TUN-8701: Add metrics and adjust logs for datagram v3

Closes TUN-8701
TUN-8709: Add session migration for datagram v3
2024-11-07 11:02:55 -08:00 · 2024-11-06 12:06:07 -08:00 · 2024-11-06 07:09:41 +00:00 · 2024-11-05 23:00:35 -08:00 · 2024-11-04 15:23:36 -08:00 · 2024-11-04 13:59:32 -08:00
3833 changed files with 730563 additions and 353111 deletions
--- a/.docker-images
+++ b/.docker-images
@ -0,0 +1,12 @@
 images:
  - name: cloudflared
    dockerfile: Dockerfile.$ARCH
    context: .
    version_file: versions
    registries:
    - name: docker.io/cloudflare
      user: env:DOCKER_USER
      password: env:DOCKER_PASSWORD
    architectures:
    - amd64
    - arm64
--- a/.dockerignore
+++ b/.dockerignore
--- a/.github/ISSUE_TEMPLATE/---bug-report.md
+++ b/.github/ISSUE_TEMPLATE/---bug-report.md
@ -0,0 +1,34 @@
 ---
 name: "\U0001F41B Bug report"
 about: Create a report to help us improve cloudflared
 title: "\U0001F41B"
 labels: 'Priority: Normal, Type: Bug'
 ---
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Configure '...'
 2. Run '....'
 3. See error
 If it's an issue with Cloudflare Tunnel:
 4. Tunnel ID : 
 5. cloudflared config: 
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Environment and versions**
 - OS: [e.g. MacOS]
 - Architecture: [e.g. AMD, ARM]
 - Version: [e.g. 2022.02.0]
 **Logs and errors**
 If applicable, add logs or errors to help explain your problem.
 **Additional context**
 Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/---documentation.md
+++ b/.github/ISSUE_TEMPLATE/---documentation.md
@ -0,0 +1,16 @@
 ---
 name: "\U0001F4DD Documentation"
 about: Request new or updated documentation for cloudflared
 title: "\U0001F4DD"
 labels: 'Priority: Normal, Type: Documentation'
 ---
 **Available Documentation**
 A link to the documentation that is available today and the areas which could be improved. 
 **Suggested Documentation**
 A clear and concise description of the documentation, tutorial, or guide that should be added. 
 **Additional context**
 Add any other context or screenshots about the documentation request here.
--- a/.github/ISSUE_TEMPLATE/---feature-request.md
+++ b/.github/ISSUE_TEMPLATE/---feature-request.md
@ -0,0 +1,16 @@
 ---
 name: "\U0001F4A1 Feature request"
 about: Suggest a feature or enhancement for cloudflared
 title: "\U0001F4A1"
 labels: 'Priority: Normal, Type: Feature Request'
 ---
 **Describe the feature you'd like**
 A clear and concise description of the feature. What problem does it solve for you?
 **Describe alternatives you've considered**
 Are there any alternatives to solving this problem? If so, what was your experience with them?
 **Additional context**
 Add any other context or screenshots about the feature request here.
--- a/.github/workflows/check.yaml
+++ b/.github/workflows/check.yaml
@ -0,0 +1,18 @@
 on: [push, pull_request]
 name: Check
 jobs:
  check:
    strategy:
      matrix:
        go-version: [1.22.x]
        os: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
    - name: Install Go
      uses: actions/setup-go@v5
      with:
        go-version: ${{ matrix.go-version }}
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Test
      run: make test
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@ -0,0 +1,25 @@
 on:
  pull_request: {}
  workflow_dispatch: {}
  push: 
    branches:
      - main
      - master
  schedule:
    - cron: '0 0 * * *'
 name: Semgrep config
 jobs:
  semgrep:
    name: semgrep/ci
    runs-on: ubuntu-20.04
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
      SEMGREP_URL: https://cloudflare.semgrep.dev
      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
    container:
      image: returntocorp/semgrep
    steps:
      - uses: actions/checkout@v3
      - run: semgrep ci
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1,20 @@
-.GOPATH/
+/tmp
 bin/
 tmp/
 guide/public
 /.GOPATH
 /bin
 .idea
 .build
 .vscode
 \#*\#
 cscope.*
 /cloudflared
 /cloudflared.pkg
 /cloudflared.exe
 /cloudflared.msi
 /cloudflared-x86-64*
 /cloudflared.1
 /packaging
 .DS_Store
 *-session.log
 ssh_server_tests/.env
 /.cover
 built_artifacts/
 component-tests/.venv
--- a/.mac_resources/scripts/postinstall
+++ b/.mac_resources/scripts/postinstall
@ -0,0 +1,7 @@
 #!/bin/bash
 # uninstall first in case this is an upgrade
 /usr/local/bin/cloudflared service uninstall
 # install the new service using launchctl
 /usr/local/bin/cloudflared service install
--- a/.mac_resources/uninstall.sh
+++ b/.mac_resources/uninstall.sh
@ -0,0 +1,5 @@
 #!/bin/bash
 /usr/local/bin/cloudflared service uninstall
 rm /usr/local/bin/cloudflared
 pkgutil --forget com.cloudflare.cloudflared
--- a/.teamcity/install-cloudflare-go.sh
+++ b/.teamcity/install-cloudflare-go.sh
@ -0,0 +1,8 @@
 # !/usr/bin/env bash
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
 # https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
 git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
 ./make.bash
--- a/.teamcity/mac/build.sh
+++ b/.teamcity/mac/build.sh
@ -0,0 +1,195 @@
 #!/bin/bash
 set -exo pipefail
 if [[ "$(uname)" != "Darwin" ]] ; then
    echo "This should be run on macOS"
    exit 1
 fi
 if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
 then
  echo "TARGET_ARCH must be amd64 or arm64"
  exit 1
 fi
 go version
 export GO111MODULE=on
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
 INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
 FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
 PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
 # Add code signing private key to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
    # write private key to disk and then import it keychain
    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
    # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error 
    # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
    exitcode=$?
    if [ -n "$out" ]; then
      if [ $exitcode -eq 0 ]; then
          echo "$out"
      else
          if [ "$out" != "${SEC_DUP_MSG}" ]; then
              echo "$out" >&2
              exit $exitcode
          fi
      fi
    fi
    rm ${CODE_SIGN_PRIV}
  fi
 fi
 # Add code signing certificate to the key chain
 if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
  exitcode1=$?
  if [ -n "$out1" ]; then
    if [ $exitcode1 -eq 0 ]; then
        echo "$out1"
    else
        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
            echo "$out1" >&2
            exit $exitcode1
        else 
            echo "already imported code signing certificate"
        fi
    fi
  fi
  rm ${CODE_SIGN_CERT}
 fi
 # Add package signing private key to the key chain
 if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
    # write private key to disk and then import it into the keychain
    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
    exitcode2=$?
    if [ -n "$out2" ]; then
      if [ $exitcode2 -eq 0 ]; then
          echo "$out2"
      else
          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
              echo "$out2" >&2
              exit $exitcode2
          fi
      fi
    fi
    rm ${INSTALLER_PRIV}
  fi
 fi
 # Add package signing certificate to the key chain
 if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
  # write certificate to disk and then import it keychain
  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
  exitcode3=$?
  if [ -n "$out3" ]; then
    if [ $exitcode3 -eq 0 ]; then
        echo "$out3"
    else
        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
            echo "$out3" >&2
            exit $exitcode3
        else 
            echo "already imported installer certificate"
        fi
    fi
  fi
  rm ${INSTALLER_CERT}
 fi
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
  else
    CODE_SIGN_NAME=""
  fi
 fi
 # get the package signing certificate name
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
  else
    PKG_SIGN_NAME=""
  fi
 fi
 # cleanup the build directory because the previous execution might have failed without cleaning up.
 rm -rf "${TARGET_DIRECTORY}"
 export TARGET_OS="darwin"
 GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
 # notarize the binary
 # TODO: TUN-5789
 fi
 ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
 rm -rf $ARCH_TARGET_DIRECTORY
 mkdir -p "${ARCH_TARGET_DIRECTORY}"
 mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
 cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 # copy cloudflared into the build directory
 cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
  pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      --sign "${PKG_SIGN_NAME}" \
      ${PKGNAME}
      # notarize the package
      # TODO: TUN-5789
 else
    pkgbuild --identifier com.cloudflare.${PRODUCT} \
      --version ${VERSION} \
      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
      --root ${ARCH_TARGET_DIRECTORY}/contents \
      --install-location /usr/local/bin \
      ${PKGNAME}
 fi
 # cleanup build directory because this script is not ran within containers,
 # which might lead to future issues in subsequent runs.
 rm -rf "${TARGET_DIRECTORY}"
--- a/.teamcity/mac/install-cloudflare-go.sh
+++ b/.teamcity/mac/install-cloudflare-go.sh
@ -0,0 +1,10 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
 ./.teamcity/install-cloudflare-go.sh
 export PATH="/tmp/go/bin:$PATH"
 go version
 which go
 go env
--- a/.teamcity/package-windows.sh
+++ b/.teamcity/package-windows.sh
@ -0,0 +1,19 @@
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
 export BUILT_ARTIFACT_DIR=built_artifacts/
 export FINAL_ARTIFACT_DIR=artifacts/
 mkdir -p $BUILT_ARTIFACT_DIR
 mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
    export TARGET_ARCH=$arch
    # Copy exe into final directory
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
    make cloudflared-msi
    # Copy msi into final directory
    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done
--- a/.teamcity/windows/builds.ps1
+++ b/.teamcity/windows/builds.ps1
@ -0,0 +1,28 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 # Relative path to working directory
 $CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
 cd $CloudflaredDirectory
 Write-Output "Building for amd64"
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 go env
 go version
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
 copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
 Write-Output "Building for 386"
 $env:CGO_ENABLED = 0
 $env:TARGET_ARCH = "386"
 make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
 copy .\cloudflared.exe .\cloudflared-windows-386.exe
--- a/.teamcity/windows/component-test.ps1
+++ b/.teamcity/windows/component-test.ps1
@ -0,0 +1,47 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 go env
 go version
 $env:TARGET_OS = "windows"
 $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 python --version
 python -m pip --version
 cd $CloudflaredDirectory
 go env
 go version
 Write-Output "Building cloudflared"
 & make cloudflared
 if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
 echo $LASTEXITCODE
 Write-Output "Running unit tests"
 # Not testing with race detector because of https://github.com/golang/go/issues/61058
 # We already test it on other platforms
 & go test -failfast -mod=vendor ./...
 if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 Write-Output "Running component tests"
 python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
 python component-tests/setup.py --type create
 python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
    python component-tests/setup.py --type cleanup
    throw "Failed component tests"
 }
 python component-tests/setup.py --type cleanup
--- a/.teamcity/windows/install-cloudflare-go.ps1
+++ b/.teamcity/windows/install-cloudflare-go.ps1
@ -0,0 +1,16 @@
 Set-StrictMode -Version Latest
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 Write-Output "Downloading cloudflare go..."
 Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
 # https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
 git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
 & ./make.bat
 Write-Output "Installed"
--- a/.teamcity/windows/install-go-msi.ps1
+++ b/.teamcity/windows/install-go-msi.ps1
@ -0,0 +1,20 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
 $GoMsiVersion = "go1.22.5.windows-amd64.msi"
 Write-Output "Downloading go installer..."
 Set-Location "$Env:Temp"
 (New-Object System.Net.WebClient).DownloadFile(
    "https://go.dev/dl/$GoMsiVersion",
    "$Env:Temp\$GoMsiVersion"
 )
 Write-Output "Installing go..."
 Install-Package "$Env:Temp\$GoMsiVersion" -Force
 # Go installer updates global $PATH
 go env
 Write-Output "Installed"
--- a/CHANGES.md
+++ b/CHANGES.md
@ -0,0 +1,360 @@
 ## 2024.10.0
 ### Bug Fixes
 - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
 ## 2023.9.0
 ### Notices
 - The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
 ## 2023.7.0
 ### New Features
 - You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
 ## 2023.4.1
 ### New Features
 - You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
 ## 2023.3.2
 ### Notices
 - Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
 ## 2023.3.1
 ### Breaking Change
 - Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
 ### Security Fixes
 - Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
 ### Bug Fixes
 - Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
 ## 2023.2.2
 ### Notices
 - Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
 - h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
 ## 2023.2.1
 ### Bug fixes
 - Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
 - cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
 - Fixed a bug introduced in the previous release where debug endpoints were removed.
 ## 2022.12.0
 ### Improvements
 - cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
 - cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
 - cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
 ## 2022.9.0
 ### New Features
 - cloudflared now rejects ingress rules with invalid http status codes for http_status.
 ## 2022.8.1
 ### New Features
 - cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
  protocol on connection failures.
 ## 2022.7.1
 ### New Features
 - It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
 ### Bug Fixes
 - Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
 ## 2022.4.0
 ### Bug Fixes
 - `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
 that allows to run the Tunnel.
 ## 2022.3.4
 ### New Features
 - It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
 achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
 Tunnels created with cloudflared version 2022.3.0 or more recent.
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
 behaviour in Windows and MacOS).
 ## 2022.3.3
 ### Bug Fixes
 - `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
 behaviour in MacOS).
 ## 2022.3.1
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
 ## 2022.3.0
 ### New Features
 - It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
 If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
 `unix+tls:/` for HTTPS.
 ## 2022.2.1
 ### New Features
 - This project now has a new LICENSE that is more compliant with open source purposes.
 ### Bug Fixes
 - Various fixes to the reliability of `quic` protocol.
 ## 2022.1.3
 ### New Features
 - New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
 can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
 made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
 ### Bug Fixes
 - Correctly handle proxying UDP datagrams with no payload.
 - Bug fix for origins that use Server-Sent Events (SSE).
 ## 2022.1.0
 ### Improvements
 - If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
 (such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
 protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
 no matter what.
 ### Bug Fixes
 - Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
 ## 2021.12.2
 ### Bug Fixes
 - Fix logging when `quic` transport is used and UDP traffic is proxied.
 - FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
 and amd64.
 ## 2021.12.1
 ### Bug Fixes
 - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
 methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
 FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
 ## 2021.12.0
 ### New Features
 - Cloudflared binary released for amd64 linux is now FIPS compliant.
 ### Improvements
 - Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
 Cloudflare edge that are active. Otherwise it logs `WARN` level.
 ### Bug Fixes
 - Fixes Github issue #501.
 ## 2021.11.0
 ### Improvements
 - Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or 
 egress rule.
 ## 2021.10.4
 ### Improvements
 - Collect quic transport metrics on RTT, packets and bytes transferred.
 ### Bug Fixes
 - Fix race condition that was writing to the connection after the http2 handler returns.
 ## 2021.9.2
 ### New features
 - `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
 run cloudflared with the `--protocol quic` flag. e.g:
    `cloudflared tunnel --protocol quic run <tunnel-name>`
 ### Bug Fixes
 - Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
 with `quic` protocol.
 - `cloudflared` docker images will now show version.
 ## 2021.8.4
 ### Improvements
 - Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels
 underneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee
 of uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update
 (to this version or more recent).
 ## 2021.8.2
 ### Improvements
 - Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).
 [Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates. 
 ## 2021.8.0
 ### Bug fixes
 - Prevents tunnel from accidentally running when only proxy-dns should run. 
 ### Improvements
 - If auto protocol transport lookup fails, we now default to a transport instead of not connecting.
 ## 2021.6.0
 ### Bug Fixes
 - Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.
 ## 2021.5.10
 ### Bug Fixes
 - Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.
 ## 2021.5.9
 ### New Features
 - Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.
 ### Bug Fixes
 - Fixes Centos-7 builds.
 ## 2021.5.8
 ### New Features
 - When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing
  DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc
  named tunnel, e.g.:
  - `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
  - `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
 ## 2021.5.7
 ### New Features
 - Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.
 ## 2021.5.0
 ### New Features
 - It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and
  is compatible with any client version that uses Named Tunnels.
  To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).
 - `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for
  detecting typos in your config.
 - If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs
  the pod has been granted, instead of trying to use every CPU available.
 ## 2021.4.0
 ### Bug Fixes
 - Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP
  packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).
 - `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).
 ## 2021.3.6
 ### Bug Fixes
 - Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because
  it was found to break in some cases.
 ## 2021.3.5
 ### Improvements
 - HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.
   This was previously done in a best attempt manner.
 ### Bug Fixes
 - The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.
 ## 2021.3.3
 ### Improvements
 - Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite
  existing files when writing tunnel credentials.
 ### Bug Fixes
 - Tunnel create and delete commands no longer use path to credentials from the configuration file.
  If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
 - Access ssh-gen creates properly named keys for SSH short lived certs.
 ## 2021.3.2
 ### New Features
 - It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via
  `cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats,
  such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`.
  You can obtain more information via `cloudflared tunnel info --help`.
 ### Bug Fixes
 - Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.
 - cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.
 ## 2021.3.0
 ### New Features
 - [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
  now show up in the `cloudflared tunnel route --help` output.
 - There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
  rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
  if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
  within it:
 ```
 ingress:
  - hostname: socks.example.com
    service: socks-proxy
    originRequest:
      ipRules:
        - prefix: 192.168.1.8/32
          allow: false
        - prefix: 192.168.1.0/24
          ports: [80, 443]
          allow: true
 ```
 ### Improvements
 - Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the
  command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as
  `cloudflared tunnel --config config.yaml run`
 - Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
  `no-autoupdate` is `true`.
 - Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
  user is required to authenticate with an Access policy redundantly.
 ### Bug Fixes
 - GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
 ## 2021.2.5
 ### New Features
 - We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in
  beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the
  Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services
  made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.
 ## 2021.2.4
 ### Bug Fixes
 - Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed
  to read URLs in configuration files.
 - cloudflared now logs the reason for failed connections if the error is recoverable.
 ## 2021.2.3
 ### Backward Incompatible Changes
 - Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions
  of cloudflared that predate this release and include support for db-connect.
 ### New Features
 - Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).
 ### Improvements
 - (reverted) Nested command line argument handling.
 ### Bug Fixes
 - The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared
  exhausting CPU usage when faced with connectivity issues.
--- a/33
+++ b/33
@ -0,0 +1,33 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
 FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0 \
    TARGET_GOOS=${TARGET_GOOS} \
    TARGET_GOARCH=${TARGET_GOARCH}
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian11:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -0,0 +1,29 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian11:nonroot
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@ -0,0 +1,29 @@
 # use a builder image for building cloudflare
 FROM golang:1.22.5 as builder
 ENV GO111MODULE=on \
    CGO_ENABLED=0
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 RUN .teamcity/install-cloudflare-go.sh
 # compile cloudflared
 RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian11:nonroot-arm64
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
 # run as non-privileged user
 USER nonroot
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -1,466 +0,0 @@
 # This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
 [[projects]]
  name = "github.com/BurntSushi/toml"
  packages = ["."]
  revision = "b26d9c308763d68093482582cea63d69be07a0f0"
  version = "v0.3.0"
 [[projects]]
  branch = "master"
  name = "github.com/beorn7/perks"
  packages = ["quantile"]
  revision = "3a771d992973f24aa725d07868b467d1ddfceafb"
 [[projects]]
  name = "github.com/certifi/gocertifi"
  packages = ["."]
  revision = "deb3ae2ef2610fde3330947281941c562861188b"
  version = "2018.01.18"
 [[projects]]
  branch = "master"
  name = "github.com/cloudflare/brotli-go"
  packages = ["."]
  revision = "18c9f6c67e3dfc12e0ddaca748d2887f97a7ac28"
 [[projects]]
  branch = "master"
  name = "github.com/coredns/coredns"
  packages = [
    "core/dnsserver",
    "coremain",
    "pb",
    "plugin",
    "plugin/cache",
    "plugin/cache/freq",
    "plugin/etcd/msg",
    "plugin/metrics",
    "plugin/metrics/vars",
    "plugin/pkg/cache",
    "plugin/pkg/dnstest",
    "plugin/pkg/dnsutil",
    "plugin/pkg/doh",
    "plugin/pkg/edns",
    "plugin/pkg/fuzz",
    "plugin/pkg/log",
    "plugin/pkg/nonwriter",
    "plugin/pkg/rcode",
    "plugin/pkg/response",
    "plugin/pkg/trace",
    "plugin/pkg/uniq",
    "plugin/pkg/watch",
    "plugin/test",
    "request"
  ]
  revision = "992e7928c7c258628d2b13b769acc86781b9faea"
 [[projects]]
  branch = "master"
  name = "github.com/coreos/go-oidc"
  packages = [
    "http",
    "jose",
    "key",
    "oauth2",
    "oidc"
  ]
  revision = "a93f71fdfe73d2c0f5413c0565eea0af6523a6df"
 [[projects]]
  name = "github.com/coreos/go-systemd"
  packages = ["daemon"]
  revision = "39ca1b05acc7ad1220e09f133283b8859a8b71ab"
  version = "v17"
 [[projects]]
  name = "github.com/coreos/pkg"
  packages = [
    "health",
    "httputil",
    "timeutil"
  ]
  revision = "97fdf19511ea361ae1c100dd393cc47f8dcfa1e1"
  version = "v4"
 [[projects]]
  name = "github.com/davecgh/go-spew"
  packages = ["spew"]
  revision = "346938d642f2ec3594ed81d874461961cd0faa76"
  version = "v1.1.0"
 [[projects]]
  branch = "master"
  name = "github.com/elgs/gosqljson"
  packages = ["."]
  revision = "027aa4915315a0b2825c0f025cea347829b974fa"
 [[projects]]
  branch = "master"
  name = "github.com/equinox-io/equinox"
  packages = [
    ".",
    "internal/go-update",
    "internal/go-update/internal/binarydist",
    "internal/go-update/internal/osext",
    "internal/osext",
    "proto"
  ]
  revision = "f24972fa72facf59d05c91c848b65eac38815915"
 [[projects]]
  branch = "master"
  name = "github.com/facebookgo/grace"
  packages = ["gracenet"]
  revision = "75cf19382434e82df4dd84953f566b8ad23d6e9e"
 [[projects]]
  branch = "master"
  name = "github.com/flynn/go-shlex"
  packages = ["."]
  revision = "3f9db97f856818214da2e1057f8ad84803971cff"
 [[projects]]
  branch = "master"
  name = "github.com/getsentry/raven-go"
  packages = ["."]
  revision = "ed7bcb39ff10f39ab08e317ce16df282845852fa"
 [[projects]]
  branch = "master"
  name = "github.com/golang-collections/collections"
  packages = ["queue"]
  revision = "604e922904d35e97f98a774db7881f049cd8d970"
 [[projects]]
  name = "github.com/golang/protobuf"
  packages = [
    "proto",
    "ptypes",
    "ptypes/any",
    "ptypes/duration",
    "ptypes/timestamp"
  ]
  revision = "b4deda0973fb4c70b50d226b1af49f3da59f5265"
  version = "v1.1.0"
 [[projects]]
  name = "github.com/google/uuid"
  packages = ["."]
  revision = "064e2069ce9c359c118179501254f67d7d37ba24"
  version = "0.2"
 [[projects]]
  name = "github.com/gorilla/context"
  packages = ["."]
  revision = "08b5f424b9271eedf6f9f0ce86cb9396ed337a42"
  version = "v1.1.1"
 [[projects]]
  name = "github.com/gorilla/mux"
  packages = ["."]
  revision = "e3702bed27f0d39777b0b37b664b6280e8ef8fbf"
  version = "v1.6.2"
 [[projects]]
  name = "github.com/gorilla/websocket"
  packages = ["."]
  revision = "ea4d1f681babbce9545c9c5f3d5194a789c89f5b"
  version = "v1.2.0"
 [[projects]]
  branch = "master"
  name = "github.com/grpc-ecosystem/grpc-opentracing"
  packages = ["go/otgrpc"]
  revision = "8e809c8a86450a29b90dcc9efbf062d0fe6d9746"
 [[projects]]
  name = "github.com/jonboulle/clockwork"
  packages = ["."]
  revision = "2eee05ed794112d45db504eb05aa693efd2b8b09"
  version = "v0.1.0"
 [[projects]]
  branch = "master"
  name = "github.com/lib/pq"
  packages = [
    ".",
    "oid"
  ]
  revision = "90697d60dd844d5ef6ff15135d0203f65d2f53b8"
 [[projects]]
  name = "github.com/mattn/go-colorable"
  packages = ["."]
  revision = "167de6bfdfba052fa6b2d3664c8f5272e23c9072"
  version = "v0.0.9"
 [[projects]]
  name = "github.com/mattn/go-isatty"
  packages = ["."]
  revision = "0360b2af4f38e8d38c7fce2a9f4e702702d73a39"
  version = "v0.0.3"
 [[projects]]
  name = "github.com/matttproud/golang_protobuf_extensions"
  packages = ["pbutil"]
  revision = "c12348ce28de40eed0136aa2b644d0ee0650e56c"
  version = "v1.0.1"
 [[projects]]
  branch = "master"
  name = "github.com/mholt/caddy"
  packages = [
    ".",
    "caddyfile",
    "telemetry"
  ]
  revision = "d3b731e9255b72d4571a5aac125634cf1b6031dc"
 [[projects]]
  name = "github.com/miekg/dns"
  packages = ["."]
  revision = "5a2b9fab83ff0f8bfc99684bd5f43a37abe560f1"
  version = "v1.0.8"
 [[projects]]
  branch = "master"
  name = "github.com/mitchellh/go-homedir"
  packages = ["."]
  revision = "3864e76763d94a6df2f9960b16a20a33da9f9a66"
 [[projects]]
  name = "github.com/opentracing/opentracing-go"
  packages = [
    ".",
    "ext",
    "log"
  ]
  revision = "1949ddbfd147afd4d964a9f00b24eb291e0e7c38"
  version = "v1.0.2"
 [[projects]]
  name = "github.com/pkg/errors"
  packages = ["."]
  revision = "645ef00459ed84a119197bfb8d8205042c6df63d"
  version = "v0.8.0"
 [[projects]]
  name = "github.com/pmezard/go-difflib"
  packages = ["difflib"]
  revision = "792786c7400a136282c1664665ae0a8db921c6c2"
  version = "v1.0.0"
 [[projects]]
  name = "github.com/prometheus/client_golang"
  packages = [
    "prometheus",
    "prometheus/promhttp"
  ]
  revision = "967789050ba94deca04a5e84cce8ad472ce313c1"
  version = "v0.9.0-pre1"
 [[projects]]
  branch = "master"
  name = "github.com/prometheus/client_model"
  packages = ["go"]
  revision = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c"
 [[projects]]
  branch = "master"
  name = "github.com/prometheus/common"
  packages = [
    "expfmt",
    "internal/bitbucket.org/ww/goautoneg",
    "model"
  ]
  revision = "7600349dcfe1abd18d72d3a1770870d9800a7801"
 [[projects]]
  branch = "master"
  name = "github.com/prometheus/procfs"
  packages = [
    ".",
    "internal/util",
    "nfs",
    "xfs"
  ]
  revision = "ae68e2d4c00fed4943b5f6698d504a5fe083da8a"
 [[projects]]
  name = "github.com/rifflock/lfshook"
  packages = ["."]
  revision = "bf539943797a1f34c1f502d07de419b5238ae6c6"
  version = "v2.3"
 [[projects]]
  name = "github.com/sirupsen/logrus"
  packages = ["."]
  revision = "c155da19408a8799da419ed3eeb0cb5db0ad5dbc"
  version = "v1.0.5"
 [[projects]]
  name = "github.com/stretchr/testify"
  packages = ["assert"]
  revision = "f35b8ab0b5a2cef36673838d662e249dd9c94686"
  version = "v1.2.2"
 [[projects]]
  branch = "master"
  name = "golang.org/x/crypto"
  packages = [
    "curve25519",
    "ed25519",
    "ed25519/internal/edwards25519",
    "internal/subtle",
    "nacl/box",
    "nacl/secretbox",
    "poly1305",
    "salsa20/salsa",
    "ssh/terminal"
  ]
  revision = "a49355c7e3f8fe157a85be2f77e6e269a0f89602"
 [[projects]]
  branch = "master"
  name = "golang.org/x/net"
  packages = [
    "bpf",
    "context",
    "http/httpguts",
    "http2",
    "http2/hpack",
    "idna",
    "internal/iana",
    "internal/socket",
    "internal/timeseries",
    "ipv4",
    "ipv6",
    "trace",
    "websocket"
  ]
  revision = "32a936f46389aa10549d60bd7833e54b01685d09"
 [[projects]]
  branch = "master"
  name = "golang.org/x/sync"
  packages = ["errgroup"]
  revision = "1d60e4601c6fd243af51cc01ddf169918a5407ca"
 [[projects]]
  branch = "master"
  name = "golang.org/x/sys"
  packages = [
    "unix",
    "windows",
    "windows/registry",
    "windows/svc",
    "windows/svc/eventlog",
    "windows/svc/mgr"
  ]
  revision = "ce36f3865eeb42541ce3f87f32f8462c5687befa"
 [[projects]]
  name = "golang.org/x/text"
  packages = [
    "collate",
    "collate/build",
    "internal/colltab",
    "internal/gen",
    "internal/tag",
    "internal/triegen",
    "internal/ucd",
    "language",
    "secure/bidirule",
    "transform",
    "unicode/bidi",
    "unicode/cldr",
    "unicode/norm",
    "unicode/rangetable"
  ]
  revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0"
  version = "v0.3.0"
 [[projects]]
  branch = "master"
  name = "google.golang.org/genproto"
  packages = ["googleapis/rpc/status"]
  revision = "ff3583edef7de132f219f0efc00e097cabcc0ec0"
 [[projects]]
  name = "google.golang.org/grpc"
  packages = [
    ".",
    "balancer",
    "balancer/base",
    "balancer/roundrobin",
    "codes",
    "connectivity",
    "credentials",
    "encoding",
    "encoding/proto",
    "grpclog",
    "internal",
    "internal/backoff",
    "internal/channelz",
    "internal/grpcrand",
    "keepalive",
    "metadata",
    "naming",
    "peer",
    "resolver",
    "resolver/dns",
    "resolver/passthrough",
    "stats",
    "status",
    "tap",
    "transport"
  ]
  revision = "168a6198bcb0ef175f7dacec0b8691fc141dc9b8"
  version = "v1.13.0"
 [[projects]]
  branch = "altsrc-parse-durations"
  name = "gopkg.in/urfave/cli.v2"
  packages = [
    ".",
    "altsrc"
  ]
  revision = "d604b6ffeee878fbf084fd2761466b6649989cee"
  source = "https://github.com/cbranch/cli"
 [[projects]]
  name = "gopkg.in/yaml.v2"
  packages = ["."]
  revision = "5420a8b6744d3b0345ab293f6fcba19c978f1183"
  version = "v2.2.1"
 [[projects]]
  name = "zombiezen.com/go/capnproto2"
  packages = [
    ".",
    "encoding/text",
    "internal/fulfiller",
    "internal/nodemap",
    "internal/packed",
    "internal/queue",
    "internal/schema",
    "internal/strquote",
    "pogs",
    "rpc",
    "rpc/internal/refcount",
    "schemas",
    "server",
    "std/capnp/rpc"
  ]
  revision = "7cfd211c19c7f5783c695f3654efa46f0df259c3"
  source = "https://github.com/zombiezen/go-capnproto2"
  version = "v2.17.1"
 [solve-meta]
  analyzer-name = "dep"
  analyzer-version = 1
  inputs-digest = "ee681bef3527e49801c841e313f98b40116eafe8b60be21273956eeb96487486"
  solver-name = "gps-cdcl"
  solver-version = 1
--- a/Gopkg.toml
+++ b/Gopkg.toml
@ -1,75 +0,0 @@
 [prune]
  go-tests = true
  unused-packages = true
  [[prune.project]]
    name = "github.com/cloudflare/brotli-go"
    unused-packages = false
 [[constraint]]
  name = "github.com/facebookgo/grace"
  branch = "master"
 [[constraint]]
  name = "github.com/getsentry/raven-go"
  branch = "master"
 [[constraint]]
  name = "github.com/pkg/errors"
  version = "0.8.0"
 [[constraint]]
  name = "github.com/prometheus/client_golang"
  version = "0.9.0-pre1"
 [[constraint]]
  name = "github.com/sirupsen/logrus"
  version = "1.0.3"
 [[constraint]]
  name = "github.com/stretchr/testify"
  version = "1.2.1"
 [[constraint]]
  name = "golang.org/x/net"
  branch = "master"
 [[constraint]]
  name = "golang.org/x/sync"
  branch = "master"
 [[constraint]]
  name = "gopkg.in/urfave/cli.v2"
  source = "https://github.com/cbranch/cli"
  branch = "altsrc-parse-durations"
 [[constraint]]
  name = "zombiezen.com/go/capnproto2"
  source = "https://github.com/zombiezen/go-capnproto2"
  version = "2.17.1"
 [[constraint]]
  name = "github.com/gorilla/websocket"
  version = "1.2.0"
 [[constraint]]
  name = "github.com/coredns/coredns"
  branch = "master"
 [[constraint]]
  name = "github.com/cloudflare/brotli-go"
  branch = "master"
 [[override]]
  name = "github.com/mholt/caddy"
  branch = "master"
 [[constraint]]
  branch = "master"
  name = "github.com/coreos/go-oidc"
 [[constraint]]
  branch = "master"
  name = "golang.org/x/crypto"
--- a/313
+++ b/313
@ -1,155 +1,202 @@
 SERVICES AGREEMENT
-Your installation of this software is symbol of your signature indicating that
+                                 Apache License
-you accept the terms of this Services Agreement (this "Agreement").  This
+                           Version 2.0, January 2004
-Agreement is a legal agreement between you (either an individual or a single
+                        http://www.apache.org/licenses/
 entity) and CloudFlare, Inc. for the services being provided to you by
 CloudFlare or its authorized representative (the "Services"), including any
 computer software and any associated media, printed materials, and "online" or
 electronic documentation provided in connection with the Services (the
 "Software" and together with the Services are hereinafter collectively referred
 to as the "Solution").  If the user is not an individual, then "you" means your
 company, its officers, members, employees, agents, representatives, successors
 and assigns.  BY USING THE SOLUTION, YOU ARE INDICATING THAT YOU HAVE READ, AND
 AGREE TO BE BOUND BY, THE POLICIES, TERMS, AND CONDITIONS SET FORTH BELOW IN
 THEIR ENTIRETY WITHOUT LIMITATION OR QUALIFICATION, AS WELL AS BY ALL APPLICABLE
 LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN YOUR NAME ON A CONTRACT.  IF YOU
 DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT USE THE SOLUTION.
-1.    GRANT OF RIGHTS
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-1.1	Grant of License.  The Solution is licensed by CloudFlare and its
+   1. Definitions.
 licensors, not sold.  Subject to the terms and conditions of this Agreement,
 CloudFlare hereby grants you a nonexclusive, nonsublicensable, nontransferable
 license to use the Solution.  You may examine source code, if provided to you,
 solely for the limited purpose of evaluating the Software for security flaws.
 You may also use the Service to create derivative works which are exclusively
 compatible with any CloudFlare product serviceand no other product or service.
 This license applies to the parts of the Solution developed by CloudFlare.  The
 Solution may also incorporate externally maintained libraries and other open software.
 These resources may be governed by other licenses.
-1.2	Restrictions.  The license granted herein is granted solely to you and
+      "License" shall mean the terms and conditions for use, reproduction,
-not, by implication or otherwise, to any of your parents, subsidiaries or
+      and distribution as defined by Sections 1 through 9 of this document.
 affiliates.  No right is granted hereunder to use the Solution to perform
 services for third parties. All rights not expressly granted hereunder are
 reserved to CloudFlare.  You may not use the Solution except as explicitly
 permitted under this Agreement.  You are expressly prohibited from modifying,
 adapting, translating, preparing derivative works from, decompiling, reverse
 engineering, disassembling or otherwise attempting to derive source code from
 the Software used to provide the Services or any internal data files generated
 by the Solution.  You are also prohibited from removing, obscuring or altering
 any copyright notice, trademarks, or other proprietary rights notices affixed to
 or associated with the Solution.
-1.3	Ownership.  As between the parties, CloudFlare and/or its licensors own
+      "Licensor" shall mean the copyright owner or entity authorized by
-and shall retain all right, title, and interest in and to the Solution,
+      the copyright owner that is granting the License.
 including any and all technology embodied therein, including all copyrights,
 patents, trade secrets, trade dress and other proprietary rights associated
 therewith, and any derivative works created there from.
-2.	LIMITATION OF LIABILITY
+      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.
-YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT DOWNLOADING THE SOFTWARE IS AT YOUR
+      "You" (or "Your") shall mean an individual or Legal Entity
-SOLE RISK.  THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND
+      exercising permissions granted by this License.
 AND CLOUDFLARE, ITS LICENSORS AND ITS AUTHORIZED REPRESENTATIVES (TOGETHER FOR
 PURPOSES HEREOF, "CLOUDFLARE") EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR
 IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  CLOUDFLARE DOES NOT
 WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR
 REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR
 ERROR-FREE, OR THAT DEFECTS IN THE SOFTWARE WILL BE CORRECTED.  FURTHERMORE,
 CLOUDFLARE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE SOFTWARE
 OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY,
 OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CLOUDFLARE SHALL
 CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY.
-3.	CONFIDENTIALITY
+      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.
-It may be necessary during the set up and performance of the Solution for the
+      "Object" form shall mean any form resulting from mechanical
-parties to exchange Confidential Information. "Confidential Information" means
+      transformation or translation of a Source form, including but
-any information whether oral, or written, of a private, secret, proprietary or
+      not limited to compiled object code, generated documentation,
-confidential nature, concerning either party or its business operations,
+      and conversions to other media types.
 including without limitation: (a) your data and (b) CloudFlare's access control
 systems, specialized network equipment and techniques related to the Solution,
 use policies, which include trade secrets of CloudFlare and its licensors. Each
 party agrees to use the same degree of care to protect the confidentiality of
 the Confidential Information of the other party and to prevent its unauthorized
 use or dissemination as it uses to protect its own Confidential Information of a
 similar nature, but in no event shall exercise less than due diligence and
 reasonable care. Each party agrees to use the Confidential Information of the
 other party only for purposes related to the performance of this Agreement. All
 Confidential Information remains the property of the party disclosing the
 information and no license or other rights to Confidential Information is
 granted or implied hereby.
-4.	TERM AND TERMINATION
+      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).
-4.1	Term.  This Agreement shall be effective upon download or install of the
+      "Derivative Works" shall mean any work, whether in Source or Object
-Software.
+      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.
-4.2	Termination. This Agreement may be terminated by CloudFlare or its
+      "Contribution" shall mean any work of authorship, including
-authorized representative by written notice to you if any of the following
+      the original version of the Work and any modifications or additions
-events occur:  (i) you fail to pay any amounts due for the Services and the
+      to that Work or Derivative Works thereof, that is intentionally
-Solution when due and after written notice of such nonpayment has been given to
+      submitted to Licensor for inclusion in the Work by the copyright owner
-you; (ii) you are in material breach of any term, condition, or provision of
+      or by an individual or Legal Entity authorized to submit on behalf of
-this Agreement or any other agreement executed by you with CloudFlare or its
+      the copyright owner. For the purposes of this definition, "submitted"
-authorized representative in connection with the provision of the Solution and
+      means any form of electronic, verbal, or written communication sent
-Services (a "Related Agreement"); or (iii) you terminate or suspend your
+      to the Licensor or its representatives, including but not limited to
-business, becomes subject to any bankruptcy or insolvency proceeding under
+      communication on electronic mailing lists, source code control systems,
-federal or state statutes, or become insolvent or subject to direct control by a
+      and issue tracking systems that are managed by, or on behalf of, the
-trustee, receiver or similar authority.
+      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."
-4.3	Effect of Termination.  Upon the termination of this Agreement for any
+      "Contributor" shall mean Licensor and any individual or Legal Entity
-reason: (1) all license rights granted hereunder shall terminate and (2) all
+      on behalf of whom a Contribution has been received by Licensor and
-Confidential Information shall be returned to the disclosing party or destroyed.
+      subsequently incorporated within the Work.
-5.	MISCELLANEOUS
+   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.
-5.1	Assignment.  You may not assign any of your rights or delegate any of
+   3. Grant of Patent License. Subject to the terms and conditions of
-your obligations under this Agreement, whether by operation of law or otherwise,
+      this License, each Contributor hereby grants to You a perpetual,
-without the prior express written consent of CloudFlare or its authorized
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-representative.  Any such assignment without the prior express written consent
+      (except as stated in this section) patent license to make, have made,
-of CloudFlare or its authorized representative shall be void.  Subject to the
+      use, offer to sell, sell, import, and otherwise transfer the Work,
-foregoing, this Agreement will bind and inure to the benefit of the parties,
+      where such license applies only to those patent claims licensable
-their respective successors and permitted assigns.
+      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.
-5.2	Waiver and Amendment.  No modification, amendment or waiver of any
+   4. Redistribution. You may reproduce and distribute copies of the
-provision of this Agreement shall be effective unless in writing and signed by
+      Work or Derivative Works thereof in any medium, with or without
-the party to be charged.  No failure or delay by either party in exercising any
+      modifications, and in Source or Object form, provided that You
-right, power, or remedy under this Agreement, except as specifically provided
+      meet the following conditions:
 herein, shall operate as a waiver of any such right, power or remedy.  Without
 limiting the foregoing, terms and conditions on any purchase orders or similar
 materials submitted by you to CloudFlare or its authorized representative shall
 be of no force or effect.
-5.3	Governing Law.  This Agreement shall be governed by the laws of the State
+      (a) You must give any other recipients of the Work or
-of California, USA, excluding conflict of laws and provisions, and excluding the
+          Derivative Works a copy of this License; and
 United Nations Convention on Contracts for the International Sale of Goods.
-5.4	Notices.  All notices, demands or consents required or permitted under
+      (b) You must cause any modified files to carry prominent notices
-this Agreement shall be in writing.  Notice shall be sent to you at the e-mail
+          stating that You changed the files; and
 address provided by you to CloudFlare or its authorized representative in
 connection with the Solution.
-5.5	Independent Contractors. The parties are independent contractors.
+      (c) You must retain, in the Source form of any Derivative Works
-Neither party shall be deemed to be an employee, agent, partner or legal
+          that You distribute, all copyright, patent, trademark, and
-representative of the other for any purpose and neither shall have any right,
+          attribution notices from the Source form of the Work,
-power or authority to create any obligation or responsibility on behalf of the
+          excluding those notices that do not pertain to any part of
-other.
+          the Derivative Works; and
-5.6	Severability.  If any provision of this Agreement is held by a court of
+      (d) If the Work includes a "NOTICE" text file as part of its
-competent jurisdiction to be contrary to law, such provision shall be changed
+          distribution, then any Derivative Works that You distribute must
-and interpreted so as to best accomplish the objectives of the original
+          include a readable copy of the attribution notices contained
-provision to the fullest extent allowed by law and the remaining provisions of
+          within such NOTICE file, excluding those notices that do not
-this Agreement shall remain in full force and effect.
+          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.
-5.7	Force Majeure.  CloudFlare shall not be liable to the other party for any
+      You may add Your own copyright statement to Your modifications and
-failure or delay in performance caused by reasons beyond its reasonable control.
