveirinha 1c6316c1c9 TUN-6935: Cloudflared should use APIToken instead of serviceKey
This commit makes cloudflared use the API token provided during login
instead of service key.
In addition, it eliminates some of the old formats since those are
legacy and we only support cloudflared versions newer than 6 months.
2022-11-16 10:04:17 +00:00
João Oliveirinha e6c9ec0b39 TUN-6871: Add default feature to cloudflared to support EOF on QUIC connections 2022-10-24 13:14:47 +01:00
cthuang 495f9fb8bd TUN-6856: Refactor to lay foundation for tracing ICMP
Remove send and return methods from Funnel interface. Users of Funnel can provide their own send and return methods without wrapper to comply with the interface.
Move packet router to ingress package to avoid circular dependency
2022-10-17 19:48:35 +01:00
Jamie Nguyen 9904929b83 Fix typo in help text for `cloudflared tunnel route lb` 2022-10-12 11:45:13 +01:00
Bas Westerbaan f4ae8d1446 Add post-quantum flag to quick tunnel
Github 
2022-10-05 01:33:17 +02:00
cthuang be0305ec58 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible
If it cannot determine the correct interface IP, it will fallback to all interfaces.
This commit also introduces the icmpv4-src and icmpv6-src flags
2022-09-26 11:37:08 +01:00
cthuang 3d345d3748 TUN-6595: Enable datagramv2 and icmp proxy by default 2022-09-20 14:02:02 +00:00
Bas Westerbaan 11cbff4ff7 RTG-1339 Support post-quantum hybrid key exchange
Func spec: https://wiki.cfops.it/x/ZcBKHw
2022-09-07 19:32:53 +00:00
Devin Carr cfef0e737f TUN-6720: Remove forcibly closing connection during reconnect signal
Previously allowing the reconnect signal forcibly close the connection
caused a race condition on which error was returned by the errgroup
in the tunnel connection. Allowing the signal to return and provide
a context cancel to the connection provides a safer shutdown of the
tunnel for this test-only scenario.
2022-08-31 21:50:02 +00:00
Devin Carr 2a177e0fc4 TUN-6583: Remove legacy --ui flag 2022-07-20 16:17:29 -07:00
Nuno Diegues 7607ead143 TUN-6503: Fix transport fallback from QUIC in face of dial error "no network activity" 2022-07-06 13:05:45 +01:00
Devin Carr ae7fbc14f3 TUN-6373: Add edge-ip-version to remotely pushed configuration
(cherry picked from commit 8e9091cc48)
2022-06-23 16:55:03 +00:00
Silver ee87c43eb9
Merge pull request from nikr-canva/http2-origins
Add Http2Origin option to force HTTP/2 origin connections
2022-06-16 12:23:07 -05:00
Devin Carr b9453b84bb Revert "TUN-6373: Add edge-ip-version to remotely pushed configuration"
This reverts commit 8e9091cc48.
2022-06-14 16:07:37 -07:00
Igor Postelnik f2339a7244 TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy.
For WARP routing the defaults for these new settings are 5 seconds for connect timeout and 30 seconds for keep-alive timeout. These values can be configured either remotely or locally. Local config lives under "warp-routing" section in config.yaml.

For websocket-based proxy, the defaults come from originConfig settings (either global or per-service) and use the same defaults as HTTP proxying.
2022-06-14 21:36:40 +00:00
Devin Carr 8e9091cc48 TUN-6373: Add edge-ip-version to remotely pushed configuration 2022-06-14 15:41:16 +00:00
Devin Carr e3aad7799e TUN-6357: Add connector id to ready check endpoint 2022-06-08 17:35:23 +00:00
Devin Carr 2b0d704777 TUN-6341: Fix default config value for edge-ip-version 2022-06-02 20:12:15 -07:00
Devin Carr ee80e55833 TUN-6339: Add config for IPv6 support 2022-06-02 16:04:26 -07:00
Niklas Rehfeld 7d4afd4ae0 Add Http2Origin option to force HTTP/2 origin connections
If `http2Origin` is set, it will set `ForceAttemptHTTP2` in the transport config of the `OriginService`.
2022-06-01 12:57:29 +12:00
Nuno Diegues 5e6f606f4e TUN-6293: Update yaml v3 to latest hotfix
This addresses https://security.snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
by updating yaml v3 to latest version.

