Release 2024.4.1

If cloudflared was unable to register the UDP session with the
edge, the socket would be left open to be eventually closed by the
OS, or garbage collected by the runtime. Considering that either of
these closes happened significantly after some delay, it was causing
cloudflared to hold open file descriptors longer than usual if continuously
unable to register sessions.

.docker-images

@@ -1,8 +1,12 @@
 images:
   - name: cloudflared
-    dockerfile: Dockerfile
+    dockerfile: Dockerfile.$ARCH
     context: .
+    version_file: versions
     registries:
     - name: docker.io/cloudflare
       user: env:DOCKER_USER
       password: env:DOCKER_PASSWORD
+    architectures:
+    - amd64
+    - arm64

.github/ISSUE_TEMPLATE/---bug-report.md

@@ -0,0 +1,34 @@
+---
+name: "\U0001F41B Bug report"
+about: Create a report to help us improve cloudflared
+title: "\U0001F41B"
+labels: 'Priority: Normal, Type: Bug'
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Configure '...'
+2. Run '....'
+3. See error
+
+If it's an issue with Cloudflare Tunnel:
+4. Tunnel ID : 
+5. cloudflared config: 
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Environment and versions**
+ - OS: [e.g. MacOS]
+ - Architecture: [e.g. AMD, ARM]
+ - Version: [e.g. 2022.02.0]
+
+**Logs and errors**
+If applicable, add logs or errors to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/---documentation.md

@@ -0,0 +1,16 @@
+---
+name: "\U0001F4DD Documentation"
+about: Request new or updated documentation for cloudflared
+title: "\U0001F4DD"
+labels: 'Priority: Normal, Type: Documentation'
+
+---
+
+**Available Documentation**
+A link to the documentation that is available today and the areas which could be improved. 
+
+**Suggested Documentation**
+A clear and concise description of the documentation, tutorial, or guide that should be added. 
+
+**Additional context**
+Add any other context or screenshots about the documentation request here.

.github/ISSUE_TEMPLATE/---feature-request.md

@@ -0,0 +1,16 @@
+---
+name: "\U0001F4A1 Feature request"
+about: Suggest a feature or enhancement for cloudflared
+title: "\U0001F4A1"
+labels: 'Priority: Normal, Type: Feature Request'
+
+---
+
+**Describe the feature you'd like**
+A clear and concise description of the feature. What problem does it solve for you?
+
+**Describe alternatives you've considered**
+Are there any alternatives to solving this problem? If so, what was your experience with them?
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/workflows/check.yaml

@@ -0,0 +1,18 @@
+on: [push, pull_request]
+name: Check
+jobs:
+  check:
+    strategy:
+      matrix:
+        go-version: [1.21.x]
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: Test
+      run: make test

.gitignore

@@ -1,20 +1,19 @@
-.GOPATH/
-bin/
-tmp/
-guide/public
-/.GOPATH
+/tmp
 /bin
 .idea
 .build
 .vscode
 \#*\#
 cscope.*
-cloudflared
-cloudflared.pkg
-cloudflared.exe
-cloudflared.msi
-cloudflared-x86-64*
-!cmd/cloudflared/
+/cloudflared
+/cloudflared.pkg
+/cloudflared.exe
+/cloudflared.msi
+/cloudflared-x86-64*
+/cloudflared.1
+/packaging
 .DS_Store
 *-session.log
 ssh_server_tests/.env
+/.cover
+built_artifacts/

.teamcity/build-macos.sh

@@ -1,187 +0,0 @@
-#!/bin/bash
-
-if [[ "$(uname)" != "Darwin" ]] ; then
-    echo "This should be run on macOS"
-    exit 1
-fi
-
-go version
-export GO111MODULE=on
-
-# build 'cloudflared-darwin-amd64.tgz'
-mkdir -p artifacts
-FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
-PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
-TARGET_DIRECTORY=".build"
-BINARY_NAME="cloudflared"
-VERSION=$(git describe --tags --always --dirty="-dev")
-PRODUCT="cloudflared"
-CODE_SIGN_PRIV="code_sign.p12"
-CODE_SIGN_CERT="code_sign.cer"
-INSTALLER_PRIV="installer.p12"
-INSTALLER_CERT="installer.cer"
-BUNDLE_ID="com.cloudflare.cloudflared"
-SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
-export PATH="$PATH:/usr/local/bin"
-mkdir -p ../src/github.com/cloudflare/    
-cp -r . ../src/github.com/cloudflare/cloudflared
-cd ../src/github.com/cloudflare/cloudflared 
-GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
-
-# Add code signing private key to the key chain
-if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
-  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
-    # write private key to disk and then import it keychain
-    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
-    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1)
-    exitcode=$?
-    if [ -n "$out" ]; then
-      if [ $exitcode -eq 0 ]; then
-          echo "$out"
-      else
-          if [ "$out" != "${SEC_DUP_MSG}" ]; then
-              echo "$out" >&2
-              exit $exitcode
-          fi
-      fi
-    fi
-    rm ${CODE_SIGN_PRIV}
-  fi
-fi
-
-# Add code signing certificate to the key chain
-if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
-  # write certificate to disk and then import it keychain
-  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
-  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1)
-  exitcode1=$?
-  if [ -n "$out1" ]; then
-    if [ $exitcode1 -eq 0 ]; then
-        echo "$out1"
-    else
-        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
-            echo "$out1" >&2
-            exit $exitcode1
-        else 
-            echo "already imported code signing certificate"
-        fi
-    fi
-  fi
-  rm ${CODE_SIGN_CERT}
-fi
-
-# Add package signing private key to the key chain
-if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
-  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
-    # write private key to disk and then import it into the keychain
-    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
-    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1)
-    exitcode2=$?
-    if [ -n "$out2" ]; then
-      if [ $exitcode2 -eq 0 ]; then
-          echo "$out2"
-      else
-          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
-              echo "$out2" >&2
-              exit $exitcode2
-          fi
-      fi
-    fi
-    rm ${INSTALLER_PRIV}
-  fi
-fi
-
-# Add package signing certificate to the key chain
-if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
-  # write certificate to disk and then import it keychain
-  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
-  out3=$(security import ${INSTALLER_CERT} -A 2>&1)
-  exitcode3=$?
-  if [ -n "$out3" ]; then
-    if [ $exitcode3 -eq 0 ]; then
-        echo "$out3"
-    else
-        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
-            echo "$out3" >&2
-            exit $exitcode3
-        else 
-            echo "already imported installer certificate"
-        fi
-    fi
-  fi
-  rm ${INSTALLER_CERT}
-fi
-
-# get the code signing certificate name
-if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
-  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
-else
-  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
-    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
-  else
-    CODE_SIGN_NAME=""
-  fi
-fi
-
-# get the package signing certificate name
-if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
-  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
-else
-  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
-    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
-  else
-    PKG_SIGN_NAME=""
-  fi
-fi
-
-# sign the cloudflared binary
-if [[ ! -z "$CODE_SIGN_NAME" ]]; then
-  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
-  
-  # notarize the binary
-  if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
-    zip "${BINARY_NAME}.zip" ${BINARY_NAME} 
-    xcrun altool --notarize-app -f "${BINARY_NAME}.zip" -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
-  fi
-fi
-
-
-# creating build directory
-rm -rf $TARGET_DIRECTORY
-mkdir "${TARGET_DIRECTORY}"
-mkdir "${TARGET_DIRECTORY}/contents"
-cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
-
-# copy cloudflared into the build directory
-cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
-
-# compress cloudflared into a tar and gzipped file
-tar czf "$FILENAME" "${BINARY_NAME}"
-
-# build the installer package
-if [[ ! -z "$PKG_SIGN_NAME" ]]; then
-  pkgbuild --identifier com.cloudflare.${PRODUCT} \
-      --version ${VERSION} \
-      --scripts ${TARGET_DIRECTORY}/scripts \
-      --root ${TARGET_DIRECTORY}/contents \
-      --install-location /usr/local/bin \
-      --sign "${PKG_SIGN_NAME}" \
-      ${PKGNAME}
-
-      # notarize the package
-      if [[ ! -z "$CFD_NOTE_PASSWORD" ]]; then
-        xcrun altool --notarize-app -f ${PKGNAME} -t osx -u ${CFD_NOTE_USERNAME} -p ${CFD_NOTE_PASSWORD} --primary-bundle-id ${BUNDLE_ID}
-        xcrun stapler staple ${PKGNAME}
-      fi
-else
-    pkgbuild --identifier com.cloudflare.${PRODUCT} \
-      --version ${VERSION} \
-      --scripts ${TARGET_DIRECTORY}/scripts \
-      --root ${TARGET_DIRECTORY}/contents \
-      --install-location /usr/local/bin \
-      ${PKGNAME}
-fi
-
-
-# cleaning up the build directory
-rm -rf $TARGET_DIRECTORY

.teamcity/install-cloudflare-go.sh

@@ -0,0 +1,8 @@
+# !/usr/bin/env bash
+
+cd /tmp
+git clone -q https://github.com/cloudflare/go
+cd go/src
+# https://github.com/cloudflare/go/tree/34129e47042e214121b6bbff0ded4712debed18e is version go1.21.5-devel-cf
+git checkout -q 34129e47042e214121b6bbff0ded4712debed18e
+./make.bash

.teamcity/mac/build.sh

@@ -0,0 +1,184 @@
+#!/bin/bash
+
+set -exo pipefail
+
+if [[ "$(uname)" != "Darwin" ]] ; then
+    echo "This should be run on macOS"
+    exit 1
+fi
+
+go version
+export GO111MODULE=on
+
+# build 'cloudflared-darwin-amd64.tgz'
+mkdir -p artifacts
+FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
+PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
+TARGET_DIRECTORY=".build"
+BINARY_NAME="cloudflared"
+VERSION=$(git describe --tags --always --dirty="-dev")
+PRODUCT="cloudflared"
+CODE_SIGN_PRIV="code_sign.p12"
+CODE_SIGN_CERT="code_sign.cer"
+INSTALLER_PRIV="installer.p12"
+INSTALLER_CERT="installer.cer"
+BUNDLE_ID="com.cloudflare.cloudflared"
+SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
+export PATH="$PATH:/usr/local/bin"
+mkdir -p ../src/github.com/cloudflare/    
+cp -r . ../src/github.com/cloudflare/cloudflared
+cd ../src/github.com/cloudflare/cloudflared 
+GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
+
+# Add code signing private key to the key chain
+if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
+  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
+    # write private key to disk and then import it keychain
+    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
+    # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error 
+    # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
+    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
+    exitcode=$?
+    if [ -n "$out" ]; then
+      if [ $exitcode -eq 0 ]; then
+          echo "$out"
+      else
+          if [ "$out" != "${SEC_DUP_MSG}" ]; then
+              echo "$out" >&2
+              exit $exitcode
+          fi
+      fi
+    fi
+    rm ${CODE_SIGN_PRIV}
+  fi
+fi
+
+# Add code signing certificate to the key chain
+if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
+  # write certificate to disk and then import it keychain
+  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
+  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
+  exitcode1=$?
+  if [ -n "$out1" ]; then
+    if [ $exitcode1 -eq 0 ]; then
+        echo "$out1"
+    else
+        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
+            echo "$out1" >&2
+            exit $exitcode1
+        else 
+            echo "already imported code signing certificate"
+        fi
+    fi
+  fi
+  rm ${CODE_SIGN_CERT}
+fi
+
+# Add package signing private key to the key chain
+if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
+  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
+    # write private key to disk and then import it into the keychain
+    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
+    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
+    exitcode2=$?
+    if [ -n "$out2" ]; then
+      if [ $exitcode2 -eq 0 ]; then
+          echo "$out2"
+      else
+          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
+              echo "$out2" >&2
+              exit $exitcode2
+          fi
+      fi
+    fi
+    rm ${INSTALLER_PRIV}
+  fi
+fi
+
+# Add package signing certificate to the key chain
+if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
+  # write certificate to disk and then import it keychain
+  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
+  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
+  exitcode3=$?
+  if [ -n "$out3" ]; then
+    if [ $exitcode3 -eq 0 ]; then
+        echo "$out3"
+    else
+        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
+            echo "$out3" >&2
+            exit $exitcode3
+        else 
+            echo "already imported installer certificate"
+        fi
+    fi
+  fi
+  rm ${INSTALLER_CERT}
+fi
+
+# get the code signing certificate name
+if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
+  CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
+else
+  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
+    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
+  else
+    CODE_SIGN_NAME=""
+  fi
+fi
+
+# get the package signing certificate name
+if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
+  PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
+else
+  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
+    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
+  else
+    PKG_SIGN_NAME=""
+  fi
+fi
+
+# sign the cloudflared binary
+if [[ ! -z "$CODE_SIGN_NAME" ]]; then
+  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
+  
+ # notarize the binary
+ # TODO: TUN-5789
+fi
+
+# creating build directory
+rm -rf $TARGET_DIRECTORY
+mkdir "${TARGET_DIRECTORY}"
+mkdir "${TARGET_DIRECTORY}/contents"
+cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
+
+# copy cloudflared into the build directory
+cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
+
+# compress cloudflared into a tar and gzipped file
+tar czf "$FILENAME" "${BINARY_NAME}"
+
+# build the installer package
+if [[ ! -z "$PKG_SIGN_NAME" ]]; then
+  pkgbuild --identifier com.cloudflare.${PRODUCT} \
+      --version ${VERSION} \
+      --scripts ${TARGET_DIRECTORY}/scripts \
+      --root ${TARGET_DIRECTORY}/contents \
+      --install-location /usr/local/bin \
+      --sign "${PKG_SIGN_NAME}" \
+      ${PKGNAME}
+
+      # notarize the package
+      # TODO: TUN-5789
+else
+    pkgbuild --identifier com.cloudflare.${PRODUCT} \
+      --version ${VERSION} \
+      --scripts ${TARGET_DIRECTORY}/scripts \
+      --root ${TARGET_DIRECTORY}/contents \
+      --install-location /usr/local/bin \
+      ${PKGNAME}
+fi
+
+
+# cleaning up the build directory
+rm -rf $TARGET_DIRECTORY

.teamcity/mac/install-cloudflare-go.sh

@@ -0,0 +1,10 @@
+rm -rf /tmp/go
+export GOCACHE=/tmp/gocache
+rm -rf $GOCACHE
+
+./.teamcity/install-cloudflare-go.sh
+
+export PATH="/tmp/go/bin:$PATH"
+go version
+which go
+go env

.teamcity/package-windows.sh

@@ -0,0 +1,17 @@
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+export TARGET_OS=windows
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=built_artifacts/
+mkdir -p $ARTIFACT_DIR
+windowsArchs=("amd64" "386")
+for arch in ${windowsArchs[@]}; do
+    export TARGET_ARCH=$arch
+    # Copy exe into final directory
+    cp ./artifacts/cloudflared-windows-$arch.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
+    cp ./artifacts/cloudflared-windows-$arch.exe ./cloudflared.exe
+    make cloudflared-msi
+    # Copy msi into final directory
+    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
+done

.teamcity/update-homebrew.sh

@@ -1,67 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-FILENAME="${PWD}/artifacts/cloudflared-darwin-amd64.tgz"
-
-if ! VERSION="$(git describe --tags --exact-match 2>/dev/null)" ; then
-    echo "Skipping public release for an untagged commit."
-    echo "##teamcity[buildStatus status='SUCCESS' text='Skipped due to lack of tag']"
-    exit 0
-fi
-
-if [[ ! -f "$FILENAME" ]] ; then
-    echo "Missing $FILENAME"
-    exit 1
-fi
-
-if [[ "${GITHUB_PRIVATE_KEY:-}" == "" ]] ; then
-    echo "Missing GITHUB_PRIVATE_KEY"
-    exit 1
-fi
-
-# upload to s3 bucket for use by Homebrew formula
-s3cmd \
-    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
-    put "$FILENAME" "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz"
-s3cmd \
-    --acl-public --signature-v2 --access_key="$AWS_ACCESS_KEY_ID" --secret_key="$AWS_SECRET_ACCESS_KEY" --host-bucket="%(bucket)s.s3.cfdata.org" \
-    cp "s3://cftunnel-docs/dl/cloudflared-$VERSION-darwin-amd64.tgz" "s3://cftunnel-docs/dl/cloudflared-stable-darwin-amd64.tgz"
-SHA256=$(sha256sum "$FILENAME" | cut -b1-64)
-
-# set up git (note that UserKnownHostsFile is an absolute path so we can cd wherever)
-mkdir -p tmp
-ssh-keyscan -t rsa github.com > tmp/github.txt
-echo "$GITHUB_PRIVATE_KEY" > tmp/private.key
-chmod 0400 tmp/private.key
-export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PWD/tmp/github.txt -i $PWD/tmp/private.key -o IdentitiesOnly=yes"
-
-# clone Homebrew repo into tmp/homebrew-cloudflare
-git clone git@github.com:cloudflare/homebrew-cloudflare.git tmp/homebrew-cloudflare    
-cd tmp/homebrew-cloudflare
-git checkout -f master
-git reset --hard origin/master
-
-# modify cloudflared.rb
-URL="https://packages.argotunnel.com/dl/cloudflared-$VERSION-darwin-amd64.tgz"
-tee cloudflared.rb <<EOF
-class Cloudflared < Formula
-  desc 'Argo Tunnel'
-  homepage 'https://developers.cloudflare.com/argo-tunnel/'
-  url '$URL'
-  sha256 '$SHA256'
-  version '$VERSION'
-  def install
-    bin.install 'cloudflared'
-  end
-end
-EOF
-
-# push cloudflared.rb
-git add cloudflared.rb
-git diff
-git config user.name "cloudflare-warp-bot"
-git config user.email "warp-bot@cloudflare.com"
-git commit -m "Release Argo Tunnel $VERSION"
-
-git push -v origin master

.teamcity/windows/builds.ps1

@@ -0,0 +1,28 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+# Relative path to working directory
+$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
+
+cd $CloudflaredDirectory
+
+Write-Output "Building for amd64"
+$env:TARGET_OS = "windows"
+$env:CGO_ENABLED = 1
+$env:TARGET_ARCH = "amd64"
+$env:Path = "$Env:Temp\go\bin;$($env:Path)"
+
+go env
+go version
+
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
+copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
+
+Write-Output "Building for 386"
+$env:CGO_ENABLED = 0
+$env:TARGET_ARCH = "386"
+make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
+copy .\cloudflared.exe .\cloudflared-windows-386.exe

.teamcity/windows/component-test.ps1

@@ -0,0 +1,82 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+$WorkingDirectory = Get-Location
+$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
+
+Write-Output "Installing python..."
+
+$PythonVersion = "3.10.11"
+$PythonZipFile = "$env:Temp\python-$PythonVersion-embed-amd64.zip"
+$PipInstallFile = "$env:Temp\get-pip.py"
+$PythonZipUrl = "https://www.python.org/ftp/python/$PythonVersion/python-$PythonVersion-embed-amd64.zip"
+$PythonPath = "$WorkingDirectory\Python"
+$PythonBinPath = "$PythonPath\python.exe"
+
+# Download Python zip file
+Invoke-WebRequest -Uri $PythonZipUrl -OutFile $PythonZipFile
+
+# Download Python pip file
+Invoke-WebRequest -Uri "https://bootstrap.pypa.io/get-pip.py" -OutFile $PipInstallFile
+
+# Extract Python files
+Expand-Archive $PythonZipFile -DestinationPath $PythonPath -Force
+
+# Add Python to PATH
+$env:Path = "$PythonPath\Scripts;$PythonPath;$($env:Path)"
+
+Write-Output "Installed to $PythonPath"
+
+# Install pip
+& $PythonBinPath $PipInstallFile
+
+# Add package paths in pythonXX._pth to unblock python -m pip
+$PythonImportPathFile = "$PythonPath\python310._pth"
+$ComponentTestsDir = "$CloudflaredDirectory\component-tests\"
+@($ComponentTestsDir, "Lib\site-packages", $(Get-Content $PythonImportPathFile)) | Set-Content $PythonImportPathFile
+
+# Test Python installation
+& $PythonBinPath --version
+& $PythonBinPath -m pip --version
+
+go env
+go version
+
+$env:TARGET_OS = "windows"
+$env:CGO_ENABLED = 1
+$env:TARGET_ARCH = "amd64"
+$env:Path = "$Env:Temp\go\bin;$($env:Path)"
+
+& $PythonBinPath --version
+& $PythonBinPath -m pip --version
+
+cd $CloudflaredDirectory
+
+go env
+go version
+
+Write-Output "Building cloudflared"
+
+& make cloudflared
+if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
+
+echo $LASTEXITCODE
+
+Write-Output "Running unit tests"
+
+# Not testing with race detector because of https://github.com/golang/go/issues/61058
+# We already test it on other platforms
+& go test -failfast -mod=vendor ./...
+if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
+
+Write-Output "Running component tests"
+
+& $PythonBinPath -m pip install --upgrade -r component-tests/requirements.txt
+& $PythonBinPath component-tests/setup.py --type create
+& $PythonBinPath -m pytest component-tests -o log_cli=true --log-cli-level=INFO
+if ($LASTEXITCODE -ne 0) {
+    & $PythonBinPath component-tests/setup.py --type cleanup
+    throw "Failed component tests"
+}
+& $PythonBinPath component-tests/setup.py --type cleanup

.teamcity/windows/install-cloudflare-go.ps1

@@ -0,0 +1,16 @@
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+
+Write-Output "Downloading cloudflare go..."
+
+Set-Location "$Env:Temp"
+
+git clone -q https://github.com/cloudflare/go
+Write-Output "Building go..."
+cd go/src
+# https://github.com/cloudflare/go/tree/34129e47042e214121b6bbff0ded4712debed18e is version go1.21.5-devel-cf
+git checkout -q 34129e47042e214121b6bbff0ded4712debed18e
+& ./make.bat
+
+Write-Output "Installed"

.teamcity/windows/install-go-msi.ps1

@@ -0,0 +1,20 @@
+$ErrorActionPreference = "Stop"
+$ProgressPreference = "SilentlyContinue"
+$GoMsiVersion = "go1.21.5.windows-amd64.msi"
+ 
+Write-Output "Downloading go installer..."
+ 
+Set-Location "$Env:Temp"
+ 
+(New-Object System.Net.WebClient).DownloadFile(
+    "https://go.dev/dl/$GoMsiVersion",
+    "$Env:Temp\$GoMsiVersion"
+)
+ 
+Write-Output "Installing go..."
+Install-Package "$Env:Temp\$GoMsiVersion" -Force
+ 
+# Go installer updates global $PATH
+go env
+ 
+Write-Output "Installed"

CHANGES.md

@@ -0,0 +1,356 @@
+## 2024.2.1
+### Notices
+- Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).
+
+## 2023.9.0
+### Notices
+- The `warp-routing` `enabled: boolean` flag is no longer supported in the configuration file. Warp Routing traffic (eg TCP, UDP, ICMP) traffic is proxied to cloudflared if routes to the target tunnel are configured. This change does not affect remotely managed tunnels, but for locally managed tunnels, users that might be relying on this feature flag to block traffic should instead guarantee that tunnel has no Private Routes configured for the tunnel.
+## 2023.7.0
+### New Features
+- You can now enable additional diagnostics over the management.argotunnel.com service for your active cloudflared connectors via a new runtime flag `--management-diagnostics` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`). This feature is provided as opt-in and requires the flag to enable. Endpoints such as /metrics provides your prometheus metrics endpoint another mechanism to be reached. Additionally /debug/pprof/(goroutine|heap) are also introduced to allow for remotely retrieving active pprof information from a running cloudflared connector.
+
+## 2023.4.1
+### New Features
+- You can now stream your logs from your remote cloudflared to your local terminal with `cloudflared tail <TUNNEL-ID>`. This new feature requires the remote cloudflared to be version 2023.4.1 or higher.
+
+## 2023.3.2
+### Notices
+- Due to the nature of QuickTunnels (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/do-more-with-tunnels/trycloudflare/) and its intended usage for testing and experiment of Cloudflare Tunnels, starting from 2023.3.2, QuickTunnels only make a single connection to the edge. If users want to use Tunnels in a production environment, they should move to Named Tunnels instead. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/remote/#set-up-a-tunnel-remotely-dashboard-setup)
+
+## 2023.3.1
+### Breaking Change
+- Running a tunnel without ingress rules defined in configuration file nor from the CLI flags will no longer provide a default ingress rule to localhost:8080 and instead will return HTTP response code 503 for all incoming HTTP requests.
+
+### Security Fixes
+- Windows 32 bit machines MSI now defaults to Program Files to install cloudflared. (See CVE-2023-1314). The cloudflared client itself is unaffected. This just changes how the installer works on 32 bit windows machines.
+
+### Bug Fixes
+- Fixed a bug that would cause running tunnel on Bastion mode and without ingress rules to crash.
+
+## 2023.2.2
+### Notices
+- Legacy tunnels were officially deprecated on December 1, 2022. Starting with this version, cloudflared no longer supports connecting legacy tunnels.
+- h2mux tunnel connection protocol is no longer supported. Any tunnels still configured to use this protocol will alert and use http2 tunnel protocol instead. We recommend using quic protocol for all tunnels going forward.
+
+## 2023.2.1
+### Bug fixes
+- Fixed a bug in TCP connection proxy that could result in the connection being closed before all data was written.
+- cloudflared now correctly aborts body write if connection to origin service fails after response headers were sent already.
+- Fixed a bug introduced in the previous release where debug endpoints were removed.
+
+## 2022.12.0
+### Improvements
+- cloudflared now attempts to try other edge addresses before falling back to a lower protocol.
+- cloudflared tunnel no longer spins up a quick tunnel. The call has to be explicit and provide a --url flag.
+- cloudflared will now randomly pick the first or second region to connect to instead of always connecting to region2 first.
+
+## 2022.9.0
+### New Features
+- cloudflared now rejects ingress rules with invalid http status codes for http_status.
+
+## 2022.8.1
+### New Features
+- cloudflared now remembers if it connected to a certain protocol successfully. If it did, it does not fall back to a lower
+  protocol on connection failures.
+
+## 2022.7.1
+### New Features
+- It is now possible to connect cloudflared tunnel to Cloudflare Global Network with IPv6. See `cloudflared tunnel --help` and look for `edge-ip-version` for more information. For now, the default behavior is to still connect with IPv4 only.
+
+### Bug Fixes
+- Several bug fixes related with QUIC transport (used between cloudflared tunnel and Cloudflare Global Network). Updating to this version is highly recommended.
+
+## 2022.4.0
+### Bug Fixes
+- `cloudflared tunnel run` no longer logs the Tunnel token or JSON credentials in clear text as those are the secret
+that allows to run the Tunnel.
+
+## 2022.3.4
+### New Features
+- It is now possible to retrieve the credentials that allow to run a Tunnel in case you forgot/lost them. This is
+achievable with: `cloudflared tunnel token --cred-file /path/to/file.json TUNNEL`. This new feature only works for
+Tunnels created with cloudflared version 2022.3.0 or more recent.
+
+### Bug Fixes
+- `cloudflared service install` now starts the underlying agent service on Linux operating system (similarly to the
+behaviour in Windows and MacOS).
+
+## 2022.3.3
+### Bug Fixes
+- `cloudflared service install` now starts the underlying agent service on Windows operating system (similarly to the
+behaviour in MacOS).
+
+## 2022.3.1
+### Bug Fixes
+- Various fixes to the reliability of `quic` protocol, including an edge case that could lead to cloudflared crashing.
+
+## 2022.3.0
+### New Features
+- It is now possible to configure Ingress Rules to point to an origin served by unix socket with either HTTP or HTTPS.
+If the origin starts with `unix:/` then we assume HTTP (existing behavior). Otherwise, the origin can start with
+`unix+tls:/` for HTTPS.
+
+## 2022.2.1
+### New Features
+- This project now has a new LICENSE that is more compliant with open source purposes.
+
+### Bug Fixes
+- Various fixes to the reliability of `quic` protocol.
+
+## 2022.1.3
+### New Features
+- New `cloudflared tunnel vnet` commands to allow for private routing to be virtualized. This means that the same CIDR
+can now be used to point to two different Tunnels with `cloudflared tunnel route ip` command. More information will be
+made available on blog.cloudflare.com and developers.cloudflare.com/cloudflare-one once the feature is globally available.
+
+### Bug Fixes
+- Correctly handle proxying UDP datagrams with no payload.
+- Bug fix for origins that use Server-Sent Events (SSE).
+
+## 2022.1.0
+### Improvements
+- If a specific `protocol` property is defined (e.g. for `quic`), cloudflared no longer falls back to an older protocol
+(such as `http2`) in face of connectivity errors. This is important because some features are only supported in a specific
+protocol (e.g. UDP proxying only works for `quic`). Hence, if a user chooses a protocol, cloudflared now adheres to it
+no matter what.
+
+### Bug Fixes
+- Stopping cloudflared running with `quic` protocol now respects graceful shutdown.
+
+## 2021.12.2
+### Bug Fixes
+- Fix logging when `quic` transport is used and UDP traffic is proxied.
+- FIPS compliant cloudflared binaries will now be released as separate artifacts. Recall that these are only for linux
+and amd64.
+
+## 2021.12.1
+### Bug Fixes
+ - Fixes Github issue #530 where cloudflared 2021.12.0 could not reach origins that were HTTPS and using certain encryption
+methods forbidden by FIPS compliance (such as Let's Encrypt certificates). To address this fix we have temporarily reverted
+FIPS compliance from amd64 linux binaries that was recently introduced (or fixed actually as it was never working before).
+
+## 2021.12.0
+### New Features
+- Cloudflared binary released for amd64 linux is now FIPS compliant.
+
+### Improvements
+- Logging about connectivity to Cloudflare edge now only yields `ERR` level logging if there are no connections to
+Cloudflare edge that are active. Otherwise it logs `WARN` level.
+ 
+### Bug Fixes
+- Fixes Github issue #501.
+
+## 2021.11.0
+### Improvements
+- Fallback from `protocol:quic` to `protocol:http2` immediately if UDP connectivity isn't available. This could be because of a firewall or 
+egress rule.
+
+## 2021.10.4
+### Improvements
+- Collect quic transport metrics on RTT, packets and bytes transferred.
+
+### Bug Fixes
+- Fix race condition that was writing to the connection after the http2 handler returns.
+
+## 2021.9.2
+
+### New features
+- `cloudflared` can now run with `quic` as the underlying tunnel transport protocol. To try it, change or add "protocol: quic" to your config.yml file or
+run cloudflared with the `--protocol quic` flag. e.g:
+    `cloudflared tunnel --protocol quic run <tunnel-name>`
+
+### Bug Fixes
+- Fixed some generic transport bugs in `quic` mode. It's advised to upgrade to at least this version (2021.9.2) when running `cloudflared`
+with `quic` protocol.
+- `cloudflared` docker images will now show version.
+
+
+## 2021.8.4
+### Improvements
+- Temporary tunnels (those hosted on trycloudflare.com that do not require a Cloudflare login) now run as Named Tunnels
+underneath. We recall that these tunnels should not be relied upon for production usage as they come with no guarantee
+of uptime. Previous cloudflared versions will soon be unable to run legacy temporary tunnels and will require an update
+(to this version or more recent).
+
+## 2021.8.2
+### Improvements
+- Because Equinox os shutting down, all cloudflared releases are now present [here](https://github.com/cloudflare/cloudflared/releases).
+[Equinox](https://dl.equinox.io/cloudflare/cloudflared/stable) will no longer receive updates. 
+
+## 2021.8.0
+### Bug fixes
+- Prevents tunnel from accidentally running when only proxy-dns should run. 
+
+### Improvements
+- If auto protocol transport lookup fails, we now default to a transport instead of not connecting.
+
+## 2021.6.0
+### Bug Fixes
+- Fixes a http2 transport (the new default for Named Tunnels) to work with unix socket origins.
+
+
+## 2021.5.10
+### Bug Fixes
+- Fixes a memory leak in h2mux transport that connects cloudflared to Cloudflare edge.
+
+
+## 2021.5.9
+### New Features
+- Uses new Worker based login helper service to facilitate token exchange in cloudflared flows.
+
+### Bug Fixes
+- Fixes Centos-7 builds.
+
+## 2021.5.8
+### New Features
+- When creating a DNS record to point a hostname at a tunnel, you can now use --overwrite-dns to overwrite any existing
+  DNS records with that hostname. This works both when using the CLI to provision DNS, as well as when starting an adhoc
+  named tunnel, e.g.:
+  - `cloudflared tunnel route dns --overwrite-dns foo-tunnel foo.example.com`
+  - `cloudflared tunnel --overwrite-dns --name foo-tunnel --hostname foo.example.com`
+
+## 2021.5.7
+### New Features
+- Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network.
+
+## 2021.5.0
+
+### New Features
+- It is now possible to run the same tunnel using more than one `cloudflared` instance. This is a server-side change and
+  is compatible with any client version that uses Named Tunnels.
+
+  To get started, visit our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/deploy-cloudflared-replicas).
+- `cloudflared tunnel ingress validate` will now warn about unused keys in your config file. This is helpful for
+  detecting typos in your config.
+- If `cloudflared` detects it is running inside a Linux container, it will limit itself to use only the number of CPUs
+  the pod has been granted, instead of trying to use every CPU available.
+
+## 2021.4.0
+
+### Bug Fixes
+
+- Fixed proxying of websocket requests to avoid possibility of losing initial frames that were sent in the same TCP
+  packet as response headers [#345](https://github.com/cloudflare/cloudflared/issues/345).
+- `proxy-dns` option now works in conjunction with running a named tunnel [#346](https://github.com/cloudflare/cloudflared/issues/346).
+
+## 2021.3.6
+
+### Bug Fixes
+
+- Reverted 2021.3.5 improvement to use HTTP/2 in a best-effort manner between cloudflared and origin services because
+  it was found to break in some cases.
+
+## 2021.3.5
+
+### Improvements
+
+ - HTTP/2 transport is now always chosen if origin server supports it and the service url scheme is HTTPS.
+   This was previously done in a best attempt manner.
+
+### Bug Fixes
+
+ - The MacOS binaries were not successfully released in 2021.3.3 and 2021.3.4. This release is aimed at addressing that.
+
+## 2021.3.3
+
+### Improvements
+
+- Tunnel create command, as well as, running ad-hoc tunnels using `cloudflared tunnel -name NAME`, will not overwrite
+  existing files when writing tunnel credentials.
+
+### Bug Fixes
+
+- Tunnel create and delete commands no longer use path to credentials from the configuration file.
+  If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
+- Access ssh-gen creates properly named keys for SSH short lived certs.
+
+
+## 2021.3.2
+
+### New Features
+
+- It is now possible to obtain more detailed information about the cloudflared connectors to Cloudflare Edge via
+  `cloudflared tunnel info <name/uuid>`. It is possible to sort the output as well as output in different formats,
+  such as: `cloudflared tunnel info --sort-by version --invert-sort --output json <name/uuid>`.
+  You can obtain more information via `cloudflared tunnel info --help`.
+
+### Bug Fixes
+
+- Don't look for configuration file in default paths when `--config FILE` flag is present after `tunnel` subcommand.
+- cloudflared access token command now functions correctly with the new token-per-app change from 2021.3.0.
+
+
+## 2021.3.0
+
+### New Features
+
+- [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) specific commands
+  now show up in the `cloudflared tunnel route --help` output.
+- There is a new ingress type that allows cloudflared to proxy SOCKS5 as a bastion. You can use it with an ingress
+  rule by adding `service: socks-proxy`. Traffic is routed to any destination specified by the SOCKS5 packet but only
+  if allowed by a rule. In the following example we allow proxying to a certain CIDR but explicitly forbid one address
+  within it:
+```
+ingress:
+  - hostname: socks.example.com
+    service: socks-proxy
+    originRequest:
+      ipRules:
+        - prefix: 192.168.1.8/32
+          allow: false
+        - prefix: 192.168.1.0/24
+          ports: [80, 443]
+          allow: true
+```
+
+
+### Improvements
+
+- Nested commands, such as `cloudflared tunnel run`, now consider CLI arguments even if they appear earlier on the
+  command. For instance, `cloudflared --config config.yaml tunnel run` will now behave the same as
+  `cloudflared tunnel --config config.yaml run`
+- Warnings are now shown in the output logs whenever cloudflared is running without the most recent version and
+  `no-autoupdate` is `true`.
+- Access tokens are now stored per Access App instead of per request path. This decreases the number of times that the
+  user is required to authenticate with an Access policy redundantly.
+
+### Bug Fixes
+
+- GitHub [PR #317](https://github.com/cloudflare/cloudflared/issues/317) was broken in 2021.2.5 and is now fixed again.
+
+## 2021.2.5
+
+### New Features
+
+- We introduce [Cloudflare One Routing](https://developers.cloudflare.com/cloudflare-one/tutorials/warp-to-tunnel) in
+  beta mode. Cloudflare customer can now connect users and private networks with RFC 1918 IP addresses via the
+  Cloudflare edge network. Users running Cloudflare WARP client in the same organization can connect to the services
+  made available by Argo Tunnel IP routes. Please share your feedback in the GitHub issue tracker.
+
+## 2021.2.4
+
+### Bug Fixes
+
+- Reverts the Improvement released in 2021.2.3 for CLI arguments as it introduced a regression where cloudflared failed
+  to read URLs in configuration files.
+- cloudflared now logs the reason for failed connections if the error is recoverable.
+
+## 2021.2.3
+
+### Backward Incompatible Changes
+
+- Removes db-connect. The Cloudflare Workers product will continue to support db-connect implementations with versions
+  of cloudflared that predate this release and include support for db-connect.
+
+### New Features
+
+- Introduces support for proxy configurations with websockets in arbitrary TCP connections (#318).
+
+### Improvements
+
+- (reverted) Nested command line argument handling.
+
+### Bug Fixes
+
+- The maximum number of upstream connections is now limited by default which should fix reported issues of cloudflared
+  exhausting CPU usage when faced with connectivity issues.