+      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.
-5.8	Complete Understanding.  This Agreement and the Related Agreement
+   5. Submission of Contributions. Unless You explicitly state otherwise,
-constitute the final, complete and exclusive agreement between the parties with
+      any Contribution intentionally submitted for inclusion in the Work
-respect to the subject matter hereof, and supersedes all previous written and
+      by You to the Licensor shall be under the terms and conditions of
-oral agreements and communications related to the subject matter of this
+      this License, without any additional terms or conditions.
-Agreement.  To the extent this Agreement and the Related Agreement conflict,
+      Notwithstanding the above, nothing herein shall supersede or modify
-this Agreement shall control.
+      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.
   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.
   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.
   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.
   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
   END OF TERMS AND CONDITIONS
   APPENDIX: How to apply the Apache License to your work.
      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.
   Copyright [yyyy] [name of copyright owner]
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       http://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/263
+++ b/263
@ -1,25 +1,123 @@
-VERSION       := $(shell git describe --tags --always --dirty="-dev")
+# The targets cannot be run in parallel
 .NOTPARALLEL:
 VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 ifeq ($(ORIGINAL_NAME), true)
 	# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.
 	BINARY_NAME := cloudflared
 else ifeq ($(FIPS), true)
 	# Used for FIPS compliant builds that do not match the case above.
 	BINARY_NAME := cloudflared-fips
 else
 	# Used for all other (non-FIPS) builds.
 	BINARY_NAME := cloudflared
 endif
 ifeq ($(NIGHTLY), true)
 	DEB_PACKAGE_NAME := $(BINARY_NAME)-nightly
 	NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
 else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
 DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
+VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
-
+ifdef PACKAGE_MANAGER
-IMPORT_PATH   := github.com/cloudflare/cloudflared
+	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 PACKAGE_DIR   := $(CURDIR)/packaging
 INSTALL_BINDIR := usr/local/bin
 EQUINOX_FLAGS = --version="$(VERSION)" \
 				 --platforms="$(EQUINOX_BUILD_PLATFORMS)" \
 				 --app="$(EQUINOX_APP_ID)" \
 				 --token="$(EQUINOX_TOKEN)" \
 				 --channel="$(EQUINOX_CHANNEL)"
 ifeq ($(EQUINOX_IS_DRAFT), true)
 	EQUINOX_FLAGS := --draft $(EQUINOX_FLAGS)
 endif
-ifeq ($(GOARCH),)
+LINK_FLAGS :=
-	GOARCH := amd64
+ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
 	# Prevent linking with libc regardless of CGO enabled or not.
 	GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS"
 endif
 LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
 ifneq ($(GO_BUILD_TAGS),)
 	GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
 endif
 ifeq ($(debug), 1)
 	GO_BUILD_TAGS += -gcflags="all=-N -l"
 endif
 IMPORT_PATH    := github.com/cloudflare/cloudflared
 PACKAGE_DIR    := $(CURDIR)/packaging
 PREFIX         := /usr
 INSTALL_BINDIR := $(PREFIX)/bin/
 INSTALL_MANDIR := $(PREFIX)/share/man/man1/
 CF_GO_PATH     := /tmp/go
 PATH           := $(CF_GO_PATH)/bin:$(PATH)
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
    TARGET_ARCH ?= $(GOARCH)
 else ifeq ($(LOCAL_ARCH),x86_64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),amd64)
    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),i686)
    TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
    TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),aarch64)
    TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),arm64)
    TARGET_ARCH ?= arm64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
    TARGET_ARCH ?= arm
 else ifeq ($(LOCAL_ARCH),s390x)
    TARGET_ARCH ?= s390x
 else
    $(error This system's architecture $(LOCAL_ARCH) isn't supported)
 endif
 LOCAL_OS ?= $(shell go env GOOS)
 ifeq ($(LOCAL_OS),linux)
    TARGET_OS ?= linux
 else ifeq ($(LOCAL_OS),darwin)
    TARGET_OS ?= darwin
 else ifeq ($(LOCAL_OS),windows)
    TARGET_OS ?= windows
 else ifeq ($(LOCAL_OS),freebsd)
    TARGET_OS ?= freebsd
 else ifeq ($(LOCAL_OS),openbsd)
    TARGET_OS ?= openbsd
 else
    $(error This system's OS $(LOCAL_OS) isn't supported)
 endif
 ifeq ($(TARGET_OS), windows)
 	EXECUTABLE_PATH=./$(BINARY_NAME).exe
 else
 	EXECUTABLE_PATH=./$(BINARY_NAME)
 endif
 ifeq ($(FLAVOR), centos-7)
 	TARGET_PUBLIC_REPO ?= el7
 else
 	TARGET_PUBLIC_REPO ?= $(FLAVOR)
 endif
 ifneq ($(TARGET_ARM), )
 	ARM_COMMAND := GOARM=$(TARGET_ARM)
 endif
 ifeq ($(TARGET_ARM), 7) 
 	PACKAGE_ARCH := armhf
 else
 	PACKAGE_ARCH := $(TARGET_ARCH)
 endif
 #for FIPS compliance, FPM defaults to MD5.
 RPM_DIGEST := --rpm-digest sha256
 .PHONY: all
 all: cloudflared test
@ -29,41 +127,116 @@ clean:
 .PHONY: cloudflared
 cloudflared:
-	go build -v $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
+ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
 	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
 endif
 	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
 	rm -f cmd/cloudflared/fips.go
 	./check-fips.sh cloudflared
 endif
 .PHONY: container
 container:
 	docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
 .PHONY: generate-docker-version
 generate-docker-version:
 	echo latest $(VERSION) > versions
 .PHONY: test
-test:
+test: vet
-	go test -v -race $(VERSION_FLAGS) ./...
+ifndef CI
 	go test -v -mod=vendor -race $(LDFLAGS) ./...
 else
 	@mkdir -p .cover
 	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
 endif
-.PHONY: cloudflared-deb
+.PHONY: cover
-cloudflared-deb: cloudflared
+cover:
 	@echo ""
 	@echo "=====> Total test coverage: <====="
 	@echo ""
 	# Print the overall coverage here for quick access.
 	$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
 .PHONY: install-go
 install-go:
 	rm -rf ${CF_GO_PATH}
 	./.teamcity/install-cloudflare-go.sh
 .PHONY: cleanup-go
 cleanup-go:
 	rm -rf ${CF_GO_PATH}
 cloudflared.1: cloudflared_man_template
 	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
 install: install-go cloudflared cloudflared.1 cleanup-go
 	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
 	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
 	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
 # When we build packages, the package name will be FIPS-aware.
 # But we keep the binary installed by it to be named "cloudflared" regardless.
 define build_package
 	mkdir -p $(PACKAGE_DIR)
 	cp cloudflared $(PACKAGE_DIR)/cloudflared
-	fakeroot fpm -C $(PACKAGE_DIR) -s dir -t deb --deb-compression bzip2 \
+	cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
-		-a $(GOARCH) -v $(VERSION) -n cloudflared cloudflared=/usr/local/bin/
+	fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
 		--description 'Cloudflare Tunnel daemon' \
 		--vendor 'Cloudflare' \
 		--license 'Apache License Version 2.0' \
 		--url 'https://github.com/cloudflare/cloudflared' \
 		-m 'Cloudflare <support@cloudflare.com>' \
 	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
 		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
 endef
-.PHONY: cloudflared-darwin-amd64.tgz
+.PHONY: cloudflared-deb
-cloudflared-darwin-amd64.tgz: cloudflared
+cloudflared-deb: cloudflared cloudflared.1
-	tar czf cloudflared-darwin-amd64.tgz cloudflared
+	$(call build_package,deb)
 	rm cloudflared
-.PHONY: homebrew-upload
+.PHONY: cloudflared-rpm
-homebrew-upload: cloudflared-darwin-amd64.tgz
+cloudflared-rpm: cloudflared cloudflared.1
-	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
+	$(call build_package,rpm)
 	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
 .PHONY: homebrew-release 
 homebrew-release: homebrew-upload
 	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
-.PHONY: release
+.PHONY: cloudflared-pkg
-release: bin/equinox
+cloudflared-pkg: cloudflared cloudflared.1
-	bin/equinox release $(EQUINOX_FLAGS) -- $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
+	$(call build_package,osxpkg)
-bin/equinox:
+.PHONY: cloudflared-msi
-	mkdir -p bin
+cloudflared-msi:
-	curl -s https://bin.equinox.io/c/75JtLRTsJ3n/release-tool-beta-$(EQUINOX_PLATFORM).tgz | tar xz -C bin/
+	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
-.PHONY: tunnel-deps
+.PHONY: github-release-dryrun
-tunnel-deps:
+github-release-dryrun:
-	capnp compile -ogo -I ./tunnelrpc tunnelrpc/tunnelrpc.capnp
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
 .PHONY: github-release
 github-release:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
 	python3 github_message.py --release-version $(VERSION)
 .PHONY: r2-linux-release
 r2-linux-release:
 	python3 ./release_pkgs.py
 .PHONY: capnp
 capnp:
 	which capnp  # https://capnproto.org/install.html
 	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
 	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
 .PHONY: vet
 vet:
 	go vet -mod=vendor github.com/cloudflare/cloudflared/...
 .PHONY: fmt
 fmt:
 	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
--- a/README.md
+++ b/README.md
@ -1,9 +1,58 @@
-# Argo Tunnel client
+# Cloudflare Tunnel client
-Contains the command-line client and its libraries for Argo Tunnel, a tunneling daemon that proxies any local webserver through the Cloudflare network.
+Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
 This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
 via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
 Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
 All usages related with proxying to your origins are available under `cloudflared tunnel help`.
-## Getting started
+You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
 at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
 Such usages are available under `cloudflared access help`.
-    go install github.com/cloudflare/cloudflared/cmd/cloudflared
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
 to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
-User documentation for Argo Tunnel can be found at https://developers.cloudflare.com/argo-tunnel/
+
 ## Before you get started
 Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
 website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
 routing), but for legacy reasons this requirement is still necessary:
 1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
 2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 ## Installing `cloudflared`
 Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
 * You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
 * Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
 * You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
 * To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
 User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 ## Creating Tunnels and routing traffic
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
 * Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
 * Route traffic to that Tunnel:
  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
 ## TryCloudflare
 Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
 ## Deprecated versions
 Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
--- a/1714
+++ b/1714
--- a/build-packages-fips.sh
+++ b/build-packages-fips.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 arch=("amd64")
 export TARGET_ARCH=$arch
 export TARGET_OS=linux
 export FIPS=true
 # For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
 export CGO_ENABLED=1
 make cloudflared-deb
 mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
 # rpm packages invert the - and _ and use x86_64 instead of amd64.
 RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
 RPMARCH="x86_64"
 make cloudflared-rpm
 mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
 # finally move the linux binary as well.
 mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch
--- a/build-packages.sh
+++ b/build-packages.sh
@ -0,0 +1,48 @@
 #!/bin/bash
 VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 # Disable FIPS module in go-boring
 export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 # This controls the directory the built artifacts go into
 export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
 export TARGET_OS=linux
 for arch in ${linuxArchs[@]}; do
    unset TARGET_ARM
    export TARGET_ARCH=$arch
    ## Support for arm platforms without hardware FPU enabled
    if [[ $arch == arm ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=5
    fi
    ## Support for armhf builds 
    if [[ $arch == armhf ]] ; then
        export TARGET_ARCH=arm
        export TARGET_ARM=7 
    fi
    make cloudflared-deb
    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
    # rpm packages invert the - and _ and use x86_64 instead of amd64.
    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
    RPMARCH=$arch
    if [ $arch == "amd64" ];then
        RPMARCH="x86_64"
    fi
    if [ $arch == "arm64" ]; then
        RPMARCH="aarch64"
    fi
    make cloudflared-rpm
    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
    # finally move the linux binary as well.
    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
 done
--- a/carrier/carrier.go
+++ b/carrier/carrier.go
@ -1,25 +1,47 @@
-//Package carrier provides a WebSocket proxy to carry or proxy a connection
+// Package carrier provides a WebSocket proxy to carry or proxy a connection
-//from the local client to the edge. See it as a wrapper around any protocol
+// from the local client to the edge. See it as a wrapper around any protocol
-//that it packages up in a WebSocket connection to the edge.
+// that it packages up in a WebSocket connection to the edge.
 package carrier
 import (
-	"errors"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
+	"github.com/pkg/errors"
-	"github.com/cloudflare/cloudflared/websocket"
+	"github.com/rs/zerolog"
-	"github.com/sirupsen/logrus"
+
 	"github.com/cloudflare/cloudflared/token"
 )
 const (
 	LogFieldOriginURL       = "originURL"
 	CFAccessTokenHeader     = "Cf-Access-Token"
 	cfJumpDestinationHeader = "Cf-Access-Jump-Destination"
 )
 type StartOptions struct {
 	AppInfo         *token.AppInfo
 	OriginURL       string
 	Headers         http.Header
 	Host            string
 	TLSClientConfig *tls.Config
 }
 // Connection wraps up all the needed functions to forward over the tunnel
 type Connection interface {
 	// ServeStream is used to forward data from the client to the edge
 	ServeStream(*StartOptions, io.ReadWriter) error
 }
 // StdinoutStream is empty struct for wrapping stdin/stdout
 // into a single ReadWriter
-type StdinoutStream struct {
+type StdinoutStream struct{}
 }
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
@ -32,100 +54,132 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
 	return os.Stdout.Write(p)
 }
-// StartClient will copy the data from stdin/stdout over a WebSocket connection
+// Helper to allow deferring the response close with a check that the resp is not nil
-// to the edge (originURL)
+func closeRespBody(resp *http.Response) {
-func StartClient(logger *logrus.Logger, originURL string, stream io.ReadWriter) error {
+	if resp != nil {
-	return serveStream(logger, originURL, stream)
+		_ = resp.Body.Close()
 	}
 }
-// StartServer will setup a server on a specified port and copy data over a WebSocket connection
+// StartForwarder will setup a listener on a specified address/port and then
-// to the edge (originURL)
+// forward connections to the origin by calling `Serve()`.
-func StartServer(logger *logrus.Logger, address, originURL string, shutdownC <-chan struct{}) error {
+func StartForwarder(conn Connection, address string, shutdownC <-chan struct{}, options *StartOptions) error {
 	listener, err := net.Listen("tcp", address)
 	if err != nil {
-		logger.WithError(err).Error("failed to start forwarding server")
+		return errors.Wrap(err, "failed to start forwarding server")
 		return err
 	}
 	return Serve(conn, listener, shutdownC, options)
 }
 // StartClient will copy the data from stdin/stdout over a WebSocket connection
 // to the edge (originURL)
 func StartClient(conn Connection, stream io.ReadWriter, options *StartOptions) error {
 	return conn.ServeStream(options, stream)
 }
 // Serve accepts incoming connections on the specified net.Listener.
 // Each connection is handled in a new goroutine: its data is copied over a
 // WebSocket connection to the edge (originURL).
 // `Serve` always closes `listener`.
 func Serve(remoteConn Connection, listener net.Listener, shutdownC <-chan struct{}, options *StartOptions) error {
 	defer listener.Close()
-	for {
+	errChan := make(chan error)
-		select {
+
-		case <-shutdownC:
+	go func() {
-			return nil
+		for {
 		default:
 			conn, err := listener.Accept()
 			if err != nil {
-				return err
+				// don't block if parent goroutine quit early
 				select {
 				case errChan <- err:
 				default:
 				}
 				return
 			}
-			go serveConnection(logger, conn, originURL)
+			go serveConnection(remoteConn, conn, options)
 		}
-	}
+	}()
 }
-// serveConnection handles connections for the StartServer call
+	select {
-func serveConnection(logger *logrus.Logger, c net.Conn, originURL string) {
+	case <-shutdownC:
-	defer c.Close()
+		return nil
-	serveStream(logger, originURL, c)
+	case err := <-errChan:
 }
 // serveStream will serve the data over the WebSocket stream
 func serveStream(logger *logrus.Logger, originURL string, conn io.ReadWriter) error {
 	wsConn, err := createWebsocketStream(originURL)
 	if err != nil {
 		logger.WithError(err).Error("failed to create websocket stream")
 		return err
 	}
 	defer wsConn.Close()
 	websocket.Stream(wsConn, conn)
 	return nil
 }
-// createWebsocketStream will create a WebSocket connection to stream data over
+// serveConnection handles connections for the Serve() call
-// It also handles redirects from Access and will present that flow if
+func serveConnection(remoteConn Connection, c net.Conn, options *StartOptions) {
-// the token is not present on the request
+	defer c.Close()
-func createWebsocketStream(originURL string) (*websocket.Conn, error) {
+	_ = remoteConn.ServeStream(options, c)
 	req, err := http.NewRequest(http.MethodGet, originURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	wsConn, resp, err := websocket.ClientConnect(req, nil)
 	if err != nil && resp != nil && resp.StatusCode > 300 {
 		location, err := resp.Location()
 		if err != nil {
 			return nil, err
 		}
 		if !strings.Contains(location.String(), "cdn-cgi/access/login") {
 			return nil, errors.New("not an Access redirect")
 		}
 		req, err := buildAccessRequest(originURL)
 		if err != nil {
 			return nil, err
 		}
 		wsConn, _, err = websocket.ClientConnect(req, nil)
 		if err != nil {
 			return nil, err
 		}
 	} else if err != nil {
 		return nil, err
 	}
 	return &websocket.Conn{Conn: wsConn}, nil
 }
-// buildAccessRequest builds an HTTP request with the Access token set
+// IsAccessResponse checks the http Response to see if the url location
-func buildAccessRequest(originURL string) (*http.Request, error) {
+// contains the Access structure.
-	req, err := http.NewRequest(http.MethodGet, originURL, nil)
+func IsAccessResponse(resp *http.Response) bool {
 	if resp == nil || resp.StatusCode != http.StatusFound {
 		return false
 	}
 	location, err := resp.Location()
 	if err != nil || location == nil {
 		return false
 	}
 	if strings.HasPrefix(location.Path, token.AccessLoginWorkerPath) {
 		return true
 	}
 	return false
 }
 // BuildAccessRequest builds an HTTP request with the Access token set
 func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Request, error) {
 	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
-	token, err := token.FetchToken(req.URL)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
 	if err != nil {
 		return nil, err
 	}
 	req.Header.Set("cf-access-token", token)
-	return req, nil
+	// We need to create a new request as FetchToken will modify req (boo mutable)
 	// as it has to follow redirect on the API and such, so here we init a new one
 	originRequest, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	originRequest.Header.Set(CFAccessTokenHeader, token)
 	for k, v := range options.Headers {
 		if len(v) >= 1 {
 			originRequest.Header.Set(k, v[0])
 		}
 	}
 	return originRequest, nil
 }
 func SetBastionDest(header http.Header, destination string) {
 	if destination != "" {
 		header.Set(cfJumpDestinationHeader, destination)
 	}
 }
 func ResolveBastionDest(r *http.Request) (string, error) {
 	jumpDestination := r.Header.Get(cfJumpDestinationHeader)
 	if jumpDestination == "" {
 		return "", fmt.Errorf("Did not receive final destination from client. The --destination flag is likely not set on the client side")
 	}
 	// Strip scheme and path set by client. Without a scheme
 	// Parsing a hostname and path without scheme might not return an error due to parsing ambiguities
 	if jumpURL, err := url.Parse(jumpDestination); err == nil && jumpURL.Host != "" {
 		return removePath(jumpURL.Host), nil
 	}
 	return removePath(jumpDestination), nil
 }
 func removePath(dest string) string {
 	return strings.SplitN(dest, "/", 2)[0]
 }
--- a/carrier/carrier_test.go
+++ b/carrier/carrier_test.go
@ -10,7 +10,7 @@ import (
 	"testing"
 	ws "github.com/gorilla/websocket"
-	"github.com/sirupsen/logrus"
+	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 )
@ -43,46 +43,82 @@ func (s *testStreamer) Write(p []byte) (int, error) {
 func TestStartClient(t *testing.T) {
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
-	logger := logrus.New()
+	log := zerolog.Nop()
 	wsConn := NewWSConnection(&log)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
 	buf := newTestStream()
-	err := StartClient(logger, "http://"+ts.Listener.Addr().String(), buf)
+	options := &StartOptions{
 		OriginURL: "http://" + ts.Listener.Addr().String(),
 		Headers:   nil,
 	}
 	err := StartClient(wsConn, buf, options)
 	assert.NoError(t, err)
-	buf.Write([]byte(message))
+	_, _ = buf.Write([]byte(message))
 	readBuffer := make([]byte, len(message))
-	buf.Read(readBuffer)
+	_, _ = buf.Read(readBuffer)
 	assert.Equal(t, message, string(readBuffer))
 }
 func TestStartServer(t *testing.T) {
-	listenerAddress := "localhost:1117"
+	listener, err := net.Listen("tcp", "localhost:")
 	if err != nil {
 		t.Fatalf("Error starting listener: %v", err)
 	}
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
-	logger := logrus.New()
+	log := zerolog.Nop()
 	shutdownC := make(chan struct{})
 	wsConn := NewWSConnection(&log)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
 	options := &StartOptions{
 		OriginURL: "http://" + ts.Listener.Addr().String(),
 		Headers:   nil,
 	}
 	go func() {
-		err := StartServer(logger, listenerAddress, "http://"+ts.Listener.Addr().String(), shutdownC)
+		err := Serve(wsConn, listener, shutdownC, options)
 		if err != nil {
-			t.Fatalf("Error starting server: %v", err)
+			t.Errorf("Error running server: %v", err)
 			return
 		}
 	}()
-	conn, err := net.Dial("tcp", listenerAddress)
+	conn, err := net.Dial("tcp", listener.Addr().String())
-	if err != nil {
+	_, _ = conn.Write([]byte(message))
 		t.Fatalf("Error connecting to server: %v", err)
 	}
 	conn.Write([]byte(message))
 	readBuffer := make([]byte, len(message))
-	conn.Read(readBuffer)
+	_, _ = conn.Read(readBuffer)
 	assert.Equal(t, string(readBuffer), message)
 }
 func TestIsAccessResponse(t *testing.T) {
 	validLocationHeader := http.Header{}
 	validLocationHeader.Add("location", "https://test.cloudflareaccess.com/cdn-cgi/access/login/blahblah")
 	invalidLocationHeader := http.Header{}
 	invalidLocationHeader.Add("location", "https://google.com")
 	testCases := []struct {
 		Description string
 		In          *http.Response
 		ExpectedOut bool
 	}{
 		{"nil response", nil, false},
 		{"redirect with no location", &http.Response{StatusCode: http.StatusFound}, false},
 		{"200 ok", &http.Response{StatusCode: http.StatusOK}, false},
 		{"redirect with location", &http.Response{StatusCode: http.StatusFound, Header: validLocationHeader}, true},
 		{"redirect with invalid location", &http.Response{StatusCode: http.StatusFound, Header: invalidLocationHeader}, false},
 	}
 	for i, tc := range testCases {
 		if IsAccessResponse(tc.In) != tc.ExpectedOut {
 			t.Fatalf("Failed case %d -- %s", i, tc.Description)
 		}
 	}
 }
 func newTestWebSocketServer() *httptest.Server {
 	upgrader := ws.Upgrader{
 		ReadBufferSize:  1024,
@ -120,3 +156,99 @@ func testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {
 	return req
 }
 func TestBastionDestination(t *testing.T) {
 	tests := []struct {
 		name         string
 		header       http.Header
 		expectedDest string
 		wantErr      bool
 	}{
 		{
 			name: "hostname destination",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost"},
 			},
 			expectedDest: "localhost",
 		},
 		{
 			name: "hostname destination with port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with scheme and port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://localhost:9000"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "full hostname url",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "hostname destination with port and path",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"localhost:9000/metrics"},
 			},
 			expectedDest: "localhost:9000",
 		},
 		{
 			name: "ip destination",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1"},
 			},
 			expectedDest: "127.0.0.1",
 		},
 		{
 			name: "ip destination with port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with port and path",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "ip destination with schem and port",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name: "full ip url",
 			header: http.Header{
 				cfJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
 			},
 			expectedDest: "127.0.0.1:9000",
 		},
 		{
 			name:    "no destination",
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		r := &http.Request{
 			Header: test.header,
 		}
 		dest, err := ResolveBastionDest(r)
 		if test.wantErr {
 			assert.Error(t, err, "Test %s expects error", test.name)
 		} else {
 			assert.NoError(t, err, "Test %s expects no error, got error %v", test.name, err)
 			assert.Equal(t, test.expectedDest, dest, "Test %s expect dest %s, got %s", test.name, test.expectedDest, dest)
 		}
 	}
 }
--- a/carrier/websocket.go
+++ b/carrier/websocket.go
@ -0,0 +1,206 @@
 package carrier
 import (
 	"io"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/token"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
 // Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
 // This implements the functions for glider proxy (sock5) and the carrier interface
 type Websocket struct {
 	log     *zerolog.Logger
 	isSocks bool
 }
 // NewWSConnection returns a new connection object
 func NewWSConnection(log *zerolog.Logger) Connection {
 	return &Websocket{
 		log: log,
 	}
 }
 // ServeStream will create a Websocket client stream connection to the edge
 // it blocks and writes the raw data from conn over the tunnel
 func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) error {
 	wsConn, err := createWebsocketStream(options, ws.log)
 	if err != nil {
 		ws.log.Err(err).Str(LogFieldOriginURL, options.OriginURL).Msg("failed to connect to origin")
 		return err
 	}
 	defer wsConn.Close()
 	stream.Pipe(wsConn, conn, ws.log)
 	return nil
 }
 // createWebsocketStream will create a WebSocket connection to stream data over
 // It also handles redirects from Access and will present that flow if
 // the token is not present on the request
 func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
 	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header = options.Headers
 	if options.Host != "" {
 		req.Host = options.Host
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, err
 	}
 	log.Debug().Msgf("Websocket request: %s", string(dump))
 	dialer := &websocket.Dialer{
 		TLSClientConfig: options.TLSClientConfig,
 		Proxy:           http.ProxyFromEnvironment,
 	}
 	wsConn, resp, err := clientConnect(req, dialer)
 	defer closeRespBody(resp)
 	if err != nil && IsAccessResponse(resp) {
 		// Only get Access app info if we know the origin is protected by Access
 		originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 		if err != nil {
 			return nil, err
 		}
 		appInfo, err := token.GetAppInfo(originReq.URL)
 		if err != nil {
 			return nil, err
 		}
 		options.AppInfo = appInfo
 		wsConn, err = createAccessAuthenticatedStream(options, log)
 		if err != nil {
 			return nil, err
 		}
 	} else if err != nil {
 		return nil, err
 	}
 	return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
 }
 var stripWebsocketHeaders = []string{
 	"Upgrade",
 	"Connection",
 	"Sec-Websocket-Key",
 	"Sec-Websocket-Version",
 	"Sec-Websocket-Extensions",
 }
 // the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
 // Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
 // https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
 func websocketHeaders(req *http.Request) http.Header {
 	wsHeaders := make(http.Header)
 	for key, val := range req.Header {
 		wsHeaders[key] = val
 	}
 	// Assume the header keys are in canonical format.
 	for _, header := range stripWebsocketHeaders {
 		wsHeaders.Del(header)
 	}
 	wsHeaders.Set("Host", req.Host) // See TUN-1097
 	return wsHeaders
 }
 // clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
 // the connection. The response body may not contain the entire response and does
 // not need to be closed by the application.
 func clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
 	req.URL.Scheme = changeRequestScheme(req.URL)
 	wsHeaders := websocketHeaders(req)
 	if dialler == nil {
 		dialler = &websocket.Dialer{
 			Proxy: http.ProxyFromEnvironment,
 		}
 	}
 	conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
 	if err != nil {
 		return nil, response, err
 	}
 	return conn, response, nil
 }
 // changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
 // (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
 func changeRequestScheme(reqURL *url.URL) string {
 	switch reqURL.Scheme {
 	case "https":
 		return "wss"
 	case "http":
 		return "ws"
 	case "":
 		return "ws"
 	default:
 		return reqURL.Scheme
 	}
 }
 // createAccessAuthenticatedStream will try load a token from storage and make
 // a connection with the token set on the request. If it still get redirect,
 // this probably means the token in storage is invalid (expired/revoked). If that
 // happens it deletes the token and runs the connection again, so the user can
 // login again and generate a new one.
 func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, error) {
 	wsConn, resp, err := createAccessWebSocketStream(options, log)
 	defer closeRespBody(resp)
 	if err == nil {
 		return wsConn, nil
 	}
 	if !IsAccessResponse(resp) {
 		return nil, err
 	}
 	// Access Token is invalid for some reason. Go through regen flow
 	if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
 		return nil, err
 	}
 	wsConn, resp, err = createAccessWebSocketStream(options, log)
 	defer closeRespBody(resp)
 	if err != nil {
 		return nil, err
 	}
 	return wsConn, nil
 }
 // createAccessWebSocketStream builds an Access request and makes a connection
 func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*websocket.Conn, *http.Response, error) {
 	req, err := BuildAccessRequest(options, log)
 	if err != nil {
 		return nil, nil, err
 	}
 	dump, err := httputil.DumpRequest(req, false)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Debug().Msgf("Access Websocket request: %s", string(dump))
 	conn, resp, err := clientConnect(req, nil)
 	if resp != nil {
 		r, err := httputil.DumpResponse(resp, true)
 		if r != nil {
 			log.Debug().Msgf("Websocket response: %q", r)
 		} else if err != nil {
 			log.Debug().Msgf("Websocket response error: %v", err)
 		}
 	}
 	return conn, resp, err
 }
--- a/carrier/websocket_test.go
+++ b/carrier/websocket_test.go
@ -0,0 +1,123 @@
 package carrier
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"math/rand"
 	"testing"
 	"time"
 	gws "github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/websocket"
 	"github.com/cloudflare/cloudflared/hello"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
 func websocketClientTLSConfig(t *testing.T) *tls.Config {
 	certPool := x509.NewCertPool()
 	helloCert, err := tlsconfig.GetHelloCertificateX509()
 	assert.NoError(t, err)
 	certPool.AddCert(helloCert)
 	assert.NotNil(t, certPool)
 	return &tls.Config{RootCAs: certPool}
 }
 func TestWebsocketHeaders(t *testing.T) {
 	req := testRequest(t, "http://example.com", nil)
 	wsHeaders := websocketHeaders(req)
 	for _, header := range stripWebsocketHeaders {
 		assert.Empty(t, wsHeaders[header])
 	}
 	assert.Equal(t, "curl/7.59.0", wsHeaders.Get("User-Agent"))
 }
 func TestServe(t *testing.T) {
 	log := zerolog.Nop()
 	shutdownC := make(chan struct{})
 	errC := make(chan error)
 	listener, err := hello.CreateTLSListener("localhost:1111")
 	assert.NoError(t, err)
 	defer listener.Close()
 	go func() {
 		errC <- hello.StartHelloWorldServer(&log, listener, shutdownC)
 	}()
 	req := testRequest(t, "https://localhost:1111/ws", nil)
 	tlsConfig := websocketClientTLSConfig(t)
 	assert.NotNil(t, tlsConfig)
 	d := gws.Dialer{TLSClientConfig: tlsConfig}
 	conn, resp, err := clientConnect(req, &d)
 	assert.NoError(t, err)
 	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
 	for i := 0; i < 1000; i++ {
 		messageSize := rand.Int()%2048 + 1
 		clientMessage := make([]byte, messageSize)
 		// rand.Read always returns len(clientMessage) and a nil error
 		rand.Read(clientMessage)
 		err = conn.WriteMessage(websocket.BinaryFrame, clientMessage)
 		assert.NoError(t, err)
 		messageType, message, err := conn.ReadMessage()
 		assert.NoError(t, err)
 		assert.Equal(t, websocket.BinaryFrame, messageType)
 		assert.Equal(t, clientMessage, message)
 	}
 	_ = conn.Close()
 	close(shutdownC)
 	<-errC
 }
 func TestWebsocketWrapper(t *testing.T) {
 	listener, err := hello.CreateTLSListener("localhost:0")
 	require.NoError(t, err)
 	serverErrorChan := make(chan error)
 	helloSvrCtx, cancelHelloSvr := context.WithCancel(context.Background())
 	defer func() { <-serverErrorChan }()
 	defer cancelHelloSvr()
 	go func() {
 		log := zerolog.Nop()
 		serverErrorChan <- hello.StartHelloWorldServer(&log, listener, helloSvrCtx.Done())
 	}()
 	tlsConfig := websocketClientTLSConfig(t)
 	d := gws.Dialer{TLSClientConfig: tlsConfig, HandshakeTimeout: time.Minute}
 	testAddr := fmt.Sprintf("https://%s/ws", listener.Addr().String())
 	req := testRequest(t, testAddr, nil)
 	conn, resp, err := clientConnect(req, &d)
 	require.NoError(t, err)
 	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
 	// Websocket now connected to test server so lets check our wrapper
 	wrapper := cfwebsocket.GorillaConn{Conn: conn}
 	buf := make([]byte, 100)
 	wrapper.Write([]byte("abc"))
 	n, err := wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 3)
 	require.Equal(t, "abc", string(buf[:n]))
 	// Test partial read, read 1 of 3 bytes in one read and the other 2 in another read
 	wrapper.Write([]byte("abc"))
 	buf = buf[:1]
 	n, err = wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 1)
 	require.Equal(t, "a", string(buf[:n]))
 	buf = buf[:cap(buf)]
 	n, err = wrapper.Read(buf)
 	require.NoError(t, err)
 	require.Equal(t, n, 2)
 	require.Equal(t, "bc", string(buf[:n]))
 }
--- a/catalog-info.yaml
+++ b/catalog-info.yaml
@ -0,0 +1,16 @@
 apiVersion: backstage.io/v1alpha1
 kind: Component
 metadata:
  name: cloudflared
  description: Client for Cloudflare Tunnels
  annotations:
    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
    cloudflare.com/software-excellence-opt-in: "true"
    cloudflare.com/jira-project-key: "TUN"
    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
  tags:
    - internal
 spec:
  type: "service"
  lifecycle: "Active"
  owner: "teams/tunnel-teams-routing"
--- a/cfapi/base_client.go
+++ b/cfapi/base_client.go
@ -0,0 +1,247 @@
 package cfapi
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 )
 const (
 	defaultTimeout  = 15 * time.Second
 	jsonContentType = "application/json"
 )
 var (
 	ErrUnauthorized = errors.New("unauthorized")
 	ErrBadRequest   = errors.New("incorrect request parameters")
 	ErrNotFound     = errors.New("not found")
 	ErrAPINoSuccess = errors.New("API call failed")
 )
 type RESTClient struct {
 	baseEndpoints *baseEndpoints
 	authToken     string
 	userAgent     string
 	client        http.Client
 	log           *zerolog.Logger
 }
 type baseEndpoints struct {
 	accountLevel  url.URL
 	zoneLevel     url.URL
 	accountRoutes url.URL
 	accountVnets  url.URL
 }
 var _ Client = (*RESTClient)(nil)
 func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
 	if strings.HasSuffix(baseURL, "/") {
 		baseURL = baseURL[:len(baseURL)-1]
 	}
 	accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	accountRoutesEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/routes", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create route account-level endpoint")
 	}
 	accountVnetsEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/virtual_networks", baseURL, accountTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create virtual network account-level endpoint")
 	}
 	zoneLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/zones/%s/tunnels", baseURL, zoneTag))
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create account level endpoint")
 	}
 	httpTransport := http.Transport{
 		TLSHandshakeTimeout:   defaultTimeout,
 		ResponseHeaderTimeout: defaultTimeout,
 	}
 	http2.ConfigureTransport(&httpTransport)
 	return &RESTClient{
 		baseEndpoints: &baseEndpoints{
 			accountLevel:  *accountLevelEndpoint,
 			zoneLevel:     *zoneLevelEndpoint,
 			accountRoutes: *accountRoutesEndpoint,
 			accountVnets:  *accountVnetsEndpoint,
 		},
 		authToken: authToken,
 		userAgent: userAgent,
 		client: http.Client{
 			Transport: &httpTransport,
 			Timeout:   defaultTimeout,
 		},
 		log: log,
 	}, nil
 }
 func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {
 	var bodyReader io.Reader
 	if body != nil {
 		if bodyBytes, err := json.Marshal(body); err != nil {
 			return nil, errors.Wrap(err, "failed to serialize json body")
 		} else {
 			bodyReader = bytes.NewBuffer(bodyBytes)
 		}
 	}
 	req, err := http.NewRequest(method, url.String(), bodyReader)
 	if err != nil {
 		return nil, errors.Wrapf(err, "can't create %s request", method)
 	}
 	req.Header.Set("User-Agent", r.userAgent)
 	if bodyReader != nil {
 		req.Header.Set("Content-Type", jsonContentType)
 	}
 	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
 	req.Header.Add("Accept", "application/json;version=1")
 	return r.client.Do(req)
 }
 func parseResponseEnvelope(reader io.Reader) (*response, error) {
 	// Schema for Tunnelstore responses in the v1 API.
 	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
 	var result response
 	// First, parse the wrapper and check the API call succeeded
 	if err := json.NewDecoder(reader).Decode(&result); err != nil {
 		return nil, errors.Wrap(err, "failed to decode response")
 	}
 	if err := result.checkErrors(); err != nil {
 		return nil, err
 	}
 	if !result.Success {
 		return nil, ErrAPINoSuccess
 	}
 	return &result, nil
 }
 func parseResponse(reader io.Reader, data interface{}) error {
 	result, err := parseResponseEnvelope(reader)
 	if err != nil {
 		return err
 	}
 	return parseResponseBody(result, data)
 }
 func parseResponseBody(result *response, data interface{}) error {
 	// At this point we know the API call succeeded, so, parse out the inner
 	// result into the datatype provided as a parameter.
 	if err := json.Unmarshal(result.Result, &data); err != nil {
 		return errors.Wrap(err, "the Cloudflare API response was an unexpected type")
 	}
 	return nil
 }
 func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
 	page := 0
 	var fullResponse []*T
 	for {
 		page += 1
 		envelope, parsedBody, err := fetchPage[T](requestFn, page)
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
 		}
 		fullResponse = append(fullResponse, parsedBody...)