It also stops using yaml v2 directly (we were using both v2 and v3 mixed).
We still rely on yaml v2 indirectly, via urfave cli, though.

Note that the security vulnerability does not affect v2.
2022-05-30 17:38:55 +00:00
João Oliveirinha 99d4e48656 TUN-6016: Push local managed tunnels configuration to the edge 2022-05-06 15:43:24 +00:00
João Oliveirinha 3254d08173 TUN-6014: Add remote config flag as default feature 2022-04-28 12:00:47 +01:00
Nuno Diegues 7a6ab54fcb TUN-6043: Allow UI-managed Tunnels to fallback from QUIC but warn about that 2022-04-12 09:46:07 +01:00
Nuno Diegues a0f6eb9d5e TUN-5992: Use QUIC protocol for remotely managed tunnels when protocol is unspecified 2022-04-05 23:07:10 +01:00
Nuno Diegues c5d1662244 TUN-5960: Do not log the tunnel token or json credentials 2022-03-28 10:54:39 +01:00
Nuno Diegues 98736a03e1 TUN-5915: New cloudflared command to allow to retrieve the token credentials for a Tunnel 2022-03-23 10:35:16 +00:00
Nuno Diegues 470e6c35c5 TUN-5918: Clean up text in cloudflared tunnel --help 2022-03-22 18:52:28 +00:00
Devin Carr e2a8302bbc TUN-5869: Add configuration endpoint in metrics server 2022-03-22 08:11:59 -07:00
Nuno Diegues 057a0cc758 TUN-5833: Send feature `allow_remote_config` if Tunnel is run with --token 2022-03-16 14:07:03 +00:00
João Oliveirinha 706523389c TUN-5679: Add support for service install using Tunnel Token 2022-03-03 18:59:03 +00:00
Nuno Diegues a1d485eca5 TUN-5823: Warn about legacy flags that are ignored when ingress rules are used 2022-03-02 10:48:03 +00:00
João Oliveirinha b6d7076400 TUN-5681: Add support for running tunnel using Token 2022-02-23 10:09:45 +00:00
João Oliveirinha 22cd8ceb8c TUN-5682: Remove name field from credentials 2022-02-23 10:08:29 +00:00
Sudarsan Reddy 9909e9d63c TUN-5754: Allow ingress validate to take plaintext option
Ingress validate currently validates config from a file. This PR adds a
new --json/-j flag to provide the ingress/config data as a plaintext
command line argument.
2022-02-22 16:56:22 +00:00
cthuang d68ff390ca TUN-5698: Make ingress rules and warp routing dynamically configurable 2022-02-16 09:38:28 +00:00
cthuang e22422aafb TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress
- Split origin into supervisor and proxy packages
- Create configManager to handle dynamic config
2022-02-14 15:37:09 +00:00
Sudarsan Reddy a84cbcde7e TUN-5669: Change network command to vnet 2022-01-24 11:26:16 +00:00
Sudarsan Reddy 1a92f1acfe TUN-5477: Unhide vnet commands 2022-01-21 12:41:58 +00:00
Nuno Diegues a39d95d5f7 TUN-5551: Show whether the binary was built for FIPS compliance
This is shown in 3 ways:
 - the version output with `cloudflared version` and alike commands
 - the build_info prometheus metric
 - a logging message
2021-12-28 19:03:16 +00:00
Nuno Diegues 6822e4f8ab TUN-5482: Refactor tunnelstore client related packages for more coherent package 2021-12-28 17:17:49 +00:00
Nuno Diegues 70e675f42c TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries
This is a cherry-pick of 157f5d1412
followed by build/CI changes so that amd64/linux FIPS compliance is
provided by new/separate binaries/artifacts/packages.

The reasoning being that FIPS compliance places excessive requirements
in the encryption algorithms used for regular users that do not care
about that. This can cause cloudflared to reject HTTPS origins that
would otherwise be accepted without FIPS checks.