Dockerfile

@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.15.6 as builder
+FROM golang:1.21.5 as builder
 ENV GO111MODULE=on \
     CGO_ENABLED=0 \
     TARGET_GOOS=${TARGET_GOOS} \
@@ -12,11 +12,15 @@ WORKDIR /go/src/github.com/cloudflare/cloudflared/
 # copy our sources into the builder image
 COPY . .
 
+RUN .teamcity/install-cloudflare-go.sh
+
 # compile cloudflared
-RUN make cloudflared
+RUN PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian10:nonroot
+FROM gcr.io/distroless/base-debian11:nonroot
+
+LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
 # copy our compiled binary
 COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/

Dockerfile.amd64

@@ -0,0 +1,29 @@
+# use a builder image for building cloudflare
+FROM golang:1.21.5 as builder
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 
+    
+WORKDIR /go/src/github.com/cloudflare/cloudflared/
+
+# copy our sources into the builder image
+COPY . .
+
+RUN .teamcity/install-cloudflare-go.sh
+
+# compile cloudflared
+RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
+
+# use a distroless base image with glibc
+FROM gcr.io/distroless/base-debian11:nonroot
+
+LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
+
+# copy our compiled binary
+COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
+
+# run as non-privileged user
+USER nonroot
+
+# command / entrypoint of container
+ENTRYPOINT ["cloudflared", "--no-autoupdate"]
+CMD ["version"]

Dockerfile.arm64

@@ -0,0 +1,29 @@
+# use a builder image for building cloudflare
+FROM golang:1.21.5 as builder
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 
+    
+WORKDIR /go/src/github.com/cloudflare/cloudflared/
+
+# copy our sources into the builder image
+COPY . .
+
+RUN .teamcity/install-cloudflare-go.sh
+
+# compile cloudflared
+RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
+
+# use a distroless base image with glibc
+FROM gcr.io/distroless/base-debian11:nonroot-arm64
+
+LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
+
+# copy our compiled binary
+COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
+
+# run as non-privileged user
+USER nonroot
+
+# command / entrypoint of container
+ENTRYPOINT ["cloudflared", "--no-autoupdate"]
+CMD ["version"]

LICENSE

@@ -1,155 +1,202 @@
-SERVICES AGREEMENT
 
-Your installation of this software is symbol of your signature indicating that
-you accept the terms of this Services Agreement (this "Agreement").  This
-Agreement is a legal agreement between you (either an individual or a single
-entity) and CloudFlare, Inc. for the services being provided to you by
-CloudFlare or its authorized representative (the "Services"), including any
-computer software and any associated media, printed materials, and "online" or
-electronic documentation provided in connection with the Services (the
-"Software" and together with the Services are hereinafter collectively referred
-to as the "Solution").  If the user is not an individual, then "you" means your
-company, its officers, members, employees, agents, representatives, successors
-and assigns.  BY USING THE SOLUTION, YOU ARE INDICATING THAT YOU HAVE READ, AND
-AGREE TO BE BOUND BY, THE POLICIES, TERMS, AND CONDITIONS SET FORTH BELOW IN
-THEIR ENTIRETY WITHOUT LIMITATION OR QUALIFICATION, AS WELL AS BY ALL APPLICABLE
-LAWS AND REGULATIONS, AS IF YOU HAD HANDWRITTEN YOUR NAME ON A CONTRACT.  IF YOU
-DO NOT AGREE TO THESE TERMS AND CONDITIONS, YOU MAY NOT USE THE SOLUTION.
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-1.    GRANT OF RIGHTS
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-1.1	Grant of License.  The Solution is licensed by CloudFlare and its
-licensors, not sold.  Subject to the terms and conditions of this Agreement,
-CloudFlare hereby grants you a nonexclusive, nonsublicensable, nontransferable
-license to use the Solution.  You may examine source code, if provided to you,
-solely for the limited purpose of evaluating the Software for security flaws.
-You may also use the Service to create derivative works which are exclusively
-compatible with any CloudFlare product serviceand no other product or service.
-This license applies to the parts of the Solution developed by CloudFlare.  The
-Solution may also incorporate externally maintained libraries and other open software.
-These resources may be governed by other licenses.
+   1. Definitions.
 
-1.2	Restrictions.  The license granted herein is granted solely to you and
-not, by implication or otherwise, to any of your parents, subsidiaries or
-affiliates.  No right is granted hereunder to use the Solution to perform
-services for third parties. All rights not expressly granted hereunder are
-reserved to CloudFlare.  You may not use the Solution except as explicitly
-permitted under this Agreement.  You are expressly prohibited from modifying,
-adapting, translating, preparing derivative works from, decompiling, reverse
-engineering, disassembling or otherwise attempting to derive source code from
-the Software used to provide the Services or any internal data files generated
-by the Solution.  You are also prohibited from removing, obscuring or altering
-any copyright notice, trademarks, or other proprietary rights notices affixed to
-or associated with the Solution.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-1.3	Ownership.  As between the parties, CloudFlare and/or its licensors own
-and shall retain all right, title, and interest in and to the Solution,
-including any and all technology embodied therein, including all copyrights,
-patents, trade secrets, trade dress and other proprietary rights associated
-therewith, and any derivative works created there from.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
 
-2.	LIMITATION OF LIABILITY
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
 
-YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT DOWNLOADING THE SOFTWARE IS AT YOUR
-SOLE RISK.  THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTY OF ANY KIND
-AND CLOUDFLARE, ITS LICENSORS AND ITS AUTHORIZED REPRESENTATIVES (TOGETHER FOR
-PURPOSES HEREOF, "CLOUDFLARE") EXPRESSLY DISCLAIM ALL WARRANTIES, EXPRESS OR
-IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  CLOUDFLARE DOES NOT
-WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR
-REQUIREMENTS, OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR
-ERROR-FREE, OR THAT DEFECTS IN THE SOFTWARE WILL BE CORRECTED.  FURTHERMORE,
-CLOUDFLARE DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE SOFTWARE
-OR RELATED DOCUMENTATION IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY,
-OR OTHERWISE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY CLOUDFLARE SHALL
-CREATE A WARRANTY OR IN ANY WAY INCREASE THE SCOPE OF THIS WARRANTY.
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
 
-3.	CONFIDENTIALITY
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
 
-It may be necessary during the set up and performance of the Solution for the
-parties to exchange Confidential Information. "Confidential Information" means
-any information whether oral, or written, of a private, secret, proprietary or
-confidential nature, concerning either party or its business operations,
-including without limitation: (a) your data and (b) CloudFlare's access control
-systems, specialized network equipment and techniques related to the Solution,
-use policies, which include trade secrets of CloudFlare and its licensors. Each
-party agrees to use the same degree of care to protect the confidentiality of
-the Confidential Information of the other party and to prevent its unauthorized
-use or dissemination as it uses to protect its own Confidential Information of a
-similar nature, but in no event shall exercise less than due diligence and
-reasonable care. Each party agrees to use the Confidential Information of the
-other party only for purposes related to the performance of this Agreement. All
-Confidential Information remains the property of the party disclosing the
-information and no license or other rights to Confidential Information is
-granted or implied hereby.
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
 
-4.	TERM AND TERMINATION
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
 
-4.1	Term.  This Agreement shall be effective upon download or install of the
-Software.
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
 
-4.2	Termination. This Agreement may be terminated by CloudFlare or its
-authorized representative by written notice to you if any of the following
-events occur:  (i) you fail to pay any amounts due for the Services and the
-Solution when due and after written notice of such nonpayment has been given to
-you; (ii) you are in material breach of any term, condition, or provision of
-this Agreement or any other agreement executed by you with CloudFlare or its
-authorized representative in connection with the provision of the Solution and
-Services (a "Related Agreement"); or (iii) you terminate or suspend your
-business, becomes subject to any bankruptcy or insolvency proceeding under
-federal or state statutes, or become insolvent or subject to direct control by a
-trustee, receiver or similar authority.
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
 
-4.3	Effect of Termination.  Upon the termination of this Agreement for any
-reason: (1) all license rights granted hereunder shall terminate and (2) all
-Confidential Information shall be returned to the disclosing party or destroyed.
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
 
-5.	MISCELLANEOUS
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
 
-5.1	Assignment.  You may not assign any of your rights or delegate any of
-your obligations under this Agreement, whether by operation of law or otherwise,
-without the prior express written consent of CloudFlare or its authorized
-representative.  Any such assignment without the prior express written consent
-of CloudFlare or its authorized representative shall be void.  Subject to the
-foregoing, this Agreement will bind and inure to the benefit of the parties,
-their respective successors and permitted assigns.
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
 
-5.2	Waiver and Amendment.  No modification, amendment or waiver of any
-provision of this Agreement shall be effective unless in writing and signed by
-the party to be charged.  No failure or delay by either party in exercising any
-right, power, or remedy under this Agreement, except as specifically provided
-herein, shall operate as a waiver of any such right, power or remedy.  Without
-limiting the foregoing, terms and conditions on any purchase orders or similar
-materials submitted by you to CloudFlare or its authorized representative shall
-be of no force or effect.
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
 
-5.3	Governing Law.  This Agreement shall be governed by the laws of the State
-of California, USA, excluding conflict of laws and provisions, and excluding the
-United Nations Convention on Contracts for the International Sale of Goods.
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
 
-5.4	Notices.  All notices, demands or consents required or permitted under
-this Agreement shall be in writing.  Notice shall be sent to you at the e-mail
-address provided by you to CloudFlare or its authorized representative in
-connection with the Solution.
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
 
-5.5	Independent Contractors. The parties are independent contractors.
-Neither party shall be deemed to be an employee, agent, partner or legal
-representative of the other for any purpose and neither shall have any right,
-power or authority to create any obligation or responsibility on behalf of the
-other.
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
 
-5.6	Severability.  If any provision of this Agreement is held by a court of
-competent jurisdiction to be contrary to law, such provision shall be changed
-and interpreted so as to best accomplish the objectives of the original
-provision to the fullest extent allowed by law and the remaining provisions of
-this Agreement shall remain in full force and effect.
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
 
-5.7	Force Majeure.  CloudFlare shall not be liable to the other party for any
-failure or delay in performance caused by reasons beyond its reasonable control.
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
 
-5.8	Complete Understanding.  This Agreement and the Related Agreement
-constitute the final, complete and exclusive agreement between the parties with
-respect to the subject matter hereof, and supersedes all previous written and
-oral agreements and communications related to the subject matter of this
-Agreement.  To the extent this Agreement and the Related Agreement conflict,
-this Agreement shall control.
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

Makefile

@@ -1,38 +1,79 @@
-VERSION       := $(shell git describe --tags --always --dirty="-dev" --match "[0-9][0-9][0-9][0-9].*.*")
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
-VERSION_FLAGS := -ldflags='-X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
+# The targets cannot be run in parallel
+.NOTPARALLEL:
+
+VERSION       := $(shell git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 MSI_VERSION   := $(shell git tag -l --sort=v:refname | grep "w" | tail -1 | cut -c2-)
 #MSI_VERSION expects the format of the tag to be: (wX.X.X). Starts with the w character to not break cfsetup.
 #e.g. w3.0.1 or w4.2.10. It trims off the w character when creating the MSI.
 
-IMPORT_PATH   := github.com/cloudflare/cloudflared
-PACKAGE_DIR   := $(CURDIR)/packaging
-INSTALL_BINDIR := /usr/bin/
-MAN_DIR := /usr/share/man/man1/
-
-EQUINOX_FLAGS = --version="$(VERSION)" \
-	--platforms="$(EQUINOX_BUILD_PLATFORMS)" \
-	--app="$(EQUINOX_APP_ID)" \
-	--token="$(EQUINOX_TOKEN)" \
-	--channel="$(EQUINOX_CHANNEL)"
-
-ifeq ($(EQUINOX_IS_DRAFT), true)
-	EQUINOX_FLAGS := --draft $(EQUINOX_FLAGS)
+ifeq ($(ORIGINAL_NAME), true)
+	# Used for builds that want FIPS compilation but want the artifacts generated to still have the original name.
+	BINARY_NAME := cloudflared
+else ifeq ($(FIPS), true)
+	# Used for FIPS compliant builds that do not match the case above.
+	BINARY_NAME := cloudflared-fips
+else
+	# Used for all other (non-FIPS) builds.
+	BINARY_NAME := cloudflared
 endif
 
+ifeq ($(NIGHTLY), true)
+	DEB_PACKAGE_NAME := $(BINARY_NAME)-nightly
+	NIGHTLY_FLAGS := --conflicts cloudflared --replaces cloudflared
+else
+	DEB_PACKAGE_NAME := $(BINARY_NAME)
+endif
+
+DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
+ifdef PACKAGE_MANAGER
+	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
+endif
+
+LINK_FLAGS :=
+ifeq ($(FIPS), true)
+	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
+	# Prevent linking with libc regardless of CGO enabled or not.
+	GO_BUILD_TAGS := $(GO_BUILD_TAGS) osusergo netgo fips
+	VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS"
+endif
+
+LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)'
+ifneq ($(GO_BUILD_TAGS),)
+	GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)"
+endif
+
+ifeq ($(debug), 1)
+	GO_BUILD_TAGS += -gcflags="all=-N -l"
+endif
+
+IMPORT_PATH    := github.com/cloudflare/cloudflared
+PACKAGE_DIR    := $(CURDIR)/packaging
+PREFIX         := /usr
+INSTALL_BINDIR := $(PREFIX)/bin/
+INSTALL_MANDIR := $(PREFIX)/share/man/man1/
+CF_GO_PATH     := /tmp/go
+PATH           := $(CF_GO_PATH)/bin:$(PATH)
+
 LOCAL_ARCH ?= $(shell uname -m)
 ifneq ($(GOARCH),)
     TARGET_ARCH ?= $(GOARCH)
 else ifeq ($(LOCAL_ARCH),x86_64)
     TARGET_ARCH ?= amd64
+else ifeq ($(LOCAL_ARCH),amd64)
+    TARGET_ARCH ?= amd64
 else ifeq ($(LOCAL_ARCH),i686)
     TARGET_ARCH ?= amd64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
     TARGET_ARCH ?= arm64
 else ifeq ($(LOCAL_ARCH),aarch64)
     TARGET_ARCH ?= arm64
+else ifeq ($(LOCAL_ARCH),arm64)
+    TARGET_ARCH ?= arm64
 else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 4),armv)
     TARGET_ARCH ?= arm
+else ifeq ($(LOCAL_ARCH),s390x)
+    TARGET_ARCH ?= s390x
 else
     $(error This system's architecture $(LOCAL_ARCH) isn't supported)
 endif
@@ -46,14 +87,16 @@ else ifeq ($(LOCAL_OS),windows)
     TARGET_OS ?= windows
 else ifeq ($(LOCAL_OS),freebsd)
     TARGET_OS ?= freebsd
+else ifeq ($(LOCAL_OS),openbsd)
+    TARGET_OS ?= openbsd
 else
     $(error This system's OS $(LOCAL_OS) isn't supported)
 endif
 
 ifeq ($(TARGET_OS), windows)
-	EXECUTABLE_PATH=./cloudflared.exe
+	EXECUTABLE_PATH=./$(BINARY_NAME).exe
 else
-	EXECUTABLE_PATH=./cloudflared
+	EXECUTABLE_PATH=./$(BINARY_NAME)
 endif
 
 ifeq ($(FLAVOR), centos-7)
@@ -62,6 +105,19 @@ else
 	TARGET_PUBLIC_REPO ?= $(FLAVOR)
 endif
 
+ifneq ($(TARGET_ARM), )
+	ARM_COMMAND := GOARM=$(TARGET_ARM)
+endif
+
+ifeq ($(TARGET_ARM), 7) 
+	PACKAGE_ARCH := armhf
+else
+	PACKAGE_ARCH := $(TARGET_ARCH)
+endif
+
+#for FIPS compliance, FPM defaults to MD5.
+RPM_DIGEST := --rpm-digest sha256
+
 .PHONY: all
 all: cloudflared test
 
@@ -70,133 +126,115 @@ clean:
 	go clean
 
 .PHONY: cloudflared
-cloudflared: tunnel-deps
-	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) go build -v -mod=vendor $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
+cloudflared:
+ifeq ($(FIPS), true)
+	$(info Building cloudflared with go-fips)
+	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
+endif
+	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
+ifeq ($(FIPS), true)
+	rm -f cmd/cloudflared/fips.go
+	./check-fips.sh cloudflared
+endif
 
 .PHONY: container
 container:
 	docker build --build-arg=TARGET_ARCH=$(TARGET_ARCH) --build-arg=TARGET_OS=$(TARGET_OS) -t cloudflare/cloudflared-$(TARGET_OS)-$(TARGET_ARCH):"$(VERSION)" .
 
+.PHONY: generate-docker-version
+generate-docker-version:
+	echo latest $(VERSION) > versions
+
+
 .PHONY: test
 test: vet
-	go test -v -mod=vendor -race $(VERSION_FLAGS) ./...
+ifndef CI
+	go test -v -mod=vendor -race $(LDFLAGS) ./...
+else
+	@mkdir -p .cover
+	go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
+endif
+
+.PHONY: cover
+cover:
+	@echo ""
+	@echo "=====> Total test coverage: <====="
+	@echo ""
+	# Print the overall coverage here for quick access.
+	$Q go tool cover -func ".cover/c.out" | grep "total:" | awk '{print $$3}'
+	# Generate the HTML report that can be viewed from the browser in CI.
+	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
 
 .PHONY: test-ssh-server
 test-ssh-server:
 	docker-compose -f ssh_server_tests/docker-compose.yml up
 
-define publish_package
-	for HOST in $(CF_PKG_HOSTS); do \
-		ssh-keyscan -t rsa $$HOST >> ~/.ssh/known_hosts; \
-		scp -4 cloudflared*.$(1) cfsync@$$HOST:/state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/; \
-		ssh cfsync@$$HOST 'chmod g+w /state/cf-pkg/staging/$(2)/$(TARGET_PUBLIC_REPO)/cloudflared/*.$(1)'; \
-	done
-endef
+.PHONY: install-go
+install-go:
+	rm -rf ${CF_GO_PATH}
+	./.teamcity/install-cloudflare-go.sh
 
-.PHONY: publish-deb
-publish-deb: cloudflared-deb
-	$(call publish_package,deb,apt)
+.PHONY: cleanup-go
+cleanup-go:
+	rm -rf ${CF_GO_PATH}
 
-.PHONY: publish-rpm
-publish-rpm: cloudflared-rpm
-	$(call publish_package,rpm,yum)
+cloudflared.1: cloudflared_man_template
+	sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
 
+install: install-go cloudflared cloudflared.1 cleanup-go
+	mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
+	install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
+	install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
+
+# When we build packages, the package name will be FIPS-aware.
+# But we keep the binary installed by it to be named "cloudflared" regardless.
 define build_package
 	mkdir -p $(PACKAGE_DIR)
 	cp cloudflared $(PACKAGE_DIR)/cloudflared
-	cat cloudflared_man_template | sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' > $(PACKAGE_DIR)/cloudflared.1
-	fakeroot fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
-		--description 'Cloudflare Argo tunnel daemon' \
+	cp cloudflared.1 $(PACKAGE_DIR)/cloudflared.1
+	fpm -C $(PACKAGE_DIR) -s dir -t $(1) \
+		--description 'Cloudflare Tunnel daemon' \
 		--vendor 'Cloudflare' \
-		--license 'Cloudflare Service Agreement' \
+		--license 'Apache License Version 2.0' \
 		--url 'https://github.com/cloudflare/cloudflared' \
 		-m 'Cloudflare <support@cloudflare.com>' \
-		-a $(TARGET_ARCH) -v $(VERSION) -n cloudflared --after-install postinst.sh --after-remove postrm.sh \
-		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(MAN_DIR)
+	    -a $(PACKAGE_ARCH) -v $(VERSION) -n $(DEB_PACKAGE_NAME) $(RPM_DIGEST) $(NIGHTLY_FLAGS) --after-install postinst.sh --after-remove postrm.sh \
+		cloudflared=$(INSTALL_BINDIR) cloudflared.1=$(INSTALL_MANDIR)
 endef
 
 .PHONY: cloudflared-deb
-cloudflared-deb: cloudflared
+cloudflared-deb: cloudflared cloudflared.1
 	$(call build_package,deb)
 
 .PHONY: cloudflared-rpm
-cloudflared-rpm: cloudflared
+cloudflared-rpm: cloudflared cloudflared.1
 	$(call build_package,rpm)
 
+.PHONY: cloudflared-pkg
+cloudflared-pkg: cloudflared cloudflared.1
+	$(call build_package,osxpkg)
+
+.PHONY: cloudflared-msi
+cloudflared-msi:
+	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
+
 .PHONY: cloudflared-darwin-amd64.tgz
 cloudflared-darwin-amd64.tgz: cloudflared
 	tar czf cloudflared-darwin-amd64.tgz cloudflared
 	rm cloudflared
 
-.PHONY: cloudflared-junos
-cloudflared-junos: cloudflared jetez-certificate.pem jetez-key.pem
-	jetez --source . \
-		  -j jet.yaml \
-		  --key jetez-key.pem \
-		  --cert jetez-certificate.pem \
-		  --version $(VERSION)
-	rm jetez-*.pem
-
-jetez-certificate.pem:
-ifndef JETEZ_CERT
-	$(error JETEZ_CERT not defined)
-endif
-	@echo "Writing JetEZ certificate"
-	@echo "$$JETEZ_CERT" > jetez-certificate.pem
-
-jetez-key.pem:
-ifndef JETEZ_KEY
-	$(error JETEZ_KEY not defined)
-endif
-	@echo "Writing JetEZ key"
-	@echo "$$JETEZ_KEY" > jetez-key.pem
-
-.PHONY: publish-cloudflared-junos
-publish-cloudflared-junos: cloudflared-junos cloudflared-x86-64.latest.s3
-ifndef S3_ENDPOINT
-	$(error S3_HOST not defined)
-endif
-ifndef S3_URI
-	$(error S3_URI not defined)
-endif
-ifndef S3_ACCESS_KEY
-	$(error S3_ACCESS_KEY not defined)
-endif
-ifndef S3_SECRET_KEY
-	$(error S3_SECRET_KEY not defined)
-endif
-	sha256sum cloudflared-x86-64-$(VERSION).tgz | awk '{printf $$1}' > cloudflared-x86-64-$(VERSION).tgz.shasum
-	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
-		put cloudflared-x86-64-$(VERSION).tgz $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz
-	s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
-		put cloudflared-x86-64-$(VERSION).tgz.shasum $(S3_URI)/cloudflared-x86-64-$(VERSION).tgz.shasum
-	dpkg --compare-versions "$(VERSION)" gt "$(shell cat cloudflared-x86-64.latest.s3)" && \
-		echo -n "$(VERSION)" > cloudflared-x86-64.latest && \
-		s4cmd --endpoint-url $(S3_ENDPOINT) --force --API-GrantRead=uri=http://acs.amazonaws.com/groups/global/AllUsers \
-			put cloudflared-x86-64.latest $(S3_URI)/cloudflared-x86-64.latest || \
-		echo "Latest version not updated"
-
-cloudflared-x86-64.latest.s3:
-	s4cmd --endpoint-url $(S3_ENDPOINT) --force \
-		get $(S3_URI)/cloudflared-x86-64.latest cloudflared-x86-64.latest.s3
-
-.PHONY: homebrew-upload
-homebrew-upload: cloudflared-darwin-amd64.tgz
-	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $$^ $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz
-	aws s3 --endpoint-url $(S3_ENDPOINT) cp --acl public-read $(S3_URI)/cloudflared-$$(VERSION)-$1.tgz  $(S3_URI)/cloudflared-stable-$1.tgz
-
-.PHONY: homebrew-release
-homebrew-release: homebrew-upload
-	./publish-homebrew-formula.sh cloudflared-darwin-amd64.tgz $(VERSION) homebrew-cloudflare
-
-.PHONY: release
-release: bin/equinox
-	bin/equinox release $(EQUINOX_FLAGS) -- $(VERSION_FLAGS) $(IMPORT_PATH)/cmd/cloudflared
-
 .PHONY: github-release
 github-release: cloudflared
 	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
 
+.PHONY: github-release-built-pkgs
+github-release-built-pkgs:
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
+
+.PHONY: release-pkgs-linux
+release-pkgs-linux:
+	python3 ./release_pkgs.py
+
 .PHONY: github-message
 github-message:
 	python3 github_message.py --release-version $(VERSION)
@@ -206,24 +244,29 @@ github-mac-upload:
 	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
 	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
 
-bin/equinox:
-	mkdir -p bin
-	curl -s https://bin.equinox.io/c/75JtLRTsJ3n/release-tool-beta-$(EQUINOX_PLATFORM).tgz | tar xz -C bin/
+.PHONY: github-windows-upload
+github-windows-upload:
+	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.exe --release-version $(VERSION) --name cloudflared-windows-amd64.exe
+	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.msi --release-version $(VERSION) --name cloudflared-windows-amd64.msi
+	python3 github_release.py --path built_artifacts/cloudflared-windows-386.exe --release-version $(VERSION) --name cloudflared-windows-386.exe
+	python3 github_release.py --path built_artifacts/cloudflared-windows-386.msi --release-version $(VERSION) --name cloudflared-windows-386.msi
 
-.PHONY: tunnel-deps
-tunnel-deps: tunnelrpc/tunnelrpc.capnp.go
-
-tunnelrpc/tunnelrpc.capnp.go: tunnelrpc/tunnelrpc.capnp
+.PHONY: tunnelrpc-deps
+tunnelrpc-deps:
 	which capnp  # https://capnproto.org/install.html
-	which capnpc-go  # go get zombiezen.com/go/capnproto2/capnpc-go
+	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
 	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
 
+.PHONY: quic-deps
+quic-deps:
+	which capnp
+	which capnpc-go
+	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
+
 .PHONY: vet
 vet:
-	go vet -mod=vendor ./...
-	which go-sumtype  # go get github.com/BurntSushi/go-sumtype
-	go-sumtype $$(go list -mod=vendor ./...)
+	go vet -mod=vendor github.com/cloudflare/cloudflared/...
 