 		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
 			break
 		}
 	}
 	return fullResponse, nil
 }
 func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
 	pageResp, err := requestFn(page)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "REST request failed")
 	}
 	defer pageResp.Body.Close()
 	if pageResp.StatusCode == http.StatusOK {
 		envelope, err := parseResponseEnvelope(pageResp.Body)
 		if err != nil {
 			return nil, nil, err
 		}
 		var parsedRspBody []*T
 		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
 	}
 	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
 }
 type response struct {
 	Success    bool            `json:"success,omitempty"`
 	Errors     []apiErr        `json:"errors,omitempty"`
 	Messages   []string        `json:"messages,omitempty"`
 	Result     json.RawMessage `json:"result,omitempty"`
 	Pagination Pagination      `json:"result_info,omitempty"`
 }
 type Pagination struct {
 	Count      int `json:"count,omitempty"`
 	Page       int `json:"page,omitempty"`
 	PerPage    int `json:"per_page,omitempty"`
 	TotalCount int `json:"total_count,omitempty"`
 }
 func (r *response) checkErrors() error {
 	if len(r.Errors) == 0 {
 		return nil
 	}
 	if len(r.Errors) == 1 {
 		return r.Errors[0]
 	}
 	var messages string
 	for _, e := range r.Errors {
 		messages += fmt.Sprintf("%s; ", e)
 	}
 	return fmt.Errorf("API errors: %s", messages)
 }
 type apiErr struct {
 	Code    json.Number `json:"code,omitempty"`
 	Message string      `json:"message,omitempty"`
 }
 func (e apiErr) Error() string {
 	return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
 }
 func (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {
 	if resp.Header.Get("Content-Type") == "application/json" {
 		var errorsResp response
 		if json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {
 			if err := errorsResp.checkErrors(); err != nil {
 				return errors.Errorf("Failed to %s: %s", op, err)
 			}
 		}
 	}
 	switch resp.StatusCode {
 	case http.StatusOK:
 		return nil
 	case http.StatusBadRequest:
 		return ErrBadRequest
 	case http.StatusUnauthorized, http.StatusForbidden:
 		return ErrUnauthorized
 	case http.StatusNotFound:
 		return ErrNotFound
 	}
 	return errors.Errorf("API call to %s failed with status %d: %s", op,
 		resp.StatusCode, http.StatusText(resp.StatusCode))
 }
--- a/cfapi/client.go
+++ b/cfapi/client.go
@ -0,0 +1,41 @@
 package cfapi
 import (
 	"github.com/google/uuid"
 )
 type TunnelClient interface {
 	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
 	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
 	GetTunnelToken(tunnelID uuid.UUID) (string, error)
 	GetManagementToken(tunnelID uuid.UUID) (string, error)
 	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
 	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
 	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
 	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
 }
 type HostnameClient interface {
 	RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)
 }
 type IPRouteClient interface {
 	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
 	AddRoute(newRoute NewRoute) (Route, error)
 	DeleteRoute(id uuid.UUID) error
 	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
 }
 type VnetClient interface {
 	CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
 	ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
 	DeleteVirtualNetwork(id uuid.UUID, force bool) error
 	UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
 }
 type Client interface {
 	TunnelClient
 	HostnameClient
 	IPRouteClient
 	VnetClient
 }
--- a/cfapi/hostname.go
+++ b/cfapi/hostname.go
@ -0,0 +1,192 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"path"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type Change = string
 const (
 	ChangeNew       = "new"
 	ChangeUpdated   = "updated"
 	ChangeUnchanged = "unchanged"
 )
 // HostnameRoute represents a record type that can route to a tunnel
 type HostnameRoute interface {
 	json.Marshaler
 	RecordType() string
 	UnmarshalResult(body io.Reader) (HostnameRouteResult, error)
 	String() string
 }
 type HostnameRouteResult interface {
 	// SuccessSummary explains what will route to this tunnel when it's provisioned successfully
 	SuccessSummary() string
 }
 type DNSRoute struct {
 	userHostname      string
 	overwriteExisting bool
 }
 type DNSRouteResult struct {
 	route *DNSRoute
 	CName Change `json:"cname"`
 	Name  string `json:"name"`
 }
 func NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {
 	return &DNSRoute{
 		userHostname:      userHostname,
 		overwriteExisting: overwriteExisting,
 	}
 }
 func (dr *DNSRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type              string `json:"type"`
 		UserHostname      string `json:"user_hostname"`
 		OverwriteExisting bool   `json:"overwrite_existing"`
 	}{
 		Type:              dr.RecordType(),
 		UserHostname:      dr.userHostname,
 		OverwriteExisting: dr.overwriteExisting,
 	}
 	return json.Marshal(&s)
 }
 func (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result DNSRouteResult
 	err := parseResponse(body, &result)
 	result.route = dr
 	return &result, err
 }
 func (dr *DNSRoute) RecordType() string {
 	return "dns"
 }
 func (dr *DNSRoute) String() string {
 	return fmt.Sprintf("%s %s", dr.RecordType(), dr.userHostname)
 }
 func (res *DNSRouteResult) SuccessSummary() string {
 	var msgFmt string
 	switch res.CName {
 	case ChangeNew:
 		msgFmt = "Added CNAME %s which will route to this tunnel"
 	case ChangeUpdated: // this is not currently returned by tunnelsore
 		msgFmt = "%s updated to route to your tunnel"
 	case ChangeUnchanged:
 		msgFmt = "%s is already configured to route to your tunnel"
 	}
 	return fmt.Sprintf(msgFmt, res.hostname())
 }
 // hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the
 // requested name is returned instead (should not be the common path, it is just a fall-back).
 func (res *DNSRouteResult) hostname() string {
 	if res.Name != "" {
 		return res.Name
 	}
 	return res.route.userHostname
 }
 type LBRoute struct {
 	lbName string
 	lbPool string
 }
 type LBRouteResult struct {
 	route        *LBRoute
 	LoadBalancer Change `json:"load_balancer"`
 	Pool         Change `json:"pool"`
 }
 func NewLBRoute(lbName, lbPool string) HostnameRoute {
 	return &LBRoute{
 		lbName: lbName,
 		lbPool: lbPool,
 	}
 }
 func (lr *LBRoute) MarshalJSON() ([]byte, error) {
 	s := struct {
 		Type   string `json:"type"`
 		LBName string `json:"lb_name"`
 		LBPool string `json:"lb_pool"`
 	}{
 		Type:   lr.RecordType(),
 		LBName: lr.lbName,
 		LBPool: lr.lbPool,
 	}
 	return json.Marshal(&s)
 }
 func (lr *LBRoute) RecordType() string {
 	return "lb"
 }
 func (lb *LBRoute) String() string {
 	return fmt.Sprintf("%s %s %s", lb.RecordType(), lb.lbName, lb.lbPool)
 }
 func (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
 	var result LBRouteResult
 	err := parseResponse(body, &result)
 	result.route = lr
 	return &result, err
 }
 func (res *LBRouteResult) SuccessSummary() string {
 	var msg string
 	switch res.LoadBalancer + "," + res.Pool {
 	case "new,new":
 		msg = "Created load balancer %s and added a new pool %s with this tunnel as an origin"
 	case "new,updated":
 		msg = "Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin"
 	case "new,unchanged":
 		msg = "Created load balancer %s with an existing pool %s which already has this tunnel as an origin"
 	case "updated,new":
 		msg = "Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s"
 	case "updated,updated":
 		msg = "Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s"
 	case "updated,unchanged":
 		msg = "Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s"
 	case "unchanged,updated":
 		msg = "Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s"
 	case "unchanged,unchanged":
 		msg = "Load balancer %s already uses pool %s which has this tunnel as an origin"
 	case "unchanged,new":
 		// this state is not possible
 		fallthrough
 	default:
 		msg = "Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard"
 	}
 	return fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)
 }
 func (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {
 	endpoint := r.baseEndpoints.zoneLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/routes", tunnelID))
 	resp, err := r.sendRequest("PUT", endpoint, route)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return route.UnmarshalResult(resp.Body)
 	}
 	return nil, r.statusCodeToError("add route", resp)
 }
--- a/cfapi/hostname_test.go
+++ b/cfapi/hostname_test.go
@ -0,0 +1,99 @@
 package cfapi
 import (
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestDNSRouteUnmarshalResult(t *testing.T) {
 	route := &DNSRoute{
 		userHostname: "example.com",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"cname": "new"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &DNSRouteResult{
 		route: route,
 		CName: ChangeNew,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"cname": "new"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 		`{"result": {"cname": "new"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteUnmarshalResult(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "pool",
 	}
 	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"pool": "unchanged", "load_balancer": "updated"}}`))
 	assert.NoError(t, err)
 	assert.Equal(t, &LBRouteResult{
 		route:        route,
 		LoadBalancer: ChangeUpdated,
 		Pool:         ChangeUnchanged,
 	}, result)
 	badJSON := []string{
 		`abc`,
 		`{"success": false, "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 		`{"result": {"pool": "unchanged", "load_balancer": "updated"}}`,
 	}
 	for _, j := range badJSON {
 		_, err = route.UnmarshalResult(strings.NewReader(j))
 		assert.NotNil(t, err)
 	}
 }
 func TestLBRouteResultSuccessSummary(t *testing.T) {
 	route := &LBRoute{
 		lbName: "lb.example.com",
 		lbPool: "POOL",
 	}
 	tests := []struct {
 		lb       Change
 		pool     Change
 		expected string
 	}{
 		{ChangeNew, ChangeNew, "Created load balancer lb.example.com and added a new pool POOL with this tunnel as an origin"},
 		{ChangeNew, ChangeUpdated, "Created load balancer lb.example.com with an existing pool POOL which was updated to use this tunnel as an origin"},
 		{ChangeNew, ChangeUnchanged, "Created load balancer lb.example.com with an existing pool POOL which already has this tunnel as an origin"},
 		{ChangeUpdated, ChangeNew, "Added new pool POOL with this tunnel as an origin to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUpdated, "Updated pool POOL to use this tunnel as an origin and added it to load balancer lb.example.com"},
 		{ChangeUpdated, ChangeUnchanged, "Added pool POOL, which already has this tunnel as an origin, to load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeNew, "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{ChangeUnchanged, ChangeUpdated, "Added this tunnel as an origin in pool POOL which is already used by load balancer lb.example.com"},
 		{ChangeUnchanged, ChangeUnchanged, "Load balancer lb.example.com already uses pool POOL which has this tunnel as an origin"},
 		{"", "", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 		{"a", "b", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
 	}
 	for i, tt := range tests {
 		res := &LBRouteResult{
 			route:        route,
 			LoadBalancer: tt.lb,
 			Pool:         tt.pool,
 		}
 		actual := res.SuccessSummary()
 		assert.Equal(t, tt.expected, actual, "case %d", i+1)
 	}
 }
--- a/cfapi/ip_route.go
+++ b/cfapi/ip_route.go
@ -0,0 +1,235 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 // Route is a mapping from customer's IP space to a tunnel.
 // Each route allows the customer to route eyeballs in their corporate network
 // to certain private IP ranges. Each Route represents an IP range in their
 // network, and says that eyeballs can reach that route using the corresponding
 // tunnel.
 type Route struct {
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the Route belongs to the default virtual network.
 	VNetID    *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment   string     `json:"comment"`
 	CreatedAt time.Time  `json:"created_at"`
 	DeletedAt time.Time  `json:"deleted_at"`
 }
 // CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.
 type CIDR net.IPNet
 func (c CIDR) String() string {
 	n := net.IPNet(c)
 	return n.String()
 }
 func (c CIDR) MarshalJSON() ([]byte, error) {
 	str := c.String()
 	json, err := json.Marshal(str)
 	if err != nil {
 		return nil, errors.Wrap(err, "error serializing CIDR into JSON")
 	}
 	return json, nil
 }
 // UnmarshalJSON parses a JSON string into net.IPNet
 func (c *CIDR) UnmarshalJSON(data []byte) error {
 	var s string
 	if err := json.Unmarshal(data, &s); err != nil {
 		return errors.Wrap(err, "error parsing cidr string")
 	}
 	_, network, err := net.ParseCIDR(s)
 	if err != nil {
 		return errors.Wrap(err, "error parsing invalid network from backend")
 	}
 	if network == nil {
 		return fmt.Errorf("backend returned invalid network %s", s)
 	}
 	*c = CIDR(*network)
 	return nil
 }
 // NewRoute has all the parameters necessary to add a new route to the table.
 type NewRoute struct {
 	Network  net.IPNet
 	TunnelID uuid.UUID
 	Comment  string
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
 func (r NewRoute) MarshalJSON() ([]byte, error) {
 	return json.Marshal(&struct {
 		Network  string     `json:"network"`
 		TunnelID uuid.UUID  `json:"tunnel_id"`
 		Comment  string     `json:"comment"`
 		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
 	}{
 		Network:  r.Network.String(),
 		TunnelID: r.TunnelID,
 		Comment:  r.Comment,
 		VNetID:   r.VNetID,
 	})
 }
 // DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
 type DetailedRoute struct {
 	ID       uuid.UUID `json:"id"`
 	Network  CIDR      `json:"network"`
 	TunnelID uuid.UUID `json:"tunnel_id"`
 	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
 	VNetID     *uuid.UUID `json:"virtual_network_id,omitempty"`
 	Comment    string     `json:"comment"`
 	CreatedAt  time.Time  `json:"created_at"`
 	DeletedAt  time.Time  `json:"deleted_at"`
 	TunnelName string     `json:"tunnel_name"`
 }
 // IsZero checks if DetailedRoute is the zero value.
 func (r *DetailedRoute) IsZero() bool {
 	return r.TunnelID == uuid.Nil
 }
 // TableString outputs a table row summarizing the route, to be used
 // when showing the user their routing table.
 func (r DetailedRoute) TableString() string {
 	deletedColumn := "-"
 	if !r.DeletedAt.IsZero() {
 		deletedColumn = r.DeletedAt.Format(time.RFC3339)
 	}
 	vnetColumn := "default"
 	if r.VNetID != nil {
 		vnetColumn = r.VNetID.String()
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
 		r.ID,
 		r.Network.String(),
 		vnetColumn,
 		r.Comment,
 		r.TunnelID,
 		r.TunnelName,
 		r.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 type GetRouteByIpParams struct {
 	Ip net.IP
 	// Optional field. If unset, backend will assume the default vnet for the account.
 	VNetID *uuid.UUID
 }
 // ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
 // Due to pagination on the server side it will call the endpoint multiple times if needed.
 func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountRoutes
 		filter.Page(page)
 		endpoint.RawQuery = filter.Encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list routes", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[DetailedRoute](fetchFn)
 }
 // AddRoute calls the Tunnelstore POST endpoint for a given route.
 func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path)
 	resp, err := r.sendRequest("POST", endpoint, newRoute)
 	if err != nil {
 		return Route{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseRoute(resp.Body)
 	}
 	return Route{}, r.statusCodeToError("add route", resp)
 }
 // DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
 func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseRoute(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete route", resp)
 }
 // GetByIP checks which route will proxy a given IP.
 func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
 	endpoint := r.baseEndpoints.accountRoutes
 	endpoint.Path = path.Join(endpoint.Path, "ip", url.PathEscape(params.Ip.String()))
 	setVnetParam(&endpoint, params.VNetID)
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return DetailedRoute{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseDetailedRoute(resp.Body)
 	}
 	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
 }
 func parseRoute(body io.ReadCloser) (Route, error) {
 	var route Route
 	err := parseResponse(body, &route)
 	return route, err
 }
 func parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {
 	var route DetailedRoute
 	err := parseResponse(body, &route)
 	return route, err
 }
 // setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain
 // virtual network (if one is provided).
 func setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {
 	queryParams := url.Values{}
 	if vnetID != nil {
 		queryParams.Set("virtual_network_id", vnetID.String())
 	}
 	endpoint.RawQuery = queryParams.Encode()
 }
--- a/cfapi/ip_route_filter.go
+++ b/cfapi/ip_route_filter.go
@ -0,0 +1,176 @@
 package cfapi
 import (
 	"fmt"
 	"net"
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterIpRouteDeleted = cli.BoolFlag{
 		Name:  "filter-is-deleted",
 		Usage: "If false (default), only show non-deleted routes. If true, only show deleted routes.",
 	}
 	filterIpRouteTunnelID = cli.StringFlag{
 		Name:  "filter-tunnel-id",
 		Usage: "Show only routes with the given tunnel ID.",
 	}
 	filterSubsetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-subset-of",
 		Aliases: []string{"nsub"},
 		Usage:   "Show only routes whose network is a subset of the given network.",
 	}
 	filterSupersetIpRoute = cli.StringFlag{
 		Name:    "filter-network-is-superset-of",
 		Aliases: []string{"nsup"},
 		Usage:   "Show only routes whose network is a superset of the given network.",
 	}
 	filterIpRouteComment = cli.StringFlag{
 		Name:  "filter-comment-is",
 		Usage: "Show only routes with this comment.",
 	}
 	filterIpRouteByVnet = cli.StringFlag{
 		Name:  "filter-vnet-id",
 		Usage: "Show only routes that are attached to the given virtual network ID.",
 	}
 	// Flags contains all filter flags.
 	IpRouteFilterFlags = []cli.Flag{
 		&filterIpRouteDeleted,
 		&filterIpRouteTunnelID,
 		&filterSubsetIpRoute,
 		&filterSupersetIpRoute,
 		&filterIpRouteComment,
 		&filterIpRouteByVnet,
 	}
 )
 // IpRouteFilter which routes get queried.
 type IpRouteFilter struct {
 	queryParams url.Values
 }
 // NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
 func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
 	f := NewIPRouteFilter()
 	// Set deletion filter
 	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
 		f.Deleted()
 	} else {
 		f.NotDeleted()
 	}
 	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
 		return nil, err
 	} else if subset != nil {
 		f.NetworkIsSupersetOf(*subset)
 	}
 	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
 		return nil, err
 	} else if superset != nil {
 		f.NetworkIsSupersetOf(*superset)
 	}
 	if comment := c.String(filterIpRouteComment.Name); comment != "" {
 		f.CommentIs(comment)
 	}
 	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
 		u, err := uuid.Parse(tunnelID)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
 		}
 		f.TunnelID(u)
 	}
 	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
 		u, err := uuid.Parse(vnetId)
 		if err != nil {
 			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
 		}
 		f.VNetID(u)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
 // Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).
 func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
 	if !c.IsSet(flag.Name) {
 		return nil, nil
 	}
 	_, subset, err := net.ParseCIDR(c.String(flag.Name))
 	if err != nil {
 		return nil, err
 	} else if subset == nil {
 		return nil, fmt.Errorf("Invalid CIDR supplied for %s", flag.Name)
 	}
 	return subset, nil
 }
 func NewIPRouteFilter() *IpRouteFilter {
 	values := &IpRouteFilter{queryParams: url.Values{}}
 	// always list cfd_tunnel routes only
 	values.queryParams.Set("tun_types", "cfd_tunnel")
 	return values
 }
 func (f *IpRouteFilter) CommentIs(comment string) {
 	f.queryParams.Set("comment", comment)
 }
 func (f *IpRouteFilter) NotDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *IpRouteFilter) Deleted() {
 	f.queryParams.Set("is_deleted", "true")
 }
 func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
 	f.queryParams.Set("network_subset", superset.String())
 }
 func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
 	f.queryParams.Set("network_superset", subset.String())
 }
 func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
 }
 func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
 	f.queryParams.Set("tunnel_id", id.String())
 }
 func (f *IpRouteFilter) VNetID(id uuid.UUID) {
 	f.queryParams.Set("virtual_network_id", id.String())
 }
 func (f *IpRouteFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *IpRouteFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f IpRouteFilter) Encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/ip_route_test.go
+++ b/cfapi/ip_route_test.go
@ -0,0 +1,178 @@
 package cfapi
 import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"strings"
 	"testing"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestUnmarshalRoute(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null
 			}`,
 			false,
 		},
 		{
 			`{
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":null,
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r Route
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 	}
 }
 func TestDetailedRouteJsonRoundtrip(t *testing.T) {
 	testCases := []struct {
 		Json    string
 		HasVnet bool
 	}{
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			false,
 		},
 		{
 			`{
 				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
 				"network":"10.1.2.40/29",
 				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
 				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
 				"comment":"test",
 				"created_at":"2020-12-22T02:00:15.587008Z",
 				"deleted_at":"2021-01-14T05:01:42.183002Z",
 				"tunnel_name":"Mr. Tun"
 			}`,
 			true,
 		},
 	}
 	for _, testCase := range testCases {
 		data := testCase.Json
 		var r DetailedRoute
 		err := json.Unmarshal([]byte(data), &r)
 		// Check everything worked
 		require.NoError(t, err)
 		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
 		require.Equal(t, "test", r.Comment)
 		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
 		require.NoError(t, err)
 		require.Equal(t, CIDR(*cidr), r.Network)
 		require.Equal(t, "test", r.Comment)
 		require.Equal(t, "Mr. Tun", r.TunnelName)
 		if testCase.HasVnet {
 			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
 		} else {
 			require.Nil(t, r.VNetID)
 		}
 		bytes, err := json.Marshal(r)
 		require.NoError(t, err)
 		obtainedJson := string(bytes)
 		data = strings.Replace(data, "\t", "", -1)
 		data = strings.Replace(data, "\n", "", -1)
 		require.Equal(t, data, obtainedJson)
 	}
 }
 func TestMarshalNewRoute(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	vnetId := uuid.New()
 	newRoutes := []NewRoute{
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 		},
 		{
 			Network:  *network,
 			TunnelID: uuid.New(),
 			Comment:  "hi",
 			VNetID:   &vnetId,
 		},
 	}
 	for _, newRoute := range newRoutes {
 		// Test where receiver is struct
 		serialized, err := json.Marshal(newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		// Test where receiver is pointer to struct
 		serialized, err = json.Marshal(&newRoute)
 		require.NoError(t, err)
 		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
 		if newRoute.VNetID == nil {
 			require.False(t, strings.Contains(string(serialized), "virtual_network_id"))
 		} else {
 			require.True(t, strings.Contains(string(serialized), "virtual_network_id"))
 		}
 	}
 }
 func TestRouteTableString(t *testing.T) {
 	_, network, err := net.ParseCIDR("1.2.3.4/32")
 	require.NoError(t, err)
 	require.NotNil(t, network)
 	r := DetailedRoute{
 		ID:      uuid.Nil,
 		Network: CIDR(*network),
 	}
 	row := r.TableString()
 	fmt.Println(row)
 	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
 }
--- a/cfapi/tunnel.go
+++ b/cfapi/tunnel.go
@ -0,0 +1,237 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
 type Tunnel struct {
 	ID          uuid.UUID    `json:"id"`
 	Name        string       `json:"name"`
 	CreatedAt   time.Time    `json:"created_at"`
 	DeletedAt   time.Time    `json:"deleted_at"`
 	Connections []Connection `json:"connections"`
 }
 type TunnelWithToken struct {
 	Tunnel
 	Token string `json:"token"`
 }
 type Connection struct {
 	ColoName           string    `json:"colo_name"`
 	ID                 uuid.UUID `json:"id"`
 	IsPendingReconnect bool      `json:"is_pending_reconnect"`
 	OriginIP           net.IP    `json:"origin_ip"`
 	OpenedAt           time.Time `json:"opened_at"`
 }
 type ActiveClient struct {
 	ID          uuid.UUID    `json:"id"`
 	Features    []string     `json:"features"`
 	Version     string       `json:"version"`
 	Arch        string       `json:"arch"`
 	RunAt       time.Time    `json:"run_at"`
 	Connections []Connection `json:"conns"`
 }
 type newTunnel struct {
 	Name         string `json:"name"`
 	TunnelSecret []byte `json:"tunnel_secret"`
 }
 type managementRequest struct {
 	Resources []string `json:"resources"`
 }
 type CleanupParams struct {
 	queryParams url.Values
 }
 func NewCleanupParams() *CleanupParams {
 	return &CleanupParams{
 		queryParams: url.Values{},
 	}
 }
 func (cp *CleanupParams) ForClient(clientID uuid.UUID) {
 	cp.queryParams.Set("client_id", clientID.String())
 }
 func (cp CleanupParams) encode() string {
 	return cp.queryParams.Encode()
 }
 func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {
 	if name == "" {
 		return nil, errors.New("tunnel name required")
 	}
 	if _, err := uuid.Parse(name); err == nil {
 		return nil, errors.New("you cannot use UUIDs as tunnel names")
 	}
 	body := &newTunnel{
 		Name:         name,
 		TunnelSecret: tunnelSecret,
 	}
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountLevel, body)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	switch resp.StatusCode {
 	case http.StatusOK:
 		var tunnel TunnelWithToken
 		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
 			return nil, serdeErr
 		}
 		return &tunnel, nil
 	case http.StatusConflict:
 		return nil, ErrTunnelNameConflict
 	}
 	return nil, r.statusCodeToError("create tunnel", resp)
 }
 func (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return unmarshalTunnel(resp.Body)
 	}
 	return nil, r.statusCodeToError("get tunnel", resp)
 }
 func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/token", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
 	body := &managementRequest{
 		Resources: []string{"logs"},
 	}
 	resp, err := r.sendRequest("POST", endpoint, body)
 	if err != nil {
 		return "", errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		err = parseResponse(resp.Body, &token)
 		return token, err
 	}
 	return "", r.statusCodeToError("get tunnel token", resp)
 }
 func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
 	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
 	// are linked to the deleted tunnel.
 	if cascade {
 		endpoint.RawQuery = "cascade=true"
 	}
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("delete tunnel", resp)
 }
 func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
 	fetchFn := func(page int) (*http.Response, error) {
 		endpoint := r.baseEndpoints.accountLevel
 		filter.Page(page)
 		endpoint.RawQuery = filter.encode()
 		rsp, err := r.sendRequest("GET", endpoint, nil)
 		if err != nil {
 			return nil, errors.Wrap(err, "REST request failed")
 		}
 		if rsp.StatusCode != http.StatusOK {
 			rsp.Body.Close()
 			return nil, r.statusCodeToError("list tunnels", rsp)
 		}
 		return rsp, nil
 	}
 	return fetchExhaustively[Tunnel](fetchFn)
 }
 func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseConnectionsDetails(resp.Body)
 	}
 	return nil, r.statusCodeToError("list connection details", resp)
 }
 func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
 	var clients []*ActiveClient
 	err := parseResponse(reader, &clients)
 	return clients, err
 }
 func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
 	endpoint := r.baseEndpoints.accountLevel
 	endpoint.RawQuery = params.encode()
 	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	return r.statusCodeToError("cleanup connections", resp)
 }
 func unmarshalTunnel(reader io.Reader) (*Tunnel, error) {
 	var tunnel Tunnel
 	err := parseResponse(reader, &tunnel)
 	return &tunnel, err
 }
--- a/cfapi/tunnel_filter.go
+++ b/cfapi/tunnel_filter.go
@ -0,0 +1,59 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 )
 const (
 	TimeLayout = time.RFC3339
 )
 type TunnelFilter struct {
 	queryParams url.Values
 }
 func NewTunnelFilter() *TunnelFilter {
 	return &TunnelFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *TunnelFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *TunnelFilter) ByNamePrefix(namePrefix string) {
 	f.queryParams.Set("name_prefix", namePrefix)
 }
 func (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {
 	f.queryParams.Set("exclude_prefix", excludePrefix)
 }
 func (f *TunnelFilter) NoDeleted() {
 	f.queryParams.Set("is_deleted", "false")
 }
 func (f *TunnelFilter) ByExistedAt(existedAt time.Time) {
 	f.queryParams.Set("existed_at", existedAt.Format(TimeLayout))
 }
 func (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {
 	f.queryParams.Set("uuid", tunnelID.String())
 }
 func (f *TunnelFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f *TunnelFilter) Page(page int) {
 	f.queryParams.Set("page", strconv.Itoa(page))
 }
 func (f TunnelFilter) encode() string {
 	return f.queryParams.Encode()
 }
--- a/cfapi/tunnel_test.go
+++ b/cfapi/tunnel_test.go
@ -0,0 +1,102 @@
 package cfapi
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"reflect"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 var loc, _ = time.LoadLocation("UTC")
 func Test_unmarshalTunnel(t *testing.T) {
 	type args struct {
 		body string
 	}
 	tests := []struct {
 		name    string
 		args    args
 		want    *Tunnel
 		wantErr bool
 	}{
 		{
 			name: "empty list",
 			args: args{body: `{"success": true, "result": {"id":"b34cc7ce-925b-46ee-bc23-4cb5c18d8292","created_at":"2021-07-29T13:46:14.090955Z","deleted_at":"2021-07-29T14:07:27.559047Z","name":"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV","account_id":6946212,"account_tag":"5ab4e9dfbd435d24068829fda0077963","conns_active_at":null,"conns_inactive_at":"2021-07-29T13:47:22.548482Z","tun_type":"cfd_tunnel","metadata":{"qtid":"a6fJROgkXutNruBGaJjD"}}}`},
 			want: &Tunnel{
 				ID:          uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292"),
 				Name:        "qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV",
 				CreatedAt:   time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),
 				DeletedAt:   time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),
 				Connections: nil,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := unmarshalTunnel(strings.NewReader(tt.args.body))
 			if (err != nil) != tt.wantErr {
 				t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func TestUnmarshalTunnelOk(t *testing.T) {
 	jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
 	expected := Tunnel{
 		ID:          uuid.Nil,
 		Name:        "test",
 		CreatedAt:   time.Time{},
 		Connections: []Connection{},
 	}
 	actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, &expected, actual)
 }
 func TestUnmarshalTunnelErr(t *testing.T) {
 	tests := []string{
 		`abc`,
 		`{"success": true, "result": abc}`,
 		`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
 	}
 	for i, test := range tests {
 		_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
 		assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
 	}
 }
 func TestUnmarshalConnections(t *testing.T) {
 	jsonBody := `{"success":true,"messages":[],"errors":[],"result":[{"id":"d4041254-91e3-4deb-bd94-b46e11680b1e","features":["ha-origin"],"version":"2021.2.5","arch":"darwin_amd64","conns":[{"colo_name":"LIS","id":"ac2286e5-c708-4588-a6a0-ba6b51940019","is_pending_reconnect":false,"origin_ip":"148.38.28.2","opened_at":"0001-01-01T00:00:00Z"}],"run_at":"0001-01-01T00:00:00Z"}]}`
 	expected := ActiveClient{
 		ID:       uuid.MustParse("d4041254-91e3-4deb-bd94-b46e11680b1e"),
 		Features: []string{"ha-origin"},
 		Version:  "2021.2.5",
 		Arch:     "darwin_amd64",
 		RunAt:    time.Time{},
 		Connections: []Connection{{
 			ID:                 uuid.MustParse("ac2286e5-c708-4588-a6a0-ba6b51940019"),
 			ColoName:           "LIS",
 			IsPendingReconnect: false,
 			OriginIP:           net.ParseIP("148.38.28.2"),
 			OpenedAt:           time.Time{},
 		}},
 	}
 	actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
 	assert.NoError(t, err)
 	assert.Equal(t, []*ActiveClient{&expected}, actual)
 }
--- a/cfapi/virtual_network.go
+++ b/cfapi/virtual_network.go
@ -0,0 +1,134 @@
 package cfapi
 import (
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"path"
 	"strconv"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 )
 type NewVirtualNetwork struct {
 	Name      string `json:"name"`
 	Comment   string `json:"comment"`
 	IsDefault bool   `json:"is_default"`
 }
 type VirtualNetwork struct {
 	ID        uuid.UUID `json:"id"`
 	Comment   string    `json:"comment"`
 	Name      string    `json:"name"`
 	IsDefault bool      `json:"is_default_network"`
 	CreatedAt time.Time `json:"created_at"`
 	DeletedAt time.Time `json:"deleted_at"`
 }
 type UpdateVirtualNetwork struct {
 	Name      *string `json:"name,omitempty"`
 	Comment   *string `json:"comment,omitempty"`
 	IsDefault *bool   `json:"is_default_network,omitempty"`
 }
 func (virtualNetwork VirtualNetwork) TableString() string {
 	deletedColumn := "-"
 	if !virtualNetwork.DeletedAt.IsZero() {
 		deletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)
 	}
 	return fmt.Sprintf(
 		"%s\t%s\t%s\t%s\t%s\t%s\t",
 		virtualNetwork.ID,
 		virtualNetwork.Name,
 		strconv.FormatBool(virtualNetwork.IsDefault),
 		virtualNetwork.Comment,
 		virtualNetwork.CreatedAt.Format(time.RFC3339),
 		deletedColumn,
 	)
 }
 func (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {
 	resp, err := r.sendRequest("POST", r.baseEndpoints.accountVnets, newVnet)
 	if err != nil {
 		return VirtualNetwork{}, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseVnet(resp.Body)
 	}
 	return VirtualNetwork{}, r.statusCodeToError("add virtual network", resp)
 }
 func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.RawQuery = filter.Encode()
 	resp, err := r.sendRequest("GET", endpoint, nil)
 	if err != nil {
 		return nil, errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		return parseListVnets(resp.Body)
 	}
 	return nil, r.statusCodeToError("list virtual networks", resp)
 }
 func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	queryParams := url.Values{}
 	if force {
 		queryParams.Set("force", strconv.FormatBool(force))
 	}
 	endpoint.RawQuery = queryParams.Encode()
 	resp, err := r.sendRequest("DELETE", endpoint, nil)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("delete virtual network", resp)
 }
 func (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {
 	endpoint := r.baseEndpoints.accountVnets
 	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
 	resp, err := r.sendRequest("PATCH", endpoint, updates)
 	if err != nil {
 		return errors.Wrap(err, "REST request failed")
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode == http.StatusOK {
 		_, err := parseVnet(resp.Body)
 		return err
 	}
 	return r.statusCodeToError("update virtual network", resp)
 }
 func parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {
 	var vnets []*VirtualNetwork
 	err := parseResponse(body, &vnets)
 	return vnets, err
 }
 func parseVnet(body io.ReadCloser) (VirtualNetwork, error) {
 	var vnet VirtualNetwork
 	err := parseResponse(body, &vnet)
 	return vnet, err
 }
--- a/cfapi/virtual_network_filter.go
+++ b/cfapi/virtual_network_filter.go
@ -0,0 +1,99 @@
 package cfapi
 import (
 	"net/url"
 	"strconv"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 var (
 	filterVnetId = cli.StringFlag{
 		Name:  "id",
 		Usage: "List virtual networks with the given `ID`",
 	}
 	filterVnetByName = cli.StringFlag{
 		Name:  "name",
 		Usage: "List virtual networks with the given `NAME`",
 	}
 	filterDefaultVnet = cli.BoolFlag{
 		Name:  "is-default",
 		Usage: "If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.",
 	}
 	filterDeletedVnet = cli.BoolFlag{
 		Name:  "show-deleted",
 		Usage: "If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.",
 	}
 	VnetFilterFlags = []cli.Flag{
 		&filterVnetId,
 		&filterVnetByName,
 		&filterDefaultVnet,
 		&filterDeletedVnet,
 	}
 )
 // VnetFilter which virtual networks get queried.
 type VnetFilter struct {
 	queryParams url.Values
 }
 func NewVnetFilter() *VnetFilter {
 	return &VnetFilter{
 		queryParams: url.Values{},
 	}
 }
 func (f *VnetFilter) ById(vnetId uuid.UUID) {
 	f.queryParams.Set("id", vnetId.String())
 }
 func (f *VnetFilter) ByName(name string) {
 	f.queryParams.Set("name", name)
 }
 func (f *VnetFilter) ByDefaultStatus(isDefault bool) {
 	f.queryParams.Set("is_default", strconv.FormatBool(isDefault))
 }
 func (f *VnetFilter) WithDeleted(isDeleted bool) {
 	f.queryParams.Set("is_deleted", strconv.FormatBool(isDeleted))
 }
 func (f *VnetFilter) MaxFetchSize(max uint) {
 	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
 }
 func (f VnetFilter) Encode() string {
 	return f.queryParams.Encode()
 }
 // NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.
 func NewFromCLI(c *cli.Context) (*VnetFilter, error) {
 	f := NewVnetFilter()
 	if id := c.String("id"); id != "" {
 		vnetId, err := uuid.Parse(id)
 		if err != nil {
 			return nil, errors.Wrapf(err, "%s is not a valid virtual network ID", id)
 		}
 		f.ById(vnetId)
 	}
 	if name := c.String("name"); name != "" {
 		f.ByName(name)
 	}
 	if c.IsSet("is-default") {
 		f.ByDefaultStatus(c.Bool("is-default"))
 	}
 	f.WithDeleted(c.Bool("show-deleted"))
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		f.MaxFetchSize(uint(maxFetch))
 	}
 	return f, nil
 }
--- a/cfapi/virtual_network_test.go
+++ b/cfapi/virtual_network_test.go
@ -0,0 +1,79 @@
 package cfapi
 import (
 	"encoding/json"
 	"strings"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 )
 func TestVirtualNetworkJsonRoundtrip(t *testing.T) {
 	data := `{
 		"id":"74fce949-351b-4752-b261-81a56cfd3130",
 		"comment":"New York DC1",
 		"name":"us-east-1",
 		"is_default_network":true,
 		"created_at":"2021-11-26T14:40:02.600673Z",
 		"deleted_at":"2021-12-01T10:23:13.102645Z"
 	}`
 	var v VirtualNetwork
 	err := json.Unmarshal([]byte(data), &v)
 	require.NoError(t, err)
 	require.Equal(t, uuid.MustParse("74fce949-351b-4752-b261-81a56cfd3130"), v.ID)
 	require.Equal(t, "us-east-1", v.Name)
 	require.Equal(t, "New York DC1", v.Comment)
 	require.Equal(t, true, v.IsDefault)
 	bytes, err := json.Marshal(v)
 	require.NoError(t, err)
 	obtainedJson := string(bytes)
 	data = strings.Replace(data, "\t", "", -1)
 	data = strings.Replace(data, "\n", "", -1)
 	require.Equal(t, data, obtainedJson)
 }
 func TestMarshalNewVnet(t *testing.T) {
 	newVnet := NewVirtualNetwork{
 		Name:      "eu-west-1",
 		Comment:   "London office",
 		IsDefault: true,
 	}
 	serialized, err := json.Marshal(newVnet)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newVnet.Name))
 }
 func TestMarshalUpdateVnet(t *testing.T) {
 	newName := "bulgaria-1"
 	updates := UpdateVirtualNetwork{
 		Name: &newName,
 	}
 	// Test where receiver is struct
 	serialized, err := json.Marshal(updates)
 	require.NoError(t, err)
 	require.True(t, strings.Contains(string(serialized), newName))
 }
 func TestVnetTableString(t *testing.T) {
 	virtualNet := VirtualNetwork{
 		ID:        uuid.New(),
 		Name:      "us-east-1",
 		Comment:   "New York DC1",
 		IsDefault: true,
 		CreatedAt: time.Now(),
 		DeletedAt: time.Time{},
 	}
 	row := virtualNet.TableString()
 	require.True(t, strings.HasPrefix(row, virtualNet.ID.String()))
 	require.True(t, strings.Contains(row, virtualNet.Name))
 	require.True(t, strings.Contains(row, virtualNet.Comment))
 	require.True(t, strings.Contains(row, "true"))
 	require.True(t, strings.HasSuffix(row, "-\t"))
 }
--- a/cfio/copy.go
+++ b/cfio/copy.go
@ -0,0 +1,27 @@
 package cfio
 import (
 	"io"
 	"sync"
 )
 const defaultBufferSize = 16 * 1024
 var bufferPool = sync.Pool{
 	New: func() interface{} {
 		return make([]byte, defaultBufferSize)
 	},
 }
 func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
 	_, okWriteTo := src.(io.WriterTo)
 	_, okReadFrom := dst.(io.ReaderFrom)
 	var buffer []byte = nil
 	if !(okWriteTo || okReadFrom) {
 		buffer = bufferPool.Get().([]byte)
 		defer bufferPool.Put(buffer)
 	}
 	return io.CopyBuffer(dst, src, buffer)
 }
--- a/cfsetup.yaml
+++ b/cfsetup.yaml
@ -1,91 +1,250 @@
-pinned_go: &pinned_go go=1.9.3-1
+pinned_go: &pinned_go go-boring=1.22.5-1
-build_dir: &build_dir /cfsetup_build/src/github.com/cloudflare/cloudflared/
+
-stretch: &stretch
+build_dir: &build_dir /cfsetup_build
-  build:
+default-flavor: bullseye
 buster: &buster
  build-linux:
    build_dir: *build_dir
    builddeps: &build_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
    pre-cache: &build_pre_cache
      - export GOCACHE=/cfsetup_build/.cache/go-build
      - go install golang.org/x/tools/cmd/goimports@latest
    post-cache:
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  build-linux-fips:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
      - export FIPS=true
      # Build binary for component test
      - GOOS=linux GOARCH=amd64 make cloudflared
  cover:
    build_dir: *build_dir
    builddeps: *build_deps
    pre-cache: *build_pre_cache
    post-cache:
     - make cover
  # except FIPS and macos 
  build-linux-release:
    build_dir: *build_dir
    builddeps: &build_deps_release
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - python3-dev
      - python3-pip
      - python3-setuptools
      - wget
    pre-cache: &build_release_pre_cache
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
      - ./build-packages.sh
  # handle FIPS separately so that we built with gofips compiler
  build-linux-fips-release:
    build_dir: *build_dir
    builddeps: *build_deps_release
    pre-cache: *build_release_pre_cache
    post-cache:
      # same logic as above, but for FIPS packages only
      - ./build-packages-fips.sh
  generate-versions-file:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
-      - export GOPATH=/cfsetup_build/
+      - make generate-docker-version
  build-deb:
    build_dir: *build_dir
    builddeps: &build_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
-      - make cloudflared
+      - make cloudflared-deb
-  build-deb:
+  build-fips-internal-deb:
    build_dir: *build_dir
    builddeps: &build_fips_deb_deps
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-amd64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export NIGHTLY=true
      - export FIPS=true
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-internal-deb-nightly-arm64:
    build_dir: *build_dir
    builddeps: *build_fips_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - export NIGHTLY=true
      #- export FIPS=true # TUN-7595
      - export ORIGINAL_NAME=true
      - make cloudflared-deb
  build-deb-arm64:
    build_dir: *build_dir
    builddeps: *build_deb_deps
    post-cache:
      - export GOOS=linux
      - export GOARCH=arm64
      - make cloudflared-deb
  package-windows:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - wget
      # libmsi and libgcab are libraries the wixl binary depends on.
      - libmsi-dev
      - libgcab-dev
    pre-cache:
      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
      - chmod a+x /usr/local/bin/wixl
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - .teamcity/package-windows.sh
  test:
    build_dir: *build_dir
    builddeps: &build_deps_tests
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - libffi-dev
      - gotest-to-teamcity
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_tests
    pre-cache: *build_pre_cache
    post-cache:
      - export GOOS=linux
      - export GOARCH=amd64
      - export FIPS=true
      - export PATH="$HOME/go/bin:$PATH"
      - ./fmt-check.sh
      - make test | gotest-to-teamcity
  component-test:
    build_dir: *build_dir
    builddeps: &build_deps_component_test
      - *pinned_go
      - python3.7
      - python3-pip
      - python3-setuptools
      # procps installs the ps command which is needed in test_sysv_service because the init script
      # uses ps pid to determine if the agent is running
      - procps
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: &component_test_pre_cache
      - sudo pip3 install --upgrade -r component-tests/requirements.txt
    post-cache: &component_test_post_cache
      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
      - python3 component-tests/setup.py --type create
      - pytest component-tests -o log_cli=true --log-cli-level=INFO
      # The Named Tunnel is deleted and its route unprovisioned here.
      - python3 component-tests/setup.py --type cleanup
  component-test-fips:
    build_dir: *build_dir
    builddeps: *build_deps_component_test
    pre-cache-copy-paths:
      - component-tests/requirements.txt
    pre-cache: *component_test_pre_cache
    post-cache: *component_test_post_cache
  github-release-dryrun:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - make github-release-dryrun
  github-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
    post-cache:
      - make github-release
  r2-linux-release:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
      - fakeroot
      - rubygem-fpm
      - rpm
      - wget
      - python3-dev
      - libffi-dev
      - python3-setuptools
      - python3-pip
      - reprepro
      - createrepo
    pre-cache:
      - pip3 install pynacl==1.4.0
      - pip3 install pygithub==1.55
      - pip3 install boto3==1.22.9
      - pip3 install python-gnupg==0.4.9
    post-cache:
-      - export GOPATH=/cfsetup_build/
+      - make r2-linux-release
      - export GOOS=linux
      - export GOARCH=amd64
      - make cloudflared-deb
  release-linux-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - export GOPATH=/cfsetup_build/
      - export GOOS=linux
      - export GOARCH=amd64
      - make release
  release-linux-armv6:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - crossbuild-essential-armhf
      - gcc-arm-linux-gnueabihf
    post-cache:
      - export GOPATH=/cfsetup_build/
      - export GOOS=linux
      - export GOARCH=arm
      - export CC=arm-linux-gnueabihf-gcc
      - make release
  release-linux-386:
      build_dir: *build_dir
      builddeps:
        - *pinned_go
        - gcc-multilib
      post-cache:
        - export GOPATH=/cfsetup_build/
        - export GOOS=linux
        - export GOARCH=386
        - make release
  release-windows-amd64:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
    post-cache:
      - export GOPATH=/cfsetup_build/
      - export GOOS=windows
      - export GOARCH=amd64
      - export CC=x86_64-w64-mingw32-gcc
      - make release
  release-windows-386:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - gcc-mingw-w64
    post-cache:
      - export GOPATH=/cfsetup_build/
      - export GOOS=windows
      - export GOARCH=386
      - export CC=i686-w64-mingw32-gcc-win32
      - make release
  test:
    build_dir: *build_dir
    builddeps:
      - *pinned_go
      - build-essential
    post-cache:
      - export GOPATH=/cfsetup_build/
      - export GOOS=linux
      - export GOARCH=amd64
      - make test
-jessie: *stretch
+bullseye: *buster
 bookworm: *buster
--- a/check-fips.sh
+++ b/check-fips.sh
@ -0,0 +1,15 @@
 # Pass the path to the executable to check for FIPS compliance
 exe=$1
 if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
    # Asserts that executable is using FIPS-compliant boringcrypto
    echo "${exe}: missing goboring symbols" >&2
    exit 1
 fi
 if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
    # Asserts that executable is using FIPS-only schemes
    echo "${exe}: missing fipsonly symbols" >&2
    exit 1
 fi
 echo "${exe} is FIPS-compliant"
--- a/cloudflared.wxs
+++ b/cloudflared.wxs
@ -0,0 +1,64 @@
 <?xml version="1.0"?>
 <?if $(var.Platform)="x64" ?>
    <?define Program_Files="ProgramFiles64Folder"?>
 <?else ?>
    <?define Program_Files="ProgramFilesFolder"?>
 <?endif ?>
 <?ifndef var.Version?>
    <?error Undefined Version variable?>
 <?endif ?>
 <?ifndef var.Path?>
    <?error Undefined Path variable?>
 <?endif ?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
    <Product Id="*"
        UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
        Name="cloudflared"
        Version="$(var.Version)"
        Manufacturer="cloudflare"
        Language="1033">
        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
        <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
            <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
                Property="OLDERVERSIONBEINGUPGRADED" />
        </Upgrade>
        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
        <Directory Id="TARGETDIR" Name="SourceDir">
            <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
            <Directory Id="$(var.Program_Files)">
                <Directory Id="INSTALLDIR" Name="cloudflared">
                    <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
                        <File Id="ApplicationFile0" Source="$(var.Path)" />
                    </Component>
                </Directory>
            </Directory>
            <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
                <!--Set the cloudflared bin location to the Path Environment Variable-->
                <Environment Id="ENV0"
                    Name="PATH"
                    Value="[INSTALLDIR]"
                    Permanent="no"
                    Part="last"
                    Action="create"
                    System="yes" />
            </Component>
        </Directory>
        <Feature Id='Complete' Level='1'>
            <ComponentRef Id="ENVS" />
            <ComponentRef Id='ApplicationFiles' />
        </Feature>
    </Product>
 </Wix>
--- a/6
+++ b/6
@ -0,0 +1,6 @@
 .\" Manpage for cloudflared.