This way, by having separate binaries, existing ones remain as they
were, and only FIPS-needy users will opt-in to the new FIPS binaries.
2021-12-20 21:50:42 +00:00
Nuno Diegues 571380b3f5 TUN-5362: Adjust route ip commands to be aware of virtual networks 2021-12-03 09:10:20 +00:00
Nuno Diegues eec6b87eea TUN-5361: Commands for managing virtual networks 2021-12-03 08:48:52 +00:00
Silver 36479ef11f
Merge pull request from echtish/secret-flag
Add flag to 'tunnel create' subcommand to specify a base64-encoded secret
2021-11-02 16:21:01 -05:00
Nuno Diegues 958650be1f TUN-5262: Improvements to `max-fetch-size` that allow to deal with large number of tunnels in account
* `max-fetch-size` can now be set up in the config YAML
 * we no longer pass that to filter commands that filter by name
 * flag changed to signed int since altsrc does not support UInt flags
 * we now look up each non UUID (to convert it to a UUID) when needed, separately
2021-10-19 18:28:29 +01:00
Nuno Diegues eb51ff0a6d TUN-5262: Allow to configure max fetch size for listing queries
This can be useful/important for accounts with many tunnels that exceed
the 1000 default page size.

There are various tunnel subcommands that use listing underneath, so we make
that flag a tunnel one, rather than adding it to each subcommand.
2021-10-18 11:07:02 +01:00
Nuno Diegues 6cbf90883d TUN-5255: Fix potential panic if Cloudflare API fails to respond to GetTunnel(id) during delete command 2021-10-14 15:18:34 +00:00
Sudarsan Reddy ceb509ee98 TUN-5138: Switch to QUIC on auto protocol based on threshold 2021-10-14 09:18:20 +01:00
Sudarsan Reddy 2822fbe3db TUN-5249: Revert "TUN-5138: Switch to QUIC on auto protocol based on threshold"
This reverts commit e445fd92f7
2021-10-13 19:06:31 +01:00
Sudarsan Reddy 5148d00516 TUN-5246: Use protocol: quic for Quick tunnels if one is not already set 2021-10-13 08:04:21 +00:00
Sudarsan Reddy e445fd92f7 TUN-5138: Switch to QUIC on auto protocol based on threshold 2021-10-11 11:05:20 +00:00
Jeremy Teale 1239006e96 Add flag to 'tunnel create' subcommand to specify a base64-encoded secret 2021-09-29 18:56:38 -05:00
Nuno Diegues cbdf88ea28 TUN-5164: Update README and clean up references to Argo Tunnel (using Cloudflare Tunnel instead) 2021-09-29 08:27:47 +00:00
Nuno Diegues f985ed567f TUN-5128: Enforce maximum grace period
This maximum grace period will be honored by Cloudflare edge such that
either side will close the connection after unregistration at most
by this time (3min as of this commit):
 - If the connection is unused, it is already closed as soon as possible.
 - If the connection is still used, it is closed on the cloudflared configured grace-period.