-.PHONY: msi
-msi: cloudflared
-	go-msi make --msi cloudflared.msi --version $(MSI_VERSION)
+.PHONY: fmt
+fmt:
+	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc)

README.md

@@ -1,43 +1,58 @@
-# Argo Tunnel client
+# Cloudflare Tunnel client
+
+Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
+This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
+via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
+Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
+All usages related with proxying to your origins are available under `cloudflared tunnel help`.
+
+You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
+at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
+Such usages are available under `cloudflared access help`.
+
+You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
+to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
 
-Contains the command-line client for Argo Tunnel, a tunneling daemon that proxies any local webserver through the Cloudflare network. Extensive documentation can be found in the [Argo Tunnel section](https://developers.cloudflare.com/argo-tunnel/) of the Cloudflare Docs.
 
 ## Before you get started
 
-Before you use Argo Tunnel, you'll need to complete a few steps in the Cloudflare dashboard. The website you add to Cloudflare will be used to route traffic to your Tunnel.
-
+Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
+website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
+routing), but for legacy reasons this requirement is still necessary:
 1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
 2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
 
+
 ## Installing `cloudflared`
 
-Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases here on the `cloudflared` GitHub repository.
+Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
 
-* You can [install on macOS](https://developers.cloudflare.com/argo-tunnel/getting-started/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
-* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/argo-tunnel/getting-started/installation#linux)
+* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
+* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
 * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
-* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/argo-tunnel/getting-started/installation#windows)
+* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
+* To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
+
+User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
 
-User documentation for Argo Tunnel can be found at https://developers.cloudflare.com/argo-tunnel/
 
 ## Creating Tunnels and routing traffic
 
-Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels that serve traffic for hostnames in your account.
+Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
+
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Route traffic to that Tunnel:
+  * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
+  * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
+  * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
 
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/argo-tunnel/create-tunnel)
-* Route traffic to that Tunnel with [DNS records in Cloudflare](https://developers.cloudflare.com/argo-tunnel/routing-to-tunnel/dns) or with a [Cloudflare Load Balancer](https://developers.cloudflare.com/argo-tunnel/routing-to-tunnel/lb)
 
 ## TryCloudflare
 
-Want to test Argo Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/argo-tunnel/learning/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
 
 ## Deprecated versions
 
-Cloudflare currently supports all versions of `cloudflared`. Starting on March 20, 2021, Cloudflare will no longer support versions released prior to 2020.5.1.
+Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
 
-All features available in versions released prior to 2020.5.1 are available in current versions. Breaking changes unrelated to feature availability may be introduced that will impact versions released prior to 2020.5.1. You can read more about upgrading `cloudflared` in our [developer documentation](https://developers.cloudflare.com/argo-tunnel/getting-started/installation#updating-cloudflared).
-
-| Version(s) | Deprecation status |
-|---|---|
-| 2020.5.1 and later | Supported |
-| Versions prior to 2020.5.1 | Will no longer be supported starting March 20, 2021 |
+For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.