 .TH man 1 ${DATE} "${VERSION}" "cloudflared man page"
 .SH NAME
 cloudflared \- creates a connection to the cloudflare edge network
 .SH DESCRIPTION
 cloudflared creates a persistent connection between a local service and the Cloudflare network. Once the daemon is running and the Tunnel has been configured, the local service can be locked down to only allow connections from Cloudflare.
--- a/cmd/cloudflared/access/carrier.go
+++ b/cmd/cloudflared/access/carrier.go
@ -1,38 +1,146 @@
 package access
 import (
-	"net/url"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/carrier"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/validation"
 	"github.com/pkg/errors"
 	cli "gopkg.in/urfave/cli.v2"
 )
 const (
 	LogFieldHost               = "host"
 	cfAccessClientIDHeader     = "Cf-Access-Client-Id"
 	cfAccessClientSecretHeader = "Cf-Access-Client-Secret"
 )
 // StartForwarder starts a client side websocket forward
 func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *zerolog.Logger) error {
 	validURL, err := validation.ValidateUrl(forwarder.Listener)
 	if err != nil {
 		return errors.Wrap(err, "error validating origin URL")
 	}
 	// get the headers from the config file and add to the request
 	headers := make(http.Header)
 	if forwarder.TokenClientID != "" {
 		headers.Set(cfAccessClientIDHeader, forwarder.TokenClientID)
 	}
 	if forwarder.TokenSecret != "" {
 		headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
 	}
 	headers.Set("User-Agent", userAgent)
 	carrier.SetBastionDest(headers, forwarder.Destination)
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
 		Headers:   headers, //TODO: TUN-2688 support custom headers from config file
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
 	wsConn := carrier.NewWSConnection(log)
 	log.Info().Str(LogFieldHost, validURL.Host).Msg("Start Websocket listener")
 	return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
 }
 // ssh will start a WS proxy server for server mode
 // or copy from stdin/stdout for client mode
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	hostname, err := validation.ValidateHostname(c.String("hostname"))
+	// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
-	if err != nil || c.String("hostname") == "" {
+	outputTerminal := logger.DisableTerminalLog
 	if c.IsSet(sshURLFlag) {
 		outputTerminal = logger.EnableTerminalLog
 	}
 	log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
 	url, err := parseURL(rawHostName)
 	if err != nil {
 		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
-	if c.NArg() > 0 || c.IsSet("url") {
+	// get the headers from the cmdline and add them
-		localForwarder, err := config.ValidateUrl(c)
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
-		if err != nil {
+	if c.IsSet(sshTokenIDFlag) {
-			logger.WithError(err).Error("Error validating origin URL")
+		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
-			return errors.Wrap(err, "error validating origin URL")
+	}
-		}
+	if c.IsSet(sshTokenSecretFlag) {
-		forwarder, err := url.Parse(localForwarder)
+		headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
-		if err != nil {
+	}
-			logger.WithError(err).Error("Error validating origin URL")
+	headers.Set("User-Agent", userAgent)
-			return errors.Wrap(err, "error validating origin URL")
+
-		}
+	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
-		return carrier.StartServer(logger, forwarder.Host, "https://"+hostname, shutdownC)
+
 	options := &carrier.StartOptions{
 		OriginURL: url.String(),
 		Headers:   headers,
 		Host:      url.Host,
 	}
-	return carrier.StartClient(logger, "https://"+hostname, &carrier.StdinoutStream{})
+	if connectTo := c.String(sshConnectTo); connectTo != "" {
 		parts := strings.Split(connectTo, ":")
 		switch len(parts) {
 		case 1:
 			options.OriginURL = fmt.Sprintf("https://%s", parts[0])
 		case 2:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1])
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
 				InsecureSkipVerify: true,
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
 		default:
 			return fmt.Errorf("invalid connection override: %s", connectTo)
 		}
 	}
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
 	wsConn := carrier.NewWSConnection(log)
 	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
 		forwarder, err := config.ValidateUrl(c, true)
 		if err != nil {
 			log.Err(err).Msg("Error validating origin URL")
 			return errors.Wrap(err, "error validating origin URL")
 		}
 		log.Info().Str(LogFieldHost, forwarder.Host).Msg("Start Websocket listener")
 		err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
 		if err != nil {
 			log.Err(err).Msg("Error on Websocket listener")
 		}
 		return err
 	}
 	var s io.ReadWriter
 	s = &carrier.StdinoutStream{}
 	if c.IsSet(sshDebugStream) {
 		maxMessages := c.Uint64(sshDebugStream)
 		if maxMessages == 0 {
 			// default to 10 if provided but unset
 			maxMessages = 10
 		}
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
 	carrier.StartClient(wsConn, s, options)
 	return nil
 }
--- a/cmd/cloudflared/access/cmd.go
+++ b/cmd/cloudflared/access/cmd.go
@ -1,31 +1,68 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"strings"
 	"text/template"
 	"time"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
+	"github.com/getsentry/sentry-go"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"golang.org/x/net/idna"
-	"github.com/cloudflare/cloudflared/log"
+	"github.com/cloudflare/cloudflared/carrier"
-	raven "github.com/getsentry/raven-go"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	cli "gopkg.in/urfave/cli.v2"
+	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
 	"github.com/cloudflare/cloudflared/validation"
 )
 const (
 	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
 	sshHeaderFlag      = "header"
 	sshTokenIDFlag     = "service-token-id"
 	sshTokenSecretFlag = "service-token-secret"
 	sshGenCertFlag     = "short-lived-cert"
 	sshConnectTo       = "connect-to"
 	sshDebugStream     = "debug-stream"
 	sshConfigTemplate  = `
 Add to your {{.Home}}/.ssh/config:
 {{- if .ShortLivedCerts}}
 Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
  IdentityFile ~/.cloudflared/%h-cf_key
  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
 {{- else}}
 Host {{.Hostname}}
  ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
 )
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 var (
-	logger         = log.CreateLogger()
+	shutdownC chan struct{}
-	shutdownC      chan struct{}
+	userAgent = "DEV"
 	graceShutdownC chan struct{}
 )
 // Init will initialize and store vars from the main program
-func Init(s, g chan struct{}) {
+func Init(shutdown chan struct{}, version string) {
-	shutdownC, graceShutdownC = s, g
+	shutdownC = shutdown
 	userAgent = fmt.Sprintf("cloudflared/%s", version)
 }
 // Flags return the global flags for Access related commands (hopefully none)
@ -38,34 +75,43 @@ func Commands() []*cli.Command {
 	return []*cli.Command{
 		{
 			Name:     "access",
-			Category: "Access (BETA)",
+			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
-			Description: `(BETA) Cloudflare Access protects internal resources by securing, authenticating and monitoring access 
+			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
-			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are 
+			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
-			able to reach sensitive resources. The commands provided here allow you to interact with Access protected 
+			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
-			applications from the command line. This feature is considered beta. Your feedback is greatly appreciated!
+			applications from the command line.`,
 			https://cfl.re/CLIAuthBeta`,
 			Subcommands: []*cli.Command{
 				{
-					Name:   "login",
+					Name:      "login",
-					Action: login,
+					Action:    cliutil.Action(login),
-					Usage:  "login <url of access application>",
+					Usage:     "login <url of access application>",
 					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
-					scoped to your identity, the application you intend to reach, and valid for a session duration set by your 
+					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
 						&cli.BoolFlag{
 							Name:    loginQuietFlag,
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
 						&cli.BoolFlag{
 							Name:  "no-verbose",
 							Usage: "print only the jwt to stdout",
 						},
 						&cli.StringFlag{
-							Name:   "url",
+							Name: appURLFlag,
 							Hidden: true,
 						},
 					},
 				},
 				{
 					Name:   "curl",
-					Action: curl,
+					Action: cliutil.Action(curl),
-					Usage:  "curl <args>",
+					Usage:  "curl [--allow-request, -ar] <url> [<curl args>...]",
 					Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
 					header when using curl to reach an application behind Access.`,
 					ArgsUsage:       "allow-request will allow the curl request to continue even if the jwt is not present.",
@ -73,39 +119,110 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "token",
-					Action:      generateToken,
+					Action:      cliutil.Action(generateToken),
-					Usage:       "token -app=<url of access application>",
+					Usage:       "token <url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "app",
+							Name: appURLFlag,
 						},
 					},
 				},
 				{
-					Name:        "ssh",
+					Name:        "tcp",
-					Action:      ssh,
+					Action:      cliutil.Action(ssh),
 					Aliases:     []string{"rdp", "ssh", "smb"},
 					Usage:       "",
 					ArgsUsage:   "",
-					Description: `The ssh subcommand sends data over a proxy to the Cloudflare edge.`,
+					Description: `The tcp subcommand sends data over a proxy to the Cloudflare edge.`,
 					Hidden:      true,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "hostname",
+							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
 							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:   "url",
+							Name:    sshDestinationFlag,
 							Usage:   "specify the destination address of your SSH server.",
 							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
 							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
 							Aliases: []string{"H"},
 							Usage:   "specify additional headers you wish to send.",
 						},
 						&cli.StringFlag{
 							Name:    sshTokenIDFlag,
 							Aliases: []string{"id"},
 							Usage:   "specify an Access service token ID you wish to use.",
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_ID"},
 						},
 						&cli.StringFlag{
 							Name:    sshTokenSecretFlag,
 							Aliases: []string{"secret"},
 							Usage:   "specify an Access service token secret you wish to use.",
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
 							Name:  logger.LogFileFlag,
 							Usage: "Save application log to this file for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:  logger.LogSSHDirectoryFlag,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:    logger.LogSSHLevelFlag,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
 							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
 						},
 						&cli.StringFlag{
 							Name:   sshConnectTo,
 							Hidden: true,
 							Usage:  "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
 						},
 						&cli.Uint64Flag{
 							Name:   sshDebugStream,
 							Hidden: true,
 							Usage:  "Writes up-to the max provided stream payloads to the logger as debug statements.",
 						},
 					},
 				},
 				{
 					Name:        "ssh-config",
-					Action:      sshConfig,
+					Action:      cliutil.Action(sshConfig),
-					Usage:       "ssh-config",
+					Usage:       "",
 					Description: `Prints an example configuration ~/.ssh/config`,
-					Hidden:      true,
+					Flags: []cli.Flag{
 						&cli.StringFlag{
 							Name:  sshHostnameFlag,
 							Usage: "specify the hostname of your application.",
 						},
 						&cli.BoolFlag{
 							Name:  sshGenCertFlag,
 							Usage: "specify if you wish to generate short lived certs.",
 						},
 					},
 				},
 				{
 					Name:        "ssh-gen",
 					Action:      cliutil.Action(sshGen),
 					Usage:       "",
 					Description: `Generates a short lived certificate for given hostname`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
 							Name:  sshHostnameFlag,
 							Usage: "specify the hostname of your application.",
 						},
 					},
 				},
 			},
 		},
@ -114,68 +231,163 @@ func Commands() []*cli.Command {
 // login pops up the browser window to do the actual login and JWT generation
 func login(c *cli.Context) error {
-	raven.SetDSN(sentryDSN)
+	err := sentry.Init(sentry.ClientOptions{
-	logger := log.CreateLogger()
+		Dsn:     sentryDSN,
-	args := c.Args()
+		Release: c.App.Version,
-	appURL, err := url.Parse(args.First())
+	})
 	if args.Len() < 1 || err != nil {
 		logger.Errorf("Please provide the url of the Access application\n")
 		return err
 	}
 	token, err := token.FetchToken(appURL)
 	if err != nil {
 		logger.Errorf("Failed to fetch token: %s\n", err)
 		return err
 	}
-	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", string(token))
+
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	appURL, err := getAppURLFromArgs(c)
 	if err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
 	appInfo, err := token.GetAppInfo(appURL)
 	if err != nil {
 		return err
 	}
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 	cfdToken, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, "Unable to find token for provided application.")
 		return err
 	} else if cfdToken == "" {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
 	// Chatty by default for backward compat. The new --app flag
 	// is an implicit opt-out of the backwards-compatible chatty output.
 	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
 		fmt.Fprint(os.Stdout, cfdToken)
 	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 	}
 	return nil
 }
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
-	raven.SetDSN(sentryDSN)
+	err := sentry.Init(sentry.ClientOptions{
-	logger := log.CreateLogger()
+		Dsn:     sentryDSN,
 		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	args := c.Args()
 	if args.Len() < 1 {
-		logger.Error("Please provide the access app and command you wish to run.")
+		log.Error().Msg("Please provide the access app and command you wish to run.")
 		return errors.New("incorrect args")
 	}
-	cmdArgs, appURL, allowRequest, err := buildCurlCmdArgs(args.Slice())
+	cmdArgs, allowRequest := parseAllowRequest(args.Slice())
 	appURL, err := getAppURL(cmdArgs, log)
 	if err != nil {
 		return err
 	}
-	tok, err := token.GetTokenIfExists(appURL)
+	appInfo, err := token.GetAppInfo(appURL)
 	if err != nil {
 		return err
 	}
 	// Verify that the existing token is still good; if not fetch a new one
 	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		if allowRequest {
-			logger.Warn("You don't have an Access token set. Please run access token <access application> to fetch one.")
+			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
-			return shell.Run("curl", cmdArgs...)
+			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL)
+		tok, err = token.FetchToken(appURL, appInfo, log)
 		if err != nil {
-			logger.Error("Failed to refresh token: ", err)
+			log.Err(err).Msg("Failed to refresh token")
 			return err
 		}
 	}
 	cmdArgs = append(cmdArgs, "-H")
-	cmdArgs = append(cmdArgs, fmt.Sprintf("cf-access-token: %s", tok))
+	cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", carrier.CFAccessTokenHeader, tok))
-	return shell.Run("curl", cmdArgs...)
+	return run("curl", cmdArgs...)
 }
 // run kicks off a shell task and pipe the results to the respective std pipes
 func run(cmd string, args ...string) error {
 	c := exec.Command(cmd, args...)
 	c.Stdin = os.Stdin
 	stderr, err := c.StderrPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
 	var appURLStr string
 	args := c.Args()
 	if args.Len() < 1 {
 		appURLStr = c.String(appURLFlag)
 	} else {
 		appURLStr = args.First()
 	}
 	return parseURL(appURLStr)
 }
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
-	raven.SetDSN(sentryDSN)
+	err := sentry.Init(sentry.ClientOptions{
-	appURL, err := url.Parse(c.String("app"))
+		Dsn:     sentryDSN,
-	if err != nil || c.NumFlags() < 1 {
+		Release: c.App.Version,
 	})
 	if err != nil {
 		return err
 	}
 	appURL, err := getAppURLFromArgs(c)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
-	tok, err := token.GetTokenIfExists(appURL)
+
 	appInfo, err := token.GetAppInfo(appURL)
 	if err != nil {
 		return err
 	}
 	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
-		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run token command to generate token.")
+		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run login command to generate token.")
 		return err
 	}
@ -188,10 +400,85 @@ func generateToken(c *cli.Context) error {
 // sshConfig prints an example SSH config to stdout
 func sshConfig(c *cli.Context) error {
-	_, err := os.Stdout.Write([]byte(`Add this configuration block to your $HOME/.ssh/config
+	genCertBool := c.Bool(sshGenCertFlag)
-		Host <your hostname>
+	hostname := c.String(sshHostnameFlag)
-		    ProxyCommand cloudflared access ssh --hostname %h` + "\n"))
+	if hostname == "" {
-	return err
+		hostname = "[your hostname]"
 	}
 	type config struct {
 		Home            string
 		ShortLivedCerts bool
 		Hostname        string
 		Cloudflared     string
 	}
 	t := template.Must(template.New("sshConfig").Parse(sshConfigTemplate))
 	return t.Execute(os.Stdout, config{Home: os.Getenv("HOME"), ShortLivedCerts: genCertBool, Hostname: hostname, Cloudflared: cloudflaredPath()})
 }
 // sshGen generates a short lived certificate for provided hostname
 func sshGen(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
 	hostname, err := validation.ValidateHostname(rawHostName)
 	if err != nil || rawHostName == "" {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
 	originURL, err := parseURL(hostname)
 	if err != nil {
 		return err
 	}
 	// this fetchToken function mutates the appURL param. We should refactor that
 	fetchTokenURL := &url.URL{}
 	*fetchTokenURL = *originURL
 	appInfo, err := token.GetAppInfo(fetchTokenURL)
 	if err != nil {
 		return err
 	}
 	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
 	if err != nil {
 		return err
 	}
 	if err := sshgen.GenerateShortLivedCertificate(originURL, cfdToken); err != nil {
 		return err
 	}
 	return nil
 }
 // getAppURL will pull the request URL needed for fetching a user's Access token
 func getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {
 	if len(cmdArgs) < 1 {
 		log.Error().Msg("Please provide a valid URL as the first argument to curl.")
 		return nil, errors.New("not a valid url")
 	}
 	u, err := processURL(cmdArgs[0])
 	if err != nil {
 		log.Error().Msg("Please provide a valid URL as the first argument to curl.")
 		return nil, err
 	}
 	return u, err
 }
 // parseAllowRequest will parse cmdArgs and return a copy of the args and result
 // of the allow request was present
 func parseAllowRequest(cmdArgs []string) ([]string, bool) {
 	if len(cmdArgs) > 1 {
 		if cmdArgs[0] == "--allow-request" || cmdArgs[0] == "-ar" {
 			return cmdArgs[1:], true
 		}
 	}
 	return cmdArgs, false
 }
 // processURL will preprocess the string (parse to a url, convert to punycode, etc).
@ -200,6 +487,11 @@ func processURL(s string) (*url.URL, error) {
 	if err != nil {
 		return nil, err
 	}
 	if u.Host == "" {
 		return nil, errors.New("not a valid host")
 	}
 	host, err := idna.ToASCII(u.Hostname())
 	if err != nil { // we fail to convert to punycode, just return the url we parsed.
 		return u, nil
@ -213,33 +505,88 @@ func processURL(s string) (*url.URL, error) {
 	return u, nil
 }
-// buildCurlCmdArgs will build the curl cmd args
+// cloudflaredPath pulls the full path of cloudflared on disk
-func buildCurlCmdArgs(cmdArgs []string) ([]string, *url.URL, bool, error) {
+func cloudflaredPath() string {
-	allowRequest, iAllowRequest := false, 0
+	path, err := os.Executable()
-	var appURL *url.URL
+	if err == nil && isFileThere(path) {
-	for i, arg := range cmdArgs {
+		return path
-		if arg == "-allow-request" || arg == "-ar" {
+	}
 			iAllowRequest = i
 			allowRequest = true
 		}
-		u, err := processURL(arg)
+	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
-		if err == nil {
+		path := fmt.Sprintf("%s/%s", p, "cloudflared")
-			appURL = u
+		if isFileThere(path) {
-			cmdArgs[i] = appURL.String()
+			return path
 		}
 	}
-
+	return "cloudflared"
-	if appURL == nil {
+}
-		logger.Error("Please provide a valid URL.")
+
-		return cmdArgs, appURL, allowRequest, errors.New("invalid url")
+// isFileThere will check for the presence of candidate path
-	}
+func isFileThere(candidate string) bool {
-
+	fi, err := os.Stat(candidate)
-	if allowRequest {
+	if err != nil || fi.IsDir() || !fi.Mode().IsRegular() {
-		// remove from cmdArgs
+		return false
-		cmdArgs[iAllowRequest] = cmdArgs[len(cmdArgs)-1]
+	}
-		cmdArgs = cmdArgs[:len(cmdArgs)-1]
+	return true
-	}
+}
-
+
-	return cmdArgs, appURL, allowRequest, nil
+// verifyTokenAtEdge checks for a token on disk, or generates a new one.
 // Then makes a request to to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
 	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
 		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
 		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
 	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
 	} else if valid {
 		return nil
 	}
 	if err := token.RemoveTokenIfExists(appInfo); err != nil {
 		return err
 	}
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
 	} else if !valid {
 		return errors.New("failed to verify token")
 	}
 	return nil
 }
 // isTokenValid makes a request to the origin and returns true if the response was not a 302.
 func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, error) {
 	req, err := carrier.BuildAccessRequest(options, log)
 	if err != nil {
 		return false, errors.Wrap(err, "Could not create access request")
 	}
 	req.Header.Set("User-Agent", userAgent)
 	query := req.URL.Query()
 	query.Set("cloudflared_token_check", "true")
 	req.URL.RawQuery = query.Encode()
 	// Do not follow redirects
 	client := &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 		Timeout: time.Second * 5,
 	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return false, err
 	}
 	defer resp.Body.Close()
 	// A redirect to login means the token was invalid.
 	return !carrier.IsAccessResponse(resp), nil
 }
--- a/cmd/cloudflared/access/validation.go
+++ b/cmd/cloudflared/access/validation.go
@ -0,0 +1,55 @@
 package access
 import (
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"golang.org/x/net/http/httpguts"
 )
 // parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
 // a http.Header object.
 func parseRequestHeaders(values []string) http.Header {
 	headers := make(http.Header)
 	for _, valuePair := range values {
 		header, value, found := strings.Cut(valuePair, ":")
 		if found {
 			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
 		}
 	}
 	return headers
 }
 // parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
 // certain expectations from the URL.
 // Will convert all HTTP URLs to HTTPS
 func parseURL(input string) (*url.URL, error) {
 	if input == "" {
 		return nil, errors.New("no input provided")
 	}
 	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
 		input = fmt.Sprintf("https://%s", input)
 	}
 	url, err := url.ParseRequestURI(input)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse as URL: %w", err)
 	}
 	if url.Scheme != "https" {
 		url.Scheme = "https"
 	}
 	if url.Host == "" {
 		return nil, errors.New("failed to parse Host")
 	}
 	host, err := httpguts.PunycodeHostPort(url.Host)
 	if err != nil || host == "" {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("invalid Host provided")
 	}
 	url.Host = host
 	return url, nil
 }
--- a/cmd/cloudflared/access/validation_test.go
+++ b/cmd/cloudflared/access/validation_test.go
@ -0,0 +1,80 @@
 package access
 import (
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestParseRequestHeaders(t *testing.T) {
 	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
 	assert.Len(t, values, 3)
 	assert.Equal(t, "value", values.Get("client"))
 	assert.Equal(t, "safe-value", values.Get("secret"))
 	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
 }
 func TestParseURL(t *testing.T) {
 	schemes := []string{
 		"http://",
 		"https://",
 		"",
 	}
 	hosts := []struct {
 		input    string
 		expected string
 	}{
 		{"localhost", "localhost"},
 		{"127.0.0.1", "127.0.0.1"},
 		{"127.0.0.1:9090", "127.0.0.1:9090"},
 		{"::1", "::1"},
 		{"::1:8080", "::1:8080"},
 		{"[::1]", "[::1]"},
 		{"[::1]:8080", "[::1]:8080"},
 		{":8080", ":8080"},
 		{"example.com", "example.com"},
 		{"hello.example.com", "hello.example.com"},
 		{"bücher.example.com", "xn--bcher-kva.example.com"},
 	}
 	paths := []string{
 		"",
 		"/test",
 		"/example.com?qwe=123",
 	}
 	for i, scheme := range schemes {
 		for j, host := range hosts {
 			for k, path := range paths {
 				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
 					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
 					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
 					url, err := parseURL(input)
 					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
 					assert.Equal(t, expected, url.String())
 					assert.Equal(t, host.expected, url.Host)
 					assert.Equal(t, "https", url.Scheme)
 				})
 			}
 		}
 	}
 	t.Run("no input", func(t *testing.T) {
 		_, err := parseURL("")
 		assert.ErrorContains(t, err, "no input provided")
 	})
 	t.Run("missing host", func(t *testing.T) {
 		_, err := parseURL("https:///host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid path only", func(t *testing.T) {
 		_, err := parseURL("/host")
 		assert.ErrorContains(t, err, "failed to parse Host")
 	})
 	t.Run("invalid parse URL", func(t *testing.T) {
 		_, err := parseURL("https://host\\host")
 		assert.ErrorContains(t, err, "failed to parse as URL")
 	})
 }
--- a/cmd/cloudflared/app_forward_service.go
+++ b/cmd/cloudflared/app_forward_service.go
@ -0,0 +1,51 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/config"
 )
 // ForwardServiceType is used to identify what kind of overwatch service this is
 const ForwardServiceType = "forward"
 // ForwarderService is used to wrap the access package websocket forwarders
 // into a service model for the overwatch package.
 // it also holds a reference to the config object that represents its state
 type ForwarderService struct {
 	forwarder config.Forwarder
 	shutdown  chan struct{}
 	log       *zerolog.Logger
 }
 // NewForwardService creates a new forwarder service
 func NewForwardService(f config.Forwarder, log *zerolog.Logger) *ForwarderService {
 	return &ForwarderService{forwarder: f, shutdown: make(chan struct{}, 1), log: log}
 }
 // Name is used to figure out this service is related to the others (normally the addr it binds to)
 // e.g. localhost:78641 or 127.0.0.1:2222 since this is a websocket forwarder
 func (s *ForwarderService) Name() string {
 	return s.forwarder.Listener
 }
 // Type is used to identify what kind of overwatch service this is
 func (s *ForwarderService) Type() string {
 	return ForwardServiceType
 }
 // Hash is used to figure out if this forwarder is the unchanged or not from the config file updates
 func (s *ForwarderService) Hash() string {
 	return s.forwarder.Hash()
 }
 // Shutdown stops the websocket listener
 func (s *ForwarderService) Shutdown() {
 	s.shutdown <- struct{}{}
 }
 // Run is the run loop that is started by the overwatch service
 func (s *ForwarderService) Run() error {
 	return access.StartForwarder(s.forwarder, s.shutdown, s.log)
 }
--- a/cmd/cloudflared/app_resolver_service.go
+++ b/cmd/cloudflared/app_resolver_service.go
@ -0,0 +1,87 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
 const (
 	// ResolverServiceType is used to identify what kind of overwatch service this is
 	ResolverServiceType = "resolver"
 	LogFieldResolverAddress          = "resolverAddress"
 	LogFieldResolverPort             = "resolverPort"
 	LogFieldResolverMaxUpstreamConns = "resolverMaxUpstreamConns"
 )
 // ResolverService is used to wrap the tunneldns package's DNS over HTTP
 // into a service model for the overwatch package.
 // it also holds a reference to the config object that represents its state
 type ResolverService struct {
 	resolver config.DNSResolver
 	shutdown chan struct{}
 	log      *zerolog.Logger
 }
 // NewResolverService creates a new resolver service
 func NewResolverService(r config.DNSResolver, log *zerolog.Logger) *ResolverService {
 	return &ResolverService{resolver: r,
 		shutdown: make(chan struct{}),
 		log:      log,
 	}
 }
 // Name is used to figure out this service is related to the others (normally the addr it binds to)
 // this is just "resolver" since there can only be one DNS resolver running
 func (s *ResolverService) Name() string {
 	return ResolverServiceType
 }
 // Type is used to identify what kind of overwatch service this is
 func (s *ResolverService) Type() string {
 	return ResolverServiceType
 }
 // Hash is used to figure out if this forwarder is the unchanged or not from the config file updates
 func (s *ResolverService) Hash() string {
 	return s.resolver.Hash()
 }
 // Shutdown stops the tunneldns listener
 func (s *ResolverService) Shutdown() {
 	s.shutdown <- struct{}{}
 }
 // Run is the run loop that is started by the overwatch service
 func (s *ResolverService) Run() error {
 	// create a listener
 	l, err := tunneldns.CreateListener(s.resolver.AddressOrDefault(), s.resolver.PortOrDefault(),
 		s.resolver.UpstreamsOrDefault(), s.resolver.BootstrapsOrDefault(), s.resolver.MaxUpstreamConnectionsOrDefault(), s.log)
 	if err != nil {
 		return err
 	}
 	// start the listener.
 	readySignal := make(chan struct{})
 	err = l.Start(readySignal)
 	if err != nil {
 		_ = l.Stop()
 		return err
 	}
 	<-readySignal
 	resolverLog := s.log.With().
 		Str(LogFieldResolverAddress, s.resolver.AddressOrDefault()).
 		Uint16(LogFieldResolverPort, s.resolver.PortOrDefault()).
 		Int(LogFieldResolverMaxUpstreamConns, s.resolver.MaxUpstreamConnectionsOrDefault()).
 		Logger()
 	resolverLog.Info().Msg("Starting resolver")
 	// wait for shutdown signal
 	<-s.shutdown
 	resolverLog.Info().Msg("Shutting down resolver")
 	return l.Stop()
 }
--- a/cmd/cloudflared/app_service.go
+++ b/cmd/cloudflared/app_service.go
@ -0,0 +1,92 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/overwatch"
 )
 // AppService is the main service that runs when no command lines flags are passed to cloudflared
 // it manages all the running services such as tunnels, forwarders, DNS resolver, etc
 type AppService struct {
 	configManager    config.Manager
 	serviceManager   overwatch.Manager
 	shutdownC        chan struct{}
 	configUpdateChan chan config.Root
 	log              *zerolog.Logger
 }
 // NewAppService creates a new AppService with needed supporting services
 func NewAppService(configManager config.Manager, serviceManager overwatch.Manager, shutdownC chan struct{}, log *zerolog.Logger) *AppService {
 	return &AppService{
 		configManager:    configManager,
 		serviceManager:   serviceManager,
 		shutdownC:        shutdownC,
 		configUpdateChan: make(chan config.Root),
 		log:              log,
 	}
 }
 // Run starts the run loop to handle config updates and run forwarders, tunnels, etc
 func (s *AppService) Run() error {
 	go s.actionLoop()
 	return s.configManager.Start(s)
 }
 // Shutdown kills all the running services
 func (s *AppService) Shutdown() error {
 	s.configManager.Shutdown()
 	s.shutdownC <- struct{}{}
 	return nil
 }
 // ConfigDidUpdate is a delegate notification from the config manager
 // it is trigger when the config file has been updated and now the service needs
 // to update its services accordingly
 func (s *AppService) ConfigDidUpdate(c config.Root) {
 	s.configUpdateChan <- c
 }
 // actionLoop handles the actions from running processes
 func (s *AppService) actionLoop() {
 	for {
 		select {
 		case c := <-s.configUpdateChan:
 			s.handleConfigUpdate(c)
 		case <-s.shutdownC:
 			for _, service := range s.serviceManager.Services() {
 				service.Shutdown()
 			}
 			return
 		}
 	}
 }
 func (s *AppService) handleConfigUpdate(c config.Root) {
 	// handle the client forward listeners
 	activeServices := map[string]struct{}{}
 	for _, f := range c.Forwarders {
 		service := NewForwardService(f, s.log)
 		s.serviceManager.Add(service)
 		activeServices[service.Name()] = struct{}{}
 	}
 	// handle resolver changes
 	if c.Resolver.Enabled {
 		service := NewResolverService(c.Resolver, s.log)
 		s.serviceManager.Add(service)
 		activeServices[service.Name()] = struct{}{}
 	}
 	// TODO: TUN-1451 - tunnels
 	// remove any services that are no longer active
 	for _, service := range s.serviceManager.Services() {
 		if _, ok := activeServices[service.Name()]; !ok {
 			s.serviceManager.Remove(service.Name())
 		}
 	}
 }
--- a/cmd/cloudflared/cliutil/build_info.go
+++ b/cmd/cloudflared/cliutil/build_info.go
@ -0,0 +1,83 @@
 package cliutil
 import (
 	"crypto/sha256"
 	"fmt"
 	"io"
 	"os"
 	"runtime"
 	"github.com/rs/zerolog"
 )
 type BuildInfo struct {
 	GoOS               string `json:"go_os"`
 	GoVersion          string `json:"go_version"`
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
 	Checksum           string `json:"checksum"`
 }
 func GetBuildInfo(buildType, version string) *BuildInfo {
 	return &BuildInfo{
 		GoOS:               runtime.GOOS,
 		GoVersion:          runtime.Version(),
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
 		Checksum:           currentBinaryChecksum(),
 	}
 }
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
 	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
 	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
 }
 func (bi *BuildInfo) OSArch() string {
 	return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
 }
 func (bi *BuildInfo) Version() string {
 	return bi.CloudflaredVersion
 }
 func (bi *BuildInfo) GetBuildTypeMsg() string {
 	if bi.BuildType == "" {
 		return ""
 	}
 	return fmt.Sprintf(" with %s", bi.BuildType)
 }
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
 // FileChecksum opens a file and returns the SHA256 checksum.
 func FileChecksum(filePath string) (string, error) {
 	f, err := os.Open(filePath)
 	if err != nil {
 		return "", err
 	}
 	defer f.Close()
 	h := sha256.New()
 	if _, err := io.Copy(h, f); err != nil {
 		return "", err
 	}
 	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 func currentBinaryChecksum() string {
 	currentPath, err := os.Executable()
 	if err != nil {
 		return ""
 	}
 	sum, _ := FileChecksum(currentPath)
 	return sum
 }
--- a/cmd/cloudflared/cliutil/deprecated.go
+++ b/cmd/cloudflared/cliutil/deprecated.go
@ -0,0 +1,21 @@
 package cliutil
 import (
 	"fmt"
 	"github.com/urfave/cli/v2"
 )
 func RemovedCommand(name string) *cli.Command {
 	return &cli.Command{
 		Name: name,
 		Action: func(context *cli.Context) error {
 			return cli.Exit(
 				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.", name),
 				-1,
 			)
 		},
 		Description: fmt.Sprintf("%s is deprecated", name),
 		Hidden:      true,
 	}
 }
--- a/cmd/cloudflared/cliutil/errors.go
+++ b/cmd/cloudflared/cliutil/errors.go
@ -0,0 +1,38 @@
 package cliutil
 import (
 	"fmt"
 	"github.com/urfave/cli/v2"
 )
 type usageError string
 func (ue usageError) Error() string {
 	return string(ue)
 }
 func UsageError(format string, args ...interface{}) error {
 	if len(args) == 0 {
 		return usageError(format)
 	} else {
 		msg := fmt.Sprintf(format, args...)
 		return usageError(msg)
 	}
 }
 // Ensures exit with error code if actionFunc returns an error
 func WithErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
 	return func(ctx *cli.Context) error {
 		err := actionFunc(ctx)
 		if err != nil {
 			if _, ok := err.(usageError); ok {
 				msg := fmt.Sprintf("%s\nSee 'cloudflared %s --help'.", err.Error(), ctx.Command.FullName())
 				err = cli.Exit(msg, -1)
 			} else if _, ok := err.(cli.ExitCoder); !ok {
 				err = cli.Exit(err.Error(), 1)
 			}
 		}
 		return err
 	}
 }
--- a/cmd/cloudflared/cliutil/handler.go
+++ b/cmd/cloudflared/cliutil/handler.go
@ -0,0 +1,50 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 func Action(actionFunc cli.ActionFunc) cli.ActionFunc {
 	return WithErrorHandler(actionFunc)
 }
 func ConfiguredAction(actionFunc cli.ActionFunc) cli.ActionFunc {
 	// Adapt actionFunc to the type signature required by ConfiguredActionWithWarnings
 	f := func(context *cli.Context, _ string) error {
 		return actionFunc(context)
 	}
 	return ConfiguredActionWithWarnings(f)
 }
 // Just like ConfiguredAction, but accepts a second parameter with configuration warnings.
 func ConfiguredActionWithWarnings(actionFunc func(*cli.Context, string) error) cli.ActionFunc {
 	return WithErrorHandler(func(c *cli.Context) error {
 		warnings, err := setFlagsFromConfigFile(c)
 		if err != nil {
 			return err
 		}
 		return actionFunc(c, warnings)
 	})
 }
 func setFlagsFromConfigFile(c *cli.Context) (configWarnings string, err error) {
 	const errorExitCode = 1
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	inputSource, warnings, err := config.ReadConfigFile(c, log)
 	if err != nil {
 		if err == config.ErrNoConfigFile {
 			return "", nil
 		}
 		return "", cli.Exit(err, errorExitCode)
 	}
 	if err := altsrc.ApplyInputSource(c, inputSource); err != nil {
 		return "", cli.Exit(err, errorExitCode)
 	}
 	return warnings, nil
 }
--- a/cmd/cloudflared/cliutil/logger.go
+++ b/cmd/cloudflared/cliutil/logger.go
@ -0,0 +1,51 @@
 package cliutil
 import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"github.com/cloudflare/cloudflared/logger"
 )
 var (
 	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
 		"This can expose sensitive information in your logs."
 )
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogLevelFlag,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogTransportLevelFlag,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
 			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogFileFlag,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    logger.LogDirectoryFlag,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
 			Name:    "trace-output",
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,
 		}),
 	}
 }
--- a/cmd/cloudflared/common_service.go
+++ b/cmd/cloudflared/common_service.go
@ -0,0 +1,30 @@
 package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 )
 func buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	token := c.Args().First()
 	if _, err := tunnel.ParseToken(token); err != nil {
 		return nil, cliutil.UsageError("Provided tunnel token is not valid (%s).", err)
 	}
 	return []string{
 		"tunnel", "run", "--token", token,
 	}, nil
 }
 func getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	if c.NArg() > 0 {
 		// currently, we only support extra args for token
 		return buildArgsForToken(c, log)
 	} else {
 		// empty extra args
 		return make([]string, 0), nil
 	}
 }
--- a/cmd/cloudflared/config/configuration.go
+++ b/cmd/cloudflared/config/configuration.go
@ -1,77 +0,0 @@
 package config
 import (
 	"errors"
 	"os"
 	"path/filepath"
 	"github.com/cloudflare/cloudflared/validation"
 	homedir "github.com/mitchellh/go-homedir"
 	"gopkg.in/urfave/cli.v2"
 	"gopkg.in/urfave/cli.v2/altsrc"
 )
 var (
 	// File names from which we attempt to read configuration.
 	DefaultConfigFiles = []string{"config.yml", "config.yaml"}
 	// Launchd doesn't set root env variables, so there is default
 	// Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible
 	DefaultConfigDirs = []string{"~/.cloudflared", "~/.cloudflare-warp", "~/cloudflare-warp", "/usr/local/etc/cloudflared", "/etc/cloudflared"}
 )
 const DefaultCredentialFile = "cert.pem"
 // FileExists checks to see if a file exist at the provided path.
 func FileExists(path string) (bool, error) {
 	f, err := os.Open(path)
 	if err != nil {
 		if os.IsNotExist(err) {
 			// ignore missing files
 			return false, nil
 		}
 		return false, err
 	}
 	f.Close()
 	return true, nil
 }
 // FindInputSourceContext pulls the input source from the config flag.
 func FindInputSourceContext(context *cli.Context) (altsrc.InputSourceContext, error) {
 	if context.String("config") != "" {
 		return altsrc.NewYamlSourceFromFile(context.String("config"))
 	}
 	return nil, nil
 }
 // FindDefaultConfigPath returns the first path that contains a config file.
 // If none of the combination of DefaultConfigDirs and DefaultConfigFiles
 // contains a config file, return empty string.
 func FindDefaultConfigPath() string {
 	for _, configDir := range DefaultConfigDirs {
 		for _, configFile := range DefaultConfigFiles {
 			dirPath, err := homedir.Expand(configDir)
 			if err != nil {
 				continue
 			}
 			path := filepath.Join(dirPath, configFile)
 			if ok, _ := FileExists(path); ok {
 				return path
 			}
 		}
 	}
 	return ""
 }
 // ValidateUrl will validate url flag correctness. It can be either from --url or argument
 func ValidateUrl(c *cli.Context) (string, error) {
 	var url = c.String("url")
 	if c.NArg() > 0 {
 		if c.IsSet("url") {
 			return "", errors.New("Specified origin urls using both --url and argument. Decide which one you want, I can only support one.")
 		}
 		url = c.Args().Get(0)
 	}
 	validUrl, err := validation.ValidateUrl(url)
 	return validUrl, err
 }
--- a/cmd/cloudflared/generic_service.go
+++ b/cmd/cloudflared/generic_service.go
@ -1,13 +1,13 @@
-// +build !windows,!darwin,!linux
+//go:build !windows && !darwin && !linux
 package main
 import (
 	"os"
-	cli "gopkg.in/urfave/cli.v2"
+	cli "github.com/urfave/cli/v2"
 )
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Run(os.Args)
 }
--- a/cmd/cloudflared/linux_service.go
+++ b/cmd/cloudflared/linux_service.go
@ -1,30 +1,37 @@
-// +build linux
+//go:build linux
 package main
 import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/rs/zerolog"
-	cli "gopkg.in/urfave/cli.v2"
+	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the Argo Tunnel system service",
+		Usage: "Manages the cloudflared system service",
 		Subcommands: []*cli.Command{
-			&cli.Command{
+			{
 				Name:   "install",
-				Usage:  "Install Argo Tunnel as a system service",
+				Usage:  "Install cloudflared as a system service",
-				Action: installLinuxService,
+				Action: cliutil.ConfiguredAction(installLinuxService),
 				Flags: []cli.Flag{
 					noUpdateServiceFlag,
 				},
 			},
-			&cli.Command{
+			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the Argo Tunnel service",
+				Usage:  "Uninstall the cloudflared service",
-				Action: uninstallLinuxService,
+				Action: cliutil.ConfiguredAction(uninstallLinuxService),
 			},
 		},
 	})
@ -34,22 +41,27 @@ func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
 // The directory and files that are used by the service.
