Commit Graph

464 Commits

Author SHA1 Message Date
Chung-Ting Huang bec683b67d TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography 2023-08-29 09:05:33 +01:00
Chung-Ting Huang 38d3c3cae5 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled 2023-08-28 14:18:05 +00:00
Devin Carr 65247b6f0f TUN-7584: Bump go 1.20.6
Pins all docker and cfsetup builds to a specific go patch version.
Also ran go fix on repo.
2023-07-26 13:52:40 -07:00
Devin Carr 81fe0bd12b TUN-7628: Correct Host parsing for Access
Will no longer provide full hostname with path from provided
`--hostname` flag for cloudflared access to the Host header field.
This addresses certain issues caught from a security fix in go
1.19.11 and 1.20.6 in the net/http URL parsing.
2023-07-25 09:33:11 -07:00
João "Pisco" Fernandes af3a66d60e TUN-7597: Add flag to disable auto-update services to be installed
Summary:
This commit adds a new flag "no-update-service" to the `cloudflared service install` command.

Previously, when installing cloudflared as a linux service it would always get auto-updates, now with this new flag it is possible to disable the auto updates of the service.

This flag allows to define whether we want cloudflared service to **perform auto updates or not**.
For **systemd this is done by removing the installation of the update service and timer**, for **sysv** this is done by **setting the cloudflared autoupdate flag**.
2023-07-19 11:06:11 +00:00
Devin Carr 42e0540395 TUN-7588: Update package coreos/go-systemd 2023-07-18 18:57:32 +00:00
Devin Carr b500e556bf TUN-7590: Remove usages of ioutil 2023-07-17 19:08:38 +00:00
Devin Carr 1b0b6bf7a8 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage
Package has been moved to golang.org/x/term
2023-07-17 19:02:15 +00:00
João Oliveirinha 0c8bc56930 TUN-7575: Add option to disable PTMU discovery over QUIC
This commit implements the option to disable PTMU discovery for QUIC
connections.
QUIC finds the PMTU during startup by increasing Ping packet frames
until Ping responses are not received anymore, and it seems to stick
with that PMTU forever.

This is no problem if the PTMU doesn't change over time, but if it does
it may case packet drops.
We add this hidden flag for debugging purposes in such situations as a
quick way to validate if problems that are being seen can be solved by
reducing the packet size to the edge.

Note however, that this option may impact UDP proxying since we expect
being able to send UDP packets of 1280 bytes over QUIC.
So, this option should not be used when tunnel is being used for UDP
proxying.
2023-07-13 10:24:24 +01:00
Devin Carr ccad59dfab TUN-7564: Support cf-trace-id for cloudflared access 2023-07-06 19:03:40 +00:00
Devin Carr 8a3eade6d3 TUN-7553: Add flag to enable management diagnostic services
With the new flag --management-diagnostics (an opt-in flag)
cloudflared's will be able to report additional diagnostic information
over the management.argotunnel.com request path.
Additions include the /metrics prometheus endpoint; which is already
bound to a local port via --metrics.
/debug/pprof/(goroutine|heap) are also provided to allow for remotely
retrieving heap information from a running cloudflared connector.
2023-07-06 17:31:11 +00:00
Devin Carr 2b4815a9f5 TUN-7543: Add --debug-stream flag to cloudflared access ssh
Allows for debugging the payloads that are sent in client mode to
the ssh server. Required to be run with --log-directory to capture
logging output. Additionally has maximum limit that is provided with
the flag that will only capture the first N number of reads plus
writes through the WebSocket stream. These reads/writes are not directly
captured at the packet boundary so some reconstruction from the
log messages will be required.

Added User-Agent for all out-going cloudflared access
tcp requests in client mode.
Added check to not run terminal logging in cloudflared access tcp
client mode to not obstruct the stdin and stdout.
2023-06-29 10:29:15 -07:00
EduardoGomes 31f424d589 AUTH-5328 Pass cloudflared_token_check param when running cloudflared access login 2023-06-20 11:48:38 +01:00
Sudarsan Reddy 1abd22ef0a TUN-7480: Added a timeout for unregisterUDP.
I deliberately kept this as an unregistertimeout because that was the
intent. In the future we could change this to a UDPConnConfig if we want
to pass multiple values here.