Even if cloudflared does not close the connection by the grace-period time,
the edge will do so.
2021-09-21 16:48:37 +00:00
Riley Flynn 6968b714d0 Add support for taking named tunnel credentials from an environment variable 2021-09-13 13:51:37 -02:30
cthuang 98c3957d30 TUN-5010: --region should be a string flag 2021-08-30 14:40:07 +00:00
cthuang 27cd83c2d3 Revert "TUN-4926: Implement --region configuration option"
This reverts commit d0a1daac3b.
2021-08-28 16:42:55 +01:00
Areg Harutyunyan d0a1daac3b TUN-4926: Implement --region configuration option 2021-08-27 09:11:10 +00:00
Nuno Diegues 2afa307765 TUN-4981: Improve readability of prepareTunnelConfig method 2021-08-26 18:15:36 +01:00
Rishabh Bector a4a9f45b0a TUN-4821: Make quick tunnels the default in cloudflared 2021-08-26 15:53:02 +00:00
Sudarsan Reddy 071d595371 TUN-4940: Fix cloudflared not picking up correct NextProtos for quic 2021-08-23 15:30:45 +00:00
Sudarsan Reddy 12ad264eb3 TUN-4866: Add Control Stream for QUIC
This commit adds support to Register and Unregister Connections via RPC
on the QUIC transport protocol
2021-08-17 14:50:32 +00:00
Nuno Diegues 8527d03a29 TUN-4847: Allow to list tunnels by prefix name or exclusion prefix name 2021-07-30 12:00:26 +01:00
Nuno Diegues aa24338225 TUN-4832: Prevent tunnel from running accidentally when only proxy-dns should run 2021-07-29 11:05:12 +00:00
Nuno Diegues 0924549efd TUN-4811: Publish quick tunnels' hostname in /metrics under `userHostname` for backwards-compatibility 2021-07-29 10:20:43 +01:00
Sudarsan Reddy ed1389ef08 TUN-4814: Revert "TUN-4699: Make quick tunnels the default in cloudflared"
This reverts commit 18992efa0c.
2021-07-28 10:02:55 +01:00
Rishabh Bector 18992efa0c TUN-4699: Make quick tunnels the default in cloudflared 2021-07-26 15:57:36 +00:00
Rishabh Bector 59cae0f622 TUN-4698: Add cloudflared metrics endpoint to serve quick tunnel hostname 2021-07-12 09:26:07 +00:00
Rishabh Bector 3eb9efd9f0 TUN-4521: Modify cloudflared to use zoneless-tunnels-worker for free tunnels 2021-06-29 09:39:18 +01:00
Nuno Diegues f88732277a TUN-4502: Make `cloudflared tunnel route` subcommands described consistently 2021-06-07 09:20:11 +01:00
Michael Borkenstein 235897ba21 AUTH-3426: Point to new transfer service URL and eliminate PUT /ok 2021-05-19 19:39:56 +00:00
Adam Chalmers 4c5ebccacc TUN-4425: --overwrite-dns flag for in adhoc and route dns cmds 2021-05-19 18:22:01 +00:00
cthuang 6526211a69 TUN-4421: Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network 2021-05-17 15:57:44 +01:00
Nuno Diegues ae460b340b
TUN-4342: Fix false positive warning about unused hostname property 2021-05-13 02:05:19 +01:00
Adam Chalmers 4bd17766a9
TUN-4359: Warn about unused keys in 'tunnel ingress validate' 2021-05-13 02:05:19 +01:00
Areg Harutyunyan 4d43a70a38 Setup a Github action for checking the cloudflared build 2021-05-04 14:31:22 +01:00
Areg Harutyunyan 1073f8db40
TUN-2853: rename STDIN-CONTROL env var to STDIN_CONTROL 2021-04-09 16:43:01 +01:00
Nuno Diegues b25d38dd72 TUN-4177: Running with proxy-dns should not prevent running Named Tunnels 2021-04-05 11:28:05 +01:00
Adam Chalmers 5afa3251dd TUN-4150: Only show the connector table in 'tunnel info' if there are connectors. Don't show rows with zero connections. 2021-03-30 20:13:00 +00:00
Adam Chalmers ebf5292bf9 TUN-4146: Unhide and document grace-period 2021-03-29 16:29:18 -05:00
Adam Chalmers f9062ab473 TUN-4141: Better error messages for tunnel info subcommand. 2021-03-26 14:45:35 -05:00
Igor Postelnik da4d0b2bae TUN-4067: Reformat code for consistent import order, grouping, and fix formatting. Added goimports target to the Makefile to make this easier in the future. 2021-03-24 10:53:29 -05:00
Igor Postelnik 50435546c5 TUN-4118: Don't overwrite existing file with tunnel credentials. For ad-hoc tunnels, this means tunnel won't start if there's a file in the way. 2021-03-24 08:26:22 -05:00
Igor Postelnik 9018ee5d5e TUN-4116: Ingore credentials-file setting in configuration file during tunnel create and delete opeations.
This change has two parts:
1. Update to newer version of the urfave/cli fork that correctly sets flag value along the context hierarchy while respecting config file overide behavior of the most specific instance of the flag.
2. Redefine --credentials-file flag so that create and delete subcommand don't use value from the config file.
2021-03-24 08:15:36 -05:00
Nuno Diegues 8250b67a9f TUN-4111: Warn the user if both properties "tunnel" and "hostname" are used 2021-03-23 20:14:29 +00:00