RELEASE_NOTES

@@ -1,3 +1,998 @@
+2024.4.1
+- 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests
+- 2024-04-19 TUN-8374: Close UDP socket if registration fails
+- 2024-04-18 TUN-8371: Bump quic-go to v0.42.0
+- 2024-04-03 TUN-8333: Bump go-jose dependency to v4
+- 2024-04-02 TUN-8331: Add unit testing for AccessJWTValidator middleware
+
+2024.4.0
+- 2024-04-02 feat: provide short version (#1206)
+- 2024-04-02 Format code
+- 2024-01-18 feat: auto tls sni
+- 2023-12-24 fix checkInPingGroup bugs
+- 2023-12-15 Add environment variables for TCP tunnel hostname / destination / URL.
+
+2024.3.0
+- 2024-03-14 TUN-8281: Run cloudflared query list tunnels/routes endpoint in a paginated way
+- 2024-03-13 TUN-8297: Improve write timeout logging on safe_stream.go
+- 2024-03-07 TUN-8290: Remove `|| true` from postrm.sh
+- 2024-03-05 TUN-8275: Skip write timeout log on "no network activity"
+- 2024-01-23 Update postrm.sh to fix incomplete uninstall
+- 2024-01-05 fix typo in errcheck for response parsing logic in CreateTunnel routine
+- 2023-12-23 Update linux_service.go
+- 2023-12-07 ci: bump actions/checkout to v4
+- 2023-12-07 ci/check: bump actions/setup-go to v5
+- 2023-04-28 check.yaml: bump actions/setup-go to v4
+
+2024.2.1
+- 2024-02-20 TUN-8242: Update Changes.md file with new remote diagnostics behaviour
+- 2024-02-19 TUN-8238: Fix type mismatch introduced by fast-forward
+- 2024-02-16 TUN-8243: Collect metrics on the number of QUIC frames sent/received
+- 2024-02-15 TUN-8238: Refactor proxy logging
+- 2024-02-14 TUN-8242: Enable remote diagnostics by default
+- 2024-02-12 TUN-8236: Add write timeout to quic and tcp connections
+- 2024-02-09 TUN-8224: Fix safety of TCP stream logging, separate connect and ack log messages
+
+2024.2.0
+- 2024-02-07 TUN-8224: Count and collect metrics on stream connect successes/errors
+
+2024.1.5
+- 2024-01-22 TUN-8176: Support ARM platforms that don't have an FPU or have it enabled in kernel
+- 2024-01-15 TUN-8158: Bring back commit e6537418859afcac29e56a39daa08bcabc09e048 and fixes infinite loop on linux when the socket is closed
+
+2024.1.4
+- 2024-01-19 Revert "TUN-8158: Add logging to confirm when ICMP reply is returned to the edge"
+
+2024.1.3
+- 2024-01-15 TUN-8161: Fix broken ARM build for armv6
+- 2024-01-15 TUN-8158: Add logging to confirm when ICMP reply is returned to the edge
+
+2024.1.2
+- 2024-01-11 TUN-8147: Disable ECN usage due to bugs in detecting if supported
+- 2024-01-11 TUN-8146: Fix export path for install-go command
+- 2024-01-11 TUN-8146: Fix Makefile targets should not be run in parallel and install-go script was missing shebang
+- 2024-01-10 TUN-8140: Remove homebrew scripts
+
+2024.1.1
+- 2024-01-10 TUN-8134: Revert installed prefix to /usr
+- 2024-01-09 TUN-8130: Fix path to install go for mac build
+- 2024-01-09 TUN-8129: Use the same build command between branch and release builds
+- 2024-01-09 TUN-8130: Install go tool chain in /tmp on build agents
+- 2024-01-09 TUN-8134: Install cloudflare go as part of make install
+- 2024-01-08 TUN-8118: Disable FIPS module to build with go-boring without CGO_ENABLED
+
+2024.1.0
+- 2024-01-01 TUN-7934: Update quic-go to a version that queues datagrams for better throughput and drops large datagram
+- 2023-12-20 TUN-8072: Need to set GOCACHE in mac go installation script
+- 2023-12-17 TUN-8072: Add script to download cloudflare go for Mac build agents
+- 2023-12-15 Fix nil pointer dereference segfault when passing "null" config json to cloudflared tunnel ingress validate (#1070)
+- 2023-12-15 configuration.go: fix developerPortal link (#960)
+- 2023-12-14 tunnelrpc/pogs: fix dropped test errors (#1106)
+- 2023-12-14 cmd/cloudflared/updater: fix dropped error (#1055)
+- 2023-12-14 use os.Executable to discover the path to cloudflared (#1040)
+- 2023-12-14 Remove extraneous `period` from Path Environment Variable (#1009)
+- 2023-12-14 Use CLI context when running tunnel (#597)
+- 2023-12-14 TUN-8066: Define scripts to build on Windows agents
+- 2023-12-11 TUN-8052: Update go to 1.21.5
+- 2023-12-07 TUN-7970: Default to enable post quantum encryption for quic transport
+- 2023-12-04 TUN-8006: Update quic-go to latest upstream
+- 2023-11-15 VULN-44842 Add a flag that allows users to not send the Access JWT to stdout
+- 2023-11-13 TUN-7965: Remove legacy incident status page check
+- 2023-11-13 AUTH-5682 Org token flow in Access logins should pass CF_AppSession cookie
+
+2023.10.0
+- 2023-10-06 TUN-7864: Document cloudflared versions support
+- 2023-10-03 CUSTESC-33731: Make rule match test report rule in 0-index base
+- 2023-09-22 TUN-7824: Fix usage of systemctl status to detect which services are installed
+- 2023-09-20 TUN-7813: Improve tunnel delete command to use cascade delete
+- 2023-09-20 TUN-7787: cloudflared only list ip routes targeted for cfd_tunnel
+- 2023-09-15 TUN-7787: Refactor cloudflared to use new route endpoints based on route IDs
+- 2023-09-08 TUN-7776: Remove warp-routing flag from cloudflared
+- 2023-09-05 TUN-7756: Clarify that QUIC is mandatory to support ICMP proxying
+
+2023.8.2
+- 2023-08-25 TUN-7700: Implement feature selector to determine if connections will prefer post quantum cryptography
+- 2023-08-22 TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled
+
+2023.8.1
+- 2023-08-23 TUN-7718: Update R2 Token to no longer encode secret
+
+2023.8.0
+- 2023-07-26 TUN-7584: Bump go 1.20.6
+
+2023.7.3
+- 2023-07-25 TUN-7628: Correct Host parsing for Access
+- 2023-07-24 TUN-7624: Fix flaky TestBackoffGracePeriod test in cloudflared
+
+2023.7.2
+- 2023-07-19 TUN-7599: Onboard cloudflared to Software Dashboard
+- 2023-07-19 TUN-7587: Remove junos builds
+- 2023-07-18 TUN-7597: Add flag to disable auto-update services to be installed
+- 2023-07-17 TUN-7594: Add nightly arm64 cloudflared internal deb publishes
+- 2023-07-14 TUN-7586: Upgrade go-jose/go-jose/v3 and core-os/go-oidc/v3
+- 2023-07-14 TUN-7589: Remove legacy golang.org/x/crypto/ssh/terminal package usage
+- 2023-07-14 TUN-7590: Remove usages of ioutil
+- 2023-07-14 TUN-7585: Remove h2mux compression
+- 2023-07-14 TUN-7588: Update package coreos/go-systemd
+
+2023.7.1
+- 2023-07-13 TUN-7582: Correct changelog wording for --management-diagnostics
+- 2023-07-12 TUN-7575: Add option to disable PTMU discovery over QUIC
+
+2023.7.0
+- 2023-07-06 TUN-7558: Flush on Writes for StreamBasedOriginProxy
+- 2023-07-05 TUN-7553: Add flag to enable management diagnostic services
+- 2023-07-05 TUN-7564: Support cf-trace-id for cloudflared access
+- 2023-07-05 TUN-7477: Decrement UDP sessions on shutdown
+- 2023-07-03 TUN-7545: Add support for full bidirectionally streaming with close signal propagation
+- 2023-06-30 TUN-7549: Add metrics route to management service
+- 2023-06-30 TUN-7551: Complete removal of raven-go to sentry-go
+- 2023-06-30 TUN-7550: Add pprof endpoint to management service
+- 2023-06-29 TUN-7543: Add --debug-stream flag to cloudflared access ssh
+- 2023-06-26 TUN-6011: Remove docker networks from ICMP Proxy test
+- 2023-06-20 AUTH-5328 Pass cloudflared_token_check param when running cloudflared access login
+
+2023.6.1
+- 2023-06-19 TUN-7480: Added a timeout for unregisterUDP.
+- 2023-06-16 TUN-7477: Add UDP/TCP session metrics
+- 2023-06-14 TUN-7468: Increase the limit of incoming streams
+
+2023.6.0
+- 2023-06-15 TUN-7471: Fixes cloudflared not closing the quic stream on unregister UDP session
+- 2023-06-09 TUN-7463: Add default ingress rule if no ingress rules are provided when updating the configuration
+- 2023-05-31 TUN-7447: Add a cover build to report code coverage
+
+2023.5.1
+- 2023-05-16 TUN-7424: Add CORS headers to host_details responses
+- 2023-05-11 TUN-7421: Add *.cloudflare.com to permitted Origins for management WebSocket requests
+- 2023-05-05 TUN-7404: Default configuration version set to -1
+- 2023-05-05 TUN-7227: Migrate to devincarr/quic-go
+
+2023.5.0
+- 2023-04-27 TUN-7398: Add support for quic safe stream to set deadline
+- 2023-04-26 TUN-7394: Retry StartFirstTunnel on quic.ApplicationErrors
+- 2023-04-26 TUN-7392: Ignore release checksum upload if asset already uploaded
+- 2023-04-25 TUN-7392: Ignore duplicate artifact uploads for github release
+- 2023-04-25 TUN-7393: Add json output for cloudflared tail
+- 2023-04-24 TUN-7390: Remove Debian stretch builds
+
+2023.4.2
+- 2023-04-24 TUN-7133: Add sampling support for streaming logs
+- 2023-04-21 TUN-7141: Add component tests for streaming logs
+- 2023-04-21 TUN-7373: Streaming logs override for same actor
+- 2023-04-20 TUN-7383: Bump requirements.txt
+- 2023-04-19 TUN-7361: Add a label to override hostname
+- 2023-04-19 TUN-7378: Remove RPC debug logs
+- 2023-04-18 TUN-7360: Add Get Host Details handler in management service
+- 2023-04-17 AUTH-3122 Verify that Access tokens are still valid in curl command
+- 2023-04-17 TUN-7129: Categorize TCP logs for streaming logs
+- 2023-04-17 TUN-7130: Categorize UDP logs for streaming logs
+- 2023-04-10 AUTH-4887 Add aud parameter to token transfer url
+
+2023.4.1
+- 2023-04-13 TUN-7368: Report destination address for TCP requests in logs
+- 2023-04-12 TUN-7134: Acquire token for cloudflared tail
+- 2023-04-12 TUN-7131: Add cloudflared log event to connection messages and enable streaming logs
+- 2023-04-11 TUN-7132 TUN-7136: Add filter support for streaming logs
+- 2023-04-06 TUN-7354: Don't warn for empty ingress rules when using --token
+- 2023-04-06 TUN-7128: Categorize logs from public hostname locations
+- 2023-04-06 TUN-7351: Add streaming logs session ping and timeout
+- 2023-04-06 TUN-7335: Fix cloudflared update not working in windows
+
+2023.4.0
+- 2023-04-07 TUN-7356: Bump golang.org/x/net package to 0.7.0
+- 2023-04-07 TUN-7357: Bump to go 1.19.6
+- 2023-04-06 TUN-7127: Disconnect logger level requirement for management
+- 2023-04-05 TUN-7332: Remove legacy tunnel force flag
+- 2023-04-05 TUN-7135: Add cloudflared tail
+- 2023-04-04 Add suport for OpenBSD (#916)
+- 2023-04-04 Fix typo (#918)
+- 2023-04-04 TUN-7125: Add management streaming logs WebSocket protocol
+- 2023-03-30 TUN-9999: Remove classic tunnel component tests
+- 2023-03-30 TUN-7126: Add Management logger io.Writer
+- 2023-03-29 TUN-7324: Add http.Hijacker to connection.ResponseWriter
+- 2023-03-29 TUN-7333: Default features checkable at runtime across all packages
+- 2023-03-21 TUN-7124: Add intercept ingress rule for management requests
+
+2023.3.1
+- 2023-03-13 TUN-7271: Return 503 status code when no ingress rules configured
+- 2023-03-10 TUN-7272: Fix cloudflared returning non supported status service which breaks configuration migration
+- 2023-03-09 TUN-7259: Add warning for missing ingress rules
+- 2023-03-09 TUN-7268: Default to Program Files as location for win32
+- 2023-03-07 TUN-7252: Remove h2mux connection
+- 2023-03-07 TUN-7253: Adopt http.ResponseWriter for connection.ResponseWriter
+- 2023-03-06 TUN-7245: Add bastion flag to origin service check
+- 2023-03-06 EDGESTORE-108: Remove deprecated s3v2 signature
+- 2023-03-02 TUN-7226: Fixed a missed rename
+
+2023.3.0
+- 2023-03-01 GH-352: Add Tunnel CLI option "edge-bind-address" (#870)
+- 2023-03-01 Fixed WIX template to allow MSI upgrades (#838)
+- 2023-02-28 TUN-7213: Decode Base64 encoded key before writing it
+- 2023-02-28 check.yaml: update actions to v3 (#876)
+- 2023-02-27 TUN-7213: Debug homebrew-cloudflare  build
+- 2023-02-15 RTG-2476 Add qtls override for Go 1.20
+
+2023.2.2
+- 2023-02-22 TUN-7197: Add connIndex tag to debug messages of incoming requests
+- 2023-02-08 TUN-7167: Respect protocol overrides with --token
+- 2023-02-06 TUN-7065: Remove classic tunnel creation
+- 2023-02-06 TUN-6938: Force h2mux protocol to http2 for named tunnels
+- 2023-02-06 TUN-6938: Provide QUIC as first in protocol list
+- 2023-02-03 TUN-7158: Correct TCP tracing propagation
+- 2023-02-01 TUN-7151: Update changes file with latest release notices
+
+2023.2.1
+- 2023-02-01 TUN-7065: Revert Ingress Rule check for named tunnel configurations
+- 2023-02-01 Revert "TUN-7065: Revert Ingress Rule check for named tunnel configurations"
+- 2023-02-01 Revert "TUN-7065: Remove classic tunnel creation"
+2023.1.0
+- 2023-01-10 TUN-7064: RPM digests are now sha256 instead of md5sum
+- 2023-01-04 RTG-2418 Update qtls
+- 2022-12-24 TUN-7057: Remove dependency github.com/gorilla/mux
+- 2022-12-24 TUN-6724: Migrate to sentry-go from raven-go
+
+2022.12.1
+- 2022-12-20 TUN-7021: Fix proxy-dns not starting when cloudflared tunnel is run
+- 2022-12-15 TUN-7010: Changelog for release 2022.12.0
+
+2022.12.0
+- 2022-12-14 TUN-6999: cloudflared should attempt other edge addresses before falling back on protocol
+- 2022-12-13 TUN-7004: Dont show local config dirs for remotely configured tuns
+- 2022-12-12 TUN-7003: Tempoarily disable erroneous notarize-app
+- 2022-12-12 TUN-7003: Add back a missing fi
+- 2022-12-07 TUN-7000: Reduce metric cardinality of closedConnections metric by removing error as tag
+- 2022-12-07 TUN-6994: Improve logging config file not found
+- 2022-12-07 TUN-7002: Randomise first region selection
+- 2022-12-07 TUN-6995: Disable quick-tunnels spin up by default
+- 2022-12-05 TUN-6984: Add bash set x to improve visibility during builds
+- 2022-12-05 TUN-6984: [CI] Ignore security import errors for code_sigining
+- 2022-12-05 TUN-6984: [CI] Don't fail on unset.
+- 2022-11-30 TUN-6984: Set euo pipefile for homebrew builds
+
+2022.11.1
+- 2022-11-29 TUN-6981: We should close UDP socket if failed to connecto to edge
+- 2022-11-25 CUSTESC-23757: Fix a bug where a wildcard ingress rule would match an host without starting with a dot
+- 2022-11-24 TUN-6970: Print newline when printing tunnel token
+- 2022-11-22 TUN-6963: Refactor Metrics service setup
+2022.11.0
+- 2022-11-16 Revert "TUN-6935: Cloudflared should use APIToken instead of serviceKey"
+- 2022-11-16 TUN-6929: Use same protocol for other connections as first one
+- 2022-11-14 TUN-6941: Reduce log level to debug when failing to proxy ICMP reply
+- 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
+- 2022-11-14 TUN-6935: Cloudflared should use APIToken instead of serviceKey
+- 2022-11-11 TUN-6937: Bump golang.org/x/* packages to new release tags
+- 2022-11-10 ZTC-234: macOS tests
+- 2022-11-09 TUN-6927: Refactor validate access configuration to allow empty audTags only
+- 2022-11-08 ZTC-234: Replace ICMP funnels when ingress connection changes
+- 2022-11-04 TUN-6917: Bump go to 1.19.3
+- 2022-11-02 Issue #574: Better ssh config for short-lived cert (#763)
+- 2022-10-28 TUN-6898: Fix bug handling IPv6 based ingresses with missing port
+- 2022-10-28 TUN-6898: Refactor addPortIfMissing
+2022.10.3
+- 2022-10-24 TUN-6871: Add default feature to cloudflared to support EOF on QUIC connections
+- 2022-10-19 TUN-6876: Fix flaky TestTraceICMPRouterEcho by taking account request span can return before reply
+- 2022-10-18 TUN-6867: Clear spans right after they are serialized to avoid returning duplicate spans
+2022.10.2
+- 2022-10-18 TUN-6869: Fix Makefile complaining about missing GO packages
+- 2022-10-18 TUN-6864: Don't reuse port in quic unit tests
+- 2022-10-18 TUN-6868: Return left padded tracing ID when tracing identity is converted to string
+
+2022.10.1
+- 2022-10-16 TUN-6861: Trace ICMP on Windows
+- 2022-10-15 TUN-6860: Send access configuration keys to the edge
+- 2022-10-14 TUN-6858: Trace ICMP reply
+- 2022-10-13 TUN-6855: Add DatagramV2Type for IP packet with trace and tracing spans
+- 2022-10-13 TUN-6856: Refactor to lay foundation for tracing ICMP
+- 2022-10-13 TUN-6604: Trace icmp echo request on Linux and Darwin
+- 2022-10-12 Fix log message (#591)
+- 2022-10-12 TUN-6853: Reuse source port when connecting to the edge for quic connections
+- 2022-10-11 TUN-6829: Allow user of datagramsession to control logging level of errors
+- 2022-10-10 RTG-2276 Update qtls and go mod tidy
+- 2022-10-05 Add post-quantum flag to quick tunnel
+- 2022-10-05 TUN-6823: Update github release message to pull from KV
+- 2022-10-04 TUN-6825: Fix cloudflared:version images require arch hyphens
+- 2022-10-03 TUN-6806: Add ingress rule number to log when filtering due to middlware handler
+- 2022-08-17 Label correct container
+- 2022-08-16 Fix typo in help text for `cloudflared tunnel route lb`
+- 2022-07-18 drop usage of cat when sed is invoked to generate the manpage
+- 2021-03-15 update-build-readme
+- 2021-03-15 fix link
+
+2022.10.0
+- 2022-09-30 TUN-6755: Remove unused publish functions
+- 2022-09-30 TUN-6813: Only proxy ICMP packets when warp-routing is enabled
+- 2022-09-29 TUN-6811: Ping group range should be parsed as int32
+- 2022-09-29 TUN-6812: Drop IP packets if ICMP proxy is not initialized
+- 2022-09-28 TUN-6716: Document limitation of Windows ICMP proxy
+- 2022-09-28 TUN-6810: Add component test for post-quantum
+- 2022-09-27 TUN-6715: Provide suggestion to add cloudflared to ping_group_range if it failed to open ICMP socket
+- 2022-09-22 TUN-6792: Fix brew core release by not auditing the formula
+- 2022-09-22 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
+- 2022-09-22 TUN-6775: Add middleware.Handler verification to ProxyHTTP
+- 2022-09-22 TUN-6791: Calculate ICMPv6 checksum
+- 2022-09-22 TUN-6801: Add punycode alternatives for ingress rules
+- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
+- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
+- 2022-09-21 TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware
+- 2022-09-21 TUN-6772: Add a JWT Validator as an ingress verifier
+- 2022-09-20 TUN-6741: ICMP proxy tries to listen on specific IPv4 & IPv6 when possible
+2022.9.1
+- 2022-09-20 TUN-6777: Fix race condition in TestFunnelIdleTimeout
+- 2022-09-20 TUN-6595: Enable datagramv2 and icmp proxy by default
+- 2022-09-20 TUN-6773: Add access based configuration to ingress.OriginRequestConfig
+- 2022-09-19 TUN-6778: Cleanup logs about ICMP
+- 2022-09-19 TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate
+- 2022-09-19 TUN-6780: Add support for certReload to also include support for client certificates
+- 2022-09-16 TUN-6767: Build ICMP proxy for Windows only when CGO is enabled
+- 2022-09-15 TUN-6590: Use Windows Teamcity agent to build binary
+- 2022-09-13 TUN-6592: Decrement TTL and return ICMP time exceed if it's 0
+- 2022-09-09 TUN-6749: Fix icmp_generic build
+- 2022-09-09 TUN-6744: On posix platforms, assign unique echo ID per (src, dst, echo ID)
+- 2022-09-08 TUN-6743: Support ICMPv6 echo on Windows
+- 2022-09-08 TUN-6689: Utilize new RegisterUDPSession to begin tracing
+- 2022-09-07 TUN-6688: Update RegisterUdpSession capnproto to include trace context
+- 2022-09-06 TUN-6740: Detect no UDP packets allowed and fallback from QUIC in that case
+- 2022-09-06 TUN-6654: Support ICMPv6 on Linux and Darwin
+- 2022-09-02 TUN-6696: Refactor flow into funnel and close idle funnels
+- 2022-09-02 TUN-6718: Bump go and go-boring 1.18.6
+- 2022-08-29 TUN-6531: Implement ICMP proxy for Windows using IcmpSendEcho
+- 2022-08-24 RTG-1339 Support post-quantum hybrid key exchange
+
+2022.9.0
+- 2022-09-05 TUN-6737: Fix datagramV2Type should be declared in its own block so it starts at 0
+- 2022-09-01 TUN-6725: Fix testProxySSEAllData
+- 2022-09-01 TUN-6726: Fix maxDatagramPayloadSize for Windows QUIC datagrams
+- 2022-09-01 TUN-6729: Fix flaky TestClosePreviousProxies
+- 2022-09-01 TUN-6728: Verify http status code ingress rule
+- 2022-08-25 TUN-6695: Implement ICMP proxy for linux
+
+2022.8.4
+- 2022-08-31 TUN-6717: Update Github action to run with Go 1.19
+- 2022-08-31 TUN-6720: Remove forcibly closing connection during reconnect signal
+- 2022-08-29 Release 2022.8.3
+
+2022.8.3
+- 2022-08-26 TUN-6708: Fix replace flow logic
+- 2022-08-25 TUN-6705: Tunnel should retry connections forever
+- 2022-08-25 TUN-6704: Honor protocol flag when edge discovery is unreachable
+- 2022-08-25 TUN-6699: Add metric for packet too big dropped
+- 2022-08-24 TUN-6691: Properly error check for net.ErrClosed
+- 2022-08-22 TUN-6679: Allow client side of quic request to close body
+- 2022-08-22 TUN-6586: Change ICMP proxy to only build for Darwin and use echo ID to track flows
+- 2022-08-18 TUN-6530: Implement ICMPv4 proxy
+- 2022-08-17 TUN-6666: Define packet package
+- 2022-08-17 TUN-6667: DatagramMuxerV2 provides a method to receive RawPacket
+- 2022-08-16 TUN-6657: Ask for Tunnel ID and Configuration on Bug Report
+- 2022-08-16 TUN-6676: Add suport for trailers in http2 connections
+- 2022-08-11 TUN-6575: Consume cf-trace-id from incoming http2 TCP requests
+
+2022.8.2
+- 2022-08-16 TUN-6656: Docker for arm64 should not be deployed in an amd64 container
+
+2022.8.1
+- 2022-08-15 TUN-6617: Updated CHANGES.md for protocol stickiness
+- 2022-08-12 EDGEPLAT-3918: bump go and go-boring to 1.18.5
+- 2022-08-12 TUN-6652: Publish dockerfile for both amd64 and arm64
+- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
+- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
+- 2022-08-11 Revert "TUN-6617: Dont fallback to http2 if QUIC conn was successful."
+- 2022-08-11 TUN-6617: Dont fallback to http2 if QUIC conn was successful.
+- 2022-08-01 TUN-6584: Define QUIC datagram v2 format to support proxying IP packets
+
+2022.8.0
+- 2022-08-10 TUN-6637: Upgrade quic-go
+- 2022-08-10 TUN-6646: Add support to SafeStreamCloser to close only write side of stream
+- 2022-08-09 TUN-6642: Fix unexpected close of quic stream triggered by upstream origin close
+- 2022-08-09 TUN-6639: Validate cyclic ingress configuration
+- 2022-08-08 TUN-6637: Upgrade go version and quic-go
+- 2022-08-08 TUN-6639: Validate cyclic ingress configuration
+- 2022-08-04 EDGEPLAT-3918: build cloudflared for Bookworm
+- 2022-08-02 Revert "TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span"
+- 2022-07-27 TUN-6601: Update gopkg.in/yaml.v3 references in modules
+- 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
+- 2022-07-26 TUN-6576: Consume cf-trace-id from incoming TCP requests to create root span
+- 2022-07-25 TUN-6598: Remove auto assignees on github issues
+- 2022-07-20 TUN-6583: Remove legacy --ui flag
+- 2022-07-20 cURL supports stdin and uses os pipes directly without copying
+- 2022-07-07 TUN-6517: Use QUIC stream context while proxying HTTP requests and TCP connections
+2022.7.1
+- 2022-07-06 TUN-6503: Fix transport fallback from QUIC in face of dial error "no network activity"
+
+2022.7.0
+- 2022-07-05 TUN-6499: Remove log that is per datagram
+- 2022-06-24 TUN-6460: Rename metric label location to edge_location
+- 2022-06-24 TUN-6459: Add cloudflared user-agent to access calls
+- 2022-06-17 TUN-6427: Differentiate between upstream request closed/canceled and failed origin requests
+- 2022-06-17 TUN-6388: Fix first tunnel connection not retrying
+- 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first
+- 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration
+- 2022-06-07 TUN-6010: Add component tests for --edge-ip-version
+- 2022-05-20 TUN-6007: Implement new edge discovery algorithm
+- 2022-02-18 Ensure service install directories are created before writing file
+
+2022.6.3
+- 2022-06-20 TUN-6362: Add armhf support to cloudflare packaging
+
+2022.6.2
+- 2022-06-13 TUN-6381: Write error data on QUIC stream when we fail to talk to the origin; separate logging for protocol errors vs. origin errors.
+- 2022-06-17 TUN-6414: Remove go-sumtype from cloudflared build process
+- 2022-06-01 Add Http2Origin option to force HTTP/2 origin connections
+- 2022-06-02 fix ingress rules unit test
+- 2022-06-09 Update remaining OriginRequestConfig functions for Http2Origins
+- 2022-05-31 Add image source label to docker container.
+- 2022-05-10 Warp Private Network link updated
+
+2022.6.1
+- 2022-06-14 TUN-6395: Fix writing RPM repo data
+
+2022.6.0
+- 2022-06-14 Revert "TUN-6010: Add component tests for --edge-ip-version"
+- 2022-06-14 Revert "TUN-6373: Add edge-ip-version to remotely pushed configuration"
+- 2022-06-14 Revert "TUN-6384: Correct duplicate connection error to fetch new IP first"
+- 2022-06-14 Revert "TUN-6007: Implement new edge discovery algorithm"
+- 2022-06-13 TUN-6385: Don't share err between acceptStream loop and per-stream goroutines
+- 2022-06-13 TUN-6384: Correct duplicate connection error to fetch new IP first
+- 2022-06-13 TUN-6373: Add edge-ip-version to remotely pushed configuration
+- 2022-06-13 TUN-6380: Enforce connect and keep-alive timeouts for TCP connections in both WARP routing and websocket based TCP proxy.
+- 2022-06-11 Update issue templates
+- 2022-06-11 Amendment to previous PR
+- 2022-06-09 TUN-6347: Add TCP stream logs with FlowID
+- 2022-06-08 TUN-6361: Add cloudflared arm builds to pkging as well
+- 2022-06-07 TUN-6357: Add connector id to ready check endpoint
+- 2022-06-07 TUN-6010: Add component tests for --edge-ip-version
+- 2022-06-06 TUN-6191: Update quic-go to v0.27.1 and with custom patch to allow keep alive period to be configurable
+- 2022-06-03 TUN-6343: Fix QUIC->HTTP2 fallback
+- 2022-06-02 TUN-6339: Add config for IPv6 support
+- 2022-06-02 TUN-6341: Fix default config value for edge-ip-version
+- 2022-06-01 TUN-6323: Add Xenial and Trusty for Ubuntu pkging
+- 2022-05-31 TUN-6210: Add cloudflared.repo to make it easy for yum installs
+- 2022-05-30 TUN-6293: Update yaml v3 to latest hotfix
+- 2022-05-20 TUN-6007: Implement new edge discovery algorithm
+2022.5.3
+- 2022-05-30 TUN-6308: Add debug logs to see if packets are sent/received from edge
+- 2022-05-30 TUN-6301: Allow to update logger used by UDP session manager
+
+2022.5.2
+- 2022-05-23 TUN-6270: Import gpg keys from environment variables
+- 2022-05-24 TUN-6209: Improve feedback process if release_pkgs to deb and rpm fail
+- 2022-05-24 TUN-6280: Don't wrap qlog connection tracer for gatethering QUIC metrics since we're not writing qlog files.
+- 2022-05-25 TUN-6209: Sign RPM packages
+- 2022-05-25 TUN-6285: Upload pkg assets to repos when cloudflared is released.
+- 2022-05-24 TUN-6282: Upgrade golang to 1.17.10, go-boring to 1.17.9
+- 2022-05-26 TUN-6292: Debug builds for cloudflared
+- 2022-05-28 TUN-6304: Fixed some file permission issues
+- 2022-05-11 TUN-6197: Publish to brew core should not try to open the browser
+- 2022-05-12 TUN-5943: Add RPM support
+- 2022-05-18 TUN-6248: Fix panic in cloudflared during tracing when origin doesn't provide header map
+- 2022-05-18 TUN-6250: Add upstream response status code to tracing span attributes
+
+2022.5.1
+- 2022-05-06 TUN-6146: Release_pkgs is now a generic command line script
+- 2022-05-06 TUN-6185: Fix tcpOverWSOriginService not using original scheme for String representation
+- 2022-05-05 TUN-6175: Simply debian packaging by structural upload
+- 2022-05-05 TUN-5945: Added support for Ubuntu releases
+- 2022-05-04 TUN-6054: Create and upload deb packages to R2
+- 2022-05-03 TUN-6161: Set git user/email for brew core release
+- 2022-05-03 TUN-6166: Fix mocked QUIC transport for UDP proxy manager to return expected error
+- 2022-04-27 TUN-6016: Push local managed tunnels configuration to the edge
+2022.5.0
+- 2022-05-02 TUN-6158: Update golang.org/x/crypto
+- 2022-04-20 VULN-8383 Bump yaml.v2 to yaml.v3
+- 2022-04-21 TUN-6123: For a given connection with edge, close all datagram sessions through this connection when it's closed
+- 2022-04-20 TUN-6015: Add RPC method for pushing local config
+- 2022-04-21 TUN-6130: Fix vendoring due to case sensitive typo in package
+- 2022-04-27 TUN-6142: Add tunnel details support to RPC
+- 2022-04-28 TUN-6014: Add remote config flag as default feature
+- 2022-04-12 TUN-6000: Another fix for publishing to brew core
+- 2022-04-11 TUN-5990: Add otlp span export to response header
+- 2022-04-19 TUN-6070: First connection retries other edge IPs if the error is quic timeout(likely due to firewall blocking UDP)
+- 2022-04-11 TUN-6030: Add ttfb span for origin http request
+
+2022.4.1
+- 2022-04-11 TUN-6035: Reduce buffer size when proxying data
+- 2022-04-11 TUN-6038: Reduce buffer size used for proxying data
+- 2022-04-11 TUN-6043: Allow UI-managed Tunnels to fallback from QUIC but warn about that
+- 2022-04-07 TUN-6000 add version argument to bump-formula-pr
+- 2022-04-06 TUN-5989: Add in-memory otlp exporter
+
+2022.4.0
+- 2022-04-01 TUN-5973: Add backoff for non-recoverable errors as well
+- 2022-04-05 TUN-5992: Use QUIC protocol for remotely managed tunnels when protocol is unspecified
+- 2022-04-06 Update Makefile
+- 2022-04-06 TUN-5995: Update prometheus to 1.12.1 to avoid vulnerabilities
+- 2022-04-07 TUN-5995: Force prometheus v1.12.1 usage
+- 2022-04-07 TUN-4130: cloudflared docker images now have a latest tag
+- 2022-03-30 TUN-5842: Fix flaky TestConcurrentUpdateAndRead by making sure resources are released
+- 2022-03-30 carrier: fix dropped errors
+- 2022-03-25 TUN-5959: tidy go.mod
+- 2022-03-25 TUN-5958: Fix release to homebrew core
+- 2022-03-28 TUN-5960: Do not log the tunnel token or json credentials
+- 2022-03-28 TUN-5956: Add timeout to session manager APIs
+
+2022.3.4
+- 2022-03-22 TUN-5918: Clean up text in cloudflared tunnel --help
+- 2022-03-22 TUN-5895 run brew bump-formula-pr on release
+- 2022-03-22 TUN-5915: New cloudflared command to allow to retrieve the token credentials for a Tunnel
+- 2022-03-24 TUN-5933: Better messaging to help user when installing service if it is already installed
+- 2022-03-25 TUN-5954: Start cloudflared service in Linux too similarly to other OSs
+- 2022-03-14 TUN-5869: Add configuration endpoint in metrics server
+
+2022.3.3
+- 2022-03-17 TUN-5893: Start windows service on install, stop on uninstall. Previously user had to manually start the service after running 'cloudflared tunnel install' and stop the service before running uninstall command.
+- 2022-03-17 Revert "CC-796: Remove dependency on unsupported version of go-oidc"
+- 2022-03-18 TUN-5881: Clarify success (or lack thereof) of (un)installing cloudflared service
+- 2022-03-18 CC-796: Remove dependency on unsupported version of go-oidc
+- 2022-03-18 TUN-5907: Change notes for 2022.3.3
+
+2022.3.2
+- 2022-03-10 TUN-5833: Create constant for allow-remote-config
+- 2022-03-15 TUN-5867: Return error if service was already installed
+- 2022-03-16 TUN-5833: Send feature `allow_remote_config` if Tunnel is run with --token
+- 2022-03-08 TUN-5849: Remove configuration debug log
+- 2022-03-08 TUN-5850: Update CHANGES.md with latest releases
+- 2022-03-08 TUN-5851: Update all references to point to Apache License 2.0
+- 2022-03-07 TUN-5853 Add "install" make target and build package manager info into executable
+- 2022-03-08 TUN-5801: Add custom wrapper for OriginConfig for JSON serde
+- 2022-03-09 TUN-5703: Add prometheus metric for current configuration version
+- 2022-02-05 CC-796: Remove dependency on unsupported version of go-oidc
+
+2022.3.1
+- 2022-03-04 TUN-5837: Log panic recovery in http2 logic with debug level log
+- 2022-03-04  TUN-5696: HTTP/2 Configuration Update
+- 2022-03-04 TUN-5836: Avoid websocket#Stream function from crashing cloudflared with unexpected memory access
+- 2022-03-05 TUN-5836: QUIC transport no longer sets body to nil in any condition
+
+2022.3.0
+- 2022-03-02 TUN-5680: Adapt component tests for new service install based on token
+- 2022-02-21 TUN-5682: Remove name field from credentials
+- 2022-02-21 TUN-5681: Add support for running tunnel using Token
+- 2022-02-28 TUN-5824: Update updater no-update-in-shell link
+- 2022-02-28 TUN-5823: Warn about legacy flags that are ignored when ingress rules are used
+- 2022-02-28 TUN-5737: Support https protocol over unix socket origin
+- 2022-02-23 TUN-5679: Add support for service install using Tunnel Token
+
+2022.2.2
+- 2022-02-22 TUN-5754: Allow ingress validate to take plaintext option
+- 2022-02-17 TUN-5678: Cloudflared uses typed tunnel API
+
+2022.2.1
+- 2022-02-10 TUN-5184: Handle errors in bidrectional streaming (websocket#Stream) gracefully when 1 side has ended
+- 2022-02-14 Update issue templates
+- 2022-02-14 Update issue templates
+- 2022-02-11 TUN-5768: Update cloudflared license file
+- 2022-02-11 TUN-5698: Make ingress rules and warp routing dynamically configurable
+- 2022-02-14 TUN-5678: Adapt cloudflared to use new typed APIs
+- 2022-02-17 Revert "TUN-5678: Adapt cloudflared to use new typed APIs"
+- 2022-02-11 TUN-5697: Listen for UpdateConfiguration RPC in quic transport
+- 2022-02-04 TUN-5744: Add a test to make sure cloudflared uses scheme defined in ingress rule, not X-Forwarded-Proto header
+- 2022-02-07 TUN-5749: Refactor cloudflared to pave way for reconfigurable ingress - Split origin into supervisor and proxy packages - Create configManager to handle dynamic config
+- 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown
+
+2022.2.0
+- 2022-02-02 TUN-4947: Use http when talking to Unix sockets origins
+- 2022-02-02 TUN-5695: Define RPC method to update configuration
+- 2022-01-27 TUN-5621: Correctly manage QUIC stream closing
+- 2022-01-28 TUN-5702: Allow to deserialize config from JSON
+
+2022.1.3
+- 2022-01-21 TUN-5477: Unhide vnet commands
+- 2022-01-24 TUN-5669: Change network command to vnet
+- 2022-01-25 TUN-5675: Remove github.com/dgrijalva/jwt-go dependency by upgrading coredns version
+- 2022-01-27 TUN-5719: Re-attempt connection to edge with QUIC despite network error when there is no fallback
+- 2022-01-28 TUN-5724: Fix SSE streaming by guaranteeing we write everything we read
+- 2022-01-17 TUN-5547: Bump golang x/net package to fix http2 transport bugs
+- 2022-01-19 TUN-5659: Proxy UDP with zero-byte payload
+- 2021-10-22 Add X-Forwarded-Host for http proxy
+
+2022.1.2
+- 2022-01-13 TUN-5650: Fix pynacl version to 1.4.0 and pygithub version to 1.55 so release doesn't break unexpectedly
+
+2022.1.1
+- 2022-01-10 TUN-5631: Build everything with go 1.17.5
+- 2022-01-06 TUN-5623: Configure quic max datagram frame size to 1350 bytes for none Windows platforms
+
+2022.1.0
+- 2022-01-03 TUN-5612: Add support for specifying TLS min/max version
+- 2022-01-03 TUN-5612: Make tls min/max version public visible
+- 2022-01-03 TUN-5551: Internally published debian artifacts are now named just cloudflared even though they are FIPS compliant
+- 2022-01-04 TUN-5600: Close QUIC transports as soon as possible while respecting graceful shutdown
+- 2022-01-05 TUN-5616: Never fallback transport if user chooses it on purpose
+- 2022-01-05 TUN-5204: Unregister QUIC transports on disconnect
+- 2022-01-04 TUN-5600: Add coverage to component tests for various transports
+
+2021.12.4
+- 2021-12-27 TUN-5482: Refactor tunnelstore client related packages for more coherent package
+- 2021-12-27 TUN-5551: Change internally published debian package to be FIPS compliant
+- 2021-12-27 TUN-5551: Show whether the binary was built for FIPS compliance
+
+2021.12.3
+- 2021-12-22 TUN-5584: Changes for release 2021.12.2
+- 2021-12-22 TUN-5590: QUIC datagram max user payload is 1217 bytes
+- 2021-12-22 TUN-5593: Read full packet from UDP connection, even if it exceeds MTU of the transport. When packet length is greater than the MTU of the transport, we will silently drop packets (for now).
+- 2021-12-23 TUN-5597: Log session ID when session is terminated by edge
+
+2021.12.2
+- 2021-12-20 TUN-5571: Remove redundant session manager log, it's already logged in origin/tunnel.ServeQUIC
+- 2021-12-20 TUN-5570: Only log RPC server events at error level to reduce noise
+- 2021-12-14 TUN-5494: Send a RPC with terminate reason to edge if the session is closed locally
+- 2021-11-09 TUN-5551: Reintroduce FIPS compliance for linux amd64 now as separate binaries
+
+2021.12.1
+- 2021-12-16 TUN-5549: Revert "TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64"
+
+2021.12.0
+- 2021-12-13 TUN-5530: Get current time from ticker
+- 2021-12-15 TUN-5544: Update CHANGES.md for next release
+- 2021-12-07 TUN-5519: Adjust URL for virtual_networks endpoint to match what we will publish
+- 2021-12-02 TUN-5488: Close session after it's idle for a period defined by registerUdpSession RPC
+- 2021-12-09 TUN-5504: Fix upload of packages to public repo
+- 2021-11-30 TUN-5481: Create abstraction for Origin UDP Connection
+- 2021-11-30 TUN-5422: Define RPC to unregister session
+- 2021-11-26 TUN-5361: Commands for managing virtual networks
+- 2021-11-29 TUN-5362: Adjust route ip commands to be aware of virtual networks
+- 2021-11-23 TUN-5301: Separate datagram multiplex and session management logic from quic connection logic
+- 2021-11-10 TUN-5405: Update net package to v0.0.0-20211109214657-ef0fda0de508
+- 2021-11-10 TUN-5408: Update quic package to v0.24.0
+- 2021-11-12 Fix typos
+- 2021-11-13 Fix for Issue #501: Unexpected User-agent insertion when tunneling http request
+- 2021-11-16 TUN-5129: Remove `-dev` suffix when computing version and Git has uncommitted changes
+- 2021-11-18 TUN-5441: Fix message about available protocols
+- 2021-11-12 TUN-5300: Define RPC to register UDP sessions
+- 2021-11-14 TUN-5299: Send/receive QUIC datagram from edge and proxy to origin as UDP
+- 2021-11-04 TUN-5387: Updated CHANGES.md for 2021.11.0
+- 2021-11-08 TUN-5368: Log connection issues with LogLevel that depends on tunnel state
+- 2021-11-09 TUN-5397: Log cloudflared output when it fails to connect tunnel
+- 2021-11-09 TUN-5277: Ensure cloudflared binary is FIPS compliant on linux amd64
+- 2021-11-08 TUN-5393: Content-length is no longer a control header for non-h2mux transports
+
+2021.11.0
+- 2021-11-03 TUN-5285: Fallback to HTTP2 immediately if connection times out with no network activity
+- 2021-09-29 Add flag to 'tunnel create' subcommand to specify a base64-encoded secret
+
+2021.10.5
+- 2021-10-25 Update change log for release 2021.10.4
+- 2021-10-25 Revert "TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown"
+
+2021.10.4
+- 2021-10-21 TUN-5287: Fix misuse of wait group in TestQUICServer that caused the test to exit immediately
+- 2021-10-21 TUN-5286: Upgrade crypto/ssh package to fix CVE-2020-29652
+- 2021-10-18 TUN-5262: Allow to configure max fetch size for listing queries
+- 2021-10-19 TUN-5262: Improvements to `max-fetch-size` that allow to deal with large number of tunnels in account
+- 2021-10-15 TUN-5261: Collect QUIC metrics about RTT, packets and bytes transfered and log events at tracing level
+- 2021-10-19 TUN-5184: Make sure outstanding websocket write is finished, and no more writes after shutdown
+
+2021.10.3
+- 2021-10-14 TUN-5255: Fix potential panic if Cloudflare API fails to respond to GetTunnel(id) during delete command
+- 2021-10-14 TUN-5257: Fix more cfsetup targets that were broken by recent package changes
+
+2021.10.2
+- 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold
+- 2021-10-14 TUN-5250: Add missing packages for cfsetup to succeed in github release pkgs target
+
+2021.10.1
+- 2021-10-12 TUN-5246: Use protocol: quic for Quick tunnels if one is not already set
+- 2021-10-13 TUN-5249: Revert "TUN-5138: Switch to QUIC on auto protocol based on threshold"
+
+2021.10.0
+- 2021-10-11 TUN-5138: Switch to QUIC on auto protocol based on threshold
+- 2021-10-07 TUN-5195: Do not set empty body if not applicable
+- 2021-10-08 UN-5213: Increase MaxStreams value for QUIC transport
+- 2021-09-28 TUN-5169: Release 2021.9.2 CHANGES.md
+- 2021-09-28 TUN-5164: Update README and clean up references to Argo Tunnel (using Cloudflare Tunnel instead)
+
+2021.9.2
+- 2021-09-21 TUN-5129: Use go 1.17 and copy .git folder to docker build to compute version
+- 2021-09-21 TUN-5128: Enforce maximum grace period
+- 2021-09-22 TUN-5141: Make sure websocket pinger returns before streaming returns
+- 2021-09-24 TUN-5142: Add asynchronous servecontrolstream for QUIC
+- 2021-09-24 TUN-5142: defer close rpcconn inside unregister instead of ServeControlStream
+- 2021-09-27 TUN-5160: Set request.ContentLength when this value is in request header
+
+2021.9.1
+- 2021-09-21 TUN-5118: Quic connection now detects duplicate connections similar to http2
+- 2021-09-15 Fix TryCloudflare link
+
+2021.9.0
+- 2021-09-02 Fix broken TryCloudflare link
+- 2021-09-03 Add support for taking named tunnel credentials from an environment variable
+- 2021-08-30 TUN-5012: Use patched go-sumtype
+- 2021-08-31 TUN-5011: Use the region parameter in fallback SRV lookup
+- 2021-08-31 TUN-5029: Do not strip cf- prefixed headers
+- 2021-08-29 TUN-5009: Updated github action to use go 1.17.x for checks
+- 2021-08-28 TUN-5010: --region should be a string flag
+- 2021-08-10 Allow building on arm64 platforms
+- 2021-06-09 Update README.md
+- 2021-05-31 🖌️ Allow providing TokenID and TokenSecret as env vars when calling cloudflared access
+- 2021-05-31 🎨 Prefix env var parameters with TUNNEL
+
+2021.8.7
+- 2021-08-28 Revert "TUN-4926: Implement --region configuration option"
+
+2021.8.6
+- 2021-08-27 TUN-5000: De-flake logging to dir component test in Windows by increasing to buffer to cope with more logging
+- 2021-08-27 TUN-5003: Fix cfsetup for non-FIPS golang version
+
+2021.8.5
+- 2021-08-27 TUN-4961: Update quic-go to latest
+- 2021-08-27 Release 2021.8.4
+
+2021.8.4
+- 2021-08-26 TUN-4974: Fix regression where we were debug logging by accident
+- 2021-08-26 TUN-4970: Only default to http2 for warp-routing if protocol is h2mux
+- 2021-08-26 TUN-4981: Improve readability of prepareTunnelConfig method
+- 2021-08-26 TUN-4926: Implement --region configuration option
+- 2021-07-09 TUN-4821: Make quick tunnels the default in cloudflared
+
+2021.8.3
+- 2021-08-23 TUN-4889: Add back appendtagheaders function
+- 2021-08-21 TUN-4940: Fix cloudflared not picking up correct NextProtos for quic
+- 2021-08-21 TUN-4613: Add a no-op protocol version slot
+- 2021-08-13 TUN-4922: Downgrade quic-go library to 0.20.0
+- 2021-08-17 TUN-4866: Add Control Stream for QUIC
+- 2021-08-17 TUN-4927: Parameterize region in edge discovery code
+- 2021-08-06 TUN-4602: Added UDP resolves to Edge discovery
+
+2021.8.2
+- 2021-08-03 TUN-4597: Added HTTPProxy for QUIC
+- 2021-08-04 TUN-4795: Remove Equinox releases
+- 2021-08-09 TUN-4911: Append Environment variable to Path instead of overwriting it
+
+2021.8.1
+- 2021-08-02 TUN-4855: Added CHANGES.md for release 2021.8.0
+- 2021-08-03 TUN-4597: Add a QUIC server skeleton
+- 2021-08-03 TUN-4873: Disable unix domain socket test for windows unit tests
+- 2021-08-04 TUN-4875: Added amd64-linux builds back to releases
+
+2021.8.0
+- 2021-07-30 TUN-4847: Allow to list tunnels by prefix name or exclusion prefix name
+- 2021-07-30 TUN-4772: Release built executables with packages
+- 2021-07-30 TUN-4851: Component tests to smoke test that Proxy DNS and Tunnel are only run when expected
+- 2021-07-28 TUN-4811: Publish quick tunnels' hostname in /metrics under `userHostname` for backwards-compatibility
+- 2021-07-29 TUN-4832: Prevent tunnel from running accidentally when only proxy-dns should run
+- 2021-07-28 TUN-4819: Tolerate protocol TXT record lookup failing
+
+2021.7.4
+- 2021-07-28 TUN-4814: Revert "TUN-4699: Make quick tunnels the default in cloudflared"
+- 2021-07-28 TUN-4812: Disable CGO for cloudflared builds
+
+2021.7.3
+- 2021-07-27 TUN-4799: Build deb, msi and rpm packages with fips
+
+2021.7.2
+- 2021-07-27 Fixed a syntax error with python logging.
+
+2021.7.1
+- 2021-07-21 TUN-4755: Add a windows msi release option to Make
+- 2021-07-22 TUN-4761: Added a build-all-packages target to cfsetup
+- 2021-07-26 TUN-4771: Upload deb, rpm and msi packages to github
+- 2021-07-14 TUN-4714: Name nightly package cloudflared-nightly to avoid apt conflict
+- 2021-07-16 TUN-4701: Split Proxy into ProxyHTTP and ProxyTCP
+- 2021-07-08 TUN-4596: Add QUIC application protocol for QUIC stream handshake
+- 2021-07-09 TUN-4699: Make quick tunnels the default in cloudflared
+
+2021.7.0
+- 2021-07-01 TUN-4626: Proxy non-stream based origin websockets with http Roundtrip.
+- 2021-07-01 TUN-4655: ingress.StreamBasedProxy.EstablishConnection takes dest input
+- 2021-07-09 TUN-4698: Add cloudflared metrics endpoint to serve quick tunnel hostname
+- 2021-06-21 TUN-4521: Modify cloudflared to use zoneless-tunnels-worker for free tunnels
+- 2021-04-05 AUTH-3475: Updated GetAppInfo error message
+
+2021.6.0
+- 2021-06-21 TUN-4571: Changelog for 2021.6.0
+- 2021-06-18 TUN-4571: Fix proxying to unix sockets when using HTTP2 transport to Cloudflare Edge
+- 2021-06-07 TUN-4502: Make `cloudflared tunnel route` subcommands described consistently
+- 2021-06-08 TUN-4504: Fix component tests in windows
+- 2021-05-27 TUN-4461: Log resulting DNS hostname if one is received from Cloudflare API
+
+2021.5.10
+- 2021-05-25 TUN-4456: Replaced instances of Tick() with Ticker() in h2mux paths
+
+2021.5.9
+- 2021-05-20 TUN-4426: Fix centos builds
+- 2021-05-20 Update changelog
+- 2021-04-30 AUTH-3426: Point to new transfer service URL and eliminate PUT /ok
+
+2021.5.8
+- 2021-05-14 TUN-4419: Improve error message when cloudflared cannot reach origin
+- 2021-05-19 TUN-4425: --overwrite-dns flag for in adhoc and route dns cmds
+
+2021.5.7
+- 2021-05-17 Fix typo in Changes.md
+- 2021-05-17 TUN-4421: Named Tunnels will automatically select the protocol to connect to Cloudflare's edge network
+
+2021.5.6
+- 2021-05-14 TUN-4418: Downgrade to Go 1.16.3
+
+2021.5.5
+
+
+2021.5.4
+- Fix release pipeline
+
+2021.5.1
+- 2021-05-10 TUN-4342: Fix false positive warning about unused hostname property
+- 2021-05-10 Release 2021.5.0
+
+2021.5.0
+- 2021-05-10 TUN-4384: Silence log from automaxprocs
+- 2021-05-10 AUTH-3537: AUDs in JWTs are now always arrays
+- 2021-05-10 Update changelog for 2021.5.0
+- 2021-05-03 TUN-4343: Fix broken build by setting debug field correctly
+- 2021-05-06 TUN-4356: Set AUTOMAXPROCS to the CPU limit when running in a Linux container
+- 2021-05-06 TUN-4357: Bump Go to 1.16
+- 2021-05-06 TUN-4359: Warn about unused keys in 'tunnel ingress validate'
+- 2021-04-30 debug: log host / path
+- 2021-04-20 AUTH-3513: Checks header for app info in case response is a 403/401 from the edge
+- 2021-04-29 TUN-4000: Release notes for cloudflared replica model
+- 2021-04-09 TUN-2853: rename STDIN-CONTROL env var to STDIN_CONTROL
+- 2021-04-09 TUN-4206: Better error message when user is only using one ingress rule
+
+2021.4.0
+- 2021-04-05 TUN-4178: Fix component test for running as a service in MacOS to not assume a named tunnel
+- 2021-04-05 TUN-4177: Running with proxy-dns should not prevent running Named Tunnels
+- 2021-04-02 TUN-4168: Transparently proxy websocket connections using stdlib HTTP client instead of gorilla/websocket; move websocket client code into carrier package since it's only used by access subcommands now (#345).
+- 2021-04-07 Publish change log for 2021.4.0
+
+2021.3.6
+- 2021-03-30 TUN-4150: Only show the connector table in 'tunnel info' if there are connectors. Don't show rows with zero connections.
+- 2021-03-31 TUN-4153: Revert best-effort HTTP2 usage when talking to origins
+- 2021-03-26 TUN-4141: Better error messages for tunnel info subcommand.
+- 2021-03-29 TUN-4146: Unhide and document grace-period
+- 2021-03-25 TUN-3863: Consolidate header handling logic in the connection package; move headers definitions from h2mux to packages that manage them; cleanup header conversions
+
+2021.3.5
+- 2021-03-26 TUN-3896: http-service and tunnelstore client use http2 transport.
+- 2021-03-25 TUN-4125: Change component tests to run in CI with its own dedicated resources
+- 2021-03-26 Publish change log for 2021.3.5
+
+2021.3.4
+
+
+2021.3.3
+- 2021-03-23 TUN-4111: Warn the user if both properties "tunnel" and "hostname" are used
+- 2021-03-23 TUN-4082: Test logging when running as a service
+- 2021-03-23 TUN-4112: Skip testing graceful shutdown with SIGINT on Windows
+- 2021-03-23 TUN-4116: Ingore credentials-file setting in configuration file during tunnel create and delete opeations.
+- 2021-03-23 TUN-4118: Don't overwrite existing file with tunnel credentials. For ad-hoc tunnels, this means tunnel won't start if there's a file in the way.
+- 2021-03-24 TUN-4123: Don't capture output in reconnect componet test
+- 2021-03-23 TUN-4067: Reformat code for consistent import order, grouping, and fix formatting. Added goimports target to the Makefile to make this easier in the future.
+- 2021-03-24 AUTH-3455: Generate short-lived ssh cert per hostname
+- 2021-03-25 Update changelog 2021.3.3
+
+2021.3.2
+- 2021-03-23 TUN-4042: Capture cloudflared output to debug component tests
+- 2021-03-23 Publish changelog for 2021.3.2
+- 2021-03-16 TUN-4089: Address flakiness in component tests for termination
+- 2021-03-16 TUN-4060: Fix Go Vet warnings (new with go 1.16) where t.Fatalf is called from a test goroutine
+- 2021-03-16 TUN-4091: Use flaky decorator to rerun reconnect component tests when they fail
+- 2021-03-12 TUN-4081: Update log severities to use Zerolog's levels
+- 2021-03-16 TUN-4094: Don't read configuration file for access commands
+- 2021-03-15 TUN-3993: New `cloudflared tunnel info` to obtain details about the active connectors for a tunnel
+- 2021-03-17 TUN-3715: Apply input source to the correct context
+- 2021-03-17 AUTH-3394: Ensure scheme on token command
+- 2021-03-18 TUN-4096: Reduce tunnel not connected assertion backoff to address flaky termination tests
+- 2021-03-19 TUN-3998: Allow to cleanup the connections of a tunnel limited to a single client
+- 2021-02-04 TUN-3715: Only read config file once, right before invoking the command
+
+2021.3.1
+- 2021-03-11 TUN-4051: Add component-tests to test graceful shutdown
+- 2021-03-12 TUN-4052: Add component tests to assert service mode behavior
+
+2021.3.0
+- 2021-03-10 TUN-4075: Dedup test should not compare order of list
+- 2021-03-10 Revert "AUTH-3394: Creates a token per app instead of per path"
+- 2021-03-11 TUN-4066: Remove unnecessary chmod during package publish to CF_PKG_HOSTS
+- 2021-03-11 TUN-4066: Set permissions in build agent before 'scp'-ing to machine hosting package repo
+- 2021-03-11 TUN-4050: Add component tests to assert reconnect behavior
+- 2021-03-10 AUTH-3394: Creates a token per app instead of per path - with fix for free tunnels
+- 2021-03-15 Publish change log for 2021.3.0
+- 2021-03-01 Issue #285 - Makefile does not detect TARGET_ARCH correctly on FreeBSD  (#325)
+- 2021-03-01 TUN-3988: Log why it cannot check if origin cert exists
+- 2021-03-02 TUN-3995: Optional --features flag for tunnel run.
+- 2021-03-02 TUN-3994: Log client_id when running a named tunnel
+- 2021-03-04 TUN-4026: Fix regression where HTTP2 edge transport was no longer propagating control plane errors
+- 2021-03-05 TUN-4055: Skeleton for component tests
+- 2021-03-08 TUN-4047: Add cfsetup target to run component test
+- 2021-03-08 TUN-4016: Delegate decision to update for Worker service
+- 2021-03-02 TUN-3905: Cannot run go mod vendor in cloudflared due to fips
+- 2021-03-08 TUN-4063: Cleanup dependencies between packages.
+- 2021-03-09 Allow partial reads from a GorillaConn; add SetDeadline (from net.Conn) (#330)
+- 2021-03-09 TUN-4069: Fix regression on support for websocket over proxy
+- 2021-03-02 AUTH-3394: Creates a token per app instead of per path
+- 2021-03-01 TUN-4017: Add support for using cloudflared as a full socks proxy.
+- 2021-03-08 TUN-4062: Read component tests config from yaml file
+- 2021-03-08 TUN-4049: Add component tests to assert logging behavior when running from terminal
+- 2021-02-23 TUN-3963: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands.
+- 2021-02-25 TUN-3970: Route ip show has alias route ip list
+- 2021-02-26 TUN-3978: Unhide teamnet commands and improve their help
+- 2021-02-26 TUN-3983: Renew CA certs in cloudflared
+- 2021-02-28 TUN-3989: Check in with Updater service in more situations and convey messages to user
+- 2021-02-11 TUN-3819: Remove client-side check that deleted tunnels have no connections
+
+2021.2.5
+- 2021-02-23 Publish change notes for 2021.2.5
+- 2021-02-11 TUN-3838: ResponseWriter no longer reads and origin error tests
+- 2021-02-10 TUN-3895: Tests for socks stream handler
+- 2021-02-19 TUN-3939: Add logging that shows that Warp-routing is enabled
+- 2021-02-02 TUN-3817: Adds tests for websocket based streaming regression
+- 2021-02-04 TUN-3799: extended the Stream interface to take a logger and added debug logs for io.Copy errors
+- 2021-02-03 TUN-3855: Add ability to override target of 'access ssh' command to a different host for testing
+- 2021-02-04 TUN-3853: Respond with ws headers from the origin service rather than generating our own
+- 2021-02-08 TUN-3889: Move host header override logic to httpService
+- 2021-02-05 TUN-3868: Refactor singleTCPService and bridgeService to tcpOverWSService and rawTCPService
+- 2021-01-21 TUN-3753: Select http2 protocol when warp routing is enabled
+- 2021-01-26 TUN-3809: Allow routes ip show to output as JSON or YAML
+- 2021-01-11 TUN-3615: added support to  proxy tcp streams
+- 2021-01-17 TUN-3725: Warp-routing is independent of ingress
+- 2021-01-15 TUN-3764: Actively flush data for TCP streams
+- 2020-12-09 TUN-3617: Separate service from client, and implement different client for http vs. tcp origins
+
+2021.2.4
+- 2021-02-22 TUN-3948: Log error when retrying connection
+- 2021-02-23 TUN-3964: Revert "TUN-3922: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands."
+- 2021-02-23 Publish release notes for 2021.2.4
+
+2021.2.3
+- 2021-02-23 Publish release notes for 2021.2.3
+- 2021-02-10 TUN-3902: Add jitter to backoffhandler
+- 2021-02-11 TUN-3913: Help gives wrong exit code for autoupdate
+- 2021-02-12 Add max upstream connections dns-proxy option (#290)
+- 2021-02-16 TUN-3924: Removed db-connect command. Added a placeholder handler for this command that informs users that command is no longer supported.
+- 2021-02-12 TUN-3922: Repoint urfave/cli/v2 library at patched branch at github.com/ipostelnik/cli/v2@fixed which correctly handles reading flags declared at multiple levels of subcommands.
+- 2021-02-19 Added support for proxy (#318)
+- 2021-02-19 TUN-3945: Fix runApp signature for generic service
+- 2021-02-09 Update README.md
+- 2021-02-09 Update the TryCloudflare link
+
+2021.2.2
+- 2021-02-04 TUN-3864: Users can choose where credentials file is written after creating a tunnel
+- 2021-02-04 TUN-3869: Improve reliability of graceful shutdown.
+- 2021-02-07 TUN-3878: Do not supply -tags when none are specified
+- 2021-02-04 TUN-3635: Send event when unregistering tunnel for gracful shutdown so /ready endpoint reports down status befoe connections finish handling pending requests.
+- 2021-02-08 TUN-3890: Code coverage for cloudflared in CI
+- 2021-02-09 AUTH-3375 exchangeOrgToken deleted cookie fix
+- 2020-11-18 Update error message to use login command
+
+2021.2.1
+- 2021-02-04 TUN-3858: Do not suffix cloudflared version with -fips
+
+2021.2.0
+- 2021-02-01 TUN-3837: Remove automation_email from cloudflared status page test
+- 2021-02-03 TUN-3848: Use transport logger for h2mux
+- 2021-02-03 TUN-3854: cloudflared tunnel list flags to sort output
+- 2021-01-21 TUN-3195: Don't colorize console logs when stderr is not a terminal
+- 2021-01-20 Fixed connection error handling by removing duplicated errors, standardizing on non-pointer error types
+- 2021-01-20 TUN-3118: Changed graceful shutdown to immediately unregister tunnel from the edge, keep the connection open until the edge drops it or grace period expires
+- 2021-01-25 TUN-3165: Add reference to Argo Tunnel documentation in the help output
+- 2021-01-25 TUN-3806: Use a .dockerignore
+- 2021-01-21 TUN-3795: Use RFC-3339 style date format for logs, produce timestamp in UTC
+- 2021-01-26 TUN-3795: Removed errant test
+- 2021-01-25 TUN-3792: Handle graceful shutdown correctly when running as a windows service. Only expose one shutdown channel globally, which now triggers the graceful shutdown sequence across all modes. Removed separate handling of zero-duration grace period, instead it's checked only when we need to wait for exit.
+- 2021-01-27 TUN-3811: Better error reporting on http2 connection termination. Registration errors from control loop are now propagated out of the connection server code. Unified error handling between h2mux and http2 connections so we log and retry errors the same way, regardless of underlying transport.
+- 2021-01-28 TUN-3830: Use Go 1.15.7
+- 2021-01-28 TUN-3826: Use go-fips when building cloudflared for linux/amd64
+- 2021-01-19 TUN-3777: Fix /ready endpoint for classic tunnels
+- 2021-01-19 TUN-3773: Add back pprof endpoints
+
+2021.1.5
+- 2021-01-15 TUN-3594: Log ingress response at debug level
+- 2021-01-15 TUN-3765: Fix doubly nested log output by `logfile` option
+- 2021-01-16 TUN-3767: Tolerate logging errors
+- 2021-01-17 TUN-3768: Reuse file loggers
+- 2021-01-14 TUN-3738: Refactor observer to avoid potential of blocking on tunnel notifications
+- 2021-01-15 TUN-3766: Print flags defined at all levels of command hierarchy, not just locally defined flags for a command. This fixes output of overriden settings for  subcommand.
+
+2021.1.4
+- 2021-01-14 TUN-3759: Single file logging output should always append
+
+2021.1.3
+- 2021-01-14 TUN-3756: File logging output must consider the directory
+- 2021-01-14 TUN-3757: Fix legacy Uint flags that are incorrectly handled by ufarve library
+
+2021.1.2
+- 2021-01-13 TUN-3747: Fix logging in Windows
+
 2021.1.1
 - 2021-01-13 TUN-3744: Fix compilation error in windows service
 

