Commit Graph

1397 Commits

Author SHA1 Message Date
cthuang cbf8c71fab TUN-6716: Document limitation of Windows ICMP proxy 2022-09-29 14:51:53 +01:00
cthuang 870193c064 TUN-6811: Ping group range should be parsed as int32 2022-09-29 12:59:38 +01:00
cthuang fdddd86380 TUN-6715: Provide suggestion to add cloudflared to ping_group_range if it failed to open ICMP socket 2022-09-28 17:30:13 +01:00
Devin Carr b3e26420c0 TUN-6801: Add punycode alternatives for ingress rules 2022-09-26 17:59:45 +00:00
cthuang be0305ec58 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible
If it cannot determine the correct interface IP, it will fallback to all interfaces.
This commit also introduces the icmpv4-src and icmpv6-src flags
2022-09-26 11:37:08 +01:00
cthuang 3449ea35f2 TUN-6791: Calculate ICMPv6 checksum 2022-09-22 15:18:53 +00:00
Sudarsan Reddy 7f487c2651 TUN-6775: Add middleware.Handler verification to ProxyHTTP
ProxyHTTP now processes middleware Handler before executing the request.
A chain of handlers is now executed and appropriate response status
codes are sent.
2022-09-22 15:11:59 +01:00
Sudarsan Reddy 9bb7628fbc TUN-6772: Add a JWT Validator as an ingress verifier
This adds a new verifier interface that can be attached to ingress.Rule.
This would act as a middleware layer that gets executed at the start of
proxy.ProxyHTTP.

A jwt validator implementation for this verifier is also provided. The
validator downloads the public key from the access teams endpoint and
uses it to verify the JWT sent to cloudflared with the audtag (clientID)
information provided in the config.
2022-09-22 14:44:03 +01:00
Sudarsan Reddy eb36716ba4 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
We take advantage of the JWTValidator middleware and attach it to an
ingress rule based on Access configurations. We attach the Validator
directly to the ingress rules because we want to take advantage of
caching and token revert/handling that comes with go-oidc.
2022-09-22 14:44:03 +01:00
Sudarsan Reddy 5d6b0642db TUN-6772: Add a JWT Validator as an ingress verifier
This adds a new verifier interface that can be attached to ingress.Rule.
This would act as a middleware layer that gets executed at the start of
proxy.ProxyHTTP.

A jwt validator implementation for this verifier is also provided. The
validator downloads the public key from the access teams endpoint and
uses it to verify the JWT sent to cloudflared with the audtag (clientID)
information provided in the config.
2022-09-22 14:44:03 +01:00
Sudarsan Reddy 462d2f87df TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
We take advantage of the JWTValidator middleware and attach it to an
ingress rule based on Access configurations. We attach the Validator
directly to the ingress rules because we want to take advantage of
caching and token revert/handling that comes with go-oidc.
2022-09-22 13:43:15 +00:00
Nuno Diegues 0aa21f302e TUN-6792: Fix brew core release by not auditing the formula 2022-09-22 11:58:17 +01:00
Sudarsan Reddy de07da02cd TUN-6772: Add a JWT Validator as an ingress verifier
This adds a new verifier interface that can be attached to ingress.Rule.
This would act as a middleware layer that gets executed at the start of
proxy.ProxyHTTP.