 // These are hard-coded in the templates below.
 const (
-	serviceConfigDir      = "/etc/cloudflared"
+	serviceConfigDir         = "/etc/cloudflared"
-	serviceConfigFile     = "config.yml"
+	serviceConfigFile        = "config.yml"
-	serviceCredentialFile = "cert.pem"
+	serviceCredentialFile    = "cert.pem"
 	serviceConfigPath        = serviceConfigDir + "/" + serviceConfigFile
 	cloudflaredService       = "cloudflared.service"
 	cloudflaredUpdateService = "cloudflared-update.service"
 	cloudflaredUpdateTimer   = "cloudflared-update.timer"
 )
-var systemdTemplates = []ServiceTemplate{
+var systemdAllTemplates = map[string]ServiceTemplate{
-	{
+	cloudflaredService: {
-		Path: "/etc/systemd/system/cloudflared.service",
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
 		Content: `[Unit]
-Description=Argo Tunnel
+Description=cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
 TimeoutStartSec=0
 Type=notify
-ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
+ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
 RestartSec=5s
@ -57,23 +69,24 @@ RestartSec=5s
 WantedBy=multi-user.target
 `,
 	},
-	{
+	cloudflaredUpdateService: {
-		Path: "/etc/systemd/system/cloudflared-update.service",
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
 		Content: `[Unit]
-Description=Update Argo Tunnel
+Description=Update cloudflared
-After=network.target
+After=network-online.target
 Wants=network-online.target
 [Service]
-ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 64 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
+ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
 `,
 	},
-	{
+	cloudflaredUpdateTimer: {
-		Path: "/etc/systemd/system/cloudflared-update.timer",
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateTimer),
 		Content: `[Unit]
-Description=Update Argo Tunnel
+Description=Update cloudflared
 [Timer]
-OnUnitActiveSec=1d
+OnCalendar=daily
 [Install]
 WantedBy=timers.target
@ -84,9 +97,10 @@ WantedBy=timers.target
 var sysvTemplate = ServiceTemplate{
 	Path:     "/etc/init.d/cloudflared",
 	FileMode: 0755,
-	Content: `# For RedHat and cousins:
+	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
-# description: Argo Tunnel agent
+# description: cloudflared
 # processname: {{.Path}}
 ### BEGIN INIT INFO
 # Provides:          {{.Path}}
@ -94,11 +108,11 @@ var sysvTemplate = ServiceTemplate{
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: Argo Tunnel
+# Short-Description: cloudflared
-# Description:       Argo Tunnel agent
+# Description:       cloudflared agent
 ### END INIT INFO
 name=$(basename $(readlink -f $0))
-cmd="{{.Path}} --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --pidfile /var/run/$name.pid --autoupdate-freq 24h0m0s"
+cmd="{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}"
 pid_file="/var/run/$name.pid"
 stdout_log="/var/log/$name.log"
 stderr_log="/var/log/$name.err"
@ -117,10 +131,6 @@ case "$1" in
            echo "Starting $name"
            $cmd >> "$stdout_log" 2>> "$stderr_log" &
            echo $! > "$pid_file"
            if ! is_running; then
                echo "Unable to start, see $stdout_log and $stderr_log"
                exit 1
            fi
        fi
    ;;
    stop)
@ -174,6 +184,14 @@ exit 0
 `,
 }
 var (
 	noUpdateServiceFlag = &cli.BoolFlag{
 		Name:  "no-update-service",
 		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
 		Value: false,
 	}
 )
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
 		return true
@ -181,77 +199,140 @@ func isSystemd() bool {
 	return false
 }
 func copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile string) error {
 	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
 		return err
 	}
 	srcCredentialPath := filepath.Join(userConfigDir, userCredentialFile)
 	destCredentialPath := filepath.Join(serviceConfigDir, serviceCredentialFile)
 	if err := copyCredential(srcCredentialPath, destCredentialPath); err != nil {
 		return err
 	}
 	srcConfigPath := filepath.Join(userConfigDir, userConfigFile)
 	destConfigPath := filepath.Join(serviceConfigDir, serviceConfigFile)
 	if err := copyConfig(srcConfigPath, destConfigPath); err != nil {
 		return err
 	}
 	return nil
 }
 func installLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	etPath, err := os.Executable()
 	if err != nil {
 		return fmt.Errorf("error determining executable path: %v", err)
 	}
-	templateArgs := ServiceTemplateArgs{Path: etPath}
+	templateArgs := ServiceTemplateArgs{
 		Path: etPath,
 	}
-	userConfigDir := filepath.Dir(c.String("config"))
+	// Check if the "no update flag" is set
-	userConfigFile := filepath.Base(c.String("config"))
+	autoUpdate := !c.IsSet(noUpdateServiceFlag.Name)
-	userCredentialFile := config.DefaultCredentialFile
+
-	if err = copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile); err != nil {
+	var extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)
-		logger.WithError(err).Infof("Failed to copy user configuration. Before running the service, ensure that %s contains two files, %s and %s",
+	if c.NArg() == 0 {
-			serviceConfigDir, serviceCredentialFile, serviceConfigFile)
+		extraArgsFunc = buildArgsForConfig
 	} else {
 		extraArgsFunc = buildArgsForToken
 	}
 	extraArgs, err := extraArgsFunc(c, log)
 	if err != nil {
 		return err
 	}
 	templateArgs.ExtraArgs = extraArgs
 	switch {
 	case isSystemd():
-		logger.Infof("Using Systemd")
+		log.Info().Msgf("Using Systemd")
-		return installSystemd(&templateArgs)
+		err = installSystemd(&templateArgs, autoUpdate, log)
 	default:
-		logger.Infof("Using Sysv")
+		log.Info().Msgf("Using SysV")
-		return installSysv(&templateArgs)
+		err = installSysv(&templateArgs, autoUpdate, log)
 	}
 	if err == nil {
 		log.Info().Msg("Linux service for cloudflared installed successfully")
 	}
 	return err
 }
-func installSystemd(templateArgs *ServiceTemplateArgs) error {
+func buildArgsForConfig(c *cli.Context, log *zerolog.Logger) ([]string, error) {
 	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
 		return nil, err
 	}
 	src, _, err := config.ReadConfigFile(c, log)
 	if err != nil {
 		return nil, err
 	}
 	// can't use context because this command doesn't define "credentials-file" flag
 	configPresent := func(s string) bool {
 		val, err := src.String(s)
 		return err == nil && val != ""
 	}
 	if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
 		return nil, fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
 tunnel: TUNNEL-UUID
 credentials-file: CREDENTIALS-FILE
 `, src.Source())
 	}
 	if src.Source() != serviceConfigPath {
 		if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
 			return nil, fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
 		}
 		if err := copyFile(src.Source(), serviceConfigPath); err != nil {
 			return nil, fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
 		}
 	}
 	return []string{
 		"--config", "/etc/cloudflared/config.yml", "tunnel", "run",
 	}, nil
 }
 func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	var systemdTemplates []ServiceTemplate
 	if autoUpdate {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 			systemdAllTemplates[cloudflaredUpdateService],
 			systemdAllTemplates[cloudflaredUpdateTimer],
 		}
 	} else {
 		systemdTemplates = []ServiceTemplate{
 			systemdAllTemplates[cloudflaredService],
 		}
 	}
 	for _, serviceTemplate := range systemdTemplates {
 		err := serviceTemplate.Generate(templateArgs)
 		if err != nil {
-			logger.WithError(err).Infof("error generating service template")
+			log.Err(err).Msg("error generating service template")
 			return err
 		}
 	}
-	if err := runCommand("systemctl", "enable", "cloudflared.service"); err != nil {
+	if err := runCommand("systemctl", "enable", cloudflaredService); err != nil {
-		logger.WithError(err).Infof("systemctl enable cloudflared.service error")
+		log.Err(err).Msgf("systemctl enable %s error", cloudflaredService)
 		return err
 	}
-	if err := runCommand("systemctl", "start", "cloudflared-update.timer"); err != nil {
+
-		logger.WithError(err).Infof("systemctl start cloudflared-update.timer error")
+	if autoUpdate {
 		if err := runCommand("systemctl", "start", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl start %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
 	if err := runCommand("systemctl", "daemon-reload"); err != nil {
 		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
 	}
-	logger.Infof("systemctl daemon-reload")
+	return runCommand("systemctl", "start", cloudflaredService)
 	return runCommand("systemctl", "daemon-reload")
 }
-func installSysv(templateArgs *ServiceTemplateArgs) error {
+func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	confPath, err := sysvTemplate.ResolvePath()
 	if err != nil {
-		logger.WithError(err).Infof("error resolving system path")
+		log.Err(err).Msg("error resolving system path")
 		return err
 	}
 	if autoUpdate {
 		templateArgs.ExtraArgs = append([]string{"--autoupdate-freq 24h0m0s"}, templateArgs.ExtraArgs...)
 	} else {
 		templateArgs.ExtraArgs = append([]string{"--no-autoupdate"}, templateArgs.ExtraArgs...)
 	}
 	if err := sysvTemplate.Generate(templateArgs); err != nil {
-		logger.WithError(err).Infof("error generating system template")
+		log.Err(err).Msg("error generating system template")
 		return err
 	}
 	for _, i := range [...]string{"2", "3", "4", "5"} {
@ -264,42 +345,77 @@ func installSysv(templateArgs *ServiceTemplateArgs) error {
 			continue
 		}
 	}
-	return nil
+	return runCommand("service", "cloudflared", "start")
 }
 func uninstallLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	var err error
 	switch {
 	case isSystemd():
-		logger.Infof("Using Systemd")
+		log.Info().Msg("Using Systemd")
-		return uninstallSystemd()
+		err = uninstallSystemd(log)
 	default:
-		logger.Infof("Using Sysv")
+		log.Info().Msg("Using SysV")
-		return uninstallSysv()
+		err = uninstallSysv(log)
 	}
 	if err == nil {
 		log.Info().Msg("Linux service for cloudflared uninstalled successfully")
 	}
 	return err
 }
-func uninstallSystemd() error {
+func uninstallSystemd(log *zerolog.Logger) error {
-	if err := runCommand("systemctl", "disable", "cloudflared.service"); err != nil {
+	// Get only the installed services
-		logger.WithError(err).Infof("systemctl disable cloudflared.service error")
+	installedServices := make(map[string]ServiceTemplate)
-		return err
+	for serviceName, serviceTemplate := range systemdAllTemplates {
 		if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
 			installedServices[serviceName] = serviceTemplate
 		} else {
 			log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
 		}
 	}
-	if err := runCommand("systemctl", "stop", "cloudflared-update.timer"); err != nil {
+
-		logger.WithError(err).Infof("systemctl stop cloudflared-update.timer error")
+	if _, exists := installedServices[cloudflaredService]; exists {
-		return err
+		if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
-	}
+			log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
-	for _, serviceTemplate := range systemdTemplates {
+			return err
-		if err := serviceTemplate.Remove(); err != nil {
+		}
-			logger.WithError(err).Infof("error removing service template")
+		if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
 			return err
 		}
 	}
-	logger.Infof("Successfully uninstall cloudflared service")
+
 	if _, exists := installedServices[cloudflaredUpdateTimer]; exists {
 		if err := runCommand("systemctl", "stop", cloudflaredUpdateTimer); err != nil {
 			log.Err(err).Msgf("systemctl stop %s error", cloudflaredUpdateTimer)
 			return err
 		}
 	}
 	for _, serviceTemplate := range installedServices {
 		if err := serviceTemplate.Remove(); err != nil {
 			log.Err(err).Msg("error removing service template")
 			return err
 		}
 	}
 	if err := runCommand("systemctl", "daemon-reload"); err != nil {
 		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
 	}
 	return nil
 }
-func uninstallSysv() error {
+func uninstallSysv(log *zerolog.Logger) error {
 	if err := runCommand("service", "cloudflared", "stop"); err != nil {
 		log.Err(err).Msg("service cloudflared stop error")
 		return err
 	}
 	if err := sysvTemplate.Remove(); err != nil {
-		logger.WithError(err).Infof("error removing service template")
+		log.Err(err).Msg("error removing service template")
 		return err
 	}
 	for _, i := range [...]string{"2", "3", "4", "5"} {
@ -312,6 +428,5 @@ func uninstallSysv() error {
 			continue
 		}
 	}
 	logger.Infof("Successfully uninstall cloudflared service")
 	return nil
 }
--- a/cmd/cloudflared/macos_service.go
+++ b/cmd/cloudflared/macos_service.go
@ -1,4 +1,4 @@
-// +build darwin
+//go:build darwin
 package main
@ -6,33 +6,35 @@ import (
 	"fmt"
 	"os"
 	"gopkg.in/urfave/cli.v2"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/logger"
 )
 const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the Argo Tunnel launch agent",
+		Usage: "Manages the cloudflared launch agent",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
-				Usage:  "Install Argo Tunnel as an user launch agent",
+				Usage:  "Install cloudflared as an user launch agent",
-				Action: installLaunchd,
+				Action: cliutil.ConfiguredAction(installLaunchd),
 			},
 			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the Argo Tunnel launch agent",
+				Usage:  "Uninstall the cloudflared launch agent",
-				Action: uninstallLaunchd,
+				Action: cliutil.ConfiguredAction(uninstallLaunchd),
 			},
 		},
 	})
-	app.Run(os.Args)
+	_ = app.Run(os.Args)
 }
 func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemplate {
@ -47,6 +49,9 @@ func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemp
 		<key>ProgramArguments</key>
 		<array>
 			<string>{{ .Path }}</string>
 			{{- range $i, $item := .ExtraArgs}}
 			<string>{{ $item }}</string>
 			{{- end}}
 		</array>
 		<key>RunAtLoad</key>
 		<true/>
@ -60,7 +65,7 @@ func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemp
 			<false/>
 		</dict>
 		<key>ThrottleInterval</key>
-		<integer>20</integer>
+		<integer>5</integer>
 	</dict>
 </plist>`, launchdIdentifier, stdoutPath, stderrPath),
 	}
@ -105,58 +110,72 @@ func stderrPath() (string, error) {
 }
 func installLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	if isRootUser() {
-		logger.Infof("Installing Argo Tunnel client as a system launch daemon. " +
+		log.Info().Msg("Installing cloudflared client as a system launch daemon. " +
-			"Argo Tunnel client will run at boot")
+			"cloudflared client will run at boot")
 	} else {
-		logger.Infof("Installing Argo Tunnel client as an user launch agent. " +
+		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
-			"Note that Argo Tunnel client will only run when the user is logged in. " +
+			"Note that cloudflared client will only run when the user is logged in. " +
-			"If you want to run Argo Tunnel client at boot, install with root permission. " +
+			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/argo-tunnel/reference/service/")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
-		logger.WithError(err).Errorf("Error determining executable path")
+		log.Err(err).Msg("Error determining executable path")
 		return fmt.Errorf("Error determining executable path: %v", err)
 	}
 	installPath, err := installPath()
 	if err != nil {
 		log.Err(err).Msg("Error determining install path")
 		return errors.Wrap(err, "Error determining install path")
 	}
 	extraArgs, err := getServiceExtraArgsFromCliArgs(c, log)
 	if err != nil {
 		errMsg := "Unable to determine extra arguments for launch daemon"
 		log.Err(err).Msg(errMsg)
 		return errors.Wrap(err, errMsg)
 	}
 	stdoutPath, err := stdoutPath()
 	if err != nil {
 		log.Err(err).Msg("error determining stdout path")
 		return errors.Wrap(err, "error determining stdout path")
 	}
 	stderrPath, err := stderrPath()
 	if err != nil {
 		log.Err(err).Msg("error determining stderr path")
 		return errors.Wrap(err, "error determining stderr path")
 	}
 	launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
-	if err != nil {
+	templateArgs := ServiceTemplateArgs{Path: etPath, ExtraArgs: extraArgs}
 		logger.WithError(err).Errorf("error creating launchd template")
 		return errors.Wrap(err, "error creating launchd template")
 	}
 	templateArgs := ServiceTemplateArgs{Path: etPath}
 	err = launchdTemplate.Generate(&templateArgs)
 	if err != nil {
-		logger.WithError(err).Errorf("error generating launchd template")
+		log.Err(err).Msg("error generating launchd template")
 		return err
 	}
 	plistPath, err := launchdTemplate.ResolvePath()
 	if err != nil {
-		logger.WithError(err).Infof("error resolving launchd template path")
+		log.Err(err).Msg("error resolving launchd template path")
 		return err
 	}
-	logger.Infof("Outputs are logged to %s and %s", stderrPath, stdoutPath)
+	log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
-	return runCommand("launchctl", "load", plistPath)
+	err = runCommand("launchctl", "load", plistPath)
 	if err == nil {
 		log.Info().Msg("MacOS service for cloudflared installed successfully")
 	}
 	return err
 }
 func uninstallLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	if isRootUser() {
-		logger.Infof("Uninstalling Argo Tunnel as a system launch daemon")
+		log.Info().Msg("Uninstalling cloudflared as a system launch daemon")
 	} else {
-		logger.Infof("Uninstalling Argo Tunnel as an user launch agent")
+		log.Info().Msg("Uninstalling cloudflared as a user launch agent")
 	}
 	installPath, err := installPath()
 	if err != nil {
@ -171,20 +190,20 @@ func uninstallLaunchd(c *cli.Context) error {
 		return errors.Wrap(err, "error determining stderr path")
 	}
 	launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
 	if err != nil {
 		return errors.Wrap(err, "error creating launchd template")
 	}
 	plistPath, err := launchdTemplate.ResolvePath()
 	if err != nil {
-		logger.WithError(err).Infof("error resolving launchd template path")
+		log.Err(err).Msg("error resolving launchd template path")
 		return err
 	}
 	err = runCommand("launchctl", "unload", plistPath)
 	if err != nil {
-		logger.WithError(err).Infof("error unloading")
+		log.Err(err).Msg("error unloading launchd")
 		return err
 	}
-	logger.Infof("Outputs are logged to %s and %s", stderrPath, stdoutPath)
+	err = launchdTemplate.Remove()
-	return launchdTemplate.Remove()
+	if err == nil {
 		log.Info().Msg("Launchd for cloudflared was uninstalled successfully")
 	}
 	return err
 }
--- a/cmd/cloudflared/main.go
+++ b/cmd/cloudflared/main.go
@ -2,79 +2,160 @@ package main
 import (
 	"fmt"
 	"math/rand"
 	"os"
 	"strings"
 	"time"
 	"github.com/getsentry/sentry-go"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"go.uber.org/automaxprocs/maxprocs"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
-	"github.com/cloudflare/cloudflared/log"
+	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/metrics"
-
+	"github.com/cloudflare/cloudflared/overwatch"
-	"github.com/getsentry/raven-go"
+	"github.com/cloudflare/cloudflared/token"
-	"github.com/mitchellh/go-homedir"
+	"github.com/cloudflare/cloudflared/tracing"
-	"gopkg.in/urfave/cli.v2"
+	"github.com/cloudflare/cloudflared/watcher"
 	"github.com/pkg/errors"
 )
 const (
-	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
+	versionText = "Print the version"
 	licenseUrl      = developerPortal + "/licence/"
 )
 var (
 	Version   = "DEV"
 	BuildTime = "unknown"
-	logger    = log.CreateLogger()
+	BuildType = ""
 	// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.
 	ignoredErrors = []string{
 		"connection reset by peer",
 		"An existing connection was forcibly closed by the remote host.",
 		"use of closed connection",
 		"You need to enable Argo Smart Routing",
 		"3001 connection closed",
 		"3002 connection dropped",
 		"rpc exception: dial tcp",
 		"rpc exception: EOF",
 	}
 )
 func main() {
-	metrics.RegisterBuildInfo(BuildTime, Version)
+	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
-	raven.SetRelease(Version)
+	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
-	// Force shutdown channel used by the app. When closed, app must terminate.
+	rand.Seed(time.Now().UnixNano())
-	// Windows service manager closes this channel when it receives shutdown command.
+	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
-	shutdownC := make(chan struct{})
+	maxprocs.Set()
-	// Graceful shutdown channel used by the app. When closed, app must terminate.
+	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
 	// Windows service manager closes this channel when it receives stop command.
 	graceShutdownC := make(chan struct{})
 	cli.VersionFlag = &cli.BoolFlag{
 		Name:    "version",
 		Aliases: []string{"v", "V"},
 		Usage:   versionText,
 	}
 	app := &cli.App{}
 	app.Name = "cloudflared"
 	app.Usage = "Cloudflare's command-line tool and agent"
-	app.ArgsUsage = "origin-url"
+	app.UsageText = "cloudflared [global options] [command] [command options]"
-	app.Copyright = fmt.Sprintf(`(c) %d Cloudflare Inc.
+	app.Copyright = fmt.Sprintf(
-   Use is subject to the license agreement at %s`, time.Now().Year(), licenseUrl)
+		`(c) %d Cloudflare Inc.
-	app.Version = fmt.Sprintf("%s (built %s)", Version, BuildTime)
+   Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
-	app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network. 
+   the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
   Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,
 		time.Now().Year(),
 	)
 	app.Version = fmt.Sprintf("%s (built %s%s)", Version, BuildTime, bInfo.GetBuildTypeMsg())
 	app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.
 	You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
-	and configure access control.`
+	and configure access control.
 	app.Flags = flags()
 	app.Action = action(Version, shutdownC, graceShutdownC)
 	app.Before = tunnel.Before
 	app.Commands = commands()
-	tunnel.Init(Version, shutdownC, graceShutdownC) // we need this to support the tunnel sub command...
+	See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.`
-	access.Init(shutdownC, graceShutdownC)
+	app.Flags = flags()
-	runApp(app, shutdownC, graceShutdownC)
+	app.Action = action(graceShutdownC)
 	app.Commands = commands(cli.ShowVersion)
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
 	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
 	runApp(app, graceShutdownC)
 }
-func commands() []*cli.Command {
+func commands(version func(c *cli.Context)) []*cli.Command {
 	cmds := []*cli.Command{
 		{
-			Name:      "update",
+			Name:   "update",
-			Action:    updater.Update,
+			Action: cliutil.ConfiguredAction(updater.Update),
-			Usage:     "Update the agent if a new version exists",
+			Usage:  "Update the agent if a new version exists",
-			ArgsUsage: " ",
+			Flags: []cli.Flag{
 				&cli.BoolFlag{
 					Name:  "beta",
 					Usage: "specify if you wish to update to the latest beta version",
 				},
 				&cli.BoolFlag{
 					Name:   "force",
 					Usage:  "specify if you wish to force an upgrade to the latest version regardless of the current version",
 					Hidden: true,
 				},
 				&cli.BoolFlag{
 					Name:   "staging",
 					Usage:  "specify if you wish to use the staging url for updating",
 					Hidden: true,
 				},
 				&cli.StringFlag{
 					Name:   "version",
 					Usage:  "specify a version you wish to upgrade or downgrade to",
 					Hidden: false,
 				},
 			},
 			Description: `Looks for a new version on the official download server.
 If a new version exists, updates the agent binary and quits.
 Otherwise, does nothing.
-To determine if an update happened in a script, check for error code 64.`,
+To determine if an update happened in a script, check for error code 11.`,
 		},
 		{
 			Name: "version",
 			Action: func(c *cli.Context) (err error) {
 				if c.Bool("short") {
 					fmt.Println(strings.Split(c.App.Version, " ")[0])
 					return nil
 				}
 				version(c)
 				return nil
 			},
 			Usage:       versionText,
 			Description: versionText,
 			Flags: []cli.Flag{
 				&cli.BoolFlag{
 					Name:    "short",
 					Aliases: []string{"s"},
 					Usage:   "print just the version number",
 				},
 			},
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
 	cmds = append(cmds, proxydns.Command(false))
 	cmds = append(cmds, access.Commands()...)
 	cmds = append(cmds, tail.Command())
 	return cmds
 }
@ -83,17 +164,24 @@ func flags() []cli.Flag {
 	return append(flags, access.Flags()...)
 }
-func action(version string, shutdownC, graceShutdownC chan struct{}) cli.ActionFunc {
+func isEmptyInvocation(c *cli.Context) bool {
-	return func(c *cli.Context) (err error) {
+	return c.NArg() == 0 && c.NumFlags() == 0
-		tags := make(map[string]string)
+}
-		tags["hostname"] = c.String("hostname")
+
-		raven.SetTagsContext(tags)
+func action(graceShutdownC chan struct{}) cli.ActionFunc {
-		raven.CapturePanic(func() { err = tunnel.StartServer(c, version, shutdownC, graceShutdownC) }, nil)
+	return cliutil.ConfiguredAction(func(c *cli.Context) (err error) {
 		if isEmptyInvocation(c) {
 			return handleServiceMode(c, graceShutdownC)
 		}
 		func() {
 			defer sentry.Recover()
 			err = tunnel.TunnelCommand(c)
 		}()
 		if err != nil {
-			raven.CaptureError(err, nil)
+			captureError(err)
 		}
 		return err
-	}
+	})
 }
 func userHomeDir() (string, error) {
@ -103,8 +191,52 @@ func userHomeDir() (string, error) {
 	// use with sudo.
 	homeDir, err := homedir.Dir()
 	if err != nil {
 		logger.WithError(err).Error("Cannot determine home directory for the user")
 		return "", errors.Wrap(err, "Cannot determine home directory for the user")
 	}
 	return homeDir, nil
 }
 // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
 func captureError(err error) {
 	errorMessage := err.Error()
 	for _, ignoredErrorMessage := range ignoredErrors {
 		if strings.Contains(errorMessage, ignoredErrorMessage) {
 			return
 		}
 	}
 	sentry.CaptureException(err)
 }
 // cloudflared was started without any flags
 func handleServiceMode(c *cli.Context, shutdownC chan struct{}) error {
 	log := logger.CreateLoggerFromContext(c, logger.DisableTerminalLog)
 	// start the main run loop that reads from the config file
 	f, err := watcher.NewFile()
 	if err != nil {
 		log.Err(err).Msg("Cannot load config file")
 		return err
 	}
 	configPath := config.FindOrCreateConfigPath()
 	configManager, err := config.NewFileManager(f, configPath, log)
 	if err != nil {
 		log.Err(err).Msg("Cannot setup config file for monitoring")
 		return err
 	}
 	log.Info().Msgf("monitoring config file at: %s", configPath)
 	serviceCallback := func(t string, name string, err error) {
 		if err != nil {
 			log.Err(err).Msgf("%s service: %s encountered an error", t, name)
 		}
 	}
 	serviceManager := overwatch.NewAppManager(serviceCallback)
 	appService := NewAppService(configManager, serviceManager, shutdownC, log)
 	if err := appService.Run(); err != nil {
 		log.Err(err).Msg("Failed to start app service")
 		return err
 	}
 	return nil
 }
--- a/cmd/cloudflared/proxydns/cmd.go
+++ b/cmd/cloudflared/proxydns/cmd.go
@ -0,0 +1,115 @@
 package proxydns
 import (
 	"context"
 	"net"
 	"os"
 	"os/signal"
 	"syscall"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/tunneldns"
 )
 func Command(hidden bool) *cli.Command {
 	return &cli.Command{
 		Name:   "proxy-dns",
 		Action: cliutil.ConfiguredAction(Run),
 		Usage: "Run a DNS over HTTPS proxy server.",
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "metrics",
 				Value:   "localhost:",
 				Usage:   "Listen address for metrics reporting.",
 				EnvVars: []string{"TUNNEL_METRICS"},
 			},
 			&cli.StringFlag{
 				Name:    "address",
 				Usage:   "Listen address for the DNS over HTTPS proxy server.",
 				Value:   "localhost",
 				EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
 			},
 			// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 			&cli.IntFlag{
 				Name:    "port",
 				Usage:   "Listen on given port for the DNS over HTTPS proxy server.",
 				Value:   53,
 				EnvVars: []string{"TUNNEL_DNS_PORT"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "upstream",
 				Usage:   "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
 				Value:   cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
 				EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "bootstrap",
 				Usage:   "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
 				Value:   cli.NewStringSlice("https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"),
 				EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
 			},
 			&cli.IntFlag{
 				Name:    "max-upstream-conns",
 				Usage:   "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
 				Value:   tunneldns.MaxUpstreamConnsDefault,
 				EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
 			},
 		},
 		ArgsUsage: " ", // can't be the empty string or we get the default output
 		Hidden:    hidden,
 	}
 }
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	metricsListener, err := net.Listen("tcp", c.String("metrics"))
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to open the metrics listener")
 	}
 	go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
 	listener, err := tunneldns.CreateListener(
 		c.String("address"),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		uint16(c.Int("port")),
 		c.StringSlice("upstream"),
 		c.StringSlice("bootstrap"),
 		c.Int("max-upstream-conns"),
 		log,
 	)
 	if err != nil {
 		log.Err(err).Msg("Failed to create the listeners")
 		return err
 	}
 	// Try to start the server
 	readySignal := make(chan struct{})
 	err = listener.Start(readySignal)
 	if err != nil {
 		log.Err(err).Msg("Failed to start the listeners")
 		return listener.Stop()
 	}
 	<-readySignal
 	// Wait for signal
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	<-signals
 	// Shut down server
 	err = listener.Stop()
 	if err != nil {
 		log.Err(err).Msg("failed to stop")
 	}
 	return err
 }
--- a/cmd/cloudflared/service_template.go
+++ b/cmd/cloudflared/service_template.go
@ -5,13 +5,14 @@ import (
 	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
 	"text/template"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	homedir "github.com/mitchellh/go-homedir"
-	"github.com/mitchellh/go-homedir"
+
 	"github.com/cloudflare/cloudflared/config"
 )
 type ServiceTemplate struct {
@ -21,7 +22,8 @@ type ServiceTemplate struct {
 }
 type ServiceTemplateArgs struct {
-	Path string
+	Path      string
 	ExtraArgs []string
 }
 func (st *ServiceTemplate) ResolvePath() (string, error) {
@ -41,16 +43,27 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 	if err != nil {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
 		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
 	}
 	var buffer bytes.Buffer
 	err = tmpl.Execute(&buffer, args)
 	if err != nil {
 		return fmt.Errorf("error generating %s: %v", st.Path, err)
 	}
-	fileMode := os.FileMode(0644)
+	fileMode := os.FileMode(0o644)
 	if st.FileMode != 0 {
 		fileMode = st.FileMode
 	}
-	err = ioutil.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
+
 	plistFolder := path.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
 	}
 	err = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
 	if err != nil {
 		return fmt.Errorf("error writing %s: %v", resolvedPath, err)
 	}
@ -69,26 +82,30 @@ func (st *ServiceTemplate) Remove() error {
 	return nil
 }
 func serviceAlreadyExistsWarn(service string) string {
 	return fmt.Sprintf("cloudflared service is already installed at %s; if you are running a cloudflared tunnel, you "+
 		"can point it to multiple origins, avoiding the need to run more than one cloudflared service in the "+
 		"same machine; otherwise if you are really sure, you can do `cloudflared service uninstall` to clean "+
 		"up the existing service and then try again this command",
 		service,
 	)
 }
 func runCommand(command string, args ...string) error {
 	cmd := exec.Command(command, args...)
 	stderr, err := cmd.StderrPipe()
 	if err != nil {
 		logger.WithError(err).Infof("error getting stderr pipe")
 		return fmt.Errorf("error getting stderr pipe: %v", err)
 	}
 	err = cmd.Start()
 	if err != nil {
 		logger.WithError(err).Infof("error starting %s", command)
 		return fmt.Errorf("error starting %s: %v", command, err)
 	}
-	commandErr, _ := ioutil.ReadAll(stderr)
+
-	if len(commandErr) > 0 {
+	output, _ := io.ReadAll(stderr)
 		logger.Errorf("%s: %s", command, commandErr)
 	}
 	err = cmd.Wait()
 	if err != nil {
-		logger.WithError(err).Infof("%s returned error", command)
+		return fmt.Errorf("%s %v returned with error code %v due to: %v", command, args, err, string(output))
 		return fmt.Errorf("%s returned with error: %v", command, err)
 	}
 	return nil
 }
@ -96,7 +113,7 @@ func runCommand(command string, args ...string) error {
 func ensureConfigDirExists(configDir string) error {
 	ok, err := config.FileExists(configDir)
 	if !ok && err == nil {
-		err = os.Mkdir(configDir, 0700)
+		err = os.Mkdir(configDir, 0755)
 	}
 	return err
 }
@ -144,12 +161,38 @@ func copyCredential(srcCredentialPath, destCredentialPath string) error {
 	return nil
 }
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
 		return err
 	}
 	defer srcFile.Close()
 	destFile, err := os.Create(dest)
 	if err != nil {
 		return err
 	}
 	ok := false
 	defer func() {
 		destFile.Close()
 		if !ok {
 			_ = os.Remove(dest)
 		}
 	}()
 	if _, err := io.Copy(destFile, srcFile); err != nil {
 		return err
 	}
 	ok = true
 	return nil
 }
 func copyConfig(srcConfigPath, destConfigPath string) error {
 	// Copy or create config
 	destFile, exists, err := openFile(destConfigPath, true)
 	if err != nil {
-		logger.WithError(err).Infof("cannot open %s", destConfigPath)
+		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
 		return err
 	} else if exists {
 		// config already exists, do nothing
 		return nil
@ -173,7 +216,6 @@ func copyConfig(srcConfigPath, destConfigPath string) error {
 		if err != nil {
 			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
 		}
 		logger.Infof("Copied %s to %s", srcConfigPath, destConfigPath)
 	}
 	return nil
--- a/cmd/cloudflared/shell/shell.go
+++ b/cmd/cloudflared/shell/shell.go
@ -1,47 +0,0 @@
 package shell
 import (
 	"io"
 	"os"
 	"os/exec"
 	"runtime"
 )
 // OpenBrowser opens the specified URL in the default browser of the user
 func OpenBrowser(url string) error {
 	var cmd string
 	var args []string
 	switch runtime.GOOS {
 	case "windows":
 		cmd = "cmd"
 		args = []string{"/c", "start"}
 	case "darwin":
 		cmd = "open"
 	default: // "linux", "freebsd", "openbsd", "netbsd"
 		cmd = "xdg-open"
 	}
 	args = append(args, url)
 	return exec.Command(cmd, args...).Start()
 }
 // Run will kick off a shell task and pipe the results to the respective std pipes
 func Run(cmd string, args ...string) error {
 	c := exec.Command(cmd, args...)
 	stderr, err := c.StderrPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		io.Copy(os.Stderr, stderr)
 	}()
 	stdout, err := c.StdoutPipe()
 	if err != nil {
 		return err
 	}
 	go func() {
 		io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
--- a/cmd/cloudflared/tail/cmd.go
+++ b/cmd/cloudflared/tail/cmd.go
@ -0,0 +1,428 @@
 package tail
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 	"github.com/google/uuid"
 	"github.com/mattn/go-colorable"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"nhooyr.io/websocket"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
 var (
 	buildInfo *cliutil.BuildInfo
 )
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
 }
 func Command() *cli.Command {
 	subcommands := []*cli.Command{
 		buildTailManagementTokenSubcommand(),
 	}
 	return buildTailCommand(subcommands)
 }
 func buildTailManagementTokenSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:        "token",
 		Action:      cliutil.ConfiguredAction(managementTokenCommand),
 		Usage:       "Get management access jwt",
 		UsageText:   "cloudflared tail token TUNNEL_ID",
 		Description: `Get management access jwt for a tunnel`,
 		Hidden:      true,
 	}
 }
 func managementTokenCommand(c *cli.Context) error {
 	log := createLogger(c)
 	token, err := getManagementToken(c, log)
 	if err != nil {
 		return err
 	}
 	var tokenResponse = struct {
 		Token string `json:"token"`
 	}{Token: token}
 	return json.NewEncoder(os.Stdout).Encode(tokenResponse)
 }
 func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 	return &cli.Command{
 		Name:      "tail",
 		Action:    Run,
 		Usage:     "Stream logs from a remote cloudflared",
 		UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
 		Flags: []cli.Flag{
 			&cli.StringFlag{
 				Name:    "connector-id",
 				Usage:   "Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_CONNECTOR"},
 			},
 			&cli.StringSliceFlag{
 				Name:    "event",
 				Usage:   "Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_EVENTS"},
 			},
 			&cli.StringFlag{
 				Name:    "level",
 				Usage:   "Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_LEVEL"},
 				Value:   "debug",
 			},
 			&cli.Float64Flag{
 				Name:    "sample",
 				Usage:   "Sample log events by percentage (0.0 .. 1.0). No sampling by default.",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_SAMPLE"},
 				Value:   1.0,
 			},
 			&cli.StringFlag{
 				Name:    "token",
 				Usage:   "Access token for a specific tunnel",
 				Value:   "",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
 			},
 			&cli.StringFlag{
 				Name:    "output",
 				Usage:   "Output format for the logs (default, json)",
 				Value:   "default",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
 			},
 			&cli.StringFlag{
 				Name:    "management-hostname",
 				Usage:   "Management hostname to signify incoming management requests",
 				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
 				Hidden:  true,
 				Value:   "management.argotunnel.com",
 			},
 			&cli.StringFlag{
 				Name:   "trace",
 				Usage:  "Set a cf-trace-id for the request",
 				Hidden: true,
 				Value:  "",
 			},
 			&cli.StringFlag{
 				Name:    logger.LogLevelFlag,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
 				Name:    credentials.OriginCertFlag,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
 			},
 		},
 		Subcommands: subcommands,
 	}
 }
 // Middleware validation error struct for returning to the eyeball
 type managementError struct {
 	Code    int    `json:"code,omitempty"`
 	Message string `json:"message,omitempty"`
 }
 // Middleware validation error HTTP response JSON for returning to the eyeball
 type managementErrorResponse struct {
 	Success bool              `json:"success,omitempty"`
 	Errors  []managementError `json:"errors,omitempty"`
 }
 func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 	if resp.StatusCode == 530 {
 		log.Error().Msgf("no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)")
 	}
 	var managementErr managementErrorResponse
 	err := json.NewDecoder(resp.Body).Decode(&managementErr)
 	if err != nil {
 		log.Error().Msgf("unable to start management log streaming session: http response code returned %d", resp.StatusCode)
 		return
 	}
 	if managementErr.Success || len(managementErr.Errors) == 0 {
 		log.Error().Msgf("management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request")
 		return
 	}
 	for _, e := range managementErr.Errors {
 		log.Error().Msgf("management request failed validation: (%d) %s", e.Code, e.Message)
 	}
 }
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
 	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
 	log := zerolog.New(zerolog.ConsoleWriter{
 		Out:        colorable.NewColorable(os.Stderr),
 		TimeFormat: time.RFC3339,
 	}).With().Timestamp().Logger().Level(level)
 	return &log
 }
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
 	var events []management.LogEventType
 	var sample float64
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
 	if argLevel != "" {
 		l, ok := management.ParseLogLevel(argLevel)
 		if !ok {
 			return nil, fmt.Errorf("invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error")
 		}
 		level = &l
 	}
 	for _, v := range argEvents {
 		t, ok := management.ParseLogEventType(v)
 		if !ok {
 			return nil, fmt.Errorf("invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp")
 		}
 		events = append(events, t)
 	}
 	if argSample <= 0.0 || argSample > 1.0 {
 		return nil, fmt.Errorf("invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)")
 	}
 	sample = argSample
 	if level == nil && len(events) == 0 && argSample != 1.0 {
 		// When no filters are provided, do not return a StreamingFilters struct
 		return nil, nil
 	}
 	return &management.StreamingFilters{
 		Level:    level,
 		Events:   events,
 		Sampling: sample,
 	}, nil
 }
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
 	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
 	if err != nil {
 		return "", err
 	}
 	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
 	tunnelIDString := c.Args().First()
 	if tunnelIDString == "" {
 		return "", errors.New("no tunnel ID provided")
 	}
 	tunnelID, err := uuid.Parse(tunnelIDString)
 	if err != nil {
 		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
 	}
 	token, err := client.GetManagementToken(tunnelID)
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 // buildURL will build the management url to contain the required query parameters to authenticate the request.
 func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
 	var err error
 	managementHostname := c.String("management-hostname")
 	token := c.String("token")
 	if token == "" {
 		token, err = getManagementToken(c, log)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
 		}
 	}
 	query := url.Values{}
 	query.Add("access_token", token)
 	connector := c.String("connector-id")
 	if connector != "" {
 		connectorID, err := uuid.Parse(connector)
 		if err != nil {
 			return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
 		}
 		query.Add("connector_id", connectorID.String())
 	}
 	return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
 }
 func printLine(log *management.Log, logger *zerolog.Logger) {
 	fields, err := json.Marshal(log.Fields)
 	if err != nil {
 		fields = []byte("unable to parse fields")
 		logger.Debug().Msgf("unable to parse fields from event %+v", log)
 	}
 	fmt.Printf("%s %s %s %s %s\n", log.Time, log.Level, log.Event, log.Message, fields)
 }
 func printJSON(log *management.Log, logger *zerolog.Logger) {
 	output, err := json.Marshal(log)
 	if err != nil {
 		logger.Debug().Msgf("unable to parse event to json %+v", log)
 	} else {
 		fmt.Println(string(output))
 	}
 }
 // Run implements a foreground runner
 func Run(c *cli.Context) error {
 	log := createLogger(c)
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	output := "default"
 	switch c.String("output") {
 	case "default", "":
 		output = "default"
 	case "json":
 		output = "json"
 	default:
 		log.Err(errors.New("invalid --output value provided, please make sure it is one of: default, json")).Send()
 	}
 	filters, err := parseFilters(c)
 	if err != nil {
 		log.Error().Err(err).Msgf("invalid filters provided")
 		return nil
 	}
 	u, err := buildURL(c, log)
 	if err != nil {
 		log.Err(err).Msg("unable to construct management request URL")
 		return nil
 	}
 	header := make(http.Header)
 	header.Add("User-Agent", buildInfo.UserAgent())
 	trace := c.String("trace")
 	if trace != "" {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})
 	if err != nil {
 		if resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {
 			handleValidationError(resp, log)
 			return nil
 		}
 		log.Error().Err(err).Msgf("unable to start management log streaming session")
 		return nil
 	}
 	defer conn.Close(websocket.StatusInternalError, "management connection was closed abruptly")
 	// Once connection is established, send start_streaming event to begin receiving logs
 	err = management.WriteEvent(conn, ctx, &management.EventStartStreaming{
 		ClientEvent: management.ClientEvent{Type: management.StartStreaming},
 		Filters:     filters,
 	})
 	if err != nil {
 		log.Error().Err(err).Msg("unable to request logs from management tunnel")
 		return nil
 	}
 	log.Debug().
 		Str("tunnel-id", c.Args().First()).
 		Str("connector-id", c.String("connector-id")).
 		Interface("filters", filters).