buffer/pool.go

@@ -1,29 +0,0 @@
-package buffer
-
-import (
-	"sync"
-)
-
-type Pool struct {
-	// A Pool must not be copied after first use.
-	// https://golang.org/pkg/sync/#Pool
-	buffers sync.Pool
-}
-
-func NewPool(bufferSize int) *Pool {
-	return &Pool{
-		buffers: sync.Pool{
-			New: func() interface{} {
-				return make([]byte, bufferSize)
-			},
-		},
-	}
-}
-
-func (p *Pool) Get() []byte {
-	return p.buffers.Get().([]byte)
-}
-
-func (p *Pool) Put(buf []byte) {
-	p.buffers.Put(buf)
-}

build-packages-fips.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=built_artifacts/
+mkdir -p $ARTIFACT_DIR
+
+arch=("amd64")
+export TARGET_ARCH=$arch
+export TARGET_OS=linux
+export FIPS=true
+# For BoringCrypto to link, we need CGO enabled. Otherwise compilation fails.
+export CGO_ENABLED=1
+
+make cloudflared-deb
+mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
+
+# rpm packages invert the - and _ and use x86_64 instead of amd64.
+RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+RPMARCH="x86_64"
+make cloudflared-rpm
+mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm
+
+# finally move the linux binary as well.
+mv ./cloudflared $ARTIFACT_DIR/cloudflared-fips-linux-$arch

build-packages.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
+echo $VERSION
+
+# Disable FIPS module in go-boring
+export GOEXPERIMENT=noboringcrypto
+export CGO_ENABLED=0
+
+# This controls the directory the built artifacts go into
+export ARTIFACT_DIR=built_artifacts/
+mkdir -p $ARTIFACT_DIR
+
+linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
+export TARGET_OS=linux
+for arch in ${linuxArchs[@]}; do
+    unset TARGET_ARM
+    export TARGET_ARCH=$arch
+
+    ## Support for arm platforms without hardware FPU enabled
+    if [[ $arch == arm ]] ; then
+        export TARGET_ARCH=arm
+        export TARGET_ARM=5
+    fi
+    
+    ## Support for armhf builds 
+    if [[ $arch == armhf ]] ; then
+        export TARGET_ARCH=arm
+        export TARGET_ARM=7 
+    fi
+    
+    make cloudflared-deb
+    mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
+
+    # rpm packages invert the - and _ and use x86_64 instead of amd64.
+    RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
+    RPMARCH=$arch
+    if [ $arch == "amd64" ];then
+        RPMARCH="x86_64"
+    fi
+    if [ $arch == "arm64" ]; then
+        RPMARCH="aarch64"
+    fi
+    make cloudflared-rpm
+    mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
+
+    # finally move the linux binary as well.
+    mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
+done

carrier/carrier.go

@@ -1,42 +1,47 @@
-//Package carrier provides a WebSocket proxy to carry or proxy a connection
-//from the local client to the edge. See it as a wrapper around any protocol
-//that it packages up in a WebSocket connection to the edge.
+// Package carrier provides a WebSocket proxy to carry or proxy a connection
+// from the local client to the edge. See it as a wrapper around any protocol
+// that it packages up in a WebSocket connection to the edge.
 package carrier
 
 import (
+	"crypto/tls"
+	"fmt"
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
-	"github.com/cloudflare/cloudflared/h2mux"
-
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/token"
 )
 
-const LogFieldOriginURL = "originURL"
+const (
+	LogFieldOriginURL       = "originURL"
+	CFAccessTokenHeader     = "Cf-Access-Token"
+	cfJumpDestinationHeader = "Cf-Access-Jump-Destination"
+)
 
 type StartOptions struct {
-	OriginURL string
-	Headers   http.Header
+	AppInfo         *token.AppInfo
+	OriginURL       string
+	Headers         http.Header
+	Host            string
+	TLSClientConfig *tls.Config
 }
 
 // Connection wraps up all the needed functions to forward over the tunnel
 type Connection interface {
 	// ServeStream is used to forward data from the client to the edge
 	ServeStream(*StartOptions, io.ReadWriter) error
-
-	// StartServer is used to listen for incoming connections from the edge to the origin
-	StartServer(net.Listener, string, <-chan struct{}) error
 }
 
 // StdinoutStream is empty struct for wrapping stdin/stdout
 // into a single ReadWriter
-type StdinoutStream struct {
-}
+type StdinoutStream struct{}
 
 // Read will read from Stdin
 func (c *StdinoutStream) Read(p []byte) (int, error) {
@@ -49,7 +54,7 @@ func (c *StdinoutStream) Write(p []byte) (int, error) {
 	return os.Stdout.Write(p)
 }
 
-// Helper to allow defering the response close with a check that the resp is not nil
+// Helper to allow deferring the response close with a check that the resp is not nil
 func closeRespBody(resp *http.Response) {
 	if resp != nil {
 		_ = resp.Body.Close()
@@ -120,7 +125,7 @@ func IsAccessResponse(resp *http.Response) bool {
 	if err != nil || location == nil {
 		return false
 	}
-	if strings.HasPrefix(location.Path, "/cdn-cgi/access/login") {
+	if strings.HasPrefix(location.Path, token.AccessLoginWorkerPath) {
 		return true
 	}
 
@@ -134,7 +139,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 		return nil, err
 	}
 
-	token, err := token.FetchTokenWithRedirect(req.URL, log)
+	token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
 	if err != nil {
 		return nil, err
 	}
@@ -145,7 +150,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 	if err != nil {
 		return nil, err
 	}
-	originRequest.Header.Set(h2mux.CFAccessTokenHeader, token)
+	originRequest.Header.Set(CFAccessTokenHeader, token)
 
 	for k, v := range options.Headers {
 		if len(v) >= 1 {
@@ -155,3 +160,26 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
 
 	return originRequest, nil
 }
+
+func SetBastionDest(header http.Header, destination string) {
+	if destination != "" {
+		header.Set(cfJumpDestinationHeader, destination)
+	}
+}
+
+func ResolveBastionDest(r *http.Request) (string, error) {
+	jumpDestination := r.Header.Get(cfJumpDestinationHeader)
+	if jumpDestination == "" {
+		return "", fmt.Errorf("Did not receive final destination from client. The --destination flag is likely not set on the client side")
+	}
+	// Strip scheme and path set by client. Without a scheme
+	// Parsing a hostname and path without scheme might not return an error due to parsing ambiguities
+	if jumpURL, err := url.Parse(jumpDestination); err == nil && jumpURL.Host != "" {
+		return removePath(jumpURL.Host), nil
+	}
+	return removePath(jumpDestination), nil
+}
+
+func removePath(dest string) string {
+	return strings.SplitN(dest, "/", 2)[0]
+}

carrier/carrier_test.go

@@ -44,7 +44,7 @@ func (s *testStreamer) Write(p []byte) (int, error) {
 func TestStartClient(t *testing.T) {
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
 	log := zerolog.Nop()
-	wsConn := NewWSConnection(&log, false)
+	wsConn := NewWSConnection(&log)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
 
@@ -70,7 +70,7 @@ func TestStartServer(t *testing.T) {
 	message := "Good morning Austin! Time for another sunny day in the great state of Texas."
 	log := zerolog.Nop()
 	shutdownC := make(chan struct{})
-	wsConn := NewWSConnection(&log, false)
+	wsConn := NewWSConnection(&log)
 	ts := newTestWebSocketServer()
 	defer ts.Close()
 	options := &StartOptions{
@@ -81,7 +81,8 @@ func TestStartServer(t *testing.T) {
 	go func() {
 		err := Serve(wsConn, listener, shutdownC, options)
 		if err != nil {
-			t.Fatalf("Error running server: %v", err)
+			t.Errorf("Error running server: %v", err)
+			return
 		}
 	}()
 
@@ -155,3 +156,99 @@ func testRequest(t *testing.T, url string, stream io.ReadWriter) *http.Request {
 
 	return req
 }
+
+func TestBastionDestination(t *testing.T) {
+	tests := []struct {
+		name         string
+		header       http.Header
+		expectedDest string
+		wantErr      bool
+	}{
+		{
+			name: "hostname destination",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"localhost"},
+			},
+			expectedDest: "localhost",
+		},
+		{
+			name: "hostname destination with port",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"localhost:9000"},
+			},
+			expectedDest: "localhost:9000",
+		},
+		{
+			name: "hostname destination with scheme and port",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"ssh://localhost:9000"},
+			},
+			expectedDest: "localhost:9000",
+		},
+		{
+			name: "full hostname url",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"ssh://localhost:9000/metrics"},
+			},
+			expectedDest: "localhost:9000",
+		},
+		{
+			name: "hostname destination with port and path",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"localhost:9000/metrics"},
+			},
+			expectedDest: "localhost:9000",
+		},
+		{
+			name: "ip destination",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"127.0.0.1"},
+			},
+			expectedDest: "127.0.0.1",
+		},
+		{
+			name: "ip destination with port",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"127.0.0.1:9000"},
+			},
+			expectedDest: "127.0.0.1:9000",
+		},
+		{
+			name: "ip destination with port and path",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"127.0.0.1:9000/metrics"},
+			},
+			expectedDest: "127.0.0.1:9000",
+		},
+		{
+			name: "ip destination with schem and port",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"tcp://127.0.0.1:9000"},
+			},
+			expectedDest: "127.0.0.1:9000",
+		},
+		{
+			name: "full ip url",
+			header: http.Header{
+				cfJumpDestinationHeader: []string{"ssh://127.0.0.1:9000/metrics"},
+			},
+			expectedDest: "127.0.0.1:9000",
+		},
+		{
+			name:    "no destination",
+			wantErr: true,
+		},
+	}
+	for _, test := range tests {
+		r := &http.Request{
+			Header: test.header,
+		}
+		dest, err := ResolveBastionDest(r)
+		if test.wantErr {
+			assert.Error(t, err, "Test %s expects error", test.name)
+		} else {
+			assert.NoError(t, err, "Test %s expects no error, got error %v", test.name, err)
+			assert.Equal(t, test.expectedDest, dest, "Test %s expect dest %s, got %s", test.name, test.expectedDest, dest)
+		}
+	}
+}

carrier/websocket.go

@@ -1,18 +1,17 @@
 package carrier
 
 import (
-	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/http/httputil"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
-	"github.com/cloudflare/cloudflared/socks"
-	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
+	"net/url"
 
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/stream"
+	"github.com/cloudflare/cloudflared/token"
+	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
 )
 
 // Websocket is used to carry data via WS binary frames over the tunnel from client to the origin
@@ -22,25 +21,10 @@ type Websocket struct {
 	isSocks bool
 }
 
-type wsdialer struct {
-	conn *cfwebsocket.Conn
-}
-
-func (d *wsdialer) Dial(address string) (io.ReadWriteCloser, *socks.AddrSpec, error) {
-	local, ok := d.conn.LocalAddr().(*net.TCPAddr)
-	if !ok {
-		return nil, nil, fmt.Errorf("not a tcp connection")
-	}
-
-	addr := socks.AddrSpec{IP: local.IP, Port: local.Port}
-	return d.conn, &addr, nil
-}
-
 // NewWSConnection returns a new connection object
-func NewWSConnection(log *zerolog.Logger, isSocks bool) Connection {
+func NewWSConnection(log *zerolog.Logger) Connection {
 	return &Websocket{
-		log:     log,
-		isSocks: isSocks,
+		log: log,
 	}
 }
 
@@ -54,41 +38,49 @@ func (ws *Websocket) ServeStream(options *StartOptions, conn io.ReadWriter) erro
 	}
 	defer wsConn.Close()
 
-	if ws.isSocks {
-		dialer := &wsdialer{conn: wsConn}
-		requestHandler := socks.NewRequestHandler(dialer)
-		socksServer := socks.NewConnectionHandler(requestHandler)
-
-		_ = socksServer.Serve(conn)
-	} else {
-		cfwebsocket.Stream(wsConn, conn)
-	}
+	stream.Pipe(wsConn, conn, ws.log)
 	return nil
 }
 
-// StartServer creates a Websocket server to listen for connections.
-// This is used on the origin (tunnel) side to take data from the muxer and send it to the origin
-func (ws *Websocket) StartServer(listener net.Listener, remote string, shutdownC <-chan struct{}) error {
-	return cfwebsocket.StartProxyServer(ws.log, listener, remote, shutdownC, cfwebsocket.DefaultStreamHandler)
-}
-
 // createWebsocketStream will create a WebSocket connection to stream data over
 // It also handles redirects from Access and will present that flow if
 // the token is not present on the request
-func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.Conn, error) {
+func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebsocket.GorillaConn, error) {
 	req, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
 	if err != nil {
 		return nil, err
 	}
 	req.Header = options.Headers
+	if options.Host != "" {
+		req.Host = options.Host
+	}
 
 	dump, err := httputil.DumpRequest(req, false)
+	if err != nil {
+		return nil, err
+	}
 	log.Debug().Msgf("Websocket request: %s", string(dump))
 
-	wsConn, resp, err := cfwebsocket.ClientConnect(req, nil)
+	dialer := &websocket.Dialer{
+		TLSClientConfig: options.TLSClientConfig,
+		Proxy:           http.ProxyFromEnvironment,
+	}
+	wsConn, resp, err := clientConnect(req, dialer)
 	defer closeRespBody(resp)
 
 	if err != nil && IsAccessResponse(resp) {
+		// Only get Access app info if we know the origin is protected by Access
+		originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
+		if err != nil {
+			return nil, err
+		}
+
+		appInfo, err := token.GetAppInfo(originReq.URL)
+		if err != nil {
+			return nil, err
+		}
+		options.AppInfo = appInfo
+
 		wsConn, err = createAccessAuthenticatedStream(options, log)
 		if err != nil {
 			return nil, err
@@ -97,7 +89,64 @@ func createWebsocketStream(options *StartOptions, log *zerolog.Logger) (*cfwebso
 		return nil, err
 	}
 
-	return &cfwebsocket.Conn{Conn: wsConn}, nil
+	return &cfwebsocket.GorillaConn{Conn: wsConn}, nil
+}
+
+var stripWebsocketHeaders = []string{
+	"Upgrade",
+	"Connection",
+	"Sec-Websocket-Key",
+	"Sec-Websocket-Version",
+	"Sec-Websocket-Extensions",
+}
+
+// the gorilla websocket library sets its own Upgrade, Connection, Sec-WebSocket-Key,
+// Sec-WebSocket-Version and Sec-Websocket-Extensions headers.
+// https://github.com/gorilla/websocket/blob/master/client.go#L189-L194.
+func websocketHeaders(req *http.Request) http.Header {
+	wsHeaders := make(http.Header)
+	for key, val := range req.Header {
+		wsHeaders[key] = val
+	}
+	// Assume the header keys are in canonical format.
+	for _, header := range stripWebsocketHeaders {
+		wsHeaders.Del(header)
+	}
+	wsHeaders.Set("Host", req.Host) // See TUN-1097
+	return wsHeaders
+}
+
+// clientConnect creates a WebSocket client connection for provided request. Caller is responsible for closing
+// the connection. The response body may not contain the entire response and does
+// not need to be closed by the application.
+func clientConnect(req *http.Request, dialler *websocket.Dialer) (*websocket.Conn, *http.Response, error) {
+	req.URL.Scheme = changeRequestScheme(req.URL)
+	wsHeaders := websocketHeaders(req)
+	if dialler == nil {
+		dialler = &websocket.Dialer{
+			Proxy: http.ProxyFromEnvironment,
+		}
+	}
+	conn, response, err := dialler.Dial(req.URL.String(), wsHeaders)
+	if err != nil {
+		return nil, response, err
+	}
+	return conn, response, nil
+}
+
+// changeRequestScheme is needed as the gorilla websocket library requires the ws scheme.
+// (even though it changes it back to http/https, but ¯\_(ツ)_/¯.)
+func changeRequestScheme(reqURL *url.URL) string {
+	switch reqURL.Scheme {
+	case "https":
+		return "wss"
+	case "http":
+		return "ws"
+	case "":
+		return "ws"
+	default:
+		return reqURL.Scheme
+	}
 }
 
 // createAccessAuthenticatedStream will try load a token from storage and make
@@ -117,11 +166,7 @@ func createAccessAuthenticatedStream(options *StartOptions, log *zerolog.Logger)
 	}
 
 	// Access Token is invalid for some reason. Go through regen flow
-	originReq, err := http.NewRequest(http.MethodGet, options.OriginURL, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err := token.RemoveTokenIfExists(originReq.URL); err != nil {
+	if err := token.RemoveTokenIfExists(options.AppInfo); err != nil {
 		return nil, err
 	}
 	wsConn, resp, err = createAccessWebSocketStream(options, log)
@@ -141,9 +186,12 @@ func createAccessWebSocketStream(options *StartOptions, log *zerolog.Logger) (*w
 	}
 
 	dump, err := httputil.DumpRequest(req, false)
+	if err != nil {
+		return nil, nil, err
+	}
 	log.Debug().Msgf("Access Websocket request: %s", string(dump))
 
-	conn, resp, err := cfwebsocket.ClientConnect(req, nil)
+	conn, resp, err := clientConnect(req, nil)
 
 	if resp != nil {
 		r, err := httputil.DumpResponse(resp, true)

carrier/websocket_test.go

@@ -0,0 +1,123 @@
+package carrier
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"math/rand"
+	"testing"
+	"time"
+
+	gws "github.com/gorilla/websocket"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/net/websocket"
+
+	"github.com/cloudflare/cloudflared/hello"
+	"github.com/cloudflare/cloudflared/tlsconfig"
+	cfwebsocket "github.com/cloudflare/cloudflared/websocket"
+)
+
+func websocketClientTLSConfig(t *testing.T) *tls.Config {
+	certPool := x509.NewCertPool()
+	helloCert, err := tlsconfig.GetHelloCertificateX509()
+	assert.NoError(t, err)
+	certPool.AddCert(helloCert)
+	assert.NotNil(t, certPool)
+	return &tls.Config{RootCAs: certPool}
+}
+
+func TestWebsocketHeaders(t *testing.T) {
+	req := testRequest(t, "http://example.com", nil)
+	wsHeaders := websocketHeaders(req)
+	for _, header := range stripWebsocketHeaders {
+		assert.Empty(t, wsHeaders[header])
+	}
+	assert.Equal(t, "curl/7.59.0", wsHeaders.Get("User-Agent"))
+}
+
+func TestServe(t *testing.T) {
+	log := zerolog.Nop()
+	shutdownC := make(chan struct{})
+	errC := make(chan error)
+	listener, err := hello.CreateTLSListener("localhost:1111")
+	assert.NoError(t, err)
+	defer listener.Close()
+
+	go func() {
+		errC <- hello.StartHelloWorldServer(&log, listener, shutdownC)
+	}()
+
+	req := testRequest(t, "https://localhost:1111/ws", nil)
+
+	tlsConfig := websocketClientTLSConfig(t)
+	assert.NotNil(t, tlsConfig)
+	d := gws.Dialer{TLSClientConfig: tlsConfig}
+	conn, resp, err := clientConnect(req, &d)
+	assert.NoError(t, err)
+	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
+
+	for i := 0; i < 1000; i++ {
+		messageSize := rand.Int()%2048 + 1
+		clientMessage := make([]byte, messageSize)
+		// rand.Read always returns len(clientMessage) and a nil error
+		rand.Read(clientMessage)
+		err = conn.WriteMessage(websocket.BinaryFrame, clientMessage)
+		assert.NoError(t, err)
+
+		messageType, message, err := conn.ReadMessage()
+		assert.NoError(t, err)
+		assert.Equal(t, websocket.BinaryFrame, messageType)
+		assert.Equal(t, clientMessage, message)
+	}
+
+	_ = conn.Close()
+	close(shutdownC)
+	<-errC
+}
+
+func TestWebsocketWrapper(t *testing.T) {
+	listener, err := hello.CreateTLSListener("localhost:0")
+	require.NoError(t, err)
+
+	serverErrorChan := make(chan error)
+	helloSvrCtx, cancelHelloSvr := context.WithCancel(context.Background())
+	defer func() { <-serverErrorChan }()
+	defer cancelHelloSvr()
+	go func() {
+		log := zerolog.Nop()
+		serverErrorChan <- hello.StartHelloWorldServer(&log, listener, helloSvrCtx.Done())
+	}()
+
+	tlsConfig := websocketClientTLSConfig(t)
+	d := gws.Dialer{TLSClientConfig: tlsConfig, HandshakeTimeout: time.Minute}
+	testAddr := fmt.Sprintf("https://%s/ws", listener.Addr().String())
+	req := testRequest(t, testAddr, nil)
+	conn, resp, err := clientConnect(req, &d)
+	require.NoError(t, err)
+	assert.Equal(t, "websocket", resp.Header.Get("Upgrade"))
+
+	// Websocket now connected to test server so lets check our wrapper
+	wrapper := cfwebsocket.GorillaConn{Conn: conn}
+	buf := make([]byte, 100)
+	wrapper.Write([]byte("abc"))
+	n, err := wrapper.Read(buf)
+	require.NoError(t, err)
+	require.Equal(t, n, 3)
+	require.Equal(t, "abc", string(buf[:n]))
+
+	// Test partial read, read 1 of 3 bytes in one read and the other 2 in another read
+	wrapper.Write([]byte("abc"))
+	buf = buf[:1]
+	n, err = wrapper.Read(buf)
+	require.NoError(t, err)
+	require.Equal(t, n, 1)
+	require.Equal(t, "a", string(buf[:n]))
+	buf = buf[:cap(buf)]
+	n, err = wrapper.Read(buf)
+	require.NoError(t, err)
+	require.Equal(t, n, 2)
+	require.Equal(t, "bc", string(buf[:n]))
+}

catalog-info.yaml

@@ -0,0 +1,16 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: cloudflared
+  description: Client for Cloudflare Tunnels
+  annotations:
+    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
+    cloudflare.com/software-excellence-opt-in: "true"
+    cloudflare.com/jira-project-key: "TUN"
+    cloudflare.com/jira-project-component: "Cloudflare Tunnel"
+  tags:
+    - internal
+spec:
+  type: "service"
+  lifecycle: "Active"
+  owner: "teams/tunnel-teams-routing"

certutil/certutil.go

@@ -1,94 +0,0 @@
-package certutil
-
-import (
-	"crypto/x509"
-	"encoding/json"
-	"encoding/pem"
-	"fmt"
-	"strings"
-)
-
-type namedTunnelToken struct {
-	ZoneID     string `json:"zoneID"`
-	AccountID  string `json:"accountID"`
-	ServiceKey string `json:"serviceKey"`
-}
-
-type OriginCert struct {
-	PrivateKey interface{}
-	Cert       *x509.Certificate
-	ZoneID     string
-	ServiceKey string
-	AccountID  string
-}
-
-func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
-	if len(blocks) == 0 {
-		return nil, fmt.Errorf("Cannot decode empty certificate")
-	}
-	originCert := OriginCert{}
-	block, rest := pem.Decode(blocks)
-	for {
-		if block == nil {
-			break
-		}
-		switch block.Type {
-		case "PRIVATE KEY":
-			if originCert.PrivateKey != nil {
-				return nil, fmt.Errorf("Found multiple private key in the certificate")
-			}
-			// RSA private key
-			privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-			if err != nil {
-				return nil, fmt.Errorf("Cannot parse private key")
-			}
-			originCert.PrivateKey = privateKey
-		case "CERTIFICATE":
-			if originCert.Cert != nil {
-				return nil, fmt.Errorf("Found multiple certificates in the certificate")
-			}
-			cert, err := x509.ParseCertificates(block.Bytes)
-			if err != nil {
-				return nil, fmt.Errorf("Cannot parse certificate")
-			} else if len(cert) > 1 {
-				return nil, fmt.Errorf("Found multiple certificates in the certificate")
-			}
-			originCert.Cert = cert[0]
-		case "WARP TOKEN", "ARGO TUNNEL TOKEN":
-			if originCert.ZoneID != "" || originCert.ServiceKey != "" {
-				return nil, fmt.Errorf("Found multiple tokens in the certificate")
-			}
-			// The token is a string,
-			// Try the newer JSON format
-			ntt := namedTunnelToken{}
-			if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
-				originCert.ZoneID = ntt.ZoneID
-				originCert.ServiceKey = ntt.ServiceKey
-				originCert.AccountID = ntt.AccountID
-			} else {
-				// Try the older format, where the zoneID and service key are seperated by
-				// a new line character
-				token := string(block.Bytes)
-				s := strings.Split(token, "\n")
-				if len(s) != 2 {
-					return nil, fmt.Errorf("Cannot parse token")
-				}
-				originCert.ZoneID = s[0]
-				originCert.ServiceKey = s[1]
-			}
-		default:
-			return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
-		}
-		block, rest = pem.Decode(rest)
-	}
-
-	if originCert.PrivateKey == nil {
-		return nil, fmt.Errorf("Missing private key in the certificate")
-	} else if originCert.Cert == nil {
-		return nil, fmt.Errorf("Missing certificate in the certificate")
-	} else if originCert.ZoneID == "" || originCert.ServiceKey == "" {
-		return nil, fmt.Errorf("Missing token in the certificate")
-	}
-
-	return &originCert, nil
-}