A jwt validator implementation for this verifier is also provided. The
validator downloads the public key from the access teams endpoint and
uses it to verify the JWT sent to cloudflared with the audtag (clientID)
information provided in the config.
2022-09-22 08:42:25 +00:00
Devin Carr e9a2c85671 Release 2022.9.1 2022-09-21 12:52:59 -07:00
Devin Carr b0f0741a9b TUN-6590: Use Windows Teamcity agent to build binary 2022-09-21 19:34:36 +00:00
Sudarsan Reddy db4564e5b9 TUN-6773: Add access based configuration to ingress.OriginRequestConfig
This PR adds some access related configurations to OriginRequestConfig.
This will eventually get validated to be part of Ingress.Rule.
2022-09-21 09:59:42 +00:00
cthuang 3d345d3748 TUN-6595: Enable datagramv2 and icmp proxy by default 2022-09-20 14:02:02 +00:00
cthuang b1995b4dd1 TUN-6777: Fix race condition in TestFunnelIdleTimeout 2022-09-20 13:17:38 +00:00
João Oliveirinha b457cca1e5 TUN-6780: Add support for certReload to also include support for client certificates 2022-09-20 08:18:59 +00:00
João Oliveirinha a0b6ba9b8d TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate 2022-09-20 08:18:48 +00:00
cthuang de00396669 TUN-6778: Cleanup logs about ICMP 2022-09-19 15:46:34 +00:00
Devin Carr 013bdbd10c TUN-6718: Bump go and go-boring 1.18.6 2022-09-19 15:18:59 +00:00
cthuang b639b6627a TUN-6744: On posix platforms, assign unique echo ID per (src, dst, echo ID)
This also refactor FunnelTracker to provide a GetOrRegister method to prevent race condition
2022-09-19 14:39:47 +01:00
cthuang e454994e3e TUN-6767: Build ICMP proxy for Windows only when CGO is enabled 2022-09-16 10:14:05 +01:00
cthuang 8a53c1aa1d TUN-6592: Decrement TTL and return ICMP time exceed if it's 0 2022-09-15 17:53:26 +01:00
Devin Carr f5f3e6a453 TUN-6689: Utilize new RegisterUDPSession to begin tracing 2022-09-13 14:56:08 +00:00
cthuang 30c529e730 TUN-6743: Support ICMPv6 echo on Windows 2022-09-12 10:40:50 +01:00
cthuang bf3d70d1d2 TUN-6654: Support ICMPv6 on Linux and Darwin 2022-09-12 09:27:06 +01:00
cthuang a65f8bce7f TUN-6749: Fix icmp_generic build 2022-09-09 16:14:07 +01:00
cthuang 2ffff0687b TUN-6696: Refactor flow into funnel and close idle funnels
A funnel is an abstraction for 1 source to many destinations.
As part of this refactoring, shared logic between Darwin and Linux are moved into icmp_posix
2022-09-09 13:06:00 +01:00
Devin Carr e380333520 TUN-6688: Update RegisterUdpSession capnproto to include trace context 2022-09-08 21:50:58 +00:00
Bas Westerbaan 11cbff4ff7 RTG-1339 Support post-quantum hybrid key exchange
Func spec: https://wiki.cfops.it/x/ZcBKHw
2022-09-07 19:32:53 +00:00
Chung-Ting Huang 3e0ff3a771 TUN-6531: Implement ICMP proxy for Windows using IcmpSendEcho 2022-09-07 19:18:06 +00:00
Nuno Diegues 7a19798682 TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case 2022-09-07 16:32:15 +00:00
Nuno Diegues 4b75943d59 Release 2022.9.0 2022-09-07 07:58:04 +01:00
cthuang fc20a22685 TUN-6695: Implement ICMP proxy for linux 2022-09-05 14:49:42 +00:00
cthuang faa86ffeca TUN-6737: Fix datagramV2Type should be declared in its own block so it starts at 0 2022-09-05 15:09:53 +01:00
Devin Carr f7a14d9200 TUN-6728: Verify http status code ingress rule 2022-09-02 09:14:03 -07:00
Nuno Diegues 902e5beb4f TUN-6729: Fix flaky TestClosePreviousProxies
I can only reproduce the flakiness, which is the hello world still
responding when it should be shut down already, in Windows (both in
TeamCity as well as my local VM). Locally, it only happens when the
machine is under high load.

Anyway, it's valid that the proxies take some time to shut down since
they handle that via channels asynchronously with regards to the event
that updates the configuration.
Hence, nothing is wrong, as long as they eventually shut down, which the
test still verifies.
2022-09-01 21:32:59 +00:00
Nuno Diegues 7ca5f7569a TUN-6726: Fix maxDatagramPayloadSize for Windows QUIC datagrams 2022-09-01 21:32:59 +00:00
Nuno Diegues 4ac68711cd TUN-6725: Fix testProxySSEAllData
This test was failing on Windows. We did not catch it before because our
TeamCity Windows builds were ignoring failed unit tests: TUN-6727

 - the fix is implementing WriteString for mockSSERespWriter
 - reason is because cfio.Copy was calling that, and not Write method,
   thus not triggering the usage of the channel for the test to continue
 - mockSSERespWriter was providing a valid implementation of WriteString
   via ResponseRecorder, which it implements via the embedded mockHTTPRespWriter
 - it is not clear why this only happened on Windows
 - changed it to be a top-level test since it did not share any code
   with other sub-tests in the same top-level test
2022-09-01 21:32:59 +00:00
Devin Carr 075ac1acf1 Release 2022.8.4 2022-08-31 15:19:40 -07:00
Devin Carr cfef0e737f TUN-6720: Remove forcibly closing connection during reconnect signal
Previously allowing the reconnect signal forcibly close the connection
caused a race condition on which error was returned by the errgroup
in the tunnel connection. Allowing the signal to return and provide
a context cancel to the connection provides a safer shutdown of the
tunnel for this test-only scenario.
2022-08-31 21:50:02 +00:00
Devin Carr 8ec0f7746b Release 2022.8.3 2022-08-31 20:54:54 +00:00
cthuang 2b3707e2b9 TUN-6717: Update Github action to run with Go 1.19 2022-08-31 12:22:57 +01:00
cthuang 7e760f9fcc TUN-6586: Change ICMP proxy to only build for Darwin and use echo ID to track flows 2022-08-27 22:37:08 +01:00
cthuang efb99d90d7 TUN-6708: Fix replace flow logic 2022-08-26 17:52:06 +01:00
João Oliveirinha e131125558 TUN-6699: Add metric for packet too big dropped 2022-08-26 16:02:43 +00:00
Devin Carr af6bf5c4e5 TUN-6704: Honor protocol flag when edge discovery is unreachable 2022-08-26 15:31:19 +00:00
Sudarsan Reddy e3390fcb15 TUN-6705: Tunnel should retry connections forever
Protocolbackoff arrays now have Retryforever flag set to true to enable
cloudflared to keep trying to reconnect perpetually.
2022-08-26 08:27:15 +00:00