 		Msg("connected")
 	readerDone := make(chan struct{})
 	go func() {
 		defer close(readerDone)
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			default:
 				event, err := management.ReadServerEvent(conn, ctx)
 				if err != nil {
 					if closeErr := management.AsClosed(err); closeErr != nil {
 						// If the client (or the server) already closed the connection, don't continue to
 						// attempt to read from the client.
 						if closeErr.Code == websocket.StatusNormalClosure {
 							return
 						}
 						// Only log abnormal closures
 						log.Error().Msgf("received remote closure: (%d) %s", closeErr.Code, closeErr.Reason)
 						return
 					}
 					log.Err(err).Msg("unable to read event from server")
 					return
 				}
 				switch event.Type {
 				case management.Logs:
 					logs, ok := management.IntoServerEvent(event, management.Logs)
 					if !ok {
 						log.Error().Msgf("invalid logs event")
 						continue
 					}
 					// Output all the logs received to stdout
 					for _, l := range logs.Logs {
 						if output == "json" {
 							printJSON(l, log)
 						} else {
 							printLine(l, log)
 						}
 					}
 				case management.UnknownServerEventType:
 					fallthrough
 				default:
 					log.Debug().Msgf("unexpected log event type: %s", event.Type)
 				}
 			}
 		}
 	}()
 	for {
 		select {
 		case <-ctx.Done():
 			return nil
 		case <-readerDone:
 			return nil
 		case <-signals:
 			log.Debug().Msg("closing management connection")
 			// Cleanly close the connection by sending a close message and then
 			// waiting (with timeout) for the server to close the connection.
 			conn.Close(websocket.StatusNormalClosure, "")
 			select {
 			case <-readerDone:
 			case <-time.After(time.Second):
 			}
 			return nil
 		}
 	}
 }
--- a/cmd/cloudflared/token/token.go
+++ b/cmd/cloudflared/token/token.go
@ -1,87 +0,0 @@
 package token
 import (
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
 	"github.com/cloudflare/cloudflared/log"
 	"github.com/coreos/go-oidc/jose"
 	"github.com/coreos/go-oidc/oidc"
 	homedir "github.com/mitchellh/go-homedir"
 )
 var logger = log.CreateLogger()
 // FetchToken will either load a stored token or generate a new one
 func FetchToken(appURL *url.URL) (string, error) {
 	if token, err := GetTokenIfExists(appURL); token != "" && err == nil {
 		return token, nil
 	}
 	path, err := generateFilePathForTokenURL(appURL)
 	if err != nil {
 		return "", err
 	}
 	// this weird parameter is the resource name (token) and the key/value
 	// we want to send to the transfer service. the key is token and the value
 	// is blank (basically just the id generated in the transfer service)
 	const resourceName, key, value = "token", "token", ""
 	token, err := transfer.Run(appURL, resourceName, key, value, path, true)
 	if err != nil {
 		return "", err
 	}
 	return string(token), nil
 }
 // GetTokenIfExists will return the token from local storage if it exists
 func GetTokenIfExists(url *url.URL) (string, error) {
 	path, err := generateFilePathForTokenURL(url)
 	if err != nil {
 		return "", err
 	}
 	content, err := ioutil.ReadFile(path)
 	if err != nil {
 		return "", err
 	}
 	token, err := jose.ParseJWT(string(content))
 	if err != nil {
 		return "", err
 	}
 	claims, err := token.Claims()
 	if err != nil {
 		return "", err
 	}
 	ident, err := oidc.IdentityFromClaims(claims)
 	if err == nil && ident.ExpiresAt.After(time.Now()) {
 		return token.Encode(), nil
 	}
 	return "", err
 }
 // generateFilePathForTokenURL will return a filepath for given access application url
 func generateFilePathForTokenURL(url *url.URL) (string, error) {
 	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
 	if err != nil {
 		return "", err
 	}
 	ok, err := config.FileExists(configPath)
 	if !ok && err == nil {
 		// create config directory if doesn't already exist
 		err = os.Mkdir(configPath, 0700)
 	}
 	if err != nil {
 		return "", err
 	}
 	name := strings.Replace(fmt.Sprintf("%s%s-token", url.Hostname(), url.EscapedPath()), "/", "-", -1)
 	return filepath.Join(configPath, name), nil
 }
--- a/cmd/cloudflared/transfer/transfer.go
+++ b/cmd/cloudflared/transfer/transfer.go
@ -1,164 +0,0 @@
 package transfer
 import (
 	"bytes"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/encrypter"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
 	"github.com/cloudflare/cloudflared/log"
 )
 const (
 	baseStoreURL  = "https://login.cloudflarewarp.com/"
 	clientTimeout = time.Second * 60
 )
 var logger = log.CreateLogger()
 // Run does the transfer "dance" with the end result downloading the supported resource.
 // The expanded description is run is encapsulation of shared business logic needed
 // to request a resource (token/cert/etc) from the transfer service (loginhelper).
 // The "dance" we refer to is building a HTTP request, opening that in a browser waiting for
 // the user to complete an action, while it long polls in the background waiting for an
 // action to be completed to download the resource.
 func Run(transferURL *url.URL, resourceName, key, value, path string, shouldEncrypt bool) ([]byte, error) {
 	encrypterClient, err := encrypter.New("cloudflared_priv.pem", "cloudflared_pub.pem")
 	if err != nil {
 		return nil, err
 	}
 	requestURL, err := buildRequestURL(transferURL, key, value+encrypterClient.PublicKey(), shouldEncrypt)
 	if err != nil {
 		return nil, err
 	}
 	err = shell.OpenBrowser(requestURL)
 	if err != nil {
 		fmt.Fprintf(os.Stdout, "Please open the following URL and log in with your Cloudflare account:\n\n%s\n\nLeave cloudflared running to download the %s automatically.\n", resourceName, requestURL)
 	} else {
 		fmt.Fprintf(os.Stdout, "A browser window should have opened at the following URL:\n\n%s\n\nIf the browser failed to open, open it yourself and visit the URL above.\n", requestURL)
 	}
 	var resourceData []byte
 	if shouldEncrypt {
 		buf, key, err := transferRequest(baseStoreURL + filepath.Join("transfer", encrypterClient.PublicKey()))
 		if err != nil {
 			return nil, err
 		}
 		decodedBuf, err := base64.StdEncoding.DecodeString(string(buf))
 		if err != nil {
 			return nil, err
 		}
 		decrypted, err := encrypterClient.Decrypt(decodedBuf, key)
 		if err != nil {
 			return nil, err
 		}
 		resourceData = decrypted
 	} else {
 		buf, _, err := transferRequest(baseStoreURL + filepath.Join(encrypterClient.PublicKey()))
 		if err != nil {
 			return nil, err
 		}
 		resourceData = buf
 	}
 	if err := ioutil.WriteFile(path, resourceData, 0600); err != nil {
 		return nil, err
 	}
 	return resourceData, nil
 }
 // BuildRequestURL creates a request suitable for a resource transfer.
 // it will return a constructed url based off the base url and query key/value provided.
 // follow will follow redirects.
 func buildRequestURL(baseURL *url.URL, key, value string, follow bool) (string, error) {
 	q := baseURL.Query()
 	q.Set(key, value)
 	baseURL.RawQuery = q.Encode()
 	if !follow {
 		return baseURL.String(), nil
 	}
 	response, err := http.Get(baseURL.String())
 	if err != nil {
 		return "", err
 	}
 	return response.Request.URL.String(), nil
 }
 // transferRequest downloads the requested resource from the request URL
 func transferRequest(requestURL string) ([]byte, string, error) {
 	client := &http.Client{Timeout: clientTimeout}
 	const pollAttempts = 10
 	// we do "long polling" on the endpoint to get the resource.
 	for i := 0; i < pollAttempts; i++ {
 		buf, key, err := poll(client, requestURL)
 		if err != nil {
 			return nil, "", err
 		} else if len(buf) > 0 {
 			if err := putSuccess(client, requestURL); err != nil {
 				logger.WithError(err).Error("Failed to update resource success")
 			}
 			return buf, key, nil
 		}
 	}
 	return nil, "", errors.New("Failed to fetch resource")
 }
 // poll the endpoint for the request resource, waiting for the user interaction
 func poll(client *http.Client, requestURL string) ([]byte, string, error) {
 	resp, err := client.Get(requestURL)
 	if err != nil {
 		return nil, "", err
 	}
 	defer resp.Body.Close()
 	// ignore everything other than server errors as the resource
 	// may not exist until the user does the interaction
 	if resp.StatusCode >= 500 {
 		return nil, "", fmt.Errorf("error on request %d", resp.StatusCode)
 	}
 	if resp.StatusCode != 200 {
 		logger.Info("Waiting for login...")
 		return nil, "", nil
 	}
 	buf := new(bytes.Buffer)
 	if _, err := io.Copy(buf, resp.Body); err != nil {
 		return nil, "", err
 	}
 	return buf.Bytes(), resp.Header.Get("service-public-key"), nil
 }
 // putSuccess tells the server we successfully downloaded the resource
 func putSuccess(client *http.Client, requestURL string) error {
 	req, err := http.NewRequest("PUT", requestURL+"/ok", nil)
 	if err != nil {
 		return err
 	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return err
 	}
 	resp.Body.Close()
 	if resp.StatusCode != 200 {
 		return fmt.Errorf("HTTP Response Status Code: %d", resp.StatusCode)
 	}
 	return nil
 }
--- a/cmd/cloudflared/tunnel/cmd.go
+++ b/cmd/cloudflared/tunnel/cmd.go
--- a/cmd/cloudflared/tunnel/cmd_test.go
+++ b/cmd/cloudflared/tunnel/cmd_test.go
@ -0,0 +1,17 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestHostnameFromURI(t *testing.T) {
 	assert.Equal(t, "awesome.warptunnels.horse:22", hostnameFromURI("ssh://awesome.warptunnels.horse:22"))
 	assert.Equal(t, "awesome.warptunnels.horse:22", hostnameFromURI("ssh://awesome.warptunnels.horse"))
 	assert.Equal(t, "awesome.warptunnels.horse:2222", hostnameFromURI("ssh://awesome.warptunnels.horse:2222"))
 	assert.Equal(t, "localhost:3389", hostnameFromURI("rdp://localhost"))
 	assert.Equal(t, "localhost:3390", hostnameFromURI("rdp://localhost:3390"))
 	assert.Equal(t, "", hostnameFromURI("trash"))
 	assert.Equal(t, "", hostnameFromURI("https://awesomesauce.com"))
 }
--- a/cmd/cloudflared/tunnel/config_test.go
+++ b/cmd/cloudflared/tunnel/config_test.go
@ -0,0 +1,15 @@
 package tunnel
 import (
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/features"
 )
 func TestDedup(t *testing.T) {
 	expected := []string{"a", "b"}
 	actual := features.Dedup([]string{"a", "b", "a"})
 	require.ElementsMatch(t, expected, actual)
 }
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -1,76 +1,71 @@
 package tunnel
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
 	"io/ioutil"
 	"math/rand"
 	"net"
-	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/google/uuid"
 	"github.com/cloudflare/cloudflared/origin"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 	"github.com/cloudflare/cloudflared/validation"
 	"golang.org/x/crypto/ssh/terminal"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/urfave/cli.v2"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/term"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
 	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
 )
 var (
-	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
+	developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
-	quickStartUrl   = developerPortal + "/quickstart/quickstart/"
+	serviceUrl      = developerPortal + "/tunnel-guide/local/as-a-service/"
-	serviceUrl      = developerPortal + "/reference/service/"
+	argumentsUrl    = developerPortal + "/tunnel-guide/local/local-management/arguments/"
-	argumentsUrl    = developerPortal + "/reference/arguments/"
+
 	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
 	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
 )
-// returns the first path that contains a cert.pem file. If none of the DefaultConfigDirs
+func generateRandomClientID(log *zerolog.Logger) (string, error) {
-// contains a cert.pem file, return empty string
+	u, err := uuid.NewRandom()
-func findDefaultOriginCertPath() string {
+	if err != nil {
-	for _, defaultConfigDir := range config.DefaultConfigDirs {
+		log.Error().Msgf("couldn't create UUID for client ID %s", err)
-		originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, config.DefaultCredentialFile))
+		return "", err
-		if ok, _ := config.FileExists(originCertPath); ok {
+	}
-			return originCertPath
+	return u.String(), nil
 }
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
 	for _, flag := range c.FlagNames() {
 		if isSecretFlag(flag) {
 			flags[flag] = secretValue
 		} else {
 			flags[flag] = c.Generic(flag)
 		}
 	}
 	return ""
 }
 func generateRandomClientID() string {
 	r := rand.New(rand.NewSource(time.Now().UnixNano()))
 	id := make([]byte, 32)
 	r.Read(id)
 	return hex.EncodeToString(id)
 }
 func handleDeprecatedOptions(c *cli.Context) error {
 	// Fail if the user provided an old authentication method
 	if c.IsSet("api-key") || c.IsSet("api-email") || c.IsSet("api-ca-key") {
 		logger.Error("You don't need to give us your api-key anymore. Please use the new login method. Just run cloudflared login")
 		return fmt.Errorf("Client provided deprecated options")
 	}
 	return nil
 }
 func logClientOptions(c *cli.Context) {
 	flags := make(map[string]interface{})
 	for _, flag := range c.LocalFlagNames() {
 		flags[flag] = c.Generic(flag)
 	}
 	if len(flags) > 0 {
-		logger.Infof("Flags %v", flags)
+		log.Info().Msgf("Settings: %v", flags)
 	}
 	envs := make(map[string]string)
@ -80,179 +75,422 @@ func logClientOptions(c *cli.Context) {
 		if strings.Contains(env, "TUNNEL_") {
 			vars := strings.Split(env, "=")
 			if len(vars) == 2 {
-				envs[vars[0]] = vars[1]
+				if isSecretEnvVar(vars[0]) {
 					envs[vars[0]] = secretValue
 				} else {
 					envs[vars[0]] = vars[1]
 				}
 			}
 		}
 	}
 	if len(envs) > 0 {
-		logger.Infof("Environmental variables %v", envs)
+		log.Info().Msgf("Environmental variables %v", envs)
 	}
 }
-func dnsProxyStandAlone(c *cli.Context) bool {
+func isSecretFlag(key string) bool {
-	return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world"))
+	for _, flag := range secretFlags {
-}
+		if flag.Name == key {
-
+			return true
 func getOriginCert(c *cli.Context) ([]byte, error) {
 	if c.String("origincert") == "" {
 		logger.Warnf("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigDirs)
 		if isRunningFromTerminal() {
 			logger.Errorf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
 			return nil, fmt.Errorf("Client didn't specify origincert path when running from terminal")
 		} else {
 			logger.Errorf("You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", serviceUrl)
 			return nil, fmt.Errorf("Client didn't specify origincert path")
 		}
 	}
-	// Check that the user has acquired a certificate using the login command
+	return false
 	originCertPath, err := homedir.Expand(c.String("origincert"))
 	if err != nil {
 		logger.WithError(err).Errorf("Cannot resolve path %s", c.String("origincert"))
 		return nil, fmt.Errorf("Cannot resolve path %s", c.String("origincert"))
 	}
 	ok, err := config.FileExists(originCertPath)
 	if err != nil {
 		logger.Errorf("Cannot check if origin cert exists at path %s", c.String("origincert"))
 		return nil, fmt.Errorf("Cannot check if origin cert exists at path %s", c.String("origincert"))
 	}
 	if !ok {
 		logger.Errorf(`Cannot find a valid certificate for your origin at the path:
    %s
 If the path above is wrong, specify the path with the -origincert option.
 If you don't have a certificate signed by Cloudflare, run the command:
 	%s login
 `, originCertPath, os.Args[0])
 		return nil, fmt.Errorf("Cannot find a valid certificate at the path %s", originCertPath)
 	}
 	// Easier to send the certificate as []byte via RPC than decoding it at this point
 	originCert, err := ioutil.ReadFile(originCertPath)
 	if err != nil {
 		logger.WithError(err).Errorf("Cannot read %s to load origin certificate", originCertPath)
 		return nil, fmt.Errorf("Cannot read %s to load origin certificate", originCertPath)
 	}
 	return originCert, nil
 }
-func prepareTunnelConfig(c *cli.Context, buildInfo *origin.BuildInfo, version string, logger, protoLogger *logrus.Logger) (*origin.TunnelConfig, error) {
+func isSecretEnvVar(key string) bool {
-	hostname, err := validation.ValidateHostname(c.String("hostname"))
+	for _, flag := range secretFlags {
-	if err != nil {
+		for _, secretEnvVar := range flag.EnvVars {
-		logger.WithError(err).Error("Invalid hostname")
+			if secretEnvVar == key {
-		return nil, errors.Wrap(err, "Invalid hostname")
+				return true
-	}
+			}
-	clientID := c.String("id")
+		}
 	if !c.IsSet("id") {
 		clientID = generateRandomClientID()
 	}
 	return false
 }
 func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
 	return c.IsSet("proxy-dns") &&
 		!(c.IsSet("name") || // adhoc-named tunnel
 			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
 			namedTunnel != nil) // named tunnel
 }
 func prepareTunnelConfig(
 	ctx context.Context,
 	c *cli.Context,
 	info *cliutil.BuildInfo,
 	log, logTransport *zerolog.Logger,
 	observer *connection.Observer,
 	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
 	clientID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 	}
 	log.Info().Msgf("Generated Connector ID: %s", clientID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
 	if err != nil {
-		logger.WithError(err).Error("Tag parse failure")
+		log.Err(err).Msg("Tag parse failure")
-		return nil, errors.Wrap(err, "Tag parse failure")
+		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
 	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
+	transportProtocol := c.String("protocol")
-	originURL, err := config.ValidateUrl(c)
+	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
 	staticFeatures := features.StaticFeatures{}
 	if c.Bool("post-quantum") {
 		if FipsEnabled {
 			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
 		}
 		pqMode := features.PostQuantumStrict
 		staticFeatures.PostQuantumMode = &pqMode
 	}
 	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
 	if err != nil {
-		logger.WithError(err).Error("Error validating origin URL")
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 		return nil, errors.Wrap(err, "Error validating origin URL")
 	}
-	logger.Infof("Proxying tunnel requests to %s", originURL)
+	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
 		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
 		}
 		transportProtocol = connection.QUIC.String()
 		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
-	originCert, err := getOriginCert(c)
+		log.Info().Msgf(
 			"Using hybrid post-quantum key agreement %s",
 			supervisor.PQKexName,
 		)
 	}
 	namedTunnel.Client = pogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
 		Arch:     info.OSArch(),
 	}
 	cfg := config.GetConfiguration()
 	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
 	if err != nil {
-		return nil, errors.Wrap(err, "Error getting origin cert")
+		return nil, nil, err
 	}
-	originCertPool, err := loadCertPool(c, logger)
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
 	if err != nil {
-		logger.WithError(err).Error("Error loading cert pool")
+		return nil, nil, err
-		return nil, errors.Wrap(err, "Error loading cert pool")
+	}
 	log.Info().Msgf("Initial protocol %s", protocolSelector.Current())
 	edgeTLSConfigs := make(map[connection.Protocol]*tls.Config, len(connection.ProtocolList))
 	for _, p := range connection.ProtocolList {
 		tlsSettings := p.TLSSettings()
 		if tlsSettings == nil {
 			return nil, nil, fmt.Errorf("%s has unknown TLS settings", p)
 		}
 		edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, tlsSettings.ServerName)
 		if err != nil {
 			return nil, nil, errors.Wrap(err, "unable to create TLS config to connect with edge")
 		}
 		if len(tlsSettings.NextProtos) > 0 {
 			edgeTLSConfig.NextProtos = tlsSettings.NextProtos
 		}
 		edgeTLSConfigs[p] = edgeTLSConfig
 	}
-	tunnelMetrics := origin.NewTunnelMetrics()
+	gracePeriod, err := gracePeriod(c)
 	httpTransport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
 			Timeout:   c.Duration("proxy-connect-timeout"),
 			KeepAlive: c.Duration("proxy-tcp-keepalive"),
 			DualStack: !c.Bool("proxy-no-happy-eyeballs"),
 		}).DialContext,
 		MaxIdleConns:          c.Int("proxy-keepalive-connections"),
 		IdleConnTimeout:       c.Duration("proxy-keepalive-timeout"),
 		TLSHandshakeTimeout:   c.Duration("proxy-tls-timeout"),
 		ExpectContinueTimeout: 1 * time.Second,
 		TLSClientConfig:       &tls.Config{RootCAs: originCertPool, InsecureSkipVerify: c.IsSet("no-tls-verify")},
 	}
 	if !c.IsSet("hello-world") && c.IsSet("origin-server-name") {
 		httpTransport.TLSClientConfig.ServerName = c.String("origin-server-name")
 	}
 	err = validation.ValidateHTTPService(originURL, hostname, httpTransport)
 	if err != nil {
-		logger.WithError(err).Error("unable to connect to the origin")
+		return nil, nil, err
-		return nil, errors.Wrap(err, "unable to connect to the origin")
+	}
 	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
 	if err != nil {
 		return nil, nil, err
 	}
 	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
 	if err != nil {
 		return nil, nil, err
 	}
 	if err := testIPBindable(edgeBindAddr); err != nil {
 		return nil, nil, fmt.Errorf("invalid edge-bind-address %s: %v", edgeBindAddr, err)
 	}
 	edgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)
 	if err != nil {
 		// This is not a fatal error, we just overrode edgeIPVersion
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
-	return &origin.TunnelConfig{
+	tunnelConfig := &supervisor.TunnelConfig{
-		EdgeAddrs:          c.StringSlice("edge"),
+		GracePeriod:     gracePeriod,
-		OriginUrl:          originURL,
+		ReplaceExisting: c.Bool("force"),
-		Hostname:           hostname,
+		OSArch:          info.OSArch(),
-		OriginCert:         originCert,
+		ClientID:        clientID.String(),
-		TlsConfig:          tlsconfig.CreateTunnelConfig(c, c.StringSlice("edge")),
+		EdgeAddrs:       c.StringSlice("edge"),
-		ClientTlsConfig:    httpTransport.TLSClientConfig,
+		Region:          c.String("region"),
-		Retries:            c.Uint("retries"),
+		EdgeIPVersion:   edgeIPVersion,
-		HeartbeatInterval:  c.Duration("heartbeat-interval"),
+		EdgeBindAddr:    edgeBindAddr,
-		MaxHeartbeats:      c.Uint64("heartbeat-count"),
+		HAConnections:   c.Int(haConnectionsFlag),
-		ClientID:           clientID,
+		IsAutoupdated:   c.Bool("is-autoupdated"),
-		BuildInfo:          buildInfo,
+		LBPool:          c.String("lb-pool"),
-		ReportedVersion:    version,
+		Tags:            tags,
-		LBPool:             c.String("lb-pool"),
+		Log:             log,
-		Tags:               tags,
+		LogTransport:    logTransport,
-		HAConnections:      c.Int("ha-connections"),
+		Observer:        observer,
-		HTTPTransport:      httpTransport,
+		ReportedVersion: info.Version(),
-		Metrics:            tunnelMetrics,
+		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		MetricsUpdateFreq:  c.Duration("metrics-update-freq"),
+		Retries:                             uint(c.Int("retries")),
-		ProtocolLogger:     protoLogger,
+		RunFromTerminal:                     isRunningFromTerminal(),
-		Logger:             logger,
+		NamedTunnel:                         namedTunnel,
-		IsAutoupdated:      c.Bool("is-autoupdated"),
+		ProtocolSelector:                    protocolSelector,
-		GracePeriod:        c.Duration("grace-period"),
+		EdgeTLSConfigs:                      edgeTLSConfigs,
-		RunFromTerminal:    isRunningFromTerminal(),
+		FeatureSelector:                     featureSelector,
-		NoChunkedEncoding:  c.Bool("no-chunked-encoding"),
+		MaxEdgeAddrRetries:                  uint8(c.Int("max-edge-addr-retries")),
-		CompressionQuality: c.Uint64("compression-quality"),
+		RPCTimeout:                          c.Duration(rpcTimeout),
-	}, nil
+		WriteStreamTimeout:                  c.Duration(writeStreamTimeout),
 		DisableQUICPathMTUDiscovery:         c.Bool(quicDisablePathMTUDiscovery),
 		QUICConnectionLevelFlowControlLimit: c.Uint64(quicConnLevelFlowControlLimit),
 		QUICStreamLevelFlowControlLimit:     c.Uint64(quicStreamLevelFlowControlLimit),
 	}
 	packetConfig, err := newPacketConfig(c, log)
 	if err != nil {
 		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
 	} else {
 		tunnelConfig.PacketConfig = packetConfig
 	}
 	orchestratorConfig := &orchestration.Config{
 		Ingress:            &ingressRules,
 		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
 		ConfigurationFlags: parseConfigFlags(c),
 		WriteTimeout:       c.Duration(writeStreamTimeout),
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
-func loadCertPool(c *cli.Context, logger *logrus.Logger) (*x509.CertPool, error) {
+func parseConfigFlags(c *cli.Context) map[string]string {
-	const originCAPoolFlag = "origin-ca-pool"
+	result := make(map[string]string)
 	originCAPoolFilename := c.String(originCAPoolFlag)
 	var originCustomCAPool []byte
-	if originCAPoolFilename != "" {
+	for _, flag := range configFlags {
-		var err error
+		if v := c.String(flag); c.IsSet(flag) && v != "" {
-		originCustomCAPool, err = ioutil.ReadFile(originCAPoolFilename)
+			result[flag] = v
 		if err != nil {
 			return nil, errors.Wrap(err, fmt.Sprintf("unable to read the file %s for --%s", originCAPoolFilename, originCAPoolFlag))
 		}
 	}
-	originCertPool, err := tlsconfig.LoadOriginCertPool(originCustomCAPool)
+	return result
-	if err != nil {
+}
 		return nil, errors.Wrap(err, "error loading the certificate pool")
 	}
-	// Windows users should be notified that they can use the flag
+func gracePeriod(c *cli.Context) (time.Duration, error) {
-	if runtime.GOOS == "windows" && originCAPoolFilename == "" {
+	period := c.Duration("grace-period")
-		logger.Infof("cloudflared does not support loading the system root certificate pool on Windows. Please use the --%s to specify it", originCAPoolFlag)
+	if period > connection.MaxGracePeriod {
 		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
 	}
-
+	return period, nil
 	return originCertPool, nil
 }
 func isRunningFromTerminal() bool {
-	return terminal.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdout.Fd()))
 }
 // ParseConfigIPVersion returns the IP version from possible expected values from config
 func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {
 	switch version {
 	case "4":
 		v = allregions.IPv4Only
 	case "6":
 		v = allregions.IPv6Only
 	case "auto":
 		v = allregions.Auto
 	default: // unspecified or invalid
 		err = fmt.Errorf("invalid value for edge-ip-version: %s", version)
 	}
 	return
 }
 func parseConfigBindAddress(ipstr string) (net.IP, error) {
 	// Unspecified - it's fine
 	if ipstr == "" {
 		return nil, nil
 	}
 	ip := net.ParseIP(ipstr)
 	if ip == nil {
 		return nil, fmt.Errorf("invalid value for edge-bind-address: %s", ipstr)
 	}
 	return ip, nil
 }
 func testIPBindable(ip net.IP) error {
 	// "Unspecified" = let OS choose, so always bindable
 	if ip == nil {
 		return nil
 	}
 	addr := &net.UDPAddr{IP: ip, Port: 0}
 	listener, err := net.ListenUDP("udp", addr)
 	if err != nil {
 		return err
 	}
 	listener.Close()
 	return nil
 }
 func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {
 	if ip == nil {
 		return ipVersion, nil
 	}
 	// https://pkg.go.dev/net#IP.To4: "If ip is not an IPv4 address, To4 returns nil."
 	if ip.To4() != nil {
 		if ipVersion == allregions.IPv6Only {
 			return allregions.IPv4Only, fmt.Errorf("IPv4 bind address is specified, but edge-ip-version is IPv6")
 		}
 		return allregions.IPv4Only, nil
 	} else {
 		if ipVersion == allregions.IPv4Only {
 			return allregions.IPv6Only, fmt.Errorf("IPv6 bind address is specified, but edge-ip-version is IPv4")
 		}
 		return allregions.IPv6Only, nil
 	}
 }
 func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
 	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
 	}
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
 	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
 	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
 	if err != nil {
 		return nil, err
 	}
 	return &ingress.GlobalRouterConfig{
 		ICMPRouter: icmpRouter,
 		IPv4Src:    ipv4Src,
 		IPv6Src:    ipv6Src,
 		Zone:       zone,
 	}, nil
 }
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
 	if userDefinedSrc != "" {
 		addr, err := netip.ParseAddr(userDefinedSrc)
 		if err != nil {
 			return netip.Addr{}, err
 		}
 		if addr.Is4() {
 			return addr, nil
 		}
 		return netip.Addr{}, fmt.Errorf("expect IPv4, but %s is IPv6", userDefinedSrc)
 	}
 	addr, err := findLocalAddr(net.ParseIP("192.168.0.1"), 53)
 	if err != nil {
 		addr = netip.IPv4Unspecified()
 		logger.Debug().Err(err).Msgf("Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo", addr)
 	}
 	return addr, nil
 }
 type interfaceIP struct {
 	name string
 	ip   net.IP
 }
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
 		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
 		addr, err := netip.ParseAddr(userDefinedIP)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
 			return addr, zone, nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}
 	// Loop through all the interfaces, the preference is
 	// 1. The interface where ipv4Src is in
 	// 2. Interface with IPv6 address
 	// 3. Unspecified interface
 	interfaces, err := net.Interfaces()
 	if err != nil {
 		return netip.IPv6Unspecified(), "", nil
 	}
 	interfacesWithIPv6 := make([]interfaceIP, 0)
 	for _, interf := range interfaces {
 		interfaceAddrs, err := interf.Addrs()
 		if err != nil {
 			continue
 		}
 		foundIPv4SrcInterface := false
 		for _, interfaceAddr := range interfaceAddrs {
 			if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 				ip := ipnet.IP
 				if ip.Equal(ipv4Src.AsSlice()) {
 					foundIPv4SrcInterface = true
 				}
 				if ip.To4() == nil {
 					interfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{
 						name: interf.Name,
 						ip:   ip,
 					})
 				}
 			}
 		}
 		// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6
 		if foundIPv4SrcInterface {
 			for _, interfaceAddr := range interfaceAddrs {
 				if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
 					ip := ipnet.IP
 					if ip.To4() == nil {
 						addr, err := netip.ParseAddr(ip.String())
 						if err == nil {
 							return addr, interf.Name, nil
 						}
 					}
 				}
 			}
 		}
 	}
 	for _, interf := range interfacesWithIPv6 {
 		addr, err := netip.ParseAddr(interf.ip.String())
 		if err == nil {
 			return addr, interf.name, nil
 		}
 	}
 	logger.Debug().Err(err).Msgf("Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo", netip.IPv6Unspecified())
 	return netip.IPv6Unspecified(), "", nil
 }
 // FindLocalAddr tries to dial UDP and returns the local address picked by the OS
 func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
 	udpConn, err := net.DialUDP("udp", nil, &net.UDPAddr{
 		IP:   dst,
 		Port: port,
 	})
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	defer udpConn.Close()
 	localAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())
 	if err != nil {
 		return netip.Addr{}, err
 	}
 	localAddr := localAddrPort.Addr()
 	return localAddr, nil
 }
--- a/cmd/cloudflared/tunnel/configuration_test.go
+++ b/cmd/cloudflared/tunnel/configuration_test.go
@ -0,0 +1,236 @@
 //go:build ignore
 // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
 package tunnel
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"net"
 	"os"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 // Generated using `openssl req -newkey rsa:512 -nodes -x509 -days 3650`
 var samplePEM = []byte(`
 -----BEGIN CERTIFICATE-----
 MIIB4DCCAYoCCQCb/H0EUrdXEjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
 UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcGA1UECgwQQ2xv
 dWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVneTERMA8GA1UE
 AwwIVGVzdCBPbmUwHhcNMTgwNDI2MTYxMDUxWhcNMjgwNDIzMTYxMDUxWjB3MQsw
 CQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcG
 A1UECgwQQ2xvdWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVn
 eTERMA8GA1UEAwwIVGVzdCBPbmUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAwVQD
 K0SJ25UFLznm2pU3zhzMEvpDEofHVNnCjk4mlDrtVop7PkKZ8pDEmuQANltUrxC8
 yHBE2wXMv+GlH+bDtwIDAQABMA0GCSqGSIb3DQEBCwUAA0EAjVYQzozIFPkt/HRY
 uUoZ8zEHIDICb0syFf5VAjm9AgTwIPzUmD+c5vl6LWDnxq7L45nLCzhhQ6YmiwDz
 X7Wcyg==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB4DCCAYoCCQDZfCdAJ+mwzDANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJV
 UzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcGA1UECgwQQ2xv
 dWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVneTERMA8GA1UE
 AwwIVGVzdCBUd28wHhcNMTgwNDI2MTYxMTIwWhcNMjgwNDIzMTYxMTIwWjB3MQsw
 CQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkF1c3RpbjEZMBcG
 A1UECgwQQ2xvdWRmbGFyZSwgSW5jLjEZMBcGA1UECwwQUHJvZHVjdCBTdHJhdGVn
 eTERMA8GA1UEAwwIVGVzdCBUd28wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAoHKp
 ROVK3zCSsH7ocYeyRAML4V7SFAbZcb4WIwDnE08oMBVRkQVcW5tqEkvG3RiClfzV
 wZIJ3CfqKIeSNSDU9wIDAQABMA0GCSqGSIb3DQEBCwUAA0EAJw2gUbnPiq4C2p5b
 iWzlA9Q7aKo+VQ4H7IZS7tTccr59nVjvH/TG3eWujpnocr4TOqW9M3CK1DF9mUGP
 3pQ3Jg==
 -----END CERTIFICATE-----
 `)
 var systemCertPoolSubjects []*pkix.Name
 type certificateFixture struct {
 	ou string
 	cn string
 }
 func TestMain(m *testing.M) {
 	systemCertPool, err := x509.SystemCertPool()
 	if isUnrecoverableError(err) {
 		os.Exit(1)
 	}
 	if systemCertPool == nil {
 		// On Windows, let's just assume the system cert pool was empty
 		systemCertPool = x509.NewCertPool()
 	}
 	systemCertPoolSubjects, err = getCertPoolSubjects(systemCertPool)
 	if err != nil {
 		os.Exit(1)
 	}
 	os.Exit(m.Run())
 }
 func TestLoadOriginCertPoolJustSystemPool(t *testing.T) {
 	certPoolSubjects := loadCertPoolSubjects(t, nil)
 	extraSubjects := subjectSubtract(systemCertPoolSubjects, certPoolSubjects)
 	// Remove extra subjects from the cert pool
 	var filteredSystemCertPoolSubjects []*pkix.Name
 	t.Log(extraSubjects)
 OUTER:
 	for _, subject := range certPoolSubjects {
 		for _, extraSubject := range extraSubjects {
 			if subject == extraSubject {
 				t.Log(extraSubject)
 				continue OUTER
 			}
 		}
 		filteredSystemCertPoolSubjects = append(filteredSystemCertPoolSubjects, subject)
 	}
 	assert.Equal(t, len(filteredSystemCertPoolSubjects), len(systemCertPoolSubjects))
 	difference := subjectSubtract(systemCertPoolSubjects, filteredSystemCertPoolSubjects)
 	assert.Equal(t, 0, len(difference))
 }
 func TestLoadOriginCertPoolCFCertificates(t *testing.T) {
 	certPoolSubjects := loadCertPoolSubjects(t, nil)
 	extraSubjects := subjectSubtract(systemCertPoolSubjects, certPoolSubjects)
 	expected := []*certificateFixture{
 		{ou: "CloudFlare Origin SSL ECC Certificate Authority"},
 		{ou: "CloudFlare Origin SSL Certificate Authority"},
 		{cn: "origin-pull.cloudflare.net"},
 		{cn: "Argo Tunnel Sample Hello Server Certificate"},
 	}
 	assertFixturesMatchSubjects(t, expected, extraSubjects)
 }
 func TestLoadOriginCertPoolWithExtraPEMs(t *testing.T) {
 	certPoolWithoutPEMSubjects := loadCertPoolSubjects(t, nil)
 	certPoolWithPEMSubjects := loadCertPoolSubjects(t, samplePEM)
 	difference := subjectSubtract(certPoolWithoutPEMSubjects, certPoolWithPEMSubjects)
 	assert.Equal(t, 2, len(difference))
 	expected := []*certificateFixture{
 		{cn: "Test One"},
 		{cn: "Test Two"},
 	}
 	assertFixturesMatchSubjects(t, expected, difference)
 }
 func loadCertPoolSubjects(t *testing.T, originCAPoolPEM []byte) []*pkix.Name {
 	certPool, err := loadOriginCertPool(originCAPoolPEM)
 	if isUnrecoverableError(err) {
 		t.Fatal(err)
 	}
 	assert.NotEmpty(t, certPool.Subjects())
 	certPoolSubjects, err := getCertPoolSubjects(certPool)
 	if err != nil {
 		t.Fatal(err)
 	}
 	return certPoolSubjects
 }
 func assertFixturesMatchSubjects(t *testing.T, fixtures []*certificateFixture, subjects []*pkix.Name) {
 	assert.Equal(t, len(fixtures), len(subjects))
 	for _, fixture := range fixtures {
 		found := false
 		for _, subject := range subjects {
 			found = found || fixtureMatchesSubjectPredicate(fixture, subject)
 		}
 		if !found {
 			t.Fail()
 		}
 	}
 }
 func fixtureMatchesSubjectPredicate(fixture *certificateFixture, subject *pkix.Name) bool {
 	cnMatch := true
 	if fixture.cn != "" {
 		cnMatch = fixture.cn == subject.CommonName
 	}
 	ouMatch := true
 	if fixture.ou != "" {
 		ouMatch = len(subject.OrganizationalUnit) > 0 && fixture.ou == subject.OrganizationalUnit[0]
 	}
 	return cnMatch && ouMatch
 }
 func subjectSubtract(left []*pkix.Name, right []*pkix.Name) []*pkix.Name {
 	var difference []*pkix.Name
 	var found bool
 	for _, r := range right {
 		found = false
 		for _, l := range left {
 			if (*l).String() == (*r).String() {
 				found = true
 			}
 		}
 		if !found {
 			difference = append(difference, r)
 		}
 	}
 	return difference
 }
 func getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {
 	var subjects []*pkix.Name
 	for _, subject := range certPool.Subjects() {
 		var sequence pkix.RDNSequence
 		_, err := asn1.Unmarshal(subject, &sequence)
 		if err != nil {
 			return nil, err
 		}
 		name := pkix.Name{}
 		name.FillFromRDNSequence(&sequence)
 		subjects = append(subjects, &name)
 	}
 	return subjects, nil
 }
 func isUnrecoverableError(err error) bool {
 	return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
 }
 func TestTestIPBindable(t *testing.T) {
 	assert.Nil(t, testIPBindable(nil))
 	// Public services - if one of these IPs is on the machine, the test environment is too weird
 	assert.NotNil(t, testIPBindable(net.ParseIP("8.8.8.8")))
 	assert.NotNil(t, testIPBindable(net.ParseIP("1.1.1.1")))
 	addrs, err := net.InterfaceAddrs()
 	if err != nil {
 		t.Fatal(err)
 	}
 	for i, addr := range addrs {
 		if i >= 3 {
 			break
 		}
 		ip := addr.(*net.IPNet).IP
 		assert.Nil(t, testIPBindable(ip))
 	}
 }
--- a/cmd/cloudflared/tunnel/credential_finder.go
+++ b/cmd/cloudflared/tunnel/credential_finder.go
@ -0,0 +1,84 @@
 package tunnel
 import (
 	"fmt"
 	"path/filepath"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 )
 // CredFinder can find the tunnel credentials file.
 type CredFinder interface {
 	Path() (string, error)
 }
 // Implements CredFinder and looks for the credentials file at the given
 // filepath.
 type staticPath struct {
 	filePath string
 	fs       fileSystem
 }
 func newStaticPath(filePath string, fs fileSystem) CredFinder {
 	return staticPath{
 		filePath: filePath,
 		fs:       fs,
 	}
 }
 func (a staticPath) Path() (string, error) {
 	if a.filePath != "" && a.fs.validFilePath(a.filePath) {
 		return a.filePath, nil
 	}
 	return "", fmt.Errorf("Tunnel credentials file '%s' doesn't exist or is not a file", a.filePath)
 }
 // Implements CredFinder and looks for the credentials file in several directories
 // searching for a file named <id>.json
 type searchByID struct {
 	id  uuid.UUID
 	c   *cli.Context
 	log *zerolog.Logger
 	fs  fileSystem
 }
 func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSystem) CredFinder {
 	return searchByID{
 		id:  id,
 		c:   c,
 		log: log,
 		fs:  fs,
 	}
 }
 func (s searchByID) Path() (string, error) {
 	originCertPath := s.c.String(credentials.OriginCertFlag)
 	originCertLog := s.log.With().
 		Str("originCertPath", originCertPath).
 		Logger()
 	// Fallback to look for tunnel credentials in the origin cert directory
 	if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
 		originCertDir := filepath.Dir(originCertPath)
 		if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
 			if s.fs.validFilePath(filePath) {
 				return filePath, nil
 			}
 		}
 	}
 	// Last resort look under default config directories
 	for _, configDir := range config.DefaultConfigSearchDirectories() {
 		if filePath, err := tunnelFilePath(s.id, configDir); err == nil {
 			if s.fs.validFilePath(filePath) {
 				return filePath, nil
 			}
 		}
 	}
 	return "", fmt.Errorf("tunnel credentials file not found")
 }
--- a/cmd/cloudflared/tunnel/filesystem.go
+++ b/cmd/cloudflared/tunnel/filesystem.go
@ -0,0 +1,26 @@
 package tunnel
 import (
 	"os"
 )
 // Abstract away details of reading files, so that SubcommandContext can read
 // from either the real filesystem, or a mock (when running unit tests).
 type fileSystem interface {
 	readFile(filePath string) ([]byte, error)
 	validFilePath(path string) bool
 }
 type realFileSystem struct{}
 func (fs realFileSystem) validFilePath(path string) bool {
 	fileStat, err := os.Stat(path)
 	if err != nil {
 		return false
 	}
 	return !fileStat.IsDir()
 }
 func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
 	return os.ReadFile(filePath)
 }
--- a/cmd/cloudflared/tunnel/fips.go
+++ b/cmd/cloudflared/tunnel/fips.go
@ -0,0 +1,3 @@
 package tunnel
 var FipsEnabled bool
--- a/cmd/cloudflared/tunnel/hello.go
+++ b/cmd/cloudflared/tunnel/hello.go
@ -1,20 +0,0 @@
 package tunnel
 import (
 	"fmt"
 	"gopkg.in/urfave/cli.v2"
 	"github.com/cloudflare/cloudflared/hello"
 )
 func helloWorld(c *cli.Context) error {
 	address := fmt.Sprintf(":%d", c.Int("port"))
 	listener, err := hello.CreateTLSListener(address)
 	if err != nil {
 		return err
 	}
 	defer listener.Close()
 	err = hello.StartHelloWorldServer(logger, listener, nil)
 	return err
 }
--- a/cmd/cloudflared/tunnel/info.go
+++ b/cmd/cloudflared/tunnel/info.go
@ -0,0 +1,16 @@
 package tunnel
 import (
 	"time"
 	"github.com/google/uuid"
 	"github.com/cloudflare/cloudflared/cfapi"
 )
 type Info struct {
 	ID         uuid.UUID             `json:"id"`
 	Name       string                `json:"name"`
 	CreatedAt  time.Time             `json:"createdAt"`
 	Connectors []*cfapi.ActiveClient `json:"conns"`
 }
--- a/cmd/cloudflared/tunnel/ingress_subcommands.go
+++ b/cmd/cloudflared/tunnel/ingress_subcommands.go
@ -0,0 +1,145 @@
 package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"net/url"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 const ingressDataJSONFlagName = "json"
 var ingressDataJSON = &cli.StringFlag{
 	Name:    ingressDataJSONFlagName,
 	Aliases: []string{"j"},
 	Usage:   `Accepts data in the form of json as an input rather than read from a file`,
 	EnvVars: []string{"TUNNEL_INGRESS_VALIDATE_JSON"},
 }
 func buildIngressSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:      "ingress",
 		Category:  "Tunnel",
 		Usage:     "Validate and test cloudflared tunnel's ingress configuration",
 		UsageText: "cloudflared tunnel [--config FILEPATH] ingress COMMAND [arguments...]",
 		Hidden:    true,
 		Description: ` Cloudflared lets you route traffic from the internet to multiple different addresses on your
 		origin. Multiple-origin routing is configured by a set of rules. Each rule matches traffic
 		by its hostname or path, and routes it to an address. These rules are configured under the
 		'ingress' key of your config.yaml, for example:
 		ingress:
 		  - hostname: www.example.com
 		    service: https://localhost:8000
 		  - hostname: *.example.xyz
 		    path: /[a-zA-Z]+.html
 		    service: https://localhost:8001
 		  - hostname: *
 		    service: https://localhost:8002
 		To ensure cloudflared can route all incoming requests, the last rule must be a catch-all
 		rule that matches all traffic. You can validate these rules with the 'ingress validate'
 		command, and test which rule matches a particular URL with 'ingress rule <URL>'.