certutil/certutil_test.go

@@ -1,67 +0,0 @@
-package certutil
-
-import (
-	"fmt"
-	"io/ioutil"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestLoadOriginCert(t *testing.T) {
-	cert, err := DecodeOriginCert([]byte{})
-	assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
-	assert.Nil(t, cert)
-
-	blocks, err := ioutil.ReadFile("test-cert-no-key.pem")
-	assert.Nil(t, err)
-	cert, err = DecodeOriginCert(blocks)
-	assert.Equal(t, fmt.Errorf("Missing private key in the certificate"), err)
-	assert.Nil(t, cert)
-
-	blocks, err = ioutil.ReadFile("test-cert-two-certificates.pem")
-	assert.Nil(t, err)
-	cert, err = DecodeOriginCert(blocks)
-	assert.Equal(t, fmt.Errorf("Found multiple certificates in the certificate"), err)
-	assert.Nil(t, cert)
-
-	blocks, err = ioutil.ReadFile("test-cert-unknown-block.pem")
-	assert.Nil(t, err)
-	cert, err = DecodeOriginCert(blocks)
-	assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
-	assert.Nil(t, cert)
-
-	blocks, err = ioutil.ReadFile("test-cert.pem")
-	assert.Nil(t, err)
-	cert, err = DecodeOriginCert(blocks)
-	assert.Nil(t, err)
-	assert.NotNil(t, cert)
-	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
-	key := "v1.0-58bd4f9e28f7b3c28e05a35ff3e80ab4fd9644ef3fece537eb0d12e2e9258217-183442fbb0bbdb3e571558fec9b5589ebd77aafc87498ee3f09f64a4ad79ffe8791edbae08b36c1d8f1d70a8670de56922dff92b15d214a524f4ebfa1958859e-7ce80f79921312a6022c5d25e2d380f82ceaefe3fbdc43dd13b080e3ef1e26f7"
-	assert.Equal(t, key, cert.ServiceKey)
-}
-
-func TestNewlineArgoTunnelToken(t *testing.T) {
-	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert.pem")
-}
-
-func TestJSONArgoTunnelToken(t *testing.T) {
-	// The given cert's Argo Tunnel Token was generated by base64 encoding this JSON:
-	// {
-	// "zoneID": "7b0a4d77dfb881c1a3b7d61ea9443e19",
-	// "serviceKey": "test-service-key",
-	// "accountID": "abcdabcdabcdabcd1234567890abcdef"
-	// }
-	ArgoTunnelTokenTest(t, "test-argo-tunnel-cert-json.pem")
-}
-
-func ArgoTunnelTokenTest(t *testing.T, path string) {
-	blocks, err := ioutil.ReadFile(path)
-	assert.Nil(t, err)
-	cert, err := DecodeOriginCert(blocks)
-	assert.Nil(t, err)
-	assert.NotNil(t, cert)
-	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
-	key := "test-service-key"
-	assert.Equal(t, key, cert.ServiceKey)
-}

certutil/test-argo-tunnel-cert-json.pem

@@ -1,57 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
-sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
-1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
-z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
-6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
-x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
-1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
-IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
-xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
-sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
-2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
-sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
-Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
-AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
-m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
-QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
-P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
-pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
-G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
-6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
-LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
-OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
-W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
-M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
-y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
-uQicoQq3yzeQh20wtrtaXzTNmA==
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN ARGO TUNNEL TOKEN-----
-eyJ6b25lSUQiOiAiN2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkiLCAi
-c2VydmljZUtleSI6ICJ0ZXN0LXNlcnZpY2Uta2V5IiwgImFjY291bnRJRCI6ICJh
-YmNkYWJjZGFiY2RhYmNkMTIzNDU2Nzg5MGFiY2RlZiJ9
------END ARGO TUNNEL TOKEN-----

certutil/test-argo-tunnel-cert.pem

@@ -1,56 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
-sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
-1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
-z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
-6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
-x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
-1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
-IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
-xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
-sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
-2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
-sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
-Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
-AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
-m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
-QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
-P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
-pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
-G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
-6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
-LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
-OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
-W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
-M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
-y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
-uQicoQq3yzeQh20wtrtaXzTNmA==
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN ARGO TUNNEL TOKEN-----
-N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdGVzdC1zZXJ2aWNlLWtl
-eQ==
------END ARGO TUNNEL TOKEN-----

certutil/test-cert-no-key.pem

@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN WARP TOKEN-----
-N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
-ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
-MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
-NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
-NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
-OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
-ZWYxZTI2Zjc=
------END WARP TOKEN-----

certutil/test-cert-two-certificates.pem

@@ -1,85 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
-sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
-1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
-z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
-6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
-x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
-1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
-IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
-xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
-sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
-2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
-sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
-Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
-AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
-m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
-QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
-P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
-pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
-G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
-6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
-LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
-OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
-W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
-M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
-y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
-uQicoQq3yzeQh20wtrtaXzTNmA==
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN WARP TOKEN-----
-N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
-ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
-MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
-NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
-NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
-OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
-ZWYxZTI2Zjc=
------END WARP TOKEN-----

certutil/test-cert.pem

@@ -1,61 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCfGswL16Fz9Ei3
-sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng6yHR1H5oX1Lg
-1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bxtG0uyrXYh7Mt
-z0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyXPE6SuDvMHIeX
-6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZAzNOxVKrUsyS
-x7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOglHJ2n0sMcZ+Ja
-1Y649mPVAgMBAAECggEAEbPF0ah9fH0IzTU/CPbIeh3flyY8GDuMpR1HvwUurSWB
-IFI9bLyVAXKb8vYP1TMaTnXi5qmFof+/JShgyZc3+1tZtWTfoaiC8Y1bRfE2yk+D
-xmwddhDmijYGG7i8uEaeddSdFEh2GKAqkbV/QgBvN2Nl4EVmIOAJXXNe9l5LFyjy
-sR10aNVJRYV1FahrCTwZ3SovHP4d4AUvHh/3FFZDukHc37CFA0+CcR4uehp5yedi
-2UdqaszXqunFo/3h+Tn9dW2C7gTTZx4+mfyaws3p3YOmdYArXvpejxHIc0FGwLBm
-sb9K7wGVUiF0Bt0ch+C1mdYrCaFNHnPuDswjmm3FwQKBgQDYtxOwwSLA6ZyppozX
-Doyx9a7PhiMHCFKSdVB4l8rpK545a+AmpG6LRScTtBsMTHBhT3IQ3QPWlVm1AhjF
-AvXMa1rOeaGbCbDn1xqEoEVPtj4tys8eTfyWmtU73jWTFauOt4/xpf/urEpg91xj
-m+Gl/8qgBrpm5rQxV5Y4MysRlQKBgQC78jzzlhocXGNvw0wT/K2NsknyeoZXqpIE
-QYL60FMl4geZn6w9hwxaL1r+g/tUjTnpBPQtS1r2Ed2gXby5zspN1g/PW8U3t3to
-P7zHIJ/sLBXrCh5RJko3hUgGhDNOOCIQj4IaKUfvHYvEIbIxlyI0vdsXsgXgMuQ8
-pb9Yifn5QQKBgQCmGu0EtYQlyOlDP10EGSrN3Dm45l9CrKZdi326cN4eCkikSoLs
-G2x/YumouItiydP5QiNzuXOPrbmse4bwumwb2s0nJSMw6iSmDsFMlmuJxW2zO5e0
-6qGH7fUyhgcaTanJIfk6hrm7/mKkH/S4hGpYCc8NCRsmc/35M+D4AoAoYQKBgQC0
-LWpZaxDlF30MbAHHN3l6We2iU+vup0sMYXGb2ZOcwa/fir+ozIr++l8VmJmdWTan
-OWSM96zgMghx8Os4hhJTxF+rvqK242OfcVsc2x31X94zUaP2z+peh5uhA6Pb3Nxr
-W+iyA9k+Vujiwhr+h5D3VvtvH++aG6/KpGtoCf5nAQKBgQDXX2+d7bd5CLNLLFNd
-M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
-y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
-uQicoQq3yzeQh20wtrtaXzTNmA==
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIID+jCCA6CgAwIBAgIUJhFxUKEGvTRc3CjCok6dbPGH/P4wCgYIKoZIzj0EAwIw
-gagxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYD
-VQQLEy9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhv
-cml0eTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzETMBEGA1UECBMKQ2FsaWZvcm5p
-YTEXMBUGA1UEAxMOKGRldiB1c2Ugb25seSkwHhcNMTcxMDEzMTM1OTAwWhcNMzIx
-MDA5MTM1OTAwWjBiMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR0wGwYDVQQL
-ExRDbG91ZEZsYXJlIE9yaWdpbiBDQTEmMCQGA1UEAxMdQ2xvdWRGbGFyZSBPcmln
-aW4gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCf
-GswL16Fz9Ei3sAg5AmBizoN2nZdyXHP8T57UxUMcrlJXEEXCVS5RR4m9l+EmK0ng
-6yHR1H5oX1Lg1WKyXgWwr0whwmdTD+qWFJW2M8HyefyBKLrsGPuxw4CVYT0h72bx
-tG0uyrXYh7Mtz0lHjGV90qrFpq5o0jx0sLbDlDvpFPbIO58uYzKG4Sn2VTC4rOyX
-PE6SuDvMHIeX6Ekw4wSVQ9eTbksLQqTyxSqM3zp2ygc56SjGjy1nGQT8ZBGFzSbZ
-AzNOxVKrUsySx7LzZVl+zCGCPlQwaYLKObKXadZJmrqSFmErC5jcbVgBz7oJQOgl
-HJ2n0sMcZ+Ja1Y649mPVAgMBAAGjggEgMIIBHDAOBgNVHQ8BAf8EBAMCBaAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzA6f2Ajq
-zhX67c6piY2a1uTiUkwwHwYDVR0jBBgwFoAU2qfBlqxKMZnf0QeTeYiMelfqJfgw
-RAYIKwYBBQUHAQEEODA2MDQGCCsGAQUFBzABhihodHRwOi8vb2NzcC5jbG91ZGZs
-YXJlLmNvbS9vcmlnaW5fZWNjX2NhMCMGA1UdEQQcMBqCDCouYXJub2xkLmNvbYIK
-YXJub2xkLmNvbTA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLmNsb3VkZmxh
-cmUuY29tL29yaWdpbl9lY2NfY2EuY3JsMAoGCCqGSM49BAMCA0gAMEUCIDV7HoMj
-K5rShE/l+90YAOzHC89OH/wUz3I5KYOFuehoAiEA8e92aIf9XBkr0K6EvFCiSsD+
-x+Yo/cL8fGfVpPt4UM8=
------END CERTIFICATE-----
------BEGIN WARP TOKEN-----
-N2IwYTRkNzdkZmI4ODFjMWEzYjdkNjFlYTk0NDNlMTkKdjEuMC01OGJkNGY5ZTI4
-ZjdiM2MyOGUwNWEzNWZmM2U4MGFiNGZkOTY0NGVmM2ZlY2U1MzdlYjBkMTJlMmU5
-MjU4MjE3LTE4MzQ0MmZiYjBiYmRiM2U1NzE1NThmZWM5YjU1ODllYmQ3N2FhZmM4
-NzQ5OGVlM2YwOWY2NGE0YWQ3OWZmZTg3OTFlZGJhZTA4YjM2YzFkOGYxZDcwYTg2
-NzBkZTU2OTIyZGZmOTJiMTVkMjE0YTUyNGY0ZWJmYTE5NTg4NTllLTdjZTgwZjc5
-OTIxMzEyYTYwMjJjNWQyNWUyZDM4MGY4MmNlYWVmZTNmYmRjNDNkZDEzYjA4MGUz
-ZWYxZTI2Zjc=
------END WARP TOKEN-----

cfapi/base_client.go

@@ -0,0 +1,247 @@
+package cfapi
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog"
+	"golang.org/x/net/http2"
+)
+
+const (
+	defaultTimeout  = 15 * time.Second
+	jsonContentType = "application/json"
+)
+
+var (
+	ErrUnauthorized = errors.New("unauthorized")
+	ErrBadRequest   = errors.New("incorrect request parameters")
+	ErrNotFound     = errors.New("not found")
+	ErrAPINoSuccess = errors.New("API call failed")
+)
+
+type RESTClient struct {
+	baseEndpoints *baseEndpoints
+	authToken     string
+	userAgent     string
+	client        http.Client
+	log           *zerolog.Logger
+}
+
+type baseEndpoints struct {
+	accountLevel  url.URL
+	zoneLevel     url.URL
+	accountRoutes url.URL
+	accountVnets  url.URL
+}
+
+var _ Client = (*RESTClient)(nil)
+
+func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
+	if strings.HasSuffix(baseURL, "/") {
+		baseURL = baseURL[:len(baseURL)-1]
+	}
+	accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create account level endpoint")
+	}
+	accountRoutesEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/routes", baseURL, accountTag))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create route account-level endpoint")
+	}
+	accountVnetsEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/teamnet/virtual_networks", baseURL, accountTag))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create virtual network account-level endpoint")
+	}
+	zoneLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/zones/%s/tunnels", baseURL, zoneTag))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create account level endpoint")
+	}
+	httpTransport := http.Transport{
+		TLSHandshakeTimeout:   defaultTimeout,
+		ResponseHeaderTimeout: defaultTimeout,
+	}
+	http2.ConfigureTransport(&httpTransport)
+	return &RESTClient{
+		baseEndpoints: &baseEndpoints{
+			accountLevel:  *accountLevelEndpoint,
+			zoneLevel:     *zoneLevelEndpoint,
+			accountRoutes: *accountRoutesEndpoint,
+			accountVnets:  *accountVnetsEndpoint,
+		},
+		authToken: authToken,
+		userAgent: userAgent,
+		client: http.Client{
+			Transport: &httpTransport,
+			Timeout:   defaultTimeout,
+		},
+		log: log,
+	}, nil
+}
+
+func (r *RESTClient) sendRequest(method string, url url.URL, body interface{}) (*http.Response, error) {
+	var bodyReader io.Reader
+	if body != nil {
+		if bodyBytes, err := json.Marshal(body); err != nil {
+			return nil, errors.Wrap(err, "failed to serialize json body")
+		} else {
+			bodyReader = bytes.NewBuffer(bodyBytes)
+		}
+	}
+
+	req, err := http.NewRequest(method, url.String(), bodyReader)
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't create %s request", method)
+	}
+	req.Header.Set("User-Agent", r.userAgent)
+	if bodyReader != nil {
+		req.Header.Set("Content-Type", jsonContentType)
+	}
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", r.authToken))
+	req.Header.Add("Accept", "application/json;version=1")
+	return r.client.Do(req)
+}
+
+func parseResponseEnvelope(reader io.Reader) (*response, error) {
+	// Schema for Tunnelstore responses in the v1 API.
+	// Roughly, it's a wrapper around a particular result that adds failures/errors/etc
+	var result response
+	// First, parse the wrapper and check the API call succeeded
+	if err := json.NewDecoder(reader).Decode(&result); err != nil {
+		return nil, errors.Wrap(err, "failed to decode response")
+	}
+	if err := result.checkErrors(); err != nil {
+		return nil, err
+	}
+	if !result.Success {
+		return nil, ErrAPINoSuccess
+	}
+
+	return &result, nil
+}
+
+func parseResponse(reader io.Reader, data interface{}) error {
+	result, err := parseResponseEnvelope(reader)
+	if err != nil {
+		return err
+	}
+
+	return parseResponseBody(result, data)
+}
+
+func parseResponseBody(result *response, data interface{}) error {
+	// At this point we know the API call succeeded, so, parse out the inner
+	// result into the datatype provided as a parameter.
+	if err := json.Unmarshal(result.Result, &data); err != nil {
+		return errors.Wrap(err, "the Cloudflare API response was an unexpected type")
+	}
+	return nil
+}
+
+func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T, error) {
+	page := 0
+	var fullResponse []*T
+
+	for {
+		page += 1
+		envelope, parsedBody, err := fetchPage[T](requestFn, page)
+
+		if err != nil {
+			return nil, errors.Wrap(err, fmt.Sprintf("Error Parsing page %d", page))
+		}
+
+		fullResponse = append(fullResponse, parsedBody...)
+		if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
+			break
+		}
+
+	}
+	return fullResponse, nil
+}
+
+func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*response, []*T, error) {
+	pageResp, err := requestFn(page)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "REST request failed")
+	}
+	defer pageResp.Body.Close()
+	if pageResp.StatusCode == http.StatusOK {
+		envelope, err := parseResponseEnvelope(pageResp.Body)
+		if err != nil {
+			return nil, nil, err
+		}
+		var parsedRspBody []*T
+		return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
+
+	}
+	return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
+}
+
+type response struct {
+	Success    bool            `json:"success,omitempty"`
+	Errors     []apiErr        `json:"errors,omitempty"`
+	Messages   []string        `json:"messages,omitempty"`
+	Result     json.RawMessage `json:"result,omitempty"`
+	Pagination Pagination      `json:"result_info,omitempty"`
+}
+
+type Pagination struct {
+	Count      int `json:"count,omitempty"`
+	Page       int `json:"page,omitempty"`
+	PerPage    int `json:"per_page,omitempty"`
+	TotalCount int `json:"total_count,omitempty"`
+}
+
+func (r *response) checkErrors() error {
+	if len(r.Errors) == 0 {
+		return nil
+	}
+	if len(r.Errors) == 1 {
+		return r.Errors[0]
+	}
+	var messages string
+	for _, e := range r.Errors {
+		messages += fmt.Sprintf("%s; ", e)
+	}
+	return fmt.Errorf("API errors: %s", messages)
+}
+
+type apiErr struct {
+	Code    json.Number `json:"code,omitempty"`
+	Message string      `json:"message,omitempty"`
+}
+
+func (e apiErr) Error() string {
+	return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
+}
+
+func (r *RESTClient) statusCodeToError(op string, resp *http.Response) error {
+	if resp.Header.Get("Content-Type") == "application/json" {
+		var errorsResp response
+		if json.NewDecoder(resp.Body).Decode(&errorsResp) == nil {
+			if err := errorsResp.checkErrors(); err != nil {
+				return errors.Errorf("Failed to %s: %s", op, err)
+			}
+		}
+	}
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		return nil
+	case http.StatusBadRequest:
+		return ErrBadRequest
+	case http.StatusUnauthorized, http.StatusForbidden:
+		return ErrUnauthorized
+	case http.StatusNotFound:
+		return ErrNotFound
+	}
+	return errors.Errorf("API call to %s failed with status %d: %s", op,
+		resp.StatusCode, http.StatusText(resp.StatusCode))
+}

cfapi/client.go

@@ -0,0 +1,41 @@
+package cfapi
+
+import (
+	"github.com/google/uuid"
+)
+
+type TunnelClient interface {
+	CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
+	GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
+	GetTunnelToken(tunnelID uuid.UUID) (string, error)
+	GetManagementToken(tunnelID uuid.UUID) (string, error)
+	DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
+	ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
+	ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)
+	CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error
+}
+
+type HostnameClient interface {
+	RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error)
+}
+
+type IPRouteClient interface {
+	ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error)
+	AddRoute(newRoute NewRoute) (Route, error)
+	DeleteRoute(id uuid.UUID) error
+	GetByIP(params GetRouteByIpParams) (DetailedRoute, error)
+}
+
+type VnetClient interface {
+	CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error)
+	ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error)
+	DeleteVirtualNetwork(id uuid.UUID, force bool) error
+	UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error
+}
+
+type Client interface {
+	TunnelClient
+	HostnameClient
+	IPRouteClient
+	VnetClient
+}

cfapi/hostname.go

@@ -0,0 +1,192 @@
+package cfapi
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"path"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+type Change = string
+
+const (
+	ChangeNew       = "new"
+	ChangeUpdated   = "updated"
+	ChangeUnchanged = "unchanged"
+)
+
+// HostnameRoute represents a record type that can route to a tunnel
+type HostnameRoute interface {
+	json.Marshaler
+	RecordType() string
+	UnmarshalResult(body io.Reader) (HostnameRouteResult, error)
+	String() string
+}
+
+type HostnameRouteResult interface {
+	// SuccessSummary explains what will route to this tunnel when it's provisioned successfully
+	SuccessSummary() string
+}
+
+type DNSRoute struct {
+	userHostname      string
+	overwriteExisting bool
+}
+
+type DNSRouteResult struct {
+	route *DNSRoute
+	CName Change `json:"cname"`
+	Name  string `json:"name"`
+}
+
+func NewDNSRoute(userHostname string, overwriteExisting bool) HostnameRoute {
+	return &DNSRoute{
+		userHostname:      userHostname,
+		overwriteExisting: overwriteExisting,
+	}
+}
+
+func (dr *DNSRoute) MarshalJSON() ([]byte, error) {
+	s := struct {
+		Type              string `json:"type"`
+		UserHostname      string `json:"user_hostname"`
+		OverwriteExisting bool   `json:"overwrite_existing"`
+	}{
+		Type:              dr.RecordType(),
+		UserHostname:      dr.userHostname,
+		OverwriteExisting: dr.overwriteExisting,
+	}
+	return json.Marshal(&s)
+}
+
+func (dr *DNSRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
+	var result DNSRouteResult
+	err := parseResponse(body, &result)
+	result.route = dr
+	return &result, err
+}
+
+func (dr *DNSRoute) RecordType() string {
+	return "dns"
+}
+
+func (dr *DNSRoute) String() string {
+	return fmt.Sprintf("%s %s", dr.RecordType(), dr.userHostname)
+}
+
+func (res *DNSRouteResult) SuccessSummary() string {
+	var msgFmt string
+	switch res.CName {
+	case ChangeNew:
+		msgFmt = "Added CNAME %s which will route to this tunnel"
+	case ChangeUpdated: // this is not currently returned by tunnelsore
+		msgFmt = "%s updated to route to your tunnel"
+	case ChangeUnchanged:
+		msgFmt = "%s is already configured to route to your tunnel"
+	}
+	return fmt.Sprintf(msgFmt, res.hostname())
+}
+
+// hostname yields the resulting name for the DNS route; if that is not available from Cloudflare API, then the
+// requested name is returned instead (should not be the common path, it is just a fall-back).
+func (res *DNSRouteResult) hostname() string {
+	if res.Name != "" {
+		return res.Name
+	}
+	return res.route.userHostname
+}
+
+type LBRoute struct {
+	lbName string
+	lbPool string
+}
+
+type LBRouteResult struct {
+	route        *LBRoute
+	LoadBalancer Change `json:"load_balancer"`
+	Pool         Change `json:"pool"`
+}
+
+func NewLBRoute(lbName, lbPool string) HostnameRoute {
+	return &LBRoute{
+		lbName: lbName,
+		lbPool: lbPool,
+	}
+}
+
+func (lr *LBRoute) MarshalJSON() ([]byte, error) {
+	s := struct {
+		Type   string `json:"type"`
+		LBName string `json:"lb_name"`
+		LBPool string `json:"lb_pool"`
+	}{
+		Type:   lr.RecordType(),
+		LBName: lr.lbName,
+		LBPool: lr.lbPool,
+	}
+	return json.Marshal(&s)
+}
+
+func (lr *LBRoute) RecordType() string {
+	return "lb"
+}
+
+func (lb *LBRoute) String() string {
+	return fmt.Sprintf("%s %s %s", lb.RecordType(), lb.lbName, lb.lbPool)
+}
+
+func (lr *LBRoute) UnmarshalResult(body io.Reader) (HostnameRouteResult, error) {
+	var result LBRouteResult
+	err := parseResponse(body, &result)
+	result.route = lr
+	return &result, err
+}
+
+func (res *LBRouteResult) SuccessSummary() string {
+	var msg string
+	switch res.LoadBalancer + "," + res.Pool {
+	case "new,new":
+		msg = "Created load balancer %s and added a new pool %s with this tunnel as an origin"
+	case "new,updated":
+		msg = "Created load balancer %s with an existing pool %s which was updated to use this tunnel as an origin"
+	case "new,unchanged":
+		msg = "Created load balancer %s with an existing pool %s which already has this tunnel as an origin"
+	case "updated,new":
+		msg = "Added new pool %[2]s with this tunnel as an origin to load balancer %[1]s"
+	case "updated,updated":
+		msg = "Updated pool %[2]s to use this tunnel as an origin and added it to load balancer %[1]s"
+	case "updated,unchanged":
+		msg = "Added pool %[2]s, which already has this tunnel as an origin, to load balancer %[1]s"
+	case "unchanged,updated":
+		msg = "Added this tunnel as an origin in pool %[2]s which is already used by load balancer %[1]s"
+	case "unchanged,unchanged":
+		msg = "Load balancer %s already uses pool %s which has this tunnel as an origin"
+	case "unchanged,new":
+		// this state is not possible
+		fallthrough
+	default:
+		msg = "Something went wrong: failed to modify load balancer %s with pool %s; please check traffic manager configuration in the dashboard"
+	}
+
+	return fmt.Sprintf(msg, res.route.lbName, res.route.lbPool)
+}
+
+func (r *RESTClient) RouteTunnel(tunnelID uuid.UUID, route HostnameRoute) (HostnameRouteResult, error) {
+	endpoint := r.baseEndpoints.zoneLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/routes", tunnelID))
+	resp, err := r.sendRequest("PUT", endpoint, route)
+	if err != nil {
+		return nil, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return route.UnmarshalResult(resp.Body)
+	}
+
+	return nil, r.statusCodeToError("add route", resp)
+}

cfapi/hostname_test.go

@@ -0,0 +1,99 @@
+package cfapi
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDNSRouteUnmarshalResult(t *testing.T) {
+	route := &DNSRoute{
+		userHostname: "example.com",
+	}
+
+	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"cname": "new"}}`))
+
+	assert.NoError(t, err)
+	assert.Equal(t, &DNSRouteResult{
+		route: route,
+		CName: ChangeNew,
+	}, result)
+
+	badJSON := []string{
+		`abc`,
+		`{"success": false, "result": {"cname": "new"}}`,
+		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"cname": "new"}}`,
+		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"cname": "new"}}`,
+		`{"result": {"cname": "new"}}`,
+		`{"result": {"cname": "new"}}`,
+	}
+
+	for _, j := range badJSON {
+		_, err = route.UnmarshalResult(strings.NewReader(j))
+		assert.NotNil(t, err)
+	}
+}
+
+func TestLBRouteUnmarshalResult(t *testing.T) {
+	route := &LBRoute{
+		lbName: "lb.example.com",
+		lbPool: "pool",
+	}
+
+	result, err := route.UnmarshalResult(strings.NewReader(`{"success": true, "result": {"pool": "unchanged", "load_balancer": "updated"}}`))
+
+	assert.NoError(t, err)
+	assert.Equal(t, &LBRouteResult{
+		route:        route,
+		LoadBalancer: ChangeUpdated,
+		Pool:         ChangeUnchanged,
+	}, result)
+
+	badJSON := []string{
+		`abc`,
+		`{"success": false, "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
+		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
+		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}, {"code": 1004, "message":"Cannot use tunnel as origin for non-proxied load balancer"}], "result": {"pool": "unchanged", "load_balancer": "updated"}}`,
+		`{"result": {"pool": "unchanged", "load_balancer": "updated"}}`,
+	}
+
+	for _, j := range badJSON {
+		_, err = route.UnmarshalResult(strings.NewReader(j))
+		assert.NotNil(t, err)
+	}
+}
+
+func TestLBRouteResultSuccessSummary(t *testing.T) {
+	route := &LBRoute{
+		lbName: "lb.example.com",
+		lbPool: "POOL",
+	}
+
+	tests := []struct {
+		lb       Change
+		pool     Change
+		expected string
+	}{
+		{ChangeNew, ChangeNew, "Created load balancer lb.example.com and added a new pool POOL with this tunnel as an origin"},
+		{ChangeNew, ChangeUpdated, "Created load balancer lb.example.com with an existing pool POOL which was updated to use this tunnel as an origin"},
+		{ChangeNew, ChangeUnchanged, "Created load balancer lb.example.com with an existing pool POOL which already has this tunnel as an origin"},
+		{ChangeUpdated, ChangeNew, "Added new pool POOL with this tunnel as an origin to load balancer lb.example.com"},
+		{ChangeUpdated, ChangeUpdated, "Updated pool POOL to use this tunnel as an origin and added it to load balancer lb.example.com"},
+		{ChangeUpdated, ChangeUnchanged, "Added pool POOL, which already has this tunnel as an origin, to load balancer lb.example.com"},
+		{ChangeUnchanged, ChangeNew, "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
+		{ChangeUnchanged, ChangeUpdated, "Added this tunnel as an origin in pool POOL which is already used by load balancer lb.example.com"},
+		{ChangeUnchanged, ChangeUnchanged, "Load balancer lb.example.com already uses pool POOL which has this tunnel as an origin"},
+		{"", "", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
+		{"a", "b", "Something went wrong: failed to modify load balancer lb.example.com with pool POOL; please check traffic manager configuration in the dashboard"},
+	}
+	for i, tt := range tests {
+		res := &LBRouteResult{
+			route:        route,
+			LoadBalancer: tt.lb,
+			Pool:         tt.pool,
+		}
+		actual := res.SuccessSummary()
+		assert.Equal(t, tt.expected, actual, "case %d", i+1)
+	}
+}