The idea of this PR is simply to add a configurable unregister UDP
timeout.
2023-06-20 06:20:09 +00:00
João "Pisco" Fernandes 925ec100d6 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration 2023-06-12 15:11:42 +01:00
Devin Carr 76391434c2 TUN-7393: Add json output for cloudflared tail
cloudflared tail now has a `--output=json` that will allow it to easily pipe into tools like jq for a more structured view of the streaming logs.
2023-04-26 15:41:00 +00:00
Devin Carr 88c25d2c67 TUN-7133: Add sampling support for streaming logs
In addition to supporting sampling support for streaming logs,
cloudflared tail also supports this via `--sample 0.5` to sample 50%
of your log events.
2023-04-24 09:39:26 -07:00
Jesse Li 39b7aed24e AUTH-4887 Add aud parameter to token transfer url 2023-04-19 21:01:24 +00:00
Sudarsan Reddy e426693330 TUN-7361: Add a label to override hostname
It might make sense for users to sometimes name their cloudflared
connectors to make identification easier than relying on hostnames that
TUN-7360 provides. This PR provides a new --label option to cloudflared
tunnel that a user could provide to give custom names to their
connectors.
2023-04-19 13:56:32 +00:00
James Royal 171d4ac77c AUTH-3122 Verify that Access tokens are still valid in curl command
Before this change, the only sure fire way to make sure you had a valid
Access token was to run `cloudflared access login <your domain>`. That
was because that command would actually make a preflight request to ensure
that the edge considered that token valid. The most common reasons a token
was no longer valid was expiration and revocation. Expiration is easy to
check client side, but revocation can only be checked at the edge.

This change adds the same flow that cfd access login did to the curl command.
It will preflight the request with the token and ensure that the edge thinks
its valid before making the real request.
2023-04-18 13:38:50 +00:00
Sudarsan Reddy 5e212a6bf3 TUN-7360: Add Get Host Details handler in management service
With the management tunnels work, we allow calls to our edge service
   using an access JWT provided by Tunnelstore. Given a connector ID,
   this request is then proxied to the appropriate Cloudflare Tunnel.

   This PR takes advantage of this flow and adds a new host_details
   endpoint. Calls to this endpoint will result in cloudflared gathering
   some details about the host: hostname (os.hostname()) and ip address
   (localAddr in a dial).

   Note that the mini spec lists 4 alternatives and this picks alternative
   3 because:

   1. Ease of implementation: This is quick and non-intrusive to any of our
      code path. We expect to change how connection tracking works and
      regardless of the direction we take, it may be easy to keep, morph
      or throw this away.

   2. The cloudflared part of this round trip takes some time with a
      hostname call and a dial. But note that this is off the critical path
      and not an API that will be exercised often.
2023-04-18 09:54:54 +00:00
Devin Carr b89c092c1b TUN-7134: Acquire token for cloudflared tail
cloudflared tail will now fetch the management token from by making
a request to the Cloudflare API using the cert.pem (acquired from
cloudflared login).

Refactored some of the credentials code into it's own package as
to allow for easier use between subcommands outside of
`cloudflared tunnel`.
2023-04-12 09:43:38 -07:00
Devin Carr 8dc0697a8f TUN-7132 TUN-7136: Add filter support for streaming logs
Additionally adds similar support in cloudflared tail to provide
filters for events and log level.
2023-04-11 20:20:52 +00:00
Sudarsan Reddy 5dbf76a7aa TUN-7335: Fix cloudflared update not working in windows
This PR fixes some long standing bugs in the windows update
paths. We previously did not surface the errors at all leading to
this function failing silently.

This PR:

1. Now returns the ExitError if the bat run for update fails.
2. Fixes the errors surfaced by that return:
    a. The batch file doesnt play well with spaces. This is fixed by
    using PROGRA~1/2 which are aliases windows uses.
    b. The existing script also seemed to be irregular about where batch
    files were put and looked for. This is also fixed in this script.
2023-04-11 08:54:38 +00:00
Devin Carr 3fd571063e TUN-7128: Categorize logs from public hostname locations
Updates the HTTP ingress request log events to have more structured
fields to adapt to streaming logs reporting.
2023-04-10 22:14:12 +00:00
Devin Carr 820a201603 TUN-7135: Add cloudflared tail 2023-04-05 10:20:53 -07:00
João Oliveirinha 5972540efa TUN-7332: Remove legacy tunnel force flag 2023-04-05 16:13:59 +01:00
Han Li 5e37a65dac
Fix typo (#918)
UUID not UUUD
2023-04-04 16:15:12 +01:00
Devin Carr 39ed5dc182 TUN-7126: Add Management logger io.Writer 2023-03-30 14:12:00 -07:00
Devin Carr bbc8d9431b TUN-7333: Default features checkable at runtime across all packages 2023-03-30 17:42:54 +00:00
Devin Carr be64362fdb TUN-7124: Add intercept ingress rule for management requests 2023-03-21 11:42:25 -07:00
João Oliveirinha f686da832f TUN-7275: Make QuickTunnels only use a single connection to the edge 2023-03-13 15:32:46 +00:00
Devin Carr 7b8b3f73e7 TUN-7259: Add warning for missing ingress rules
Providing no ingress rules in the configuration file or via the CLI will now provide a warning and return 502 for all incoming HTTP requests.
2023-03-10 01:49:54 +00:00
Devin Carr 93f8f6b55c TUN-7245: Add bastion flag to origin service check 2023-03-09 17:09:21 +00:00
Devin Carr 27f88ae209 TUN-7252: Remove h2mux connection 2023-03-07 13:51:37 -08:00
iBug fed60ae4c3
GH-352: Add Tunnel CLI option "edge-bind-address" (#870)
* Add Tunnel CLI option "edge-bind-address"
2023-02-28 16:11:42 +00:00
Devin Carr 0f95f8bae5 TUN-6938: Force h2mux protocol to http2 for named tunnels
Going forward, the only protocols supported will be QUIC and HTTP2,
defaulting to QUIC for "auto". Selecting h2mux protocol will be forcibly
upgraded to http2 internally.
2023-02-06 11:06:02 -08:00
Devin Carr ae46af9236 TUN-7065: Remove classic tunnel creation 2023-02-06 18:19:22 +00:00
João Oliveirinha 62dcb8a1d1 Revert "TUN-7065: Remove classic tunnel creation"
This reverts commit c24f275981.
2023-02-01 14:01:59 +00:00
João Oliveirinha 90d710e3ec Revert "TUN-7065: Revert Ingress Rule check for named tunnel configurations"
This reverts commit b8e610a067.
2023-02-01 14:01:46 +00:00
Sudarsan Reddy b8e610a067 TUN-7065: Revert Ingress Rule check for named tunnel configurations
Named Tunnels can exist without Ingress rules (They would default to
8080). Moreover, having this check also prevents warp tunnels from
starting since they do not need ingress rules.
2023-02-01 10:08:10 +00:00
Devin Carr c24f275981 TUN-7065: Remove classic tunnel creation 2023-01-31 22:35:28 +00:00
João Oliveirinha bd917d294c TUN-7097: Fix bug checking proxy-dns config on tunnel cmd execution 2023-01-22 19:17:06 +00:00
Nuno Diegues 4616e9fcc2 ZTC-446: Allow to force delete a vnet 2023-01-20 11:52:56 +00:00
Sudarsan Reddy de7ca4be30 TUN-7077: Specific name in cloudflare tunnel route lb command 2023-01-17 10:10:02 +00:00
Devin Carr 794e8e622f TUN-6724: Migrate to sentry-go from raven-go 2023-01-11 15:48:03 +00:00
Sudarsan Reddy d19da6767a TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run
This PR starts a separate server for proxy-dns if the configuration is
available. This fixes a problem on cloudflared not starting in proxy-dns
mode if the url flag (which isn't necessary for proxy-dns) is not
provided. Note: This is still being supported for legacy reasons and
since proxy-dns is not a tunnel and should not be part of the
cloudflared tunnel group of commands.
2022-12-20 11:26:27 +00:00
Sudarsan Reddy 99b3736cc7 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol
This PR does two things:
It changes how we fallback to a lower protocol: The current state
is to try connecting with a protocol. If it fails, fall back to a
lower protocol. And try connecting with that and so on. With this PR,
if we fail to connect with a protocol, we will try to connect to other
edge addresses first. Only if we fail to connect to those will we
fall back to a lower protocol.
It fixes a behaviour where if we fail to connect to an edge addr,
we keep re-trying the same address over and over again.
This PR now switches between edge addresses on subsequent connecton attempts.
Note that through these switches, it still respects the backoff time.
(We are connecting to a different edge, but this helps to not bombard an edge
address with connect requests if a particular edge addresses stops working).
2022-12-14 13:17:21 +00:00
João Oliveirinha e517242194 TUN-6995: Disable quick-tunnels spin up by default
Before this change when running cloudflare tunnel command without any
subcommand and without any additional flag, we would spin up a
QuickTunnel.

This is really a strange behaviour because we can easily create unwanted
tunnels and results in bad user experience.
This also has the side effect on putting more burden in our services
that are probably just mistakes.

This commit fixes that by requiring  user to specify the url command
flag.
Running cloudflared tunnel alone will result in an error message
instead.
2022-12-13 12:03:32 +00:00
Sudarsan Reddy 7dee179652 TUN-7004: Dont show local config dirs for remotely configured tuns
cloudflared shows possible directories for config files to be present if
it doesn't see one when starting up. For remotely configured files, it
may not be necessary to have a config file present. This PR looks to see
if a token flag was provided, and if yes, does not log this message.
2022-12-13 11:03:00 +00:00