 		Multiple-origin routing is incompatible with the --url flag.`,
 		Subcommands: []*cli.Command{buildValidateIngressCommand(), buildTestURLCommand()},
 	}
 }
 func buildValidateIngressCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "validate",
 		Action:      cliutil.ConfiguredActionWithWarnings(validateIngressCommand),
 		Usage:       "Validate the ingress configuration ",
 		UsageText:   "cloudflared tunnel [--config FILEPATH] ingress validate",
 		Description: "Validates the configuration file, ensuring your ingress rules are OK.",
 		Flags:       []cli.Flag{ingressDataJSON},
 	}
 }
 func buildTestURLCommand() *cli.Command {
 	return &cli.Command{
 		Name:      "rule",
 		Action:    cliutil.ConfiguredAction(testURLCommand),
 		Usage:     "Check which ingress rule matches a given request URL",
 		UsageText: "cloudflared tunnel [--config FILEPATH] ingress rule URL",
 		ArgsUsage: "URL",
 		Description: "Check which ingress rule matches a given request URL. " +
 			"Ingress rules match a request's hostname and path. Hostname is " +
 			"optional and is either a full hostname like `www.example.com` or a " +
 			"hostname with a `*` for its subdomains, e.g. `*.example.com`. Path " +
 			"is optional and matches a regular expression, like `/[a-zA-Z0-9_]+.html`",
 	}
 }
 // validateIngressCommand check the syntax of the ingress rules in the cloudflared config file
 func validateIngressCommand(c *cli.Context, warnings string) error {
 	conf, err := getConfiguration(c)
 	if err != nil {
 		return err
 	}
 	if _, err := ingress.ParseIngress(conf); err != nil {
 		return errors.Wrap(err, "Validation failed")
 	}
 	if c.IsSet("url") {
 		return ingress.ErrURLIncompatibleWithIngress
 	}
 	if warnings != "" {
 		fmt.Println("Warning: unused keys detected in your config file. Here is a list of unused keys:")
 		fmt.Println(warnings)
 		return nil
 	}
 	fmt.Println("OK")
 	return nil
 }
 func getConfiguration(c *cli.Context) (*config.Configuration, error) {
 	var conf *config.Configuration
 	if c.IsSet(ingressDataJSONFlagName) {
 		ingressJSON := c.String(ingressDataJSONFlagName)
 		fmt.Println("Validating rules from cmdline flag --json")
 		err := json.Unmarshal([]byte(ingressJSON), &conf)
 		return conf, err
 	}
 	conf = config.GetConfiguration()
 	if conf.Source() == "" {
 		return nil, errors.New("No configuration file was found. Please create one, or use the --config flag to specify its filepath. You can use the help command to learn more about configuration files")
 	}
 	fmt.Println("Validating rules from", conf.Source())
 	return conf, nil
 }
 // testURLCommand checks which ingress rule matches the given URL.
 func testURLCommand(c *cli.Context) error {
 	requestArg := c.Args().First()
 	if requestArg == "" {
 		return errors.New("cloudflared tunnel rule expects a single argument, the URL to test")
 	}
 	requestURL, err := url.Parse(requestArg)
 	if err != nil {
 		return fmt.Errorf("%s is not a valid URL", requestArg)
 	}
 	if requestURL.Hostname() == "" && requestURL.Scheme == "" {
 		return fmt.Errorf("%s doesn't have a hostname, consider adding a scheme", requestArg)
 	}
 	conf := config.GetConfiguration()
 	fmt.Println("Using rules from", conf.Source())
 	ing, err := ingress.ParseIngress(conf)
 	if err != nil {
 		return errors.Wrap(err, "Validation failed")
 	}
 	_, i := ing.FindMatchingRule(requestURL.Hostname(), requestURL.Path)
 	fmt.Printf("Matched rule #%d\n", i)
 	fmt.Println(ing.Rules[i].MultiLineString())
 	return nil
 }
--- a/cmd/cloudflared/tunnel/logger.go
+++ b/cmd/cloudflared/tunnel/logger.go
@ -1,67 +0,0 @@
 package tunnel
 import (
 	"fmt"
 	"os"
 	"github.com/cloudflare/cloudflared/log"
 	"github.com/rifflock/lfshook"
 	"github.com/sirupsen/logrus"
 	"gopkg.in/urfave/cli.v2"
 	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 )
 var logger = log.CreateLogger()
 func configMainLogger(c *cli.Context) error {
 	logLevel, err := logrus.ParseLevel(c.String("loglevel"))
 	if err != nil {
 		logger.WithError(err).Error("Unknown logging level specified")
 		return errors.Wrap(err, "Unknown logging level specified")
 	}
 	logger.SetLevel(logLevel)
 	return nil
 }
 func configProtoLogger(c *cli.Context) (*logrus.Logger, error) {
 	protoLogLevel, err := logrus.ParseLevel(c.String("proto-loglevel"))
 	if err != nil {
 		logger.WithError(err).Fatal("Unknown protocol logging level specified")
 		return nil, errors.Wrap(err, "Unknown protocol logging level specified")
 	}
 	protoLogger := logrus.New()
 	protoLogger.Level = protoLogLevel
 	return protoLogger, nil
 }
 func initLogFile(c *cli.Context, loggers ...*logrus.Logger) error {
 	filePath, err := homedir.Expand(c.String("logfile"))
 	if err != nil {
 		return errors.Wrap(err, "Cannot resolve logfile path")
 	}
 	fileMode := os.O_WRONLY | os.O_APPEND | os.O_CREATE | os.O_TRUNC
 	// do not truncate log file if the client has been autoupdated
 	if c.Bool("is-autoupdated") {
 		fileMode = os.O_WRONLY | os.O_APPEND | os.O_CREATE
 	}
 	f, err := os.OpenFile(filePath, fileMode, 0664)
 	if err != nil {
 		errors.Wrap(err, fmt.Sprintf("Cannot open file %s", filePath))
 	}
 	defer f.Close()
 	pathMap := lfshook.PathMap{
 		logrus.InfoLevel:  filePath,
 		logrus.ErrorLevel: filePath,
 		logrus.FatalLevel: filePath,
 		logrus.PanicLevel: filePath,
 	}
 	for _, l := range loggers {
 		l.Hooks.Add(lfshook.NewHook(pathMap, &logrus.JSONFormatter{}))
 	}
 	return nil
 }
--- a/cmd/cloudflared/tunnel/login.go
+++ b/cmd/cloudflared/tunnel/login.go
@ -7,18 +7,35 @@ import (
 	"path/filepath"
 	"syscall"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
 	homedir "github.com/mitchellh/go-homedir"
-	cli "gopkg.in/urfave/cli.v2"
+	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/token"
 )
 const (
 	baseLoginURL     = "https://dash.cloudflare.com/argotunnel"
-	callbackStoreURL = "https://login.cloudflarewarp.com/"
+	callbackStoreURL = "https://login.cloudflareaccess.org/"
 )
 func buildLoginSubcommand(hidden bool) *cli.Command {
 	return &cli.Command{
 		Name:      "login",
 		Action:    cliutil.ConfiguredAction(login),
 		Usage:     "Generate a configuration file with your login details",
 		ArgsUsage: " ",
 		Hidden:    hidden,
 	}
 }
 func login(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 	path, ok, err := checkForExistingCert()
 	if ok {
 		fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
@ -33,18 +50,31 @@ func login(c *cli.Context) error {
 		return err
 	}
-	_, err = transfer.Run(loginURL, "cert", "callback", callbackStoreURL, path, false)
+	resourceData, err := token.RunTransfer(
 		loginURL,
 		"",
 		"cert",
 		"callback",
 		callbackStoreURL,
 		false,
 		false,
 		log,
 	)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
 		return err
 	}
 	if err := os.WriteFile(path, resourceData, 0600); err != nil {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
 	fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
 	return nil
 }
 func checkForExistingCert() (string, bool, error) {
-	configPath, err := homedir.Expand(config.DefaultConfigDirs[0])
+	configPath, err := homedir.Expand(config.DefaultConfigSearchDirectories()[0])
 	if err != nil {
 		return "", false, err
 	}
@ -56,7 +86,7 @@ func checkForExistingCert() (string, bool, error) {
 	if err != nil {
 		return "", false, err
 	}
-	path := filepath.Join(configPath, config.DefaultCredentialFile)
+	path := filepath.Join(configPath, credentials.DefaultCredentialFile)
 	fileInfo, err := os.Stat(path)
 	if err == nil && fileInfo.Size() > 0 {
 		return path, true, nil
--- a/cmd/cloudflared/tunnel/quick_tunnel.go
+++ b/cmd/cloudflared/tunnel/quick_tunnel.go
@ -0,0 +1,140 @@
 package tunnel
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/connection"
 )
 const httpTimeout = 15 * time.Second
 const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 // RunQuickTunnel requests a tunnel from the specified service.
 // We use this to power quick tunnels on trycloudflare.com, but the
 // service is open-source and could be used by anyone.
 func RunQuickTunnel(sc *subcommandContext) error {
 	sc.log.Info().Msg(disclaimer)
 	sc.log.Info().Msg("Requesting new quick Tunnel on trycloudflare.com...")
 	client := http.Client{
 		Transport: &http.Transport{
 			TLSHandshakeTimeout:   httpTimeout,
 			ResponseHeaderTimeout: httpTimeout,
 		},
 		Timeout: httpTimeout,
 	}
 	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
 	if err != nil {
 		return errors.Wrap(err, "failed to build quick tunnel request")
 	}
 	req.Header.Add("Content-Type", "application/json")
 	req.Header.Add("User-Agent", buildInfo.UserAgent())
 	resp, err := client.Do(req)
 	if err != nil {
 		return errors.Wrap(err, "failed to request quick Tunnel")
 	}
 	defer resp.Body.Close()
 	// This will read the entire response into memory so we can print it in case of error
 	rsp_body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return errors.Wrap(err, "failed to read quick-tunnel response")
 	}
 	var data QuickTunnelResponse
 	if err := json.Unmarshal(rsp_body, &data); err != nil {
 		rsp_string := string(rsp_body)
 		fields := map[string]interface{}{"status_code": resp.Status}
 		sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
 		return errors.Wrap(err, "failed to unmarshal quick Tunnel")
 	}
 	tunnelID, err := uuid.Parse(data.Result.ID)
 	if err != nil {
 		return errors.Wrap(err, "failed to parse quick Tunnel ID")
 	}
 	credentials := connection.Credentials{
 		AccountTag:   data.Result.AccountTag,
 		TunnelSecret: data.Result.Secret,
 		TunnelID:     tunnelID,
 	}
 	url := data.Result.Hostname
 	if !strings.HasPrefix(url, "https://") {
 		url = "https://" + url
 	}
 	for _, line := range AsciiBox([]string{
 		"Your quick Tunnel has been created! Visit it at (it may take some time to be reachable):",
 		url,
 	}, 2) {
 		sc.log.Info().Msg(line)
 	}
 	if !sc.c.IsSet("protocol") {
 		sc.c.Set("protocol", "quic")
 	}
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
 	sc.c.Set(haConnectionsFlag, "1")
 	return StartServer(
 		sc.c,
 		buildInfo,
 		&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
 		sc.log,
 	)
 }
 type QuickTunnelResponse struct {
 	Success bool
 	Result  QuickTunnel
 	Errors  []QuickTunnelError
 }
 type QuickTunnelError struct {
 	Code    int
 	Message string
 }
 type QuickTunnel struct {
 	ID         string `json:"id"`
 	Name       string `json:"name"`
 	Hostname   string `json:"hostname"`
 	AccountTag string `json:"account_tag"`
 	Secret     []byte `json:"secret"`
 }
 // Print out the given lines in a nice ASCII box.
 func AsciiBox(lines []string, padding int) (box []string) {
 	maxLen := maxLen(lines)
 	spacer := strings.Repeat(" ", padding)
 	border := "+" + strings.Repeat("-", maxLen+(padding*2)) + "+"
 	box = append(box, border)
 	for _, line := range lines {
 		box = append(box, "|"+spacer+line+strings.Repeat(" ", maxLen-len(line))+spacer+"|")
 	}
 	box = append(box, border)
 	return
 }
 func maxLen(lines []string) int {
 	max := 0
 	for _, line := range lines {
 		if len(line) > max {
 			max = len(line)
 		}
 	}
 	return max
 }
--- a/cmd/cloudflared/tunnel/server.go
+++ b/cmd/cloudflared/tunnel/server.go
@ -1,33 +1,37 @@
 package tunnel
 import (
 	"fmt"
 	"github.com/cloudflare/cloudflared/tunneldns"
 	"gopkg.in/urfave/cli.v2"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 )
-func runDNSProxyServer(c *cli.Context, dnsReadySignal, shutdownC chan struct{}) error {
+func runDNSProxyServer(c *cli.Context, dnsReadySignal chan struct{}, shutdownC <-chan struct{}, log *zerolog.Logger) error {
 	port := c.Int("proxy-dns-port")
 	if port <= 0 || port > 65535 {
 		logger.Errorf("The 'proxy-dns-port' must be a valid port number in <1, 65535> range.")
 		return errors.New("The 'proxy-dns-port' must be a valid port number in <1, 65535> range.")
 	}
-	listener, err := tunneldns.CreateListener(c.String("proxy-dns-address"), uint16(port), c.StringSlice("proxy-dns-upstream"))
+	maxUpstreamConnections := c.Int("proxy-dns-max-upstream-conns")
 	if maxUpstreamConnections < 0 {
 		return fmt.Errorf("'%s' must be 0 or higher", "proxy-dns-max-upstream-conns")
 	}
 	listener, err := tunneldns.CreateListener(c.String("proxy-dns-address"), uint16(port), c.StringSlice("proxy-dns-upstream"), c.StringSlice("proxy-dns-bootstrap"), maxUpstreamConnections, log)
 	if err != nil {
 		close(dnsReadySignal)
 		listener.Stop()
 		logger.WithError(err).Error("Cannot create the DNS over HTTPS proxy server")
 		return errors.Wrap(err, "Cannot create the DNS over HTTPS proxy server")
 	}
 	err = listener.Start(dnsReadySignal)
 	if err != nil {
 		logger.WithError(err).Error("Cannot start the DNS over HTTPS proxy server")
 		return errors.Wrap(err, "Cannot start the DNS over HTTPS proxy server")
 	}
 	<-shutdownC
-	listener.Stop()
+	_ = listener.Stop()
 	log.Info().Msg("DNS server stopped")
 	return nil
 }
--- a/cmd/cloudflared/tunnel/signal.go
+++ b/cmd/cloudflared/tunnel/signal.go
@ -4,76 +4,20 @@ import (
 	"os"
 	"os/signal"
 	"syscall"
-	"time"
+
 	"github.com/rs/zerolog"
 )
-// waitForSignal notifies all routines to shutdownC immediately by closing the
+// waitForSignal closes graceShutdownC to indicate that we should start graceful shutdown sequence
-// shutdownC when one of the routines in main exits, or when this process receives
+func waitForSignal(graceShutdownC chan struct{}, logger *zerolog.Logger) {
 // SIGTERM/SIGINT
 func waitForSignal(errC chan error, shutdownC chan struct{}) error {
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	select {
-	case err := <-errC:
+	case s := <-signals:
-		close(shutdownC)
+		logger.Info().Msgf("Initiating graceful shutdown due to signal %s ...", s)
 		return err
 	case <-signals:
 		close(shutdownC)
 	case <-shutdownC:
 	}
 	return nil
 }
 // waitForSignalWithGraceShutdown notifies all routines to shutdown immediately
 // by closing the shutdownC when one of the routines in main exits.
 // When this process recieves SIGTERM/SIGINT, it closes the graceShutdownC to
 // notify certain routines to start graceful shutdown. When grace period is over,
 // or when some routine exits, it notifies the rest of the routines to shutdown
 // immediately by closing shutdownC.
 // In the case of handling commands from Windows Service Manager, closing graceShutdownC
 // initiate graceful shutdown.
 func waitForSignalWithGraceShutdown(errC chan error,
 	shutdownC, graceShutdownC chan struct{},
 	gracePeriod time.Duration,
 ) error {
 	signals := make(chan os.Signal, 10)
 	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
 	defer signal.Stop(signals)
 	select {
 	case err := <-errC:
 		close(graceShutdownC)
 		close(shutdownC)
 		return err
 	case <-signals:
 		close(graceShutdownC)
 		waitForGracePeriod(signals, errC, shutdownC, gracePeriod)
 	case <-graceShutdownC:
 		waitForGracePeriod(signals, errC, shutdownC, gracePeriod)
 	case <-shutdownC:
 		close(graceShutdownC)
 	}
 	return nil
 }
 func waitForGracePeriod(signals chan os.Signal,
 	errC chan error,
 	shutdownC chan struct{},
 	gracePeriod time.Duration,
 ) {
 	logger.Infof("Initiating graceful shutdown...")
 	// Unregister signal handler early, so the client can send a second SIGTERM/SIGINT
 	// to force shutdown cloudflared
 	signal.Stop(signals)
 	graceTimerTick := time.Tick(gracePeriod)
 	// send close signal via shutdownC when grace period expires or when an
 	// error is encountered.
 	select {
 	case <-graceTimerTick:
 	case <-errC:
 	}
 	close(shutdownC)
 }
--- a/cmd/cloudflared/tunnel/signal_test.go
+++ b/cmd/cloudflared/tunnel/signal_test.go
@ -1,11 +1,15 @@
 //go:build !windows
 package tunnel
 import (
 	"fmt"
 	"sync"
 	"syscall"
 	"testing"
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 )
@ -17,136 +21,85 @@ var (
 	graceShutdownErr = fmt.Errorf("receive grace shutdown")
 )
-func testChannelClosed(t *testing.T, c chan struct{}) {
+func channelClosed(c chan struct{}) bool {
 	select {
 	case <-c:
-		return
+		return true
 	default:
-		t.Fatal("Channel should be closed")
+		return false
 	}
 }
-func TestWaitForSignal(t *testing.T) {
+func TestSignalShutdown(t *testing.T) {
-	// Test handling server error
+	log := zerolog.Nop()
 	errC := make(chan error)
 	shutdownC := make(chan struct{})
 	go func() {
 		errC <- serverErr
 	}()
 	// received error, shutdownC should be closed
 	err := waitForSignal(errC, shutdownC)
 	assert.Equal(t, serverErr, err)
 	testChannelClosed(t, shutdownC)
 	// Test handling SIGTERM & SIGINT
 	for _, sig := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {
-		errC = make(chan error)
+		graceShutdownC := make(chan struct{})
 		shutdownC = make(chan struct{})
 		go func(shutdownC chan struct{}) {
 			<-shutdownC
 			errC <- shutdownErr
 		}(shutdownC)
 		go func(sig syscall.Signal) {
 			// sleep for a tick to prevent sending signal before calling waitForSignal
 			time.Sleep(tick)
-			syscall.Kill(syscall.Getpid(), sig)
+			_ = syscall.Kill(syscall.Getpid(), sig)
 		}(sig)
-		err = waitForSignal(errC, shutdownC)
+		time.AfterFunc(time.Second, func() {
-		assert.Equal(t, nil, err)
+			select {
-		assert.Equal(t, shutdownErr, <-errC)
+			case <-graceShutdownC:
-		testChannelClosed(t, shutdownC)
+			default:
 				close(graceShutdownC)
 				t.Fatal("waitForSignal timed out")
 			}
 		})
 		waitForSignal(graceShutdownC, &log)
 		assert.True(t, channelClosed(graceShutdownC))
 	}
 }
-func TestWaitForSignalWithGraceShutdown(t *testing.T) {
+func TestWaitForShutdown(t *testing.T) {
-	// Test server returning error
+	log := zerolog.Nop()
 	errC := make(chan error)
 	shutdownC := make(chan struct{})
 	graceshutdownC := make(chan struct{})
 	errC := make(chan error)
 	graceShutdownC := make(chan struct{})
 	const gracePeriod = 5 * time.Second
 	contextCancelled := false
 	cancel := func() {
 		contextCancelled = true
 	}
 	var wg sync.WaitGroup
 	// on, error stop immediately
 	contextCancelled = false
 	startTime := time.Now()
 	go func() {
 		errC <- serverErr
 	}()
-
+	err := waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, &log)
 	// received error, both shutdownC and graceshutdownC should be closed
 	err := waitForSignalWithGraceShutdown(errC, shutdownC, graceshutdownC, tick)
 	assert.Equal(t, serverErr, err)
-	testChannelClosed(t, shutdownC)
+	assert.True(t, contextCancelled)
-	testChannelClosed(t, graceshutdownC)
+	assert.False(t, channelClosed(graceShutdownC))
 	assert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early
-	// shutdownC closed, graceshutdownC should also be closed and no error
+	// on graceful shutdown, ignore error but stop as soon as an error arrives
-	errC = make(chan error)
+	contextCancelled = false
-	shutdownC = make(chan struct{})
+	startTime = time.Now()
-	graceshutdownC = make(chan struct{})
+	go func() {
-	close(shutdownC)
+		close(graceShutdownC)
-	err = waitForSignalWithGraceShutdown(errC, shutdownC, graceshutdownC, tick)
+		time.Sleep(tick)
-	assert.NoError(t, err)
+		errC <- serverErr
-	testChannelClosed(t, shutdownC)
+	}()
-	testChannelClosed(t, graceshutdownC)
+	err = waitToShutdown(&wg, cancel, errC, graceShutdownC, gracePeriod, &log)
 	assert.Nil(t, err)
 	assert.True(t, contextCancelled)
 	assert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early
-	// graceshutdownC closed, shutdownC should also be closed and no error
+	// with graceShutdownC closed stop right away without grace period
-	errC = make(chan error)
+	contextCancelled = false
-	shutdownC = make(chan struct{})
+	startTime = time.Now()
-	graceshutdownC = make(chan struct{})
+	err = waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, &log)
-	close(graceshutdownC)
+	assert.Nil(t, err)
-	err = waitForSignalWithGraceShutdown(errC, shutdownC, graceshutdownC, tick)
+	assert.True(t, contextCancelled)
-	assert.NoError(t, err)
+	assert.True(t, time.Now().Sub(startTime) < time.Second) // check that wait ended early
 	testChannelClosed(t, shutdownC)
 	testChannelClosed(t, graceshutdownC)
 	// Test handling SIGTERM & SIGINT
 	for _, sig := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {
 		errC := make(chan error)
 		shutdownC = make(chan struct{})
 		graceshutdownC = make(chan struct{})
 		go func(shutdownC, graceshutdownC chan struct{}) {
 			<-graceshutdownC
 			<-shutdownC
 			errC <- graceShutdownErr
 		}(shutdownC, graceshutdownC)
 		go func(sig syscall.Signal) {
 			// sleep for a tick to prevent sending signal before calling waitForSignalWithGraceShutdown
 			time.Sleep(tick)
 			syscall.Kill(syscall.Getpid(), sig)
 		}(sig)
 		err = waitForSignalWithGraceShutdown(errC, shutdownC, graceshutdownC, tick)
 		assert.Equal(t, nil, err)
 		assert.Equal(t, graceShutdownErr, <-errC)
 		testChannelClosed(t, shutdownC)
 		testChannelClosed(t, graceshutdownC)
 	}
 	// Test handling SIGTERM & SIGINT, server send error before end of grace period
 	for _, sig := range []syscall.Signal{syscall.SIGTERM, syscall.SIGINT} {
 		errC := make(chan error)
 		shutdownC = make(chan struct{})
 		graceshutdownC = make(chan struct{})
 		go func(shutdownC, graceshutdownC chan struct{}) {
 			<-graceshutdownC
 			errC <- graceShutdownErr
 			<-shutdownC
 			errC <- shutdownErr
 		}(shutdownC, graceshutdownC)
 		go func(sig syscall.Signal) {
 			// sleep for a tick to prevent sending signal before calling waitForSignalWithGraceShutdown
 			time.Sleep(tick)
 			syscall.Kill(syscall.Getpid(), sig)
 		}(sig)
 		err = waitForSignalWithGraceShutdown(errC, shutdownC, graceshutdownC, tick)
 		assert.Equal(t, nil, err)
 		assert.Equal(t, shutdownErr, <-errC)
 		testChannelClosed(t, shutdownC)
 		testChannelClosed(t, graceshutdownC)
 	}
 }
--- a/cmd/cloudflared/tunnel/subcommand_context.go
+++ b/cmd/cloudflared/tunnel/subcommand_context.go
@ -0,0 +1,398 @@
 package tunnel
 import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 )
 type errInvalidJSONCredential struct {
 	err  error
 	path string
 }
 func (e errInvalidJSONCredential) Error() string {
 	return "Invalid JSON when parsing tunnel credentials file"
 }
 // subcommandContext carries structs shared between subcommands, to reduce number of arguments needed to
 // pass between subcommands, and make sure they are only initialized once
 type subcommandContext struct {
 	c   *cli.Context
 	log *zerolog.Logger
 	fs  fileSystem
 	// These fields should be accessed using their respective Getter
 	tunnelstoreClient cfapi.Client
 	userCredential    *credentials.User
 }
 func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 	return &subcommandContext{
 		c:   c,
 		log: logger.CreateLoggerFromContext(c, logger.EnableTerminalLog),
 		fs:  realFileSystem{},
 	}, nil
 }
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
 		return newStaticPath(path, sc.fs)
 	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
 func (sc *subcommandContext) client() (cfapi.Client, error) {
 	if sc.tunnelstoreClient != nil {
 		return sc.tunnelstoreClient, nil
 	}
 	cred, err := sc.credential()
 	if err != nil {
 		return nil, err
 	}
 	sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
 	if err != nil {
 		return nil, err
 	}
 	return sc.tunnelstoreClient, nil
 }
 func (sc *subcommandContext) credential() (*credentials.User, error) {
 	if sc.userCredential == nil {
 		uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
 		if err != nil {
 			return nil, err
 		}
 		sc.userCredential = uc
 	}
 	return sc.userCredential, nil
 }
 func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (connection.Credentials, error) {
 	filePath, err := credFinder.Path()
 	if err != nil {
 		return connection.Credentials{}, err
 	}
 	body, err := sc.fs.readFile(filePath)
 	if err != nil {
 		return connection.Credentials{}, errors.Wrapf(err, "couldn't read tunnel credentials from %v", filePath)
 	}
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
 		if strings.HasSuffix(filePath, ".pem") {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
 				"login`.")
 		}
 		return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
 	}
 	return credentials, nil
 }
 func (sc *subcommandContext) create(name string, credentialsFilePath string, secret string) (*cfapi.Tunnel, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, errors.Wrap(err, "couldn't create client to talk to Cloudflare Tunnel backend")
 	}
 	var tunnelSecret []byte
 	if secret == "" {
 		tunnelSecret, err = generateTunnelSecret()
 		if err != nil {
 			return nil, errors.Wrap(err, "couldn't generate the secret for your new tunnel")
 		}
 	} else {
 		decodedSecret, err := base64.StdEncoding.DecodeString(secret)
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
 		tunnelSecret = []byte(decodedSecret)
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
 	}
 	tunnel, err := client.CreateTunnel(name, tunnelSecret)
 	if err != nil {
 		return nil, errors.Wrap(err, "Create Tunnel API call failed")
 	}
 	credential, err := sc.credential()
 	if err != nil {
 		return nil, err
 	}
 	tunnelCredentials := connection.Credentials{
 		AccountTag:   credential.AccountID(),
 		TunnelSecret: tunnelSecret,
 		TunnelID:     tunnel.ID,
 	}
 	usedCertPath := false
 	if credentialsFilePath == "" {
 		originCertDir := filepath.Dir(credential.CertPath())
 		credentialsFilePath, err = tunnelFilePath(tunnelCredentials.TunnelID, originCertDir)
 		if err != nil {
 			return nil, err
 		}
 		usedCertPath = true
 	}
 	writeFileErr := writeTunnelCredentials(credentialsFilePath, &tunnelCredentials)
 	if writeFileErr != nil {
 		var errorLines []string
 		errorLines = append(errorLines, fmt.Sprintf("Your tunnel '%v' was created with ID %v. However, cloudflared couldn't write tunnel credentials to %s.", tunnel.Name, tunnel.ID, credentialsFilePath))
 		errorLines = append(errorLines, fmt.Sprintf("The file-writing error is: %v", writeFileErr))
 		if deleteErr := client.DeleteTunnel(tunnel.ID, true); deleteErr != nil {
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
 			errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
 		}
 		errorMsg := strings.Join(errorLines, "\n")
 		return nil, errors.New(errorMsg)
 	}
 	if outputFormat := sc.c.String(outputFormatFlag.Name); outputFormat != "" {
 		return nil, renderOutput(outputFormat, &tunnel)
 	}
 	fmt.Printf("Tunnel credentials written to %v.", credentialsFilePath)
 	if usedCertPath {
 		fmt.Print(" cloudflared chose this file based on where your origin certificate was found.")
 	}
 	fmt.Println(" Keep this file secret. To revoke these credentials, delete the tunnel.")
 	fmt.Printf("\nCreated tunnel %s with id %s\n", tunnel.Name, tunnel.ID)
 	return &tunnel.Tunnel, nil
 }
 func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
 	}
 	return client.ListTunnels(filter)
 }
 func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
 	forceFlagSet := sc.c.Bool("force")
 	client, err := sc.client()
 	if err != nil {
 		return err
 	}
 	for _, id := range tunnelIDs {
 		tunnel, err := client.GetTunnel(id)
 		if err != nil {
 			return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", id)
 		}
 		// Check if tunnel DeletedAt field has already been set
 		if !tunnel.DeletedAt.IsZero() {
 			return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
 		}
 		if err := client.DeleteTunnel(tunnel.ID, forceFlagSet); err != nil {
 			return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
 		}
 		credFinder := sc.credentialFinder(id)
 		if tunnelCredentialsPath, err := credFinder.Path(); err == nil {
 			if err = os.Remove(tunnelCredentialsPath); err != nil {
 				sc.log.Info().Msgf("Tunnel %v was deleted, but we could not remove its credentials file  %s: %s. Consider deleting this file manually.", id, tunnelCredentialsPath, err)
 			}
 		}
 	}
 	return nil
 }
 // findCredentials will choose the right way to find the credentials file, find it,
 // and add the TunnelID into any old credentials (generated before TUN-3581 added the `TunnelID`
 // field to credentials files)
 func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Credentials, error) {
 	var credentials connection.Credentials
 	var err error
 	if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
 		if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
 			err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
 		}
 	} else {
 		credFinder := sc.credentialFinder(tunnelID)
 		credentials, err = sc.readTunnelCredentials(credFinder)
 	}
 	// This line ensures backwards compatibility with credentials files generated before
 	// TUN-3581. Those old credentials files don't have a TunnelID field, so we enrich the struct
 	// with the ID, which we have already resolved from the user input.
 	credentials.TunnelID = tunnelID
 	return credentials, err
 }
 func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 	credentials, err := sc.findCredentials(tunnelID)
 	if err != nil {
 		if e, ok := err.(errInvalidJSONCredential); ok {
 			sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
 			sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
 		}
 		return err
 	}
 	return sc.runWithCredentials(credentials)
 }
 func (sc *subcommandContext) runWithCredentials(credentials connection.Credentials) error {
 	sc.log.Info().Str(LogFieldTunnelID, credentials.TunnelID.String()).Msg("Starting tunnel")
 	return StartServer(
 		sc.c,
 		buildInfo,
 		&connection.TunnelProperties{Credentials: credentials},
 		sc.log,
 	)
 }
 func (sc *subcommandContext) cleanupConnections(tunnelIDs []uuid.UUID) error {
 	params := cfapi.NewCleanupParams()
 	extraLog := ""
 	if connector := sc.c.String("connector-id"); connector != "" {
 		connectorID, err := uuid.Parse(connector)
 		if err != nil {
 			return errors.Wrapf(err, "%s is not a valid client ID (must be a UUID)", connector)
 		}
 		params.ForClient(connectorID)
 		extraLog = fmt.Sprintf(" for connector-id %s", connectorID.String())
 	}
 	client, err := sc.client()
 	if err != nil {
 		return err
 	}
 	for _, tunnelID := range tunnelIDs {
 		sc.log.Info().Msgf("Cleanup connection for tunnel %s%s", tunnelID, extraLog)
 		if err := client.CleanupConnections(tunnelID, params); err != nil {
 			sc.log.Error().Msgf("Error cleaning up connections for tunnel %v, error :%v", tunnelID, err)
 		}
 	}
 	return nil
 }
 func (sc *subcommandContext) getTunnelTokenCredentials(tunnelID uuid.UUID) (*connection.TunnelToken, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
 	}
 	token, err := client.GetTunnelToken(tunnelID)
 	if err != nil {
 		sc.log.Err(err).Msgf("Could not get the Token for the given Tunnel %v", tunnelID)
 		return nil, err
 	}
 	return ParseToken(token)
 }
 func (sc *subcommandContext) route(tunnelID uuid.UUID, r cfapi.HostnameRoute) (cfapi.HostnameRouteResult, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, err
 	}
 	return client.RouteTunnel(tunnelID, r)
 }
 // Query Tunnelstore to find the active tunnel with the given name.
 func (sc *subcommandContext) tunnelActive(name string) (*cfapi.Tunnel, bool, error) {
 	filter := cfapi.NewTunnelFilter()
 	filter.NoDeleted()
 	filter.ByName(name)
 	tunnels, err := sc.list(filter)
 	if err != nil {
 		return nil, false, err
 	}
 	if len(tunnels) == 0 {
 		return nil, false, nil
 	}
 	// There should only be 1 active tunnel for a given name
 	return tunnels[0], true, nil
 }
 // findID parses the input. If it's a UUID, return the UUID.
 // Otherwise, assume it's a name, and look up the ID of that tunnel.
 func (sc *subcommandContext) findID(input string) (uuid.UUID, error) {
 	if u, err := uuid.Parse(input); err == nil {
 		return u, nil
 	}
 	// Look up name in the credentials file.
 	credFinder := newStaticPath(sc.c.String(CredFileFlag), sc.fs)
 	if credentials, err := sc.readTunnelCredentials(credFinder); err == nil {
 		if credentials.TunnelID != uuid.Nil {
 			return credentials.TunnelID, nil
 		}
 	}
 	// Fall back to querying Tunnelstore.
 	if tunnel, found, err := sc.tunnelActive(input); err != nil {
 		return uuid.Nil, err
 	} else if found {
 		return tunnel.ID, nil
 	}
 	return uuid.Nil, fmt.Errorf("%s is neither the ID nor the name of any of your tunnels", input)
 }
 // findIDs is just like mapping `findID` over a slice, but it only uses
 // one Tunnelstore API call per non-UUID input provided.
 func (sc *subcommandContext) findIDs(inputs []string) ([]uuid.UUID, error) {
 	uuids, names := splitUuids(inputs)
 	for _, name := range names {
 		filter := cfapi.NewTunnelFilter()
 		filter.NoDeleted()
 		filter.ByName(name)
 		tunnels, err := sc.list(filter)
 		if err != nil {
 			return nil, err
 		}
 		if len(tunnels) != 1 {
 			return nil, fmt.Errorf("there should only be 1 non-deleted Tunnel named %s", name)
 		}
 		uuids = append(uuids, tunnels[0].ID)
 	}
 	return uuids, nil
 }
 func splitUuids(inputs []string) ([]uuid.UUID, []string) {
 	uuids := make([]uuid.UUID, 0)
 	names := make([]string, 0)
 	for _, input := range inputs {
 		id, err := uuid.Parse(input)
 		if err != nil {
 			names = append(names, input)
 		} else {
 			uuids = append(uuids, id)
 		}
 	}
 	return uuids, names
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
@ -0,0 +1,66 @@
 package tunnel
 import (
 	"net"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cfapi"
 )
 const noClientMsg = "error while creating backend client"
 func (sc *subcommandContext) listRoutes(filter *cfapi.IpRouteFilter) ([]*cfapi.DetailedRoute, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, errors.Wrap(err, noClientMsg)
 	}
 	return client.ListRoutes(filter)
 }
 func (sc *subcommandContext) addRoute(newRoute cfapi.NewRoute) (cfapi.Route, error) {
 	client, err := sc.client()
 	if err != nil {
 		return cfapi.Route{}, errors.Wrap(err, noClientMsg)
 	}
 	return client.AddRoute(newRoute)
 }
 func (sc *subcommandContext) deleteRoute(id uuid.UUID) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
 	return client.DeleteRoute(id)
 }
 func (sc *subcommandContext) getRouteByIP(params cfapi.GetRouteByIpParams) (cfapi.DetailedRoute, error) {
 	client, err := sc.client()
 	if err != nil {
 		return cfapi.DetailedRoute{}, errors.Wrap(err, noClientMsg)
 	}
 	return client.GetByIP(params)
 }
 func (sc *subcommandContext) getRouteId(network net.IPNet, vnetId *uuid.UUID) (uuid.UUID, error) {
 	filters := cfapi.NewIPRouteFilter()
 	filters.NotDeleted()
 	filters.NetworkIsSubsetOf(network)
 	filters.NetworkIsSupersetOf(network)
 	if vnetId != nil {
 		filters.VNetID(*vnetId)
 	}
 	result, err := sc.listRoutes(filters)
 	if err != nil {
 		return uuid.Nil, err
 	}
 	if len(result) != 1 {
 		return uuid.Nil, errors.New("unable to find route for provided network and vnet")
 	}
 	return result[0].ID, nil
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_test.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_test.go
@ -0,0 +1,370 @@
 package tunnel
 import (
 	"encoding/base64"
 	"flag"
 	"fmt"
 	"reflect"
 	"testing"
 	"time"
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 )
 type mockFileSystem struct {
 	rf  func(string) ([]byte, error)
 	vfp func(string) bool
 }
 func (fs mockFileSystem) validFilePath(path string) bool {
 	return fs.vfp(path)
 }
 func (fs mockFileSystem) readFile(filePath string) ([]byte, error) {
 	return fs.rf(filePath)
 }
 func Test_subcommandContext_findCredentials(t *testing.T) {
 	type fields struct {
 		c                 *cli.Context
 		log               *zerolog.Logger
 		fs                fileSystem
 		tunnelstoreClient cfapi.Client
 		userCredential    *credentials.User
 	}
 	type args struct {
 		tunnelID uuid.UUID
 	}
 	oldCertPath := "old_cert.json"
 	newCertPath := "new_cert.json"
 	accountTag := "0000d4d14e84bd4ae5a6a02e0000ac63"
 	secret := []byte{211, 79, 177, 245, 179, 194, 152, 127, 140, 71, 18, 46, 183, 209, 10, 24, 192, 150, 55, 249, 211, 16, 167, 30, 113, 51, 152, 168, 72, 100, 205, 144}
 	secretB64 := base64.StdEncoding.EncodeToString(secret)
 	tunnelID := uuid.MustParse("df5ed608-b8b4-4109-89f3-9f2cf199df64")
 	name := "mytunnel"
 	fs := mockFileSystem{
 		rf: func(filePath string) ([]byte, error) {
 			if filePath == oldCertPath {
 				// An old credentials file created before TUN-3581 added the new fields
 				return []byte(fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s"}`, accountTag, secretB64)), nil
 			}
 			if filePath == newCertPath {
 				// A new credentials file created after TUN-3581 with its new fields.