cfapi/ip_route.go

@@ -0,0 +1,235 @@
+package cfapi
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"path"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+// Route is a mapping from customer's IP space to a tunnel.
+// Each route allows the customer to route eyeballs in their corporate network
+// to certain private IP ranges. Each Route represents an IP range in their
+// network, and says that eyeballs can reach that route using the corresponding
+// tunnel.
+type Route struct {
+	Network  CIDR      `json:"network"`
+	TunnelID uuid.UUID `json:"tunnel_id"`
+	// Optional field. When unset, it means the Route belongs to the default virtual network.
+	VNetID    *uuid.UUID `json:"virtual_network_id,omitempty"`
+	Comment   string     `json:"comment"`
+	CreatedAt time.Time  `json:"created_at"`
+	DeletedAt time.Time  `json:"deleted_at"`
+}
+
+// CIDR is just a newtype wrapper around net.IPNet. It adds JSON unmarshalling.
+type CIDR net.IPNet
+
+func (c CIDR) String() string {
+	n := net.IPNet(c)
+	return n.String()
+}
+
+func (c CIDR) MarshalJSON() ([]byte, error) {
+	str := c.String()
+	json, err := json.Marshal(str)
+	if err != nil {
+		return nil, errors.Wrap(err, "error serializing CIDR into JSON")
+	}
+	return json, nil
+}
+
+// UnmarshalJSON parses a JSON string into net.IPNet
+func (c *CIDR) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return errors.Wrap(err, "error parsing cidr string")
+	}
+	_, network, err := net.ParseCIDR(s)
+	if err != nil {
+		return errors.Wrap(err, "error parsing invalid network from backend")
+	}
+	if network == nil {
+		return fmt.Errorf("backend returned invalid network %s", s)
+	}
+	*c = CIDR(*network)
+	return nil
+}
+
+// NewRoute has all the parameters necessary to add a new route to the table.
+type NewRoute struct {
+	Network  net.IPNet
+	TunnelID uuid.UUID
+	Comment  string
+	// Optional field. If unset, backend will assume the default vnet for the account.
+	VNetID *uuid.UUID
+}
+
+// MarshalJSON handles fields with non-JSON types (e.g. net.IPNet).
+func (r NewRoute) MarshalJSON() ([]byte, error) {
+	return json.Marshal(&struct {
+		Network  string     `json:"network"`
+		TunnelID uuid.UUID  `json:"tunnel_id"`
+		Comment  string     `json:"comment"`
+		VNetID   *uuid.UUID `json:"virtual_network_id,omitempty"`
+	}{
+		Network:  r.Network.String(),
+		TunnelID: r.TunnelID,
+		Comment:  r.Comment,
+		VNetID:   r.VNetID,
+	})
+}
+
+// DetailedRoute is just a Route with some extra fields, e.g. TunnelName.
+type DetailedRoute struct {
+	ID       uuid.UUID `json:"id"`
+	Network  CIDR      `json:"network"`
+	TunnelID uuid.UUID `json:"tunnel_id"`
+	// Optional field. When unset, it means the DetailedRoute belongs to the default virtual network.
+	VNetID     *uuid.UUID `json:"virtual_network_id,omitempty"`
+	Comment    string     `json:"comment"`
+	CreatedAt  time.Time  `json:"created_at"`
+	DeletedAt  time.Time  `json:"deleted_at"`
+	TunnelName string     `json:"tunnel_name"`
+}
+
+// IsZero checks if DetailedRoute is the zero value.
+func (r *DetailedRoute) IsZero() bool {
+	return r.TunnelID == uuid.Nil
+}
+
+// TableString outputs a table row summarizing the route, to be used
+// when showing the user their routing table.
+func (r DetailedRoute) TableString() string {
+	deletedColumn := "-"
+	if !r.DeletedAt.IsZero() {
+		deletedColumn = r.DeletedAt.Format(time.RFC3339)
+	}
+	vnetColumn := "default"
+	if r.VNetID != nil {
+		vnetColumn = r.VNetID.String()
+	}
+
+	return fmt.Sprintf(
+		"%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t",
+		r.ID,
+		r.Network.String(),
+		vnetColumn,
+		r.Comment,
+		r.TunnelID,
+		r.TunnelName,
+		r.CreatedAt.Format(time.RFC3339),
+		deletedColumn,
+	)
+}
+
+type GetRouteByIpParams struct {
+	Ip net.IP
+	// Optional field. If unset, backend will assume the default vnet for the account.
+	VNetID *uuid.UUID
+}
+
+// ListRoutes calls the Tunnelstore GET endpoint for all routes under an account.
+// Due to pagination on the server side it will call the endpoint multiple times if needed.
+func (r *RESTClient) ListRoutes(filter *IpRouteFilter) ([]*DetailedRoute, error) {
+	fetchFn := func(page int) (*http.Response, error) {
+		endpoint := r.baseEndpoints.accountRoutes
+		filter.Page(page)
+		endpoint.RawQuery = filter.Encode()
+		rsp, err := r.sendRequest("GET", endpoint, nil)
+
+		if err != nil {
+			return nil, errors.Wrap(err, "REST request failed")
+		}
+		if rsp.StatusCode != http.StatusOK {
+			rsp.Body.Close()
+			return nil, r.statusCodeToError("list routes", rsp)
+		}
+		return rsp, nil
+	}
+	return fetchExhaustively[DetailedRoute](fetchFn)
+}
+
+// AddRoute calls the Tunnelstore POST endpoint for a given route.
+func (r *RESTClient) AddRoute(newRoute NewRoute) (Route, error) {
+	endpoint := r.baseEndpoints.accountRoutes
+	endpoint.Path = path.Join(endpoint.Path)
+	resp, err := r.sendRequest("POST", endpoint, newRoute)
+	if err != nil {
+		return Route{}, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return parseRoute(resp.Body)
+	}
+
+	return Route{}, r.statusCodeToError("add route", resp)
+}
+
+// DeleteRoute calls the Tunnelstore DELETE endpoint for a given route.
+func (r *RESTClient) DeleteRoute(id uuid.UUID) error {
+	endpoint := r.baseEndpoints.accountRoutes
+	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
+
+	resp, err := r.sendRequest("DELETE", endpoint, nil)
+	if err != nil {
+		return errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		_, err := parseRoute(resp.Body)
+		return err
+	}
+
+	return r.statusCodeToError("delete route", resp)
+}
+
+// GetByIP checks which route will proxy a given IP.
+func (r *RESTClient) GetByIP(params GetRouteByIpParams) (DetailedRoute, error) {
+	endpoint := r.baseEndpoints.accountRoutes
+	endpoint.Path = path.Join(endpoint.Path, "ip", url.PathEscape(params.Ip.String()))
+	setVnetParam(&endpoint, params.VNetID)
+
+	resp, err := r.sendRequest("GET", endpoint, nil)
+	if err != nil {
+		return DetailedRoute{}, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return parseDetailedRoute(resp.Body)
+	}
+
+	return DetailedRoute{}, r.statusCodeToError("get route by IP", resp)
+}
+
+func parseRoute(body io.ReadCloser) (Route, error) {
+	var route Route
+	err := parseResponse(body, &route)
+	return route, err
+}
+
+func parseDetailedRoute(body io.ReadCloser) (DetailedRoute, error) {
+	var route DetailedRoute
+	err := parseResponse(body, &route)
+	return route, err
+}
+
+// setVnetParam overwrites the URL's query parameters with a query param to scope the HostnameRoute action to a certain
+// virtual network (if one is provided).
+func setVnetParam(endpoint *url.URL, vnetID *uuid.UUID) {
+	queryParams := url.Values{}
+	if vnetID != nil {
+		queryParams.Set("virtual_network_id", vnetID.String())
+	}
+	endpoint.RawQuery = queryParams.Encode()
+}

cfapi/ip_route_filter.go

@@ -0,0 +1,176 @@
+package cfapi
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli/v2"
+)
+
+var (
+	filterIpRouteDeleted = cli.BoolFlag{
+		Name:  "filter-is-deleted",
+		Usage: "If false (default), only show non-deleted routes. If true, only show deleted routes.",
+	}
+	filterIpRouteTunnelID = cli.StringFlag{
+		Name:  "filter-tunnel-id",
+		Usage: "Show only routes with the given tunnel ID.",
+	}
+	filterSubsetIpRoute = cli.StringFlag{
+		Name:    "filter-network-is-subset-of",
+		Aliases: []string{"nsub"},
+		Usage:   "Show only routes whose network is a subset of the given network.",
+	}
+	filterSupersetIpRoute = cli.StringFlag{
+		Name:    "filter-network-is-superset-of",
+		Aliases: []string{"nsup"},
+		Usage:   "Show only routes whose network is a superset of the given network.",
+	}
+	filterIpRouteComment = cli.StringFlag{
+		Name:  "filter-comment-is",
+		Usage: "Show only routes with this comment.",
+	}
+	filterIpRouteByVnet = cli.StringFlag{
+		Name:  "filter-vnet-id",
+		Usage: "Show only routes that are attached to the given virtual network ID.",
+	}
+
+	// Flags contains all filter flags.
+	IpRouteFilterFlags = []cli.Flag{
+		&filterIpRouteDeleted,
+		&filterIpRouteTunnelID,
+		&filterSubsetIpRoute,
+		&filterSupersetIpRoute,
+		&filterIpRouteComment,
+		&filterIpRouteByVnet,
+	}
+)
+
+// IpRouteFilter which routes get queried.
+type IpRouteFilter struct {
+	queryParams url.Values
+}
+
+// NewIpRouteFilterFromCLI parses CLI flags to discover which filters should get applied.
+func NewIpRouteFilterFromCLI(c *cli.Context) (*IpRouteFilter, error) {
+	f := NewIPRouteFilter()
+
+	// Set deletion filter
+	if flag := filterIpRouteDeleted.Name; c.IsSet(flag) && c.Bool(flag) {
+		f.Deleted()
+	} else {
+		f.NotDeleted()
+	}
+
+	if subset, err := cidrFromFlag(c, filterSubsetIpRoute); err != nil {
+		return nil, err
+	} else if subset != nil {
+		f.NetworkIsSupersetOf(*subset)
+	}
+
+	if superset, err := cidrFromFlag(c, filterSupersetIpRoute); err != nil {
+		return nil, err
+	} else if superset != nil {
+		f.NetworkIsSupersetOf(*superset)
+	}
+
+	if comment := c.String(filterIpRouteComment.Name); comment != "" {
+		f.CommentIs(comment)
+	}
+
+	if tunnelID := c.String(filterIpRouteTunnelID.Name); tunnelID != "" {
+		u, err := uuid.Parse(tunnelID)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteTunnelID.Name)
+		}
+		f.TunnelID(u)
+	}
+
+	if vnetId := c.String(filterIpRouteByVnet.Name); vnetId != "" {
+		u, err := uuid.Parse(vnetId)
+		if err != nil {
+			return nil, errors.Wrapf(err, "Couldn't parse UUID from %s", filterIpRouteByVnet.Name)
+		}
+		f.VNetID(u)
+	}
+
+	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
+		f.MaxFetchSize(uint(maxFetch))
+	}
+
+	return f, nil
+}
+
+// Parses a CIDR from the flag. If the flag was unset, returns (nil, nil).
+func cidrFromFlag(c *cli.Context, flag cli.StringFlag) (*net.IPNet, error) {
+	if !c.IsSet(flag.Name) {
+		return nil, nil
+	}
+
+	_, subset, err := net.ParseCIDR(c.String(flag.Name))
+	if err != nil {
+		return nil, err
+	} else if subset == nil {
+		return nil, fmt.Errorf("Invalid CIDR supplied for %s", flag.Name)
+	}
+
+	return subset, nil
+}
+
+func NewIPRouteFilter() *IpRouteFilter {
+	values := &IpRouteFilter{queryParams: url.Values{}}
+
+	// always list cfd_tunnel routes only
+	values.queryParams.Set("tun_types", "cfd_tunnel")
+
+	return values
+}
+
+func (f *IpRouteFilter) CommentIs(comment string) {
+	f.queryParams.Set("comment", comment)
+}
+
+func (f *IpRouteFilter) NotDeleted() {
+	f.queryParams.Set("is_deleted", "false")
+}
+
+func (f *IpRouteFilter) Deleted() {
+	f.queryParams.Set("is_deleted", "true")
+}
+
+func (f *IpRouteFilter) NetworkIsSubsetOf(superset net.IPNet) {
+	f.queryParams.Set("network_subset", superset.String())
+}
+
+func (f *IpRouteFilter) NetworkIsSupersetOf(subset net.IPNet) {
+	f.queryParams.Set("network_superset", subset.String())
+}
+
+func (f *IpRouteFilter) ExistedAt(existedAt time.Time) {
+	f.queryParams.Set("existed_at", existedAt.Format(time.RFC3339))
+}
+
+func (f *IpRouteFilter) TunnelID(id uuid.UUID) {
+	f.queryParams.Set("tunnel_id", id.String())
+}
+
+func (f *IpRouteFilter) VNetID(id uuid.UUID) {
+	f.queryParams.Set("virtual_network_id", id.String())
+}
+
+func (f *IpRouteFilter) MaxFetchSize(max uint) {
+	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
+}
+
+func (f *IpRouteFilter) Page(page int) {
+	f.queryParams.Set("page", strconv.Itoa(page))
+}
+
+func (f IpRouteFilter) Encode() string {
+	return f.queryParams.Encode()
+}

cfapi/ip_route_test.go

@@ -0,0 +1,178 @@
+package cfapi
+
+import (
+	"encoding/json"
+	"fmt"
+	"net"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUnmarshalRoute(t *testing.T) {
+	testCases := []struct {
+		Json    string
+		HasVnet bool
+	}{
+		{
+			`{
+				"network":"10.1.2.40/29",
+				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
+				"comment":"test",
+				"created_at":"2020-12-22T02:00:15.587008Z",
+				"deleted_at":null
+			}`,
+			false,
+		},
+		{
+			`{
+				"network":"10.1.2.40/29",
+				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
+				"comment":"test",
+				"created_at":"2020-12-22T02:00:15.587008Z",
+				"deleted_at":null,
+				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9"
+			}`,
+			true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		data := testCase.Json
+
+		var r Route
+		err := json.Unmarshal([]byte(data), &r)
+
+		// Check everything worked
+		require.NoError(t, err)
+		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
+		require.Equal(t, "test", r.Comment)
+		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
+		require.NoError(t, err)
+		require.Equal(t, CIDR(*cidr), r.Network)
+		require.Equal(t, "test", r.Comment)
+
+		if testCase.HasVnet {
+			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
+		} else {
+			require.Nil(t, r.VNetID)
+		}
+	}
+}
+
+func TestDetailedRouteJsonRoundtrip(t *testing.T) {
+	testCases := []struct {
+		Json    string
+		HasVnet bool
+	}{
+		{
+			`{
+				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
+				"network":"10.1.2.40/29",
+				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
+				"comment":"test",
+				"created_at":"2020-12-22T02:00:15.587008Z",
+				"deleted_at":"2021-01-14T05:01:42.183002Z",
+				"tunnel_name":"Mr. Tun"
+			}`,
+			false,
+		},
+		{
+			`{
+				"id":"91ebc578-cc99-4641-9937-0fb630505fa0",
+				"network":"10.1.2.40/29",
+				"tunnel_id":"fba6ffea-807f-4e7a-a740-4184ee1b82c8",
+				"virtual_network_id":"38c95083-8191-4110-8339-3f438d44fdb9",
+				"comment":"test",
+				"created_at":"2020-12-22T02:00:15.587008Z",
+				"deleted_at":"2021-01-14T05:01:42.183002Z",
+				"tunnel_name":"Mr. Tun"
+			}`,
+			true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		data := testCase.Json
+
+		var r DetailedRoute
+		err := json.Unmarshal([]byte(data), &r)
+
+		// Check everything worked
+		require.NoError(t, err)
+		require.Equal(t, uuid.MustParse("fba6ffea-807f-4e7a-a740-4184ee1b82c8"), r.TunnelID)
+		require.Equal(t, "test", r.Comment)
+		_, cidr, err := net.ParseCIDR("10.1.2.40/29")
+		require.NoError(t, err)
+		require.Equal(t, CIDR(*cidr), r.Network)
+		require.Equal(t, "test", r.Comment)
+		require.Equal(t, "Mr. Tun", r.TunnelName)
+
+		if testCase.HasVnet {
+			require.Equal(t, uuid.MustParse("38c95083-8191-4110-8339-3f438d44fdb9"), *r.VNetID)
+		} else {
+			require.Nil(t, r.VNetID)
+		}
+
+		bytes, err := json.Marshal(r)
+		require.NoError(t, err)
+		obtainedJson := string(bytes)
+		data = strings.Replace(data, "\t", "", -1)
+		data = strings.Replace(data, "\n", "", -1)
+		require.Equal(t, data, obtainedJson)
+	}
+}
+
+func TestMarshalNewRoute(t *testing.T) {
+	_, network, err := net.ParseCIDR("1.2.3.4/32")
+	require.NoError(t, err)
+	require.NotNil(t, network)
+	vnetId := uuid.New()
+
+	newRoutes := []NewRoute{
+		{
+			Network:  *network,
+			TunnelID: uuid.New(),
+			Comment:  "hi",
+		},
+		{
+			Network:  *network,
+			TunnelID: uuid.New(),
+			Comment:  "hi",
+			VNetID:   &vnetId,
+		},
+	}
+
+	for _, newRoute := range newRoutes {
+		// Test where receiver is struct
+		serialized, err := json.Marshal(newRoute)
+		require.NoError(t, err)
+		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
+
+		// Test where receiver is pointer to struct
+		serialized, err = json.Marshal(&newRoute)
+		require.NoError(t, err)
+		require.True(t, strings.Contains(string(serialized), "tunnel_id"))
+
+		if newRoute.VNetID == nil {
+			require.False(t, strings.Contains(string(serialized), "virtual_network_id"))
+		} else {
+			require.True(t, strings.Contains(string(serialized), "virtual_network_id"))
+		}
+	}
+}
+
+func TestRouteTableString(t *testing.T) {
+	_, network, err := net.ParseCIDR("1.2.3.4/32")
+	require.NoError(t, err)
+	require.NotNil(t, network)
+	r := DetailedRoute{
+		ID:      uuid.Nil,
+		Network: CIDR(*network),
+	}
+	row := r.TableString()
+	fmt.Println(row)
+	require.True(t, strings.HasPrefix(row, "00000000-0000-0000-0000-000000000000\t1.2.3.4/32"))
+}

cfapi/tunnel.go

@@ -0,0 +1,237 @@
+package cfapi
+
+import (
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"path"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
+
+type Tunnel struct {
+	ID          uuid.UUID    `json:"id"`
+	Name        string       `json:"name"`
+	CreatedAt   time.Time    `json:"created_at"`
+	DeletedAt   time.Time    `json:"deleted_at"`
+	Connections []Connection `json:"connections"`
+}
+
+type TunnelWithToken struct {
+	Tunnel
+	Token string `json:"token"`
+}
+
+type Connection struct {
+	ColoName           string    `json:"colo_name"`
+	ID                 uuid.UUID `json:"id"`
+	IsPendingReconnect bool      `json:"is_pending_reconnect"`
+	OriginIP           net.IP    `json:"origin_ip"`
+	OpenedAt           time.Time `json:"opened_at"`
+}
+
+type ActiveClient struct {
+	ID          uuid.UUID    `json:"id"`
+	Features    []string     `json:"features"`
+	Version     string       `json:"version"`
+	Arch        string       `json:"arch"`
+	RunAt       time.Time    `json:"run_at"`
+	Connections []Connection `json:"conns"`
+}
+
+type newTunnel struct {
+	Name         string `json:"name"`
+	TunnelSecret []byte `json:"tunnel_secret"`
+}
+
+type managementRequest struct {
+	Resources []string `json:"resources"`
+}
+
+type CleanupParams struct {
+	queryParams url.Values
+}
+
+func NewCleanupParams() *CleanupParams {
+	return &CleanupParams{
+		queryParams: url.Values{},
+	}
+}
+
+func (cp *CleanupParams) ForClient(clientID uuid.UUID) {
+	cp.queryParams.Set("client_id", clientID.String())
+}
+
+func (cp CleanupParams) encode() string {
+	return cp.queryParams.Encode()
+}
+
+func (r *RESTClient) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) {
+	if name == "" {
+		return nil, errors.New("tunnel name required")
+	}
+	if _, err := uuid.Parse(name); err == nil {
+		return nil, errors.New("you cannot use UUIDs as tunnel names")
+	}
+	body := &newTunnel{
+		Name:         name,
+		TunnelSecret: tunnelSecret,
+	}
+
+	resp, err := r.sendRequest("POST", r.baseEndpoints.accountLevel, body)
+	if err != nil {
+		return nil, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case http.StatusOK:
+		var tunnel TunnelWithToken
+		if serdeErr := parseResponse(resp.Body, &tunnel); serdeErr != nil {
+			return nil, serdeErr
+		}
+		return &tunnel, nil
+	case http.StatusConflict:
+		return nil, ErrTunnelNameConflict
+	}
+
+	return nil, r.statusCodeToError("create tunnel", resp)
+}
+
+func (r *RESTClient) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
+	resp, err := r.sendRequest("GET", endpoint, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return unmarshalTunnel(resp.Body)
+	}
+
+	return nil, r.statusCodeToError("get tunnel", resp)
+}
+
+func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error) {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/token", tunnelID))
+	resp, err := r.sendRequest("GET", endpoint, nil)
+	if err != nil {
+		return "", errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		err = parseResponse(resp.Body, &token)
+		return token, err
+	}
+
+	return "", r.statusCodeToError("get tunnel token", resp)
+}
+
+func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
+
+	body := &managementRequest{
+		Resources: []string{"logs"},
+	}
+
+	resp, err := r.sendRequest("POST", endpoint, body)
+	if err != nil {
+		return "", errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		err = parseResponse(resp.Body, &token)
+		return token, err
+	}
+
+	return "", r.statusCodeToError("get tunnel token", resp)
+}
+
+func (r *RESTClient) DeleteTunnel(tunnelID uuid.UUID, cascade bool) error {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v", tunnelID))
+	// Cascade will delete all tunnel dependencies (connections, routes, etc.) that
+	// are linked to the deleted tunnel.
+	if cascade {
+		endpoint.RawQuery = "cascade=true"
+	}
+	resp, err := r.sendRequest("DELETE", endpoint, nil)
+	if err != nil {
+		return errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	return r.statusCodeToError("delete tunnel", resp)
+}
+
+func (r *RESTClient) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) {
+	fetchFn := func(page int) (*http.Response, error) {
+		endpoint := r.baseEndpoints.accountLevel
+		filter.Page(page)
+		endpoint.RawQuery = filter.encode()
+		rsp, err := r.sendRequest("GET", endpoint, nil)
+		if err != nil {
+			return nil, errors.Wrap(err, "REST request failed")
+		}
+		if rsp.StatusCode != http.StatusOK {
+			rsp.Body.Close()
+			return nil, r.statusCodeToError("list tunnels", rsp)
+		}
+		return rsp, nil
+	}
+
+	return fetchExhaustively[Tunnel](fetchFn)
+}
+
+func (r *RESTClient) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
+	resp, err := r.sendRequest("GET", endpoint, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return parseConnectionsDetails(resp.Body)
+	}
+
+	return nil, r.statusCodeToError("list connection details", resp)
+}
+
+func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
+	var clients []*ActiveClient
+	err := parseResponse(reader, &clients)
+	return clients, err
+}
+
+func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
+	endpoint := r.baseEndpoints.accountLevel
+	endpoint.RawQuery = params.encode()
+	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
+	resp, err := r.sendRequest("DELETE", endpoint, nil)
+	if err != nil {
+		return errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	return r.statusCodeToError("cleanup connections", resp)
+}
+
+func unmarshalTunnel(reader io.Reader) (*Tunnel, error) {
+	var tunnel Tunnel
+	err := parseResponse(reader, &tunnel)
+	return &tunnel, err
+}

cfapi/tunnel_filter.go

@@ -0,0 +1,59 @@
+package cfapi
+
+import (
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const (
+	TimeLayout = time.RFC3339
+)
+
+type TunnelFilter struct {
+	queryParams url.Values
+}
+
+func NewTunnelFilter() *TunnelFilter {
+	return &TunnelFilter{
+		queryParams: url.Values{},
+	}
+}
+
+func (f *TunnelFilter) ByName(name string) {
+	f.queryParams.Set("name", name)
+}
+
+func (f *TunnelFilter) ByNamePrefix(namePrefix string) {
+	f.queryParams.Set("name_prefix", namePrefix)
+}
+
+func (f *TunnelFilter) ExcludeNameWithPrefix(excludePrefix string) {
+	f.queryParams.Set("exclude_prefix", excludePrefix)
+}
+
+func (f *TunnelFilter) NoDeleted() {
+	f.queryParams.Set("is_deleted", "false")
+}
+
+func (f *TunnelFilter) ByExistedAt(existedAt time.Time) {
+	f.queryParams.Set("existed_at", existedAt.Format(TimeLayout))
+}
+
+func (f *TunnelFilter) ByTunnelID(tunnelID uuid.UUID) {
+	f.queryParams.Set("uuid", tunnelID.String())
+}
+
+func (f *TunnelFilter) MaxFetchSize(max uint) {
+	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
+}
+
+func (f *TunnelFilter) Page(page int) {
+	f.queryParams.Set("page", strconv.Itoa(page))
+}
+
+func (f TunnelFilter) encode() string {
+	return f.queryParams.Encode()
+}

cfapi/tunnel_test.go

@@ -0,0 +1,102 @@
+package cfapi
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+var loc, _ = time.LoadLocation("UTC")
+
+func Test_unmarshalTunnel(t *testing.T) {
+	type args struct {
+		body string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *Tunnel
+		wantErr bool
+	}{
+		{
+			name: "empty list",
+			args: args{body: `{"success": true, "result": {"id":"b34cc7ce-925b-46ee-bc23-4cb5c18d8292","created_at":"2021-07-29T13:46:14.090955Z","deleted_at":"2021-07-29T14:07:27.559047Z","name":"qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV","account_id":6946212,"account_tag":"5ab4e9dfbd435d24068829fda0077963","conns_active_at":null,"conns_inactive_at":"2021-07-29T13:47:22.548482Z","tun_type":"cfd_tunnel","metadata":{"qtid":"a6fJROgkXutNruBGaJjD"}}}`},
+			want: &Tunnel{
+				ID:          uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292"),
+				Name:        "qt-bIWWN7D662ogh61pCPfu5s2XgqFY1OyV",
+				CreatedAt:   time.Date(2021, 07, 29, 13, 46, 14, 90955000, loc),
+				DeletedAt:   time.Date(2021, 07, 29, 14, 7, 27, 559047000, loc),
+				Connections: nil,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := unmarshalTunnel(strings.NewReader(tt.args.body))
+			if (err != nil) != tt.wantErr {
+				t.Errorf("unmarshalTunnel() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("unmarshalTunnel() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestUnmarshalTunnelOk(t *testing.T) {
+
+	jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
+	expected := Tunnel{
+		ID:          uuid.Nil,
+		Name:        "test",
+		CreatedAt:   time.Time{},
+		Connections: []Connection{},
+	}
+	actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
+	assert.NoError(t, err)
+	assert.Equal(t, &expected, actual)
+}
+
+func TestUnmarshalTunnelErr(t *testing.T) {
+
+	tests := []string{
+		`abc`,
+		`{"success": true, "result": abc}`,
+		`{"success": false, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
+		`{"errors": [{"code": 1003, "message":"An A, AAAA or CNAME record already exists with that host"}], "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}}`,
+	}
+
+	for i, test := range tests {
+		_, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
+		assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
+	}
+}
+
+func TestUnmarshalConnections(t *testing.T) {
+	jsonBody := `{"success":true,"messages":[],"errors":[],"result":[{"id":"d4041254-91e3-4deb-bd94-b46e11680b1e","features":["ha-origin"],"version":"2021.2.5","arch":"darwin_amd64","conns":[{"colo_name":"LIS","id":"ac2286e5-c708-4588-a6a0-ba6b51940019","is_pending_reconnect":false,"origin_ip":"148.38.28.2","opened_at":"0001-01-01T00:00:00Z"}],"run_at":"0001-01-01T00:00:00Z"}]}`
+	expected := ActiveClient{
+		ID:       uuid.MustParse("d4041254-91e3-4deb-bd94-b46e11680b1e"),
+		Features: []string{"ha-origin"},
+		Version:  "2021.2.5",
+		Arch:     "darwin_amd64",
+		RunAt:    time.Time{},
+		Connections: []Connection{{
+			ID:                 uuid.MustParse("ac2286e5-c708-4588-a6a0-ba6b51940019"),
+			ColoName:           "LIS",
+			IsPendingReconnect: false,
+			OriginIP:           net.ParseIP("148.38.28.2"),
+			OpenedAt:           time.Time{},
+		}},
+	}
+	actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
+	assert.NoError(t, err)
+	assert.Equal(t, []*ActiveClient{&expected}, actual)
+}

cfapi/virtual_network.go

@@ -0,0 +1,134 @@
+package cfapi
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"path"
+	"strconv"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+type NewVirtualNetwork struct {
+	Name      string `json:"name"`
+	Comment   string `json:"comment"`
+	IsDefault bool   `json:"is_default"`
+}
+
+type VirtualNetwork struct {
+	ID        uuid.UUID `json:"id"`
+	Comment   string    `json:"comment"`
+	Name      string    `json:"name"`
+	IsDefault bool      `json:"is_default_network"`
+	CreatedAt time.Time `json:"created_at"`
+	DeletedAt time.Time `json:"deleted_at"`
+}
+
+type UpdateVirtualNetwork struct {
+	Name      *string `json:"name,omitempty"`
+	Comment   *string `json:"comment,omitempty"`
+	IsDefault *bool   `json:"is_default_network,omitempty"`
+}
+
+func (virtualNetwork VirtualNetwork) TableString() string {
+	deletedColumn := "-"
+	if !virtualNetwork.DeletedAt.IsZero() {
+		deletedColumn = virtualNetwork.DeletedAt.Format(time.RFC3339)
+	}
+	return fmt.Sprintf(
+		"%s\t%s\t%s\t%s\t%s\t%s\t",
+		virtualNetwork.ID,
+		virtualNetwork.Name,
+		strconv.FormatBool(virtualNetwork.IsDefault),
+		virtualNetwork.Comment,
+		virtualNetwork.CreatedAt.Format(time.RFC3339),
+		deletedColumn,
+	)
+}
+
+func (r *RESTClient) CreateVirtualNetwork(newVnet NewVirtualNetwork) (VirtualNetwork, error) {
+	resp, err := r.sendRequest("POST", r.baseEndpoints.accountVnets, newVnet)
+	if err != nil {
+		return VirtualNetwork{}, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return parseVnet(resp.Body)
+	}
+
+	return VirtualNetwork{}, r.statusCodeToError("add virtual network", resp)
+}
+
+func (r *RESTClient) ListVirtualNetworks(filter *VnetFilter) ([]*VirtualNetwork, error) {
+	endpoint := r.baseEndpoints.accountVnets
+	endpoint.RawQuery = filter.Encode()
+	resp, err := r.sendRequest("GET", endpoint, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		return parseListVnets(resp.Body)
+	}
+
+	return nil, r.statusCodeToError("list virtual networks", resp)
+}
+
+func (r *RESTClient) DeleteVirtualNetwork(id uuid.UUID, force bool) error {
+	endpoint := r.baseEndpoints.accountVnets
+	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
+
+	queryParams := url.Values{}
+	if force {
+		queryParams.Set("force", strconv.FormatBool(force))
+	}
+	endpoint.RawQuery = queryParams.Encode()
+
+	resp, err := r.sendRequest("DELETE", endpoint, nil)
+	if err != nil {
+		return errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		_, err := parseVnet(resp.Body)
+		return err
+	}
+
+	return r.statusCodeToError("delete virtual network", resp)
+}
+
+func (r *RESTClient) UpdateVirtualNetwork(id uuid.UUID, updates UpdateVirtualNetwork) error {
+	endpoint := r.baseEndpoints.accountVnets
+	endpoint.Path = path.Join(endpoint.Path, url.PathEscape(id.String()))
+	resp, err := r.sendRequest("PATCH", endpoint, updates)
+	if err != nil {
+		return errors.Wrap(err, "REST request failed")
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode == http.StatusOK {
+		_, err := parseVnet(resp.Body)
+		return err
+	}
+
+	return r.statusCodeToError("update virtual network", resp)
+}
+
+func parseListVnets(body io.ReadCloser) ([]*VirtualNetwork, error) {
+	var vnets []*VirtualNetwork
+	err := parseResponse(body, &vnets)
+	return vnets, err
+}
+
+func parseVnet(body io.ReadCloser) (VirtualNetwork, error) {
+	var vnet VirtualNetwork
+	err := parseResponse(body, &vnet)
+	return vnet, err
+}