 				return []byte(fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s","TunnelID":"%s","TunnelName":"%s"}`, accountTag, secretB64, tunnelID, name)), nil
 			}
 			return nil, errors.New("file not found")
 		},
 		vfp: func(string) bool { return true },
 	}
 	log := zerolog.Nop()
 	tests := []struct {
 		name    string
 		fields  fields
 		args    args
 		want    connection.Credentials
 		wantErr bool
 	}{
 		{
 			name: "Filepath given leads to old credentials file",
 			fields: fields{
 				log: &log,
 				fs:  fs,
 				c: func() *cli.Context {
 					flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
 					flagSet.String(CredFileFlag, oldCertPath, "")
 					c := cli.NewContext(cli.NewApp(), flagSet, nil)
 					_ = c.Set(CredFileFlag, oldCertPath)
 					return c
 				}(),
 			},
 			args: args{
 				tunnelID: tunnelID,
 			},
 			want: connection.Credentials{
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 			},
 		},
 		{
 			name: "Filepath given leads to new credentials file",
 			fields: fields{
 				log: &log,
 				fs:  fs,
 				c: func() *cli.Context {
 					flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
 					flagSet.String(CredFileFlag, newCertPath, "")
 					c := cli.NewContext(cli.NewApp(), flagSet, nil)
 					_ = c.Set(CredFileFlag, newCertPath)
 					return c
 				}(),
 			},
 			args: args{
 				tunnelID: tunnelID,
 			},
 			want: connection.Credentials{
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 			},
 		},
 		{
 			name: "TUNNEL_CRED_CONTENTS given contains old credentials contents",
 			fields: fields{
 				log: &log,
 				fs:  fs,
 				c: func() *cli.Context {
 					flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
 					flagSet.String(CredContentsFlag, "", "")
 					c := cli.NewContext(cli.NewApp(), flagSet, nil)
 					_ = c.Set(CredContentsFlag, fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s"}`, accountTag, secretB64))
 					return c
 				}(),
 			},
 			args: args{
 				tunnelID: tunnelID,
 			},
 			want: connection.Credentials{
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 			},
 		},
 		{
 			name: "TUNNEL_CRED_CONTENTS given contains new credentials contents",
 			fields: fields{
 				log: &log,
 				fs:  fs,
 				c: func() *cli.Context {
 					flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
 					flagSet.String(CredContentsFlag, "", "")
 					c := cli.NewContext(cli.NewApp(), flagSet, nil)
 					_ = c.Set(CredContentsFlag, fmt.Sprintf(`{"AccountTag":"%s","TunnelSecret":"%s","TunnelID":"%s","TunnelName":"%s"}`, accountTag, secretB64, tunnelID, name))
 					return c
 				}(),
 			},
 			args: args{
 				tunnelID: tunnelID,
 			},
 			want: connection.Credentials{
 				AccountTag:   accountTag,
 				TunnelID:     tunnelID,
 				TunnelSecret: secret,
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
 			}
 			got, err := sc.findCredentials(tt.args.tunnelID)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("subcommandContext.findCredentials() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("subcommandContext.findCredentials() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 type deleteMockTunnelStore struct {
 	cfapi.Client
 	mockTunnels      map[uuid.UUID]mockTunnelBehaviour
 	deletedTunnelIDs []uuid.UUID
 }
 type mockTunnelBehaviour struct {
 	tunnel     cfapi.Tunnel
 	deleteErr  error
 	cleanupErr error
 }
 func newDeleteMockTunnelStore(tunnels ...mockTunnelBehaviour) *deleteMockTunnelStore {
 	mockTunnels := make(map[uuid.UUID]mockTunnelBehaviour)
 	for _, tunnel := range tunnels {
 		mockTunnels[tunnel.tunnel.ID] = tunnel
 	}
 	return &deleteMockTunnelStore{
 		mockTunnels:      mockTunnels,
 		deletedTunnelIDs: make([]uuid.UUID, 0),
 	}
 }
 func (d *deleteMockTunnelStore) GetTunnel(tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return nil, fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
 	}
 	return &tunnel.tunnel, nil
 }
 func (d *deleteMockTunnelStore) GetTunnelToken(tunnelID uuid.UUID) (string, error) {
 	return "token", nil
 }
 func (d *deleteMockTunnelStore) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
 	}
 	if tunnel.deleteErr != nil {
 		return tunnel.deleteErr
 	}
 	d.deletedTunnelIDs = append(d.deletedTunnelIDs, tunnelID)
 	tunnel.tunnel.DeletedAt = time.Now()
 	delete(d.mockTunnels, tunnelID)
 	return nil
 }
 func (d *deleteMockTunnelStore) CleanupConnections(tunnelID uuid.UUID, _ *cfapi.CleanupParams) error {
 	tunnel, ok := d.mockTunnels[tunnelID]
 	if !ok {
 		return fmt.Errorf("Couldn't find tunnel: %v", tunnelID)
 	}
 	return tunnel.cleanupErr
 }
 func Test_subcommandContext_Delete(t *testing.T) {
 	type fields struct {
 		c                 *cli.Context
 		log               *zerolog.Logger
 		isUIEnabled       bool
 		fs                fileSystem
 		tunnelstoreClient *deleteMockTunnelStore
 		userCredential    *credentials.User
 	}
 	type args struct {
 		tunnelIDs []uuid.UUID
 	}
 	newCertPath := "new_cert.json"
 	tunnelID1 := uuid.MustParse("df5ed608-b8b4-4109-89f3-9f2cf199df64")
 	tunnelID2 := uuid.MustParse("af5ed608-b8b4-4109-89f3-9f2cf199df64")
 	log := zerolog.Nop()
 	var tests = []struct {
 		name    string
 		fields  fields
 		args    args
 		want    []uuid.UUID
 		wantErr bool
 	}{
 		{
 			name: "clean up continues if credentials are not found",
 			fields: fields{
 				log: &log,
 				fs: mockFileSystem{
 					rf: func(filePath string) ([]byte, error) {
 						return nil, errors.New("file not found")
 					},
 					vfp: func(string) bool { return true },
 				},
 				c: func() *cli.Context {
 					flagSet := flag.NewFlagSet("test0", flag.PanicOnError)
 					flagSet.String(CredFileFlag, newCertPath, "")
 					c := cli.NewContext(cli.NewApp(), flagSet, nil)
 					_ = c.Set(CredFileFlag, newCertPath)
 					return c
 				}(),
 				tunnelstoreClient: newDeleteMockTunnelStore(
 					mockTunnelBehaviour{
 						tunnel: cfapi.Tunnel{ID: tunnelID1},
 					},
 					mockTunnelBehaviour{
 						tunnel: cfapi.Tunnel{ID: tunnelID2},
 					},
 				),
 			},
 			args: args{
 				tunnelIDs: []uuid.UUID{tunnelID1, tunnelID2},
 			},
 			want: []uuid.UUID{tunnelID1, tunnelID2},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			sc := &subcommandContext{
 				c:                 tt.fields.c,
 				log:               tt.fields.log,
 				fs:                tt.fields.fs,
 				tunnelstoreClient: tt.fields.tunnelstoreClient,
 				userCredential:    tt.fields.userCredential,
 			}
 			err := sc.delete(tt.args.tunnelIDs)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("subcommandContext.findCredentials() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			got := tt.fields.tunnelstoreClient.deletedTunnelIDs
 			if !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("subcommandContext.findCredentials() = %v, want %v", got, tt.want)
 				return
 			}
 		})
 	}
 }
 func Test_subcommandContext_ValidateIngressCommand(t *testing.T) {
 	var tests = []struct {
 		name        string
 		c           *cli.Context
 		wantErr     bool
 		expectedErr error
 	}{
 		{
 			name: "read a valid configuration from data",
 			c: func() *cli.Context {
 				data := `{ "warp-routing": {"enabled": true},  "originRequest" : {"connectTimeout": 10}, "ingress" : [ {"hostname": "test", "service": "https://localhost:8000" } , {"service": "http_status:404"} ]}`
 				flagSet := flag.NewFlagSet("json", flag.PanicOnError)
 				flagSet.String(ingressDataJSONFlagName, data, "")
 				c := cli.NewContext(cli.NewApp(), flagSet, nil)
 				_ = c.Set(ingressDataJSONFlagName, data)
 				return c
 			}(),
 		},
 		{
 			name: "read an invalid configuration with multiple mistakes",
 			c: func() *cli.Context {
 				data := `{ "ingress" : [ {"hostname": "test", "service": "localhost:8000" } , {"service": "http_status:invalid_status"} ]}`
 				flagSet := flag.NewFlagSet("json", flag.PanicOnError)
 				flagSet.String(ingressDataJSONFlagName, data, "")
 				c := cli.NewContext(cli.NewApp(), flagSet, nil)
 				_ = c.Set(ingressDataJSONFlagName, data)
 				return c
 			}(),
 			wantErr:     true,
 			expectedErr: errors.New("Validation failed: localhost:8000 is an invalid address, please make sure it has a scheme and a hostname"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := validateIngressCommand(tt.c, "")
 			if tt.wantErr {
 				assert.Equal(t, tt.expectedErr.Error(), err.Error())
 			} else {
 				assert.Nil(t, err)
 			}
 		})
 	}
 }
--- a/cmd/cloudflared/tunnel/subcommand_context_vnets.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_vnets.go
@ -0,0 +1,40 @@
 package tunnel
 import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 	"github.com/cloudflare/cloudflared/cfapi"
 )
 func (sc *subcommandContext) addVirtualNetwork(newVnet cfapi.NewVirtualNetwork) (cfapi.VirtualNetwork, error) {
 	client, err := sc.client()
 	if err != nil {
 		return cfapi.VirtualNetwork{}, errors.Wrap(err, noClientMsg)
 	}
 	return client.CreateVirtualNetwork(newVnet)
 }
 func (sc *subcommandContext) listVirtualNetworks(filter *cfapi.VnetFilter) ([]*cfapi.VirtualNetwork, error) {
 	client, err := sc.client()
 	if err != nil {
 		return nil, errors.Wrap(err, noClientMsg)
 	}
 	return client.ListVirtualNetworks(filter)
 }
 func (sc *subcommandContext) deleteVirtualNetwork(vnetId uuid.UUID, force bool) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
 	return client.DeleteVirtualNetwork(vnetId, force)
 }
 func (sc *subcommandContext) updateVirtualNetwork(vnetId uuid.UUID, updates cfapi.UpdateVirtualNetwork) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
 	return client.UpdateVirtualNetwork(vnetId, updates)
 }
--- a/cmd/cloudflared/tunnel/subcommands.go
+++ b/cmd/cloudflared/tunnel/subcommands.go
@ -0,0 +1,953 @@
 package tunnel
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"regexp"
 	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
 	yaml "gopkg.in/yaml.v3"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 )
 const (
 	allSortByOptions     = "name, id, createdAt, deletedAt, numConnections"
 	connsSortByOptions   = "id, startedAt, numConnections, version"
 	CredFileFlagAlias    = "cred-file"
 	CredFileFlag         = "credentials-file"
 	CredContentsFlag     = "credentials-contents"
 	TunnelTokenFlag      = "token"
 	overwriteDNSFlagName = "overwrite-dns"
 	LogFieldTunnelID = "tunnelID"
 )
 var (
 	showDeletedFlag = &cli.BoolFlag{
 		Name:    "show-deleted",
 		Aliases: []string{"d"},
 		Usage:   "Include deleted tunnels in the list",
 	}
 	listNameFlag = &cli.StringFlag{
 		Name:    "name",
 		Aliases: []string{"n"},
 		Usage:   "List tunnels with the given `NAME`",
 	}
 	listNamePrefixFlag = &cli.StringFlag{
 		Name:    "name-prefix",
 		Aliases: []string{"np"},
 		Usage:   "List tunnels that start with the give `NAME` prefix",
 	}
 	listExcludeNamePrefixFlag = &cli.StringFlag{
 		Name:    "exclude-name-prefix",
 		Aliases: []string{"enp"},
 		Usage:   "List tunnels whose `NAME` does not start with the given prefix",
 	}
 	listExistedAtFlag = &cli.TimestampFlag{
 		Name:        "when",
 		Aliases:     []string{"w"},
 		Usage:       "List tunnels that are active at the given `TIME` in RFC3339 format",
 		Layout:      cfapi.TimeLayout,
 		DefaultText: fmt.Sprintf("current time, %s", time.Now().Format(cfapi.TimeLayout)),
 	}
 	listIDFlag = &cli.StringFlag{
 		Name:    "id",
 		Aliases: []string{"i"},
 		Usage:   "List tunnel by `ID`",
 	}
 	showRecentlyDisconnected = &cli.BoolFlag{
 		Name:    "show-recently-disconnected",
 		Aliases: []string{"rd"},
 		Usage:   "Include connections that have recently disconnected in the list",
 	}
 	outputFormatFlag = &cli.StringFlag{
 		Name:    "output",
 		Aliases: []string{"o"},
 		Usage:   "Render output using given `FORMAT`. Valid options are 'json' or 'yaml'",
 	}
 	sortByFlag = &cli.StringFlag{
 		Name:    "sort-by",
 		Value:   "name",
 		Usage:   fmt.Sprintf("Sorts the list of tunnels by the given field. Valid options are {%s}", allSortByOptions),
 		EnvVars: []string{"TUNNEL_LIST_SORT_BY"},
 	}
 	invertSortFlag = &cli.BoolFlag{
 		Name:    "invert-sort",
 		Usage:   "Inverts the sort order of the tunnel list.",
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
 		Name:    "features",
 		Aliases: []string{"F"},
 		Usage:   "Opt into various features that are still being developed or tested.",
 	})
 	credentialsFileFlagCLIOnly = &cli.StringFlag{
 		Name:    CredFileFlag,
 		Aliases: []string{CredFileFlagAlias},
 		Usage:   "Filepath at which to read/write the tunnel credentials",
 		EnvVars: []string{"TUNNEL_CRED_FILE"},
 	}
 	credentialsFileFlag     = altsrc.NewStringFlag(credentialsFileFlagCLIOnly)
 	credentialsContentsFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    CredContentsFlag,
 		Usage:   "Contents of the tunnel credentials JSON file to use. When provided along with credentials-file, this will take precedence.",
 		EnvVars: []string{"TUNNEL_CRED_CONTENTS"},
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
 		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
 	forceDeleteFlag = &cli.BoolFlag{
 		Name:    "force",
 		Aliases: []string{"f"},
 		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
 			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    "protocol",
 		Value:   connection.AutoSelectFlag,
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
 		EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
 		Name:    "post-quantum",
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
 		Hidden:  FipsEnabled,
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
 		Value:   "createdAt",
 		Usage:   fmt.Sprintf("Sorts the list of connections of a tunnel by the given field. Valid options are {%s}", connsSortByOptions),
 		EnvVars: []string{"TUNNEL_INFO_SORT_BY"},
 	}
 	invertInfoSortFlag = &cli.BoolFlag{
 		Name:    "invert-sort",
 		Usage:   "Inverts the sort order of the tunnel info.",
 		EnvVars: []string{"TUNNEL_INFO_INVERT_SORT"},
 	}
 	cleanupClientFlag = &cli.StringFlag{
 		Name:    "connector-id",
 		Aliases: []string{"c"},
 		Usage:   `Constraints the cleanup to stop the connections of a single Connector (by its ID). You can find the various Connectors (and their IDs) currently connected to your tunnel via 'cloudflared tunnel info <name>'.`,
 		EnvVars: []string{"TUNNEL_CLEANUP_CONNECTOR"},
 	}
 	overwriteDNSFlag = &cli.BoolFlag{
 		Name:    overwriteDNSFlagName,
 		Aliases: []string{"f"},
 		Usage:   `Overwrites existing DNS records with this hostname`,
 		EnvVars: []string{"TUNNEL_FORCE_PROVISIONING_DNS"},
 	}
 	createSecretFlag = &cli.StringFlag{
 		Name:    "secret",
 		Aliases: []string{"s"},
 		Usage:   "Base64 encoded secret to set for the tunnel. The decoded secret must be at least 32 bytes long. If not specified, a random 32-byte secret will be generated.",
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
 		Name:    "icmpv4-src",
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
 		Name:    "icmpv6-src",
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
 )
 func buildCreateCommand() *cli.Command {
 	return &cli.Command{
 		Name:      "create",
 		Action:    cliutil.ConfiguredAction(createCommand),
 		Usage:     "Create a new tunnel with given name",
 		UsageText: "cloudflared tunnel [tunnel command options] create [subcommand options] NAME",
 		Description: `Creates a tunnel, registers it with Cloudflare edge and generates credential file used to run this tunnel.
  Use "cloudflared tunnel route" subcommand to map a DNS name to this tunnel and "cloudflared tunnel run" to start the connection.
  For example, to create a tunnel named 'my-tunnel' run:
  $ cloudflared tunnel create my-tunnel`,
 		Flags:              []cli.Flag{outputFormatFlag, credentialsFileFlagCLIOnly, createSecretFlag},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 // generateTunnelSecret as an array of 32 bytes using secure random number generator
 func generateTunnelSecret() ([]byte, error) {
 	randomBytes := make([]byte, 32)
 	_, err := rand.Read(randomBytes)
 	return randomBytes, err
 }
 func createCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return errors.Wrap(err, "error setting up logger")
 	}
 	if c.NArg() != 1 {
 		return cliutil.UsageError(`"cloudflared tunnel create" requires exactly 1 argument, the name of tunnel to create.`)
 	}
 	name := c.Args().First()
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	_, err = sc.create(name, c.String(CredFileFlag), c.String(createSecretFlag.Name))
 	return errors.Wrap(err, "failed to create tunnel")
 }
 func tunnelFilePath(tunnelID uuid.UUID, directory string) (string, error) {
 	fileName := fmt.Sprintf("%v.json", tunnelID)
 	filePath := filepath.Clean(fmt.Sprintf("%s/%s", directory, fileName))
 	return homedir.Expand(filePath)
 }
 // writeTunnelCredentials saves `credentials` as a JSON into `filePath`, only if
 // the file does not exist already
 func writeTunnelCredentials(filePath string, credentials *connection.Credentials) error {
 	if _, err := os.Stat(filePath); !os.IsNotExist(err) {
 		if err == nil {
 			return fmt.Errorf("%s already exists", filePath)
 		}
 		return err
 	}
 	body, err := json.Marshal(credentials)
 	if err != nil {
 		return errors.Wrap(err, "Unable to marshal tunnel credentials to JSON")
 	}
 	return os.WriteFile(filePath, body, 0400)
 }
 func buildListCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "list",
 		Action:      cliutil.ConfiguredAction(listCommand),
 		Usage:       "List existing tunnels",
 		UsageText:   "cloudflared tunnel [tunnel command options] list [subcommand options]",
 		Description: "cloudflared tunnel list will display all active tunnels, their created time and associated connections. Use -d flag to include deleted tunnels. See the list of options to filter the list",
 		Flags: []cli.Flag{
 			outputFormatFlag,
 			showDeletedFlag,
 			listNameFlag,
 			listNamePrefixFlag,
 			listExcludeNamePrefixFlag,
 			listExistedAtFlag,
 			listIDFlag,
 			showRecentlyDisconnected,
 			sortByFlag,
 			invertSortFlag,
 		},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func listCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	filter := cfapi.NewTunnelFilter()
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
 	if name := c.String("name"); name != "" {
 		filter.ByName(name)
 	}
 	if namePrefix := c.String("name-prefix"); namePrefix != "" {
 		filter.ByNamePrefix(namePrefix)
 	}
 	if excludePrefix := c.String("exclude-name-prefix"); excludePrefix != "" {
 		filter.ExcludeNameWithPrefix(excludePrefix)
 	}
 	if existedAt := c.Timestamp("time"); existedAt != nil {
 		filter.ByExistedAt(*existedAt)
 	}
 	if id := c.String("id"); id != "" {
 		tunnelID, err := uuid.Parse(id)
 		if err != nil {
 			return errors.Wrapf(err, "%s is not a valid tunnel ID", id)
 		}
 		filter.ByTunnelID(tunnelID)
 	}
 	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
 		filter.MaxFetchSize(uint(maxFetch))
 	}
 	tunnels, err := sc.list(filter)
 	if err != nil {
 		return err
 	}
 	// Sort the tunnels
 	sortBy := c.String("sort-by")
 	invalidSortField := false
 	sort.Slice(tunnels, func(i, j int) bool {
 		cmp := func() bool {
 			switch sortBy {
 			case "name":
 				return tunnels[i].Name < tunnels[j].Name
 			case "id":
 				return tunnels[i].ID.String() < tunnels[j].ID.String()
 			case "createdAt":
 				return tunnels[i].CreatedAt.Unix() < tunnels[j].CreatedAt.Unix()
 			case "deletedAt":
 				return tunnels[i].DeletedAt.Unix() < tunnels[j].DeletedAt.Unix()
 			case "numConnections":
 				return len(tunnels[i].Connections) < len(tunnels[j].Connections)
 			default:
 				invalidSortField = true
 				return tunnels[i].Name < tunnels[j].Name
 			}
 		}()
 		if c.Bool("invert-sort") {
 			return !cmp
 		}
 		return cmp
 	})
 	if invalidSortField {
 		sc.log.Error().Msgf("%s is not a valid sort field. Valid sort fields are %s. Defaulting to 'name'.", sortBy, allSortByOptions)
 	}
 	if outputFormat := c.String(outputFormatFlag.Name); outputFormat != "" {
 		return renderOutput(outputFormat, tunnels)
 	}
 	if len(tunnels) > 0 {
 		formatAndPrintTunnelList(tunnels, c.Bool("show-recently-disconnected"))
 	} else {
 		fmt.Println("No tunnels were found for the given filter flags. You can use 'cloudflared tunnel create' to create a tunnel.")
 	}
 	return nil
 }
 func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected bool) {
 	writer := tabWriter()
 	defer writer.Flush()
 	_, _ = fmt.Fprintln(writer, "You can obtain more detailed information for each tunnel with `cloudflared tunnel info <name/uuid>`")
 	// Print column headers with tabbed columns
 	_, _ = fmt.Fprintln(writer, "ID\tNAME\tCREATED\tCONNECTIONS\t")
 	// Loop through tunnels, create formatted string for each, and print using tabwriter
 	for _, t := range tunnels {
 		formattedStr := fmt.Sprintf(
 			"%s\t%s\t%s\t%s\t",
 			t.ID,
 			t.Name,
 			t.CreatedAt.Format(time.RFC3339),
 			fmtConnections(t.Connections, showRecentlyDisconnected),
 		)
 		_, _ = fmt.Fprintln(writer, formattedStr)
 	}
 }
 func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
 	for _, connection := range connections {
 		if !connection.IsPendingReconnect || showRecentlyDisconnected {
 			numConnsPerColo[connection.ColoName]++
 		}
 	}
 	// Get sorted list of colos
 	sortedColos := []string{}
 	for coloName := range numConnsPerColo {
 		sortedColos = append(sortedColos, coloName)
 	}
 	sort.Strings(sortedColos)
 	// Map each colo to its frequency, combine into output string.
 	var output []string
 	for _, coloName := range sortedColos {
 		output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
 	}
 	return strings.Join(output, ", ")
 }
 func buildInfoCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "info",
 		Action:      cliutil.ConfiguredAction(tunnelInfo),
 		Usage:       "List details about the active connectors for a tunnel",
 		UsageText:   "cloudflared tunnel [tunnel command options] info [subcommand options] [TUNNEL]",
 		Description: "cloudflared tunnel info displays details about the active connectors for a given tunnel (identified by name or uuid).",
 		Flags: []cli.Flag{
 			outputFormatFlag,
 			showRecentlyDisconnected,
 			sortInfoByFlag,
 			invertInfoSortFlag,
 		},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func tunnelInfo(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	if c.NArg() != 1 {
 		return cliutil.UsageError(`"cloudflared tunnel info" accepts exactly one argument, the ID or name of the tunnel to get info about.`)
 	}
 	tunnelID, err := sc.findID(c.Args().First())
 	if err != nil {
 		return errors.Wrap(err, "error parsing tunnel ID")
 	}
 	client, err := sc.client()
 	if err != nil {
 		return err
 	}
 	clients, err := client.ListActiveClients(tunnelID)
 	if err != nil {
 		return err
 	}
 	sortBy := c.String("sort-by")
 	invalidSortField := false
 	sort.Slice(clients, func(i, j int) bool {
 		cmp := func() bool {
 			switch sortBy {
 			case "id":
 				return clients[i].ID.String() < clients[j].ID.String()
 			case "createdAt":
 				return clients[i].RunAt.Unix() < clients[j].RunAt.Unix()
 			case "numConnections":
 				return len(clients[i].Connections) < len(clients[j].Connections)
 			case "version":
 				return clients[i].Version < clients[j].Version
 			default:
 				invalidSortField = true
 				return clients[i].RunAt.Unix() < clients[j].RunAt.Unix()
 			}
 		}()
 		if c.Bool("invert-sort") {
 			return !cmp
 		}
 		return cmp
 	})
 	if invalidSortField {
 		sc.log.Error().Msgf("%s is not a valid sort field. Valid sort fields are %s. Defaulting to 'name'.", sortBy, connsSortByOptions)
 	}
 	tunnel, err := getTunnel(sc, tunnelID)
 	if err != nil {
 		return err
 	}
 	info := Info{
 		tunnel.ID,
 		tunnel.Name,
 		tunnel.CreatedAt,
 		clients,
 	}
 	if outputFormat := c.String(outputFormatFlag.Name); outputFormat != "" {
 		return renderOutput(outputFormat, info)
 	}
 	if len(clients) > 0 {
 		formatAndPrintConnectionsList(info, c.Bool("show-recently-disconnected"))
 	} else {
 		fmt.Printf("Your tunnel %s does not have any active connection.\n", tunnelID)
 	}
 	return nil
 }
 func getTunnel(sc *subcommandContext, tunnelID uuid.UUID) (*cfapi.Tunnel, error) {
 	filter := cfapi.NewTunnelFilter()
 	filter.ByTunnelID(tunnelID)
 	tunnels, err := sc.list(filter)
 	if err != nil {
 		return nil, err
 	}
 	if len(tunnels) != 1 {
 		return nil, errors.Errorf("Expected to find a single tunnel with uuid %v but found %d tunnels.", tunnelID, len(tunnels))
 	}
 	return tunnels[0], nil
 }
 func formatAndPrintConnectionsList(tunnelInfo Info, showRecentlyDisconnected bool) {
 	writer := tabWriter()
 	defer writer.Flush()
 	// Print the general tunnel info table
 	_, _ = fmt.Fprintf(writer, "NAME:     %s\nID:       %s\nCREATED:  %s\n\n", tunnelInfo.Name, tunnelInfo.ID, tunnelInfo.CreatedAt)
 	// Determine whether to print the connector table
 	shouldDisplayTable := false
 	for _, c := range tunnelInfo.Connectors {
 		conns := fmtConnections(c.Connections, showRecentlyDisconnected)
 		if len(conns) > 0 {
 			shouldDisplayTable = true
 		}
 	}
 	if !shouldDisplayTable {
 		fmt.Println("This tunnel has no active connectors.")
 		return
 	}
 	// Print the connector table
 	_, _ = fmt.Fprintln(writer, "CONNECTOR ID\tCREATED\tARCHITECTURE\tVERSION\tORIGIN IP\tEDGE\t")
 	for _, c := range tunnelInfo.Connectors {
 		conns := fmtConnections(c.Connections, showRecentlyDisconnected)
 		if len(conns) == 0 {
 			continue
 		}
 		originIp := c.Connections[0].OriginIP.String()
 		formattedStr := fmt.Sprintf(
 			"%s\t%s\t%s\t%s\t%s\t%s\t",
 			c.ID,
 			c.RunAt.Format(time.RFC3339),
 			c.Arch,
 			c.Version,
 			originIp,
 			conns,
 		)
 		_, _ = fmt.Fprintln(writer, formattedStr)
 	}
 }
 func tabWriter() *tabwriter.Writer {
 	const (
 		minWidth = 0
 		tabWidth = 8
 		padding  = 1
 		padChar  = ' '
 		flags    = 0
 	)
 	writer := tabwriter.NewWriter(os.Stdout, minWidth, tabWidth, padding, padChar, flags)
 	return writer
 }
 func buildDeleteCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "delete",
 		Action:             cliutil.ConfiguredAction(deleteCommand),
 		Usage:              "Delete existing tunnel by UUID or name",
 		UsageText:          "cloudflared tunnel [tunnel command options] delete [subcommand options] TUNNEL",
 		Description:        "cloudflared tunnel delete will delete tunnels with the given tunnel UUIDs or names. A tunnel cannot be deleted if it has active connections. To delete the tunnel unconditionally, use -f flag.",
 		Flags:              []cli.Flag{credentialsFileFlagCLIOnly, forceDeleteFlag},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func deleteCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	if c.NArg() < 1 {
 		return cliutil.UsageError(`"cloudflared tunnel delete" requires at least 1 argument, the ID or name of the tunnel to delete.`)
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	tunnelIDs, err := sc.findIDs(c.Args().Slice())
 	if err != nil {
 		return err
 	}
 	return sc.delete(tunnelIDs)
 }
 func renderOutput(format string, v interface{}) error {
 	switch format {
 	case "json":
 		encoder := json.NewEncoder(os.Stdout)
 		encoder.SetIndent("", "  ")
 		return encoder.Encode(v)
 	case "yaml":
 		return yaml.NewEncoder(os.Stdout).Encode(v)
 	default:
 		return errors.Errorf("Unknown output format '%s'", format)
 	}
 }
 func buildRunCommand() *cli.Command {
 	flags := []cli.Flag{
 		credentialsFileFlag,
 		credentialsContentsFlag,
 		postQuantumFlag,
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
 		Name:      "run",
 		Action:    cliutil.ConfiguredAction(runCommand),
 		Usage:     "Proxy a local web server by running the given tunnel",
 		UsageText: "cloudflared tunnel [tunnel command options] run [subcommand options] [TUNNEL]",
 		Description: `Runs the tunnel identified by name or UUID, creating highly available connections
  between your server and the Cloudflare edge. You can provide name or UUID of tunnel to run either as the
  last command line argument or in the configuration file using "tunnel: TUNNEL".
  This command requires the tunnel credentials file created when "cloudflared tunnel create" was run,
  however it does not need access to cert.pem from "cloudflared login" if you identify the tunnel by UUID.
  If you experience other problems running the tunnel, "cloudflared tunnel cleanup" may help by removing
  any old connection records.
 `,
 		Flags:              flags,
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func runCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	if c.NArg() > 1 {
 		return cliutil.UsageError(`"cloudflared tunnel run" accepts only one argument, the ID or name of the tunnel to run.`)
 	}
 	if c.String("hostname") != "" {
 		sc.log.Warn().Msg("The property `hostname` in your configuration is ignored because you configured a Named Tunnel " +
 			"in the property `tunnel` to run. Make sure to provision the routing (e.g. via `cloudflared tunnel route dns/lb`) or else " +
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 	// Check if token is provided and if not use default tunnelID flag method
 	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
 		if tunnelRef == "" {
 			// see if tunnel id was in the config file
 			tunnelRef = config.GetConfiguration().TunnelID
 			if tunnelRef == "" {
 				return cliutil.UsageError(`"cloudflared tunnel run" requires the ID or name of the tunnel to run as the last command line argument or in the configuration file.`)
 			}
 		}
 		return runNamedTunnel(sc, tunnelRef)
 	}
 }
 func ParseToken(tokenStr string) (*connection.TunnelToken, error) {
 	content, err := base64.StdEncoding.DecodeString(tokenStr)
 	if err != nil {
 		return nil, err
 	}
 	var token connection.TunnelToken
 	if err := json.Unmarshal(content, &token); err != nil {
 		return nil, err
 	}
 	return &token, nil
 }
 func runNamedTunnel(sc *subcommandContext, tunnelRef string) error {
 	tunnelID, err := sc.findID(tunnelRef)
 	if err != nil {
 		return errors.Wrap(err, "error parsing tunnel ID")
 	}
 	return sc.run(tunnelID)
 }
 func buildCleanupCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "cleanup",
 		Action:             cliutil.ConfiguredAction(cleanupCommand),
 		Usage:              "Cleanup tunnel connections",
 		UsageText:          "cloudflared tunnel [tunnel command options] cleanup [subcommand options] TUNNEL",
 		Description:        "Delete connections for tunnels with the given UUIDs or names.",
 		Flags:              []cli.Flag{cleanupClientFlag},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func cleanupCommand(c *cli.Context) error {
 	if c.NArg() < 1 {
 		return cliutil.UsageError(`"cloudflared tunnel cleanup" requires at least 1 argument, the IDs of the tunnels to cleanup connections.`)
 	}
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	tunnelIDs, err := sc.findIDs(c.Args().Slice())
 	if err != nil {
 		return err
 	}
 	return sc.cleanupConnections(tunnelIDs)
 }
 func buildTokenCommand() *cli.Command {
 	return &cli.Command{
 		Name:               "token",
 		Action:             cliutil.ConfiguredAction(tokenCommand),
 		Usage:              "Fetch the credentials token for an existing tunnel (by name or UUID) that allows to run it",
 		UsageText:          "cloudflared tunnel [tunnel command options] token [subcommand options] TUNNEL",
 		Description:        "cloudflared tunnel token will fetch the credentials token for a given tunnel (by its name or UUID), which is then used to run the tunnel. This command fails if the tunnel does not exist or has been deleted. Use the flag `cloudflared tunnel token --cred-file /my/path/file.json TUNNEL` to output the token to the credentials JSON file. Note: this command only works for Tunnels created since cloudflared version 2022.3.0",
 		Flags:              []cli.Flag{credentialsFileFlagCLIOnly},
 		CustomHelpTemplate: commandHelpTemplate(),
 	}
 }
 func tokenCommand(c *cli.Context) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return errors.Wrap(err, "error setting up logger")
 	}
 	warningChecker := updater.StartWarningCheck(c)
 	defer warningChecker.LogWarningIfAny(sc.log)
 	if c.NArg() != 1 {
 		return cliutil.UsageError(`"cloudflared tunnel token" requires exactly 1 argument, the name or UUID of tunnel to fetch the credentials token for.`)
 	}
 	tunnelID, err := sc.findID(c.Args().First())
 	if err != nil {
 		return errors.Wrap(err, "error parsing tunnel ID")
 	}
 	token, err := sc.getTunnelTokenCredentials(tunnelID)
 	if err != nil {
 		return err
 	}
 	if path := c.String(CredFileFlag); path != "" {
 		credentials := token.Credentials()
 		err := writeTunnelCredentials(path, &credentials)
 		if err != nil {
 			return errors.Wrapf(err, "error writing token credentials to JSON file in path %s", path)
 		}
 		return nil
 	}
 	encodedToken, err := token.Encode()
 	if err != nil {
 		return err
 	}
 	fmt.Println(encodedToken)
 	return nil
 }
 func buildRouteCommand() *cli.Command {
 	return &cli.Command{
 		Name:      "route",
 		Usage:     "Define which traffic routed from Cloudflare edge to this tunnel: requests to a DNS hostname, to a Cloudflare Load Balancer, or traffic originating from Cloudflare WARP clients",
 		UsageText: "cloudflared tunnel [tunnel command options] route [subcommand options] [dns TUNNEL HOSTNAME]|[lb TUNNEL HOSTNAME LB-POOL]|[ip NETWORK TUNNEL]",
 		Description: `The route command defines how Cloudflare will proxy requests to this tunnel.
 To route a hostname by creating a DNS CNAME record to a tunnel:
   cloudflared tunnel route dns <tunnel ID or name> <hostname>
 You can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns
 To use this tunnel as a load balancer origin, creating pool and load balancer if necessary:
   cloudflared tunnel route lb <tunnel ID or name> <hostname> <load balancer pool>
 You can read more at: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb
 For Cloudflare WARP traffic to be routed to your private network, reachable from this tunnel as origins, use:
   cloudflared tunnel route ip <network CIDR> <tunnel ID or name>
 Further information about managing Cloudflare WARP traffic to your tunnel is available at:
   cloudflared tunnel route ip --help
 `,
 		CustomHelpTemplate: commandHelpTemplate(),
 		Subcommands: []*cli.Command{
 			{
 				Name:        "dns",
 				Action:      cliutil.ConfiguredAction(routeDnsCommand),
 				Usage:       "HostnameRoute a hostname by creating a DNS CNAME record to a tunnel",
 				UsageText:   "cloudflared tunnel route dns [TUNNEL] [HOSTNAME]",
 				Description: `Creates a DNS CNAME record hostname that points to the tunnel.`,
 				Flags:       []cli.Flag{overwriteDNSFlag},
 			},
 			{
 				Name:        "lb",
 				Action:      cliutil.ConfiguredAction(routeLbCommand),
 				Usage:       "Use this tunnel as a load balancer origin, creating pool and load balancer if necessary",
 				UsageText:   "cloudflared tunnel route lb [TUNNEL] [HOSTNAME] [LB-POOL-NAME]",
 				Description: `Creates Load Balancer with an origin pool that points to the tunnel.`,
 			},
 			buildRouteIPSubcommand(),
 		},
 	}
 }
 func dnsRouteFromArg(c *cli.Context, overwriteExisting bool) (cfapi.HostnameRoute, error) {
 	const (
 		userHostnameIndex = 1
 		expectedNArgs     = 2
 	)
 	if c.NArg() != expectedNArgs {
 		return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
 	}
 	userHostname := c.Args().Get(userHostnameIndex)
 	if userHostname == "" {
 		return nil, cliutil.UsageError("The third argument should be the hostname")
 	} else if !validateHostname(userHostname, true) {
 		return nil, errors.Errorf("%s is not a valid hostname", userHostname)
 	}
 	return cfapi.NewDNSRoute(userHostname, overwriteExisting), nil
 }
 func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 	const (
 		lbNameIndex   = 1
 		lbPoolIndex   = 2
 		expectedNArgs = 3
 	)
 	if c.NArg() != expectedNArgs {
 		return nil, cliutil.UsageError("Expected %d arguments, got %d", expectedNArgs, c.NArg())
 	}
 	lbName := c.Args().Get(lbNameIndex)
 	if lbName == "" {
 		return nil, cliutil.UsageError("The third argument should be the load balancer name")
 	} else if !validateHostname(lbName, true) {
 		return nil, errors.Errorf("%s is not a valid load balancer name", lbName)
 	}
 	lbPool := c.Args().Get(lbPoolIndex)
 	if lbPool == "" {
 		return nil, cliutil.UsageError("The fourth argument should be the pool name")
 	} else if !validateName(lbPool, false) {
 		return nil, errors.Errorf("%s is not a valid pool name", lbPool)
 	}
 	return cfapi.NewLBRoute(lbName, lbPool), nil
 }
 var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
 func validateName(s string, allowWildcardSubdomain bool) bool {
 	if allowWildcardSubdomain {
 		return hostNameRegex.MatchString(s)
 	}
 	return nameRegex.MatchString(s)
 }
 func validateHostname(s string, allowWildcardSubdomain bool) bool {
 	// Slightly stricter than PunyCodeProfile
 	idnaProfile := idna.New(
 		idna.ValidateLabels(true),
 		idna.VerifyDNSLength(true))
 	puny, err := idnaProfile.ToASCII(s)
 	return err == nil && validateName(puny, allowWildcardSubdomain)
 }
 func routeDnsCommand(c *cli.Context) error {
 	if c.NArg() != 2 {
 		return cliutil.UsageError(`This command expects the format "cloudflared tunnel route dns <tunnel name/id> <hostname>"`)
 	}
 	return routeCommand(c, "dns")
 }
 func routeLbCommand(c *cli.Context) error {
 	if c.NArg() != 3 {
 		return cliutil.UsageError(`This command expects the format "cloudflared tunnel route lb <tunnel name/id> <hostname> <load balancer pool>"`)
 	}
 	return routeCommand(c, "lb")
 }
 func routeCommand(c *cli.Context, routeType string) error {
 	sc, err := newSubcommandContext(c)
 	if err != nil {
 		return err
 	}
 	tunnelID, err := sc.findID(c.Args().Get(0))
 	if err != nil {
 		return err
 	}
 	var route cfapi.HostnameRoute
 	switch routeType {
 	case "dns":
 		route, err = dnsRouteFromArg(c, c.Bool(overwriteDNSFlagName))
 	case "lb":
 		route, err = lbRouteFromArg(c)
 	}
 	if err != nil {
 		return err
 	}
 	res, err := sc.route(tunnelID, route)
 	if err != nil {
 		return err
 	}
 	sc.log.Info().Str(LogFieldTunnelID, tunnelID.String()).Msg(res.SuccessSummary())
 	return nil
 }
 func commandHelpTemplate() string {
 	var parentFlagsHelp string
 	for _, f := range configureCloudflaredFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
 	for _, f := range cliutil.ConfigureLoggingFlags(false) {
 		parentFlagsHelp += fmt.Sprintf(" %s\n\t", f)
 	}
 	const template = `NAME:
 	{{.HelpName}} - {{.Usage}}
 USAGE:
 	{{.UsageText}}
 DESCRIPTION:
 	{{.Description}}
 TUNNEL COMMAND OPTIONS:
 	%s
 SUBCOMMAND OPTIONS:
 	{{range .VisibleFlags}}{{.}}
 	{{end}}
 `
 	return fmt.Sprintf(template, parentFlagsHelp)
 }
--- a/cmd/cloudflared/tunnel/subcommands_test.go
+++ b/cmd/cloudflared/tunnel/subcommands_test.go
@ -0,0 +1,204 @@
 package tunnel
 import (
 	"encoding/base64"
 	"encoding/json"
 	"path/filepath"
 	"testing"
 	"github.com/google/uuid"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/connection"
 )
 func Test_fmtConnections(t *testing.T) {
 	type args struct {
 		connections []cfapi.Connection
 	}
 	tests := []struct {
 		name string
 		args args
 		want string
 	}{
 		{
 			name: "empty",
 			args: args{
 				connections: []cfapi.Connection{},
 			},
 			want: "",
 		},
 		{
 			name: "trivial",
 			args: args{
 				connections: []cfapi.Connection{
 					{
 						ColoName: "DFW",
 						ID:       uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
 					},
 				},
 			},
 			want: "1xDFW",
 		},
 		{
 			name: "with a pending reconnect",
 			args: args{
 				connections: []cfapi.Connection{
 					{
 						ColoName:           "DFW",
 						ID:                 uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
 						IsPendingReconnect: true,
 					},
 				},
 			},
 			want: "",
 		},
 		{
 			name: "many colos",
 			args: args{
 				connections: []cfapi.Connection{
 					{
 						ColoName: "YRV",
 						ID:       uuid.MustParse("ea550130-57fd-4463-aab1-752822231ddd"),
 					},
 					{
 						ColoName: "DFW",
 						ID:       uuid.MustParse("c13c0b3b-0fbf-453c-8169-a1990fced6d0"),
 					},
 					{
 						ColoName: "ATL",
 						ID:       uuid.MustParse("70c90639-e386-4e8d-9a4e-7f046d70e63f"),
 					},
 					{
 						ColoName: "DFW",
 						ID:       uuid.MustParse("30ad6251-0305-4635-a670-d3994f474981"),
 					},
 				},
 			},
 			want: "1xATL, 2xDFW, 1xYRV",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := fmtConnections(tt.args.connections, false); got != tt.want {
 				t.Errorf("fmtConnections() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func TestTunnelfilePath(t *testing.T) {
 	tunnelID, err := uuid.Parse("f48d8918-bc23-4647-9d48-082c5b76de65")
 	assert.NoError(t, err)
 	originCertDir := filepath.Dir("~/.cloudflared/cert.pem")
 	actual, err := tunnelFilePath(tunnelID, originCertDir)
 	assert.NoError(t, err)
 	homeDir, err := homedir.Dir()
 	assert.NoError(t, err)
 	expected := filepath.Join(homeDir, ".cloudflared", tunnelID.String()+".json")
 	assert.Equal(t, expected, actual)
 }
 func TestValidateName(t *testing.T) {
 	tests := []struct {
 		name string
 		want bool
 	}{
 		{name: "", want: false},
 		{name: "-", want: false},
 		{name: ".", want: false},
 		{name: "a b", want: false},
 		{name: "a+b", want: false},
 		{name: "-ab", want: false},
 		{name: "ab", want: true},
 		{name: "ab-c", want: true},
 		{name: "abc.def", want: true},
 		{name: "_ab_c.-d-ef", want: true},
 	}
 	for _, tt := range tests {
 		if got := validateName(tt.name, false); got != tt.want {
 			t.Errorf("validateName() = %v, want %v", got, tt.want)
 		}
 	}
 }
 func Test_validateHostname(t *testing.T) {
 	type args struct {
 		s                      string
 		allowWildcardSubdomain bool
 	}
 	tests := []struct {
 		name string
 		args args
 		want bool
 	}{
 		{
 			name: "Normal",
 			args: args{
 				s:                      "example.com",
 				allowWildcardSubdomain: true,
 			},
 			want: true,
 		},
 		{
 			name: "wildcard subdomain for TUN-358",
 			args: args{
 				s:                      "*.ehrig.io",
 				allowWildcardSubdomain: true,
 			},
 			want: true,
 		},
 		{
 			name: "Misplaced wildcard",
 			args: args{
 				s:                      "subdomain.*.ehrig.io",
 				allowWildcardSubdomain: true,
 			},
 		},
 		{
 			name: "Invalid domain",
 			args: args{
 				s:                      "..",
 				allowWildcardSubdomain: true,
 			},
 		},
 		{
 			name: "Invalid domain",
 			args: args{
 				s: "..",
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if got := validateHostname(tt.args.s, tt.args.allowWildcardSubdomain); got != tt.want {
 				t.Errorf("validateHostname() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
 func Test_TunnelToken(t *testing.T) {
 	token, err := ParseToken("aabc")
 	require.Error(t, err)
 	require.Nil(t, token)
 	expectedToken := &connection.TunnelToken{
 		AccountTag:   "abc",
 		TunnelSecret: []byte("secret"),
 		TunnelID:     uuid.New(),
 	}
 	tokenJsonStr, err := json.Marshal(expectedToken)
 	require.NoError(t, err)
 	token64 := base64.StdEncoding.EncodeToString(tokenJsonStr)
 	token, err = ParseToken(token64)
 	require.NoError(t, err)
 	require.Equal(t, token, expectedToken)
 }
--- a/Show More
+++ b/Show More