cfapi/virtual_network_filter.go

@@ -0,0 +1,99 @@
+package cfapi
+
+import (
+	"net/url"
+	"strconv"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli/v2"
+)
+
+var (
+	filterVnetId = cli.StringFlag{
+		Name:  "id",
+		Usage: "List virtual networks with the given `ID`",
+	}
+	filterVnetByName = cli.StringFlag{
+		Name:  "name",
+		Usage: "List virtual networks with the given `NAME`",
+	}
+	filterDefaultVnet = cli.BoolFlag{
+		Name:  "is-default",
+		Usage: "If true, lists the virtual network that is the default one. If false, lists all non-default virtual networks for the account. If absent, all are included in the results regardless of their default status.",
+	}
+	filterDeletedVnet = cli.BoolFlag{
+		Name:  "show-deleted",
+		Usage: "If false (default), only show non-deleted virtual networks. If true, only show deleted virtual networks.",
+	}
+	VnetFilterFlags = []cli.Flag{
+		&filterVnetId,
+		&filterVnetByName,
+		&filterDefaultVnet,
+		&filterDeletedVnet,
+	}
+)
+
+// VnetFilter which virtual networks get queried.
+type VnetFilter struct {
+	queryParams url.Values
+}
+
+func NewVnetFilter() *VnetFilter {
+	return &VnetFilter{
+		queryParams: url.Values{},
+	}
+}
+
+func (f *VnetFilter) ById(vnetId uuid.UUID) {
+	f.queryParams.Set("id", vnetId.String())
+}
+
+func (f *VnetFilter) ByName(name string) {
+	f.queryParams.Set("name", name)
+}
+
+func (f *VnetFilter) ByDefaultStatus(isDefault bool) {
+	f.queryParams.Set("is_default", strconv.FormatBool(isDefault))
+}
+
+func (f *VnetFilter) WithDeleted(isDeleted bool) {
+	f.queryParams.Set("is_deleted", strconv.FormatBool(isDeleted))
+}
+
+func (f *VnetFilter) MaxFetchSize(max uint) {
+	f.queryParams.Set("per_page", strconv.Itoa(int(max)))
+}
+
+func (f VnetFilter) Encode() string {
+	return f.queryParams.Encode()
+}
+
+// NewFromCLI parses CLI flags to discover which filters should get applied to list virtual networks.
+func NewFromCLI(c *cli.Context) (*VnetFilter, error) {
+	f := NewVnetFilter()
+
+	if id := c.String("id"); id != "" {
+		vnetId, err := uuid.Parse(id)
+		if err != nil {
+			return nil, errors.Wrapf(err, "%s is not a valid virtual network ID", id)
+		}
+		f.ById(vnetId)
+	}
+
+	if name := c.String("name"); name != "" {
+		f.ByName(name)
+	}
+
+	if c.IsSet("is-default") {
+		f.ByDefaultStatus(c.Bool("is-default"))
+	}
+
+	f.WithDeleted(c.Bool("show-deleted"))
+
+	if maxFetch := c.Int("max-fetch-size"); maxFetch > 0 {
+		f.MaxFetchSize(uint(maxFetch))
+	}
+
+	return f, nil
+}

cfapi/virtual_network_test.go

@@ -0,0 +1,79 @@
+package cfapi
+
+import (
+	"encoding/json"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+)
+
+func TestVirtualNetworkJsonRoundtrip(t *testing.T) {
+	data := `{
+		"id":"74fce949-351b-4752-b261-81a56cfd3130",
+		"comment":"New York DC1",
+		"name":"us-east-1",
+		"is_default_network":true,
+		"created_at":"2021-11-26T14:40:02.600673Z",
+		"deleted_at":"2021-12-01T10:23:13.102645Z"
+	}`
+	var v VirtualNetwork
+	err := json.Unmarshal([]byte(data), &v)
+
+	require.NoError(t, err)
+	require.Equal(t, uuid.MustParse("74fce949-351b-4752-b261-81a56cfd3130"), v.ID)
+	require.Equal(t, "us-east-1", v.Name)
+	require.Equal(t, "New York DC1", v.Comment)
+	require.Equal(t, true, v.IsDefault)
+
+	bytes, err := json.Marshal(v)
+	require.NoError(t, err)
+	obtainedJson := string(bytes)
+	data = strings.Replace(data, "\t", "", -1)
+	data = strings.Replace(data, "\n", "", -1)
+	require.Equal(t, data, obtainedJson)
+}
+
+func TestMarshalNewVnet(t *testing.T) {
+	newVnet := NewVirtualNetwork{
+		Name:      "eu-west-1",
+		Comment:   "London office",
+		IsDefault: true,
+	}
+
+	serialized, err := json.Marshal(newVnet)
+	require.NoError(t, err)
+	require.True(t, strings.Contains(string(serialized), newVnet.Name))
+}
+
+func TestMarshalUpdateVnet(t *testing.T) {
+	newName := "bulgaria-1"
+	updates := UpdateVirtualNetwork{
+		Name: &newName,
+	}
+
+	// Test where receiver is struct
+	serialized, err := json.Marshal(updates)
+	require.NoError(t, err)
+	require.True(t, strings.Contains(string(serialized), newName))
+}
+
+func TestVnetTableString(t *testing.T) {
+	virtualNet := VirtualNetwork{
+		ID:        uuid.New(),
+		Name:      "us-east-1",
+		Comment:   "New York DC1",
+		IsDefault: true,
+		CreatedAt: time.Now(),
+		DeletedAt: time.Time{},
+	}
+
+	row := virtualNet.TableString()
+	require.True(t, strings.HasPrefix(row, virtualNet.ID.String()))
+	require.True(t, strings.Contains(row, virtualNet.Name))
+	require.True(t, strings.Contains(row, virtualNet.Comment))
+	require.True(t, strings.Contains(row, "true"))
+	require.True(t, strings.HasSuffix(row, "-\t"))
+}

cfio/copy.go

@@ -0,0 +1,27 @@
+package cfio
+
+import (
+	"io"
+	"sync"
+)
+
+const defaultBufferSize = 16 * 1024
+
+var bufferPool = sync.Pool{
+	New: func() interface{} {
+		return make([]byte, defaultBufferSize)
+	},
+}
+
+func Copy(dst io.Writer, src io.Reader) (written int64, err error) {
+	_, okWriteTo := src.(io.WriterTo)
+	_, okReadFrom := dst.(io.ReaderFrom)
+	var buffer []byte = nil
+
+	if !(okWriteTo || okReadFrom) {
+		buffer = bufferPool.Get().([]byte)
+		defer bufferPool.Put(buffer)
+	}
+
+	return io.CopyBuffer(dst, src, buffer)
+}

cfsetup.yaml

@@ -1,280 +1,253 @@
-pinned_go: &pinned_go go=1.15.6-1
+pinned_go: &pinned_go go-boring=1.21.5-1
+
 build_dir: &build_dir /cfsetup_build
-default-flavor: buster
-stretch: &stretch
+default-flavor: bullseye
+buster: &buster
   build:
+    build_dir: *build_dir
+    builddeps: &build_deps
+      - *pinned_go
+      - build-essential
+      - gotest-to-teamcity
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - libffi-dev
+      - reprepro
+      - createrepo
+    pre-cache: &build_pre_cache
+      - export GOCACHE=/cfsetup_build/.cache/go-build
+      - go install golang.org/x/tools/cmd/goimports@latest
+    post-cache:
+      # TODO: TUN-8126 this is temporary to make sure packages can be built before release
+      - ./build-packages.sh
+      # Build binary for component test
+      - GOOS=linux GOARCH=amd64 make cloudflared
+  build-fips:
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
+    post-cache:
+      - export FIPS=true
+      # TODO: TUN-8126 this is temporary to make sure packages can be built before release
+      - ./build-packages-fips.sh
+      # Build binary for component test
+      - GOOS=linux GOARCH=amd64 make cloudflared
+  cover: 
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
+    post-cache: 
+     - make cover
+  # except FIPS (handled in github-fips-release-pkgs) and macos (handled in github-release-macos-amd64)
+  github-release-pkgs:
     build_dir: *build_dir
     builddeps:
       - *pinned_go
       - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - wget
+      # libmsi and libgcab are libraries the wixl binary depends on.
+      - libmsi-dev
+      - libgcab-dev
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - reprepro
+      - createrepo
+    pre-cache: &github_release_pkgs_pre_cache
+      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
+      - chmod a+x /usr/local/bin/wixl
+      - pip3 install pynacl==1.4.0
+      - pip3 install pygithub==1.55
+      - pip3 install boto3==1.22.9
+      - pip3 install python-gnupg==0.4.9
     post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make cloudflared
-  build-deb:
+      # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
+      - ./build-packages.sh
+      # release the packages built and moved to /cfsetup/built_artifacts
+      - make github-release-built-pkgs
+      # publish packages to linux repos
+      - make release-pkgs-linux
+  # handle FIPS separately so that we built with gofips compiler
+  github-fips-release-pkgs:
     build_dir: *build_dir
     builddeps:
       - *pinned_go
       - build-essential
       - fakeroot
       - rubygem-fpm
+      - rpm
+      - wget
+      # libmsi and libgcab are libraries the wixl binary depends on.
+      - libmsi-dev
+      - libgcab-dev
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+    pre-cache: *github_release_pkgs_pre_cache
+    post-cache:
+      # same logic as above, but for FIPS packages only
+      - ./build-packages-fips.sh
+      - make github-release-built-pkgs
+  generate-versions-file:
+    build_dir: *build_dir
+    builddeps: 
+      - *pinned_go
+      - build-essential
+    post-cache:
+      - make generate-docker-version
+  build-deb:
+    build_dir: *build_dir
+    builddeps: &build_deb_deps
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
     post-cache:
       - export GOOS=linux
       - export GOARCH=amd64
       - make cloudflared-deb
+  build-fips-internal-deb:
+    build_dir: *build_dir
+    builddeps: &build_fips_deb_deps
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export FIPS=true
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
+  build-internal-deb-nightly-amd64:
+    build_dir: *build_dir
+    builddeps: *build_fips_deb_deps
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export NIGHTLY=true
+      - export FIPS=true
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
+  build-internal-deb-nightly-arm64:
+    build_dir: *build_dir
+    builddeps: *build_fips_deb_deps
+    post-cache:
+      - export GOOS=linux
+      - export GOARCH=arm64
+      - export NIGHTLY=true
+      #- export FIPS=true # TUN-7595
+      - export ORIGINAL_NAME=true
+      - make cloudflared-deb
   build-deb-arm64:
     build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
+    builddeps: *build_deb_deps
     post-cache:
       - export GOOS=linux
       - export GOARCH=arm64
       - make cloudflared-deb
-  publish-deb:
+  github-release-macos-amd64:
     build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - openssh-client
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make publish-deb
-  release-linux-amd64:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make release
-  github-release-linux-amd64:
-    build_dir: *build_dir
-    builddeps:
+    builddeps: &build_pygithub
       - *pinned_go
       - build-essential
+      - python3-dev
+      - libffi-dev
       - python3-setuptools
       - python3-pip
     pre-cache: &install_pygithub
-      - pip3 install pygithub
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make github-release
-  release-linux-armv6:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - crossbuild-essential-armhf
-      - gcc-arm-linux-gnueabihf
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm
-      - export CC=arm-linux-gnueabihf-gcc
-      - make release
-  github-release-linux-armv6:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - crossbuild-essential-armhf
-      - gcc-arm-linux-gnueabihf
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm
-      - export CC=arm-linux-gnueabihf-gcc
-      - make github-release
-  release-linux-386:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-multilib
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=386
-      - make release
-  github-release-linux-386:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-multilib
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=386
-      - make github-release
-  release-windows-amd64:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-mingw-w64
-    post-cache:
-      - export GOOS=windows
-      - export GOARCH=amd64
-      - export CC=x86_64-w64-mingw32-gcc
-      - make release
-  github-release-windows-amd64:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-mingw-w64
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
-    post-cache:
-      - export GOOS=windows
-      - export GOARCH=amd64
-      - export CC=x86_64-w64-mingw32-gcc
-      - make github-release
-  release-windows-386:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-mingw-w64
-    post-cache:
-      - export GOOS=windows
-      - export GOARCH=386
-      - export CC=i686-w64-mingw32-gcc-win32
-      - make release
-  github-release-windows-386:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - gcc-mingw-w64
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
-    post-cache:
-      - export GOOS=windows
-      - export GOARCH=386
-      - export CC=i686-w64-mingw32-gcc-win32
-      - make github-release
-  github-release-linux-arm64:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - crossbuild-essential-armhf
-      - g++-aarch64-linux-gnu
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
-    post-cache:
-      - export GOOS=linux
-      - export GOARCH=arm64
-      - export CC=aarch64-linux-gnu-gcc
-      - make github-release
-  github-release-macos-amd64:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *install_pygithub
+      - pip3 install pynacl==1.4.0
+      - pip3 install pygithub==1.55
     post-cache:
       - make github-mac-upload
-  test:
+  github-release-windows:
     build_dir: *build_dir
     builddeps:
       - *pinned_go
       - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - wget
+      # libmsi and libgcab are libraries the wixl binary depends on.
+      - libmsi-dev
+      - libgcab-dev
+    pre-cache:
+      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
+      - chmod a+x /usr/local/bin/wixl
+      - pip3 install pynacl==1.4.0
+      - pip3 install pygithub==1.55
+    post-cache:
+      - .teamcity/package-windows.sh
+      - make github-windows-upload
+  test:
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
     post-cache:
       - export GOOS=linux
       - export GOARCH=amd64
-      # cd to a non-module directory: https://github.com/golang/go/issues/24250
-      - (cd / && go get github.com/BurntSushi/go-sumtype)
       - export PATH="$HOME/go/bin:$PATH"
-      - make test
-  update-homebrew:
-    builddeps:
-      - openssh-client
-      - s3cmd
+      - ./fmt-check.sh
+      - make test | gotest-to-teamcity
+  test-fips:
+    build_dir: *build_dir
+    builddeps: *build_deps
+    pre-cache: *build_pre_cache
     post-cache:
-      - .teamcity/update-homebrew.sh
-  github-message-release:
+      - export GOOS=linux
+      - export GOARCH=amd64
+      - export FIPS=true
+      - export PATH="$HOME/go/bin:$PATH"
+      - ./fmt-check.sh
+      - make test | gotest-to-teamcity
+  component-test:
     build_dir: *build_dir
     builddeps:
       - *pinned_go
-      - python3-setuptools
+      - python3.7
       - python3-pip
+      - python3-setuptools
+      # procps installs the ps command which is needed in test_sysv_service because the init script
+      # uses ps pid to determine if the agent is running
+      - procps
+    pre-cache-copy-paths:
+      - component-tests/requirements.txt
+    pre-cache: &component_test_pre_cache
+      - sudo pip3 install --upgrade -r component-tests/requirements.txt
+    post-cache: &component_test_post_cache
+      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
+      - python3 component-tests/setup.py --type create
+      - pytest component-tests -o log_cli=true --log-cli-level=INFO
+      # The Named Tunnel is deleted and its route unprovisioned here.
+      - python3 component-tests/setup.py --type cleanup
+  component-test-fips:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - python3.7
+      - python3-pip
+      - python3-setuptools
+      # procps installs the ps command which is needed in test_sysv_service because the init script
+      # uses ps pid to determine if the agent is running
+      - procps
+    pre-cache-copy-paths:
+      - component-tests/requirements.txt
+    pre-cache: *component_test_pre_cache
+    post-cache: *component_test_post_cache
+  github-message-release:
+    build_dir: *build_dir
+    builddeps: *build_pygithub
     pre-cache: *install_pygithub
     post-cache:
       - make github-message
-  build-junos:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3
-      - genisoimage
-      - jetez
-    pre-cache:
-      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
-    post-cache:
-      - export GOOS=freebsd
-      - export GOARCH=amd64
-      - make cloudflared-junos
-  publish-junos:
-    build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - python3
-      - genisoimage
-      - jetez
-      - s4cmd
-    pre-cache:
-      - ln -s /usr/bin/genisoimage /usr/bin/mkisofs
-    post-cache:
-      - export GOOS=freebsd
-      - export GOARCH=amd64
-      - make publish-cloudflared-junos
 
-buster: *stretch
-bullseye: *stretch
-centos-7:
-  publish-rpm:
-    build_dir: *build_dir
-    builddeps: &el7_builddeps
-      - https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
-    pre-cache:
-      - yum install -y fakeroot
-      - wget https://golang.org/dl/go1.15.6.linux-amd64.tar.gz -P /tmp/
-      - tar -C /usr/local -xzf /tmp/go1.15.6.linux-amd64.tar.gz
-    post-cache:
-      - export PATH=$PATH:/usr/local/go/bin
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make publish-rpm
-  build-rpm:
-    build_dir: *build_dir
-    builddeps: *el7_builddeps
-    pre-cache:
-      - yum install -y fakeroot
-      - wget https://golang.org/dl/go1.15.6.linux-amd64.tar.gz -P /tmp/
-      - tar -C /usr/local -xzf /tmp/go1.15.6.linux-amd64.tar.gz
-    post-cache:
-      - export PATH=$PATH:/usr/local/go/bin
-      - export GOOS=linux
-      - export GOARCH=amd64
-      - make cloudflared-rpm
-
-# cfsetup compose
-default-stack: test_dbconnect
-test_dbconnect:
-  compose:
-    up-args:
-      - --renew-anon-volumes
-      - --abort-on-container-exit
-      - --exit-code-from=cloudflared
-    files:
-      - dbconnect_tests/dbconnect.yaml
+bullseye: *buster
+bookworm: *buster

check-fips.sh

@@ -0,0 +1,15 @@
+# Pass the path to the executable to check for FIPS compliance
+exe=$1
+
+if [ "$(go tool nm "${exe}" | grep -c '_Cfunc__goboringcrypto_')" -eq 0 ]; then
+    # Asserts that executable is using FIPS-compliant boringcrypto
+    echo "${exe}: missing goboring symbols" >&2
+    exit 1
+fi
+if [ "$(go tool nm "${exe}" | grep -c 'crypto/internal/boring/sig.FIPSOnly')" -eq 0 ]; then
+    # Asserts that executable is using FIPS-only schemes
+    echo "${exe}: missing fipsonly symbols" >&2
+    exit 1
+fi
+
+echo "${exe} is FIPS-compliant"

cloudflared.wxs

@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
+
+<?if $(var.Platform)="x64" ?>
+    <?define Program_Files="ProgramFiles64Folder"?>
+<?else ?>
+    <?define Program_Files="ProgramFilesFolder"?>
+<?endif ?>
+<?ifndef var.Version?>
+    <?error Undefined Version variable?>
+<?endif ?>
+<?ifndef var.Path?>
+    <?error Undefined Path variable?>
+<?endif ?>
+
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+    <Product Id="*"
+        UpgradeCode="23f90fdd-9328-47ea-ab52-5380855a4b12"
+        Name="cloudflared"
+        Version="$(var.Version)"
+        Manufacturer="cloudflare"
+        Language="1033">
+
+        <Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package" InstallScope="perMachine" />
+
+        <Media Id="1" Cabinet="product.cab" EmbedCab="yes" />
+
+        <MajorUpgrade DowngradeErrorMessage="A later version of [ProductName] is already installed. Setup will now exit." />
+
+        <Upgrade Id="23f90fdd-9328-47ea-ab52-5380855a4b12">
+            <UpgradeVersion Minimum="$(var.Version)" OnlyDetect="yes" Property="NEWERVERSIONDETECTED" />
+            <UpgradeVersion Minimum="2020.8.0" Maximum="$(var.Version)" IncludeMinimum="yes" IncludeMaximum="no"
+                Property="OLDERVERSIONBEINGUPGRADED" />
+        </Upgrade>
+        <Condition Message="A newer version of this software is already installed.">NOT NEWERVERSIONDETECTED</Condition>
+
+        <Directory Id="TARGETDIR" Name="SourceDir">
+            <!--This specifies where the cloudflared.exe is moved to in the windows Operation System-->
+            <Directory Id="$(var.Program_Files)">
+                <Directory Id="INSTALLDIR" Name="cloudflared">
+                    <Component Id="ApplicationFiles" Guid="35e5e858-9372-4449-bf73-1cd6f7267128">
+                        <File Id="ApplicationFile0" Source="$(var.Path)" />
+                    </Component>
+                </Directory>
+            </Directory>
+            <Component Id="ENVS" Guid="6bb74449-d10d-4f4a-933e-6fc9fa006eae">
+                <!--Set the cloudflared bin location to the Path Environment Variable-->
+                <Environment Id="ENV0"
+                    Name="PATH"
+                    Value="[INSTALLDIR]"
+                    Permanent="no"
+                    Part="last"
+                    Action="create"
+                    System="yes" />
+            </Component>
+        </Directory>
+
+
+        <Feature Id='Complete' Level='1'>
+            <ComponentRef Id="ENVS" />
+            <ComponentRef Id='ApplicationFiles' />
+        </Feature>
+
+    </Product>
+</Wix>

cmd/cloudflared/access/carrier.go

@@ -1,22 +1,27 @@
 package access
 
 import (
+	"crypto/tls"
+	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
-	"github.com/cloudflare/cloudflared/carrier"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/h2mux"
-	"github.com/cloudflare/cloudflared/logger"
-	"github.com/cloudflare/cloudflared/validation"
-
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/carrier"
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/stream"
+	"github.com/cloudflare/cloudflared/validation"
 )
 
 const (
-	LogFieldHost = "host"
+	LogFieldHost               = "host"
+	cfAccessClientIDHeader     = "Cf-Access-Client-Id"
+	cfAccessClientSecretHeader = "Cf-Access-Client-Secret"
 )
 
 // StartForwarder starts a client side websocket forward
@@ -29,16 +34,15 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	// get the headers from the config file and add to the request
 	headers := make(http.Header)
 	if forwarder.TokenClientID != "" {
-		headers.Set(h2mux.CFAccessClientIDHeader, forwarder.TokenClientID)
+		headers.Set(cfAccessClientIDHeader, forwarder.TokenClientID)
 	}
 
 	if forwarder.TokenSecret != "" {
-		headers.Set(h2mux.CFAccessClientSecretHeader, forwarder.TokenSecret)
+		headers.Set(cfAccessClientSecretHeader, forwarder.TokenSecret)
 	}
+	headers.Set("User-Agent", userAgent)
 
-	if forwarder.Destination != "" {
-		headers.Add(h2mux.CFJumpDestinationHeader, forwarder.Destination)
-	}
+	carrier.SetBastionDest(headers, forwarder.Destination)
 
 	options := &carrier.StartOptions{
 		OriginURL: forwarder.URL,
@@ -46,7 +50,7 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 	}
 
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
-	wsConn := carrier.NewWSConnection(log, false)
+	wsConn := carrier.NewWSConnection(log)
 
 	log.Info().Str(LogFieldHost, validURL.Host).Msg("Start Websocket listener")
 	return carrier.StartForwarder(wsConn, validURL.Host, shutdown, options)
@@ -57,37 +61,60 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
 // useful for proxying other protocols (like ssh) over websockets
 // (which you can put Access in front of)
 func ssh(c *cli.Context) error {
-	log := logger.CreateSSHLoggerFromContext(c, logger.EnableTerminalLog)
+	// If not running as a forwarder, disable terminal logs as it collides with the stdin/stdout of the parent process
+	outputTerminal := logger.DisableTerminalLog
+	if c.IsSet(sshURLFlag) {
+		outputTerminal = logger.EnableTerminalLog
+	}
+	log := logger.CreateSSHLoggerFromContext(c, outputTerminal)
 
 	// get the hostname from the cmdline and error out if its not provided
 	rawHostName := c.String(sshHostnameFlag)
-	hostname, err := validation.ValidateHostname(rawHostName)
-	if err != nil || rawHostName == "" {
+	url, err := parseURL(rawHostName)
+	if err != nil {
+		log.Err(err).Send()
 		return cli.ShowCommandHelp(c, "ssh")
 	}
-	originURL := ensureURLScheme(hostname)
 
 	// get the headers from the cmdline and add them
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
-		headers.Set(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
+		headers.Set(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
-		headers.Set(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
+		headers.Set(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
+	headers.Set("User-Agent", userAgent)
 
-	destination := c.String(sshDestinationFlag)
-	if destination != "" {
-		headers.Add(h2mux.CFJumpDestinationHeader, destination)
-	}
+	carrier.SetBastionDest(headers, c.String(sshDestinationFlag))
 
 	options := &carrier.StartOptions{
-		OriginURL: originURL,
+		OriginURL: url.String(),
 		Headers:   headers,
+		Host:      url.Host,
+	}
+
+	if connectTo := c.String(sshConnectTo); connectTo != "" {
+		parts := strings.Split(connectTo, ":")
+		switch len(parts) {
+		case 1:
+			options.OriginURL = fmt.Sprintf("https://%s", parts[0])
+		case 2:
+			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[0], parts[1])
+		case 3:
+			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
+			options.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true,
+				ServerName:         parts[0],
+			}
+			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
+		default:
+			return fmt.Errorf("invalid connection override: %s", connectTo)
+		}
 	}
 
 	// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
-	wsConn := carrier.NewWSConnection(log, false)
+	wsConn := carrier.NewWSConnection(log)
 
 	if c.NArg() > 0 || c.IsSet(sshURLFlag) {
 		forwarder, err := config.ValidateUrl(c, true)
@@ -95,7 +122,6 @@ func ssh(c *cli.Context) error {
 			log.Err(err).Msg("Error validating origin URL")
 			return errors.Wrap(err, "error validating origin URL")
 		}
-
 		log.Info().Str(LogFieldHost, forwarder.Host).Msg("Start Websocket listener")
 		err = carrier.StartForwarder(wsConn, forwarder.Host, shutdownC, options)
 		if err != nil {
@@ -104,16 +130,17 @@ func ssh(c *cli.Context) error {
 		return err
 	}
 
-	return carrier.StartClient(wsConn, &carrier.StdinoutStream{}, options)
-}
-
-func buildRequestHeaders(values []string) http.Header {
-	headers := make(http.Header)
-	for _, valuePair := range values {
-		split := strings.Split(valuePair, ":")
-		if len(split) > 1 {
-			headers.Add(strings.TrimSpace(split[0]), strings.TrimSpace(split[1]))
+	var s io.ReadWriter
+	s = &carrier.StdinoutStream{}
+	if c.IsSet(sshDebugStream) {
+		maxMessages := c.Uint64(sshDebugStream)
+		if maxMessages == 0 {
+			// default to 10 if provided but unset
+			maxMessages = 10
 		}
+		logger := log.With().Str("host", url.Host).Logger()
+		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	return headers
+	carrier.StartClient(wsConn, s, options)
+	return nil
 }

cmd/cloudflared/access/carrier_test.go

@@ -1,18 +0,0 @@
-package access
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestBuildRequestHeaders(t *testing.T) {
-	headers := make(http.Header)
-	headers.Add("client", "value")
-	headers.Add("secret", "safe-value")
-
-	values := buildRequestHeaders([]string{"client: value", "secret: safe-value", "trash"})
-	assert.Equal(t, headers.Get("client"), values.Get("client"))
-	assert.Equal(t, headers.Get("secret"), values.Get("secret"))
-}

cmd/cloudflared/access/cmd.go

@@ -2,30 +2,31 @@ package access
 
 import (
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
+	"os/exec"
 	"strings"
 	"text/template"
 	"time"
 
-	"github.com/cloudflare/cloudflared/carrier"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/token"
-	"github.com/cloudflare/cloudflared/h2mux"
-	"github.com/cloudflare/cloudflared/logger"
-	"github.com/cloudflare/cloudflared/sshgen"
-	"github.com/cloudflare/cloudflared/validation"
-
-	"github.com/getsentry/raven-go"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 	"golang.org/x/net/idna"
+
+	"github.com/cloudflare/cloudflared/carrier"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/sshgen"
+	"github.com/cloudflare/cloudflared/token"
+	"github.com/cloudflare/cloudflared/validation"
 )
 
 const (
+	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
 	sshURLFlag         = "url"
@@ -33,19 +34,18 @@ const (
 	sshTokenIDFlag     = "service-token-id"
 	sshTokenSecretFlag = "service-token-secret"
 	sshGenCertFlag     = "short-lived-cert"
+	sshConnectTo       = "connect-to"
+	sshDebugStream     = "debug-stream"
 	sshConfigTemplate  = `
 Add to your {{.Home}}/.ssh/config:
 
-Host {{.Hostname}}
 {{- if .ShortLivedCerts}}
-  ProxyCommand bash -c '{{.Cloudflared}} access ssh-gen --hostname %h; ssh -tt %r@cfpipe-{{.Hostname}} >&2 <&1' 
-
-Host cfpipe-{{.Hostname}}
-  HostName {{.Hostname}}
+Match host {{.Hostname}} exec "{{.Cloudflared}} access ssh-gen --hostname %h"
   ProxyCommand {{.Cloudflared}} access ssh --hostname %h
-  IdentityFile ~/.cloudflared/{{.Hostname}}-cf_key
-  CertificateFile ~/.cloudflared/{{.Hostname}}-cf_key-cert.pub
+  IdentityFile ~/.cloudflared/%h-cf_key
+  CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
 {{- else}}
+Host {{.Hostname}}
   ProxyCommand {{.Cloudflared}} access ssh --hostname %h
 {{end}}
 `
@@ -54,13 +54,14 @@ Host cfpipe-{{.Hostname}}
 const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
 
 var (
-	shutdownC      chan struct{}
-	graceShutdownC chan struct{}
+	shutdownC chan struct{}
+	userAgent = "DEV"
 )
 
 // Init will initialize and store vars from the main program
-func Init(s, g chan struct{}) {
-	shutdownC, graceShutdownC = s, g
+func Init(shutdown chan struct{}, version string) {
+	shutdownC = shutdown
+	userAgent = fmt.Sprintf("cloudflared/%s", version)
 }
 
 // Flags return the global flags for Access related commands (hopefully none)
@@ -76,30 +77,31 @@ func Commands() []*cli.Command {
 			Aliases:  []string{"forward"},
 			Category: "Access",
 			Usage:    "access <subcommand>",
-			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access 
-			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are 
-			able to reach sensitive resources. The commands provided here allow you to interact with Access protected 
+			Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
+			per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
+			able to reach sensitive resources. The commands provided here allow you to interact with Access protected
 			applications from the command line.`,
 			Subcommands: []*cli.Command{
 				{
 					Name:   "login",
-					Action: cliutil.ErrorHandler(login),
+					Action: cliutil.Action(login),
 					Usage:  "login <url of access application>",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
-					scoped to your identity, the application you intend to reach, and valid for a session duration set by your 
+					scoped to your identity, the application you intend to reach, and valid for a session duration set by your
 					administrator. cloudflared stores the token in local storage.`,
 					Flags: []cli.Flag{
-						&cli.StringFlag{
-							Name:   "url",
-							Hidden: true,
+						&cli.BoolFlag{
+							Name:    loginQuietFlag,
+							Aliases: []string{"q"},
+							Usage:   "do not print the jwt to the command line",
 						},
 					},
 				},
 				{
 					Name:   "curl",
-					Action: cliutil.ErrorHandler(curl),
+					Action: cliutil.Action(curl),
 					Usage:  "curl [--allow-request, -ar] <url> [<curl args>...]",
 					Description: `The curl subcommand wraps curl and automatically injects the JWT into a cf-access-token
 					header when using curl to reach an application behind Access.`,
@@ -108,7 +110,7 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "token",
-					Action:      cliutil.ErrorHandler(generateToken),
+					Action:      cliutil.Action(generateToken),
 					Usage:       "token -app=<url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
@@ -120,7 +122,7 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "tcp",
-					Action:      cliutil.ErrorHandler(ssh),
+					Action:      cliutil.Action(ssh),
 					Aliases:     []string{"rdp", "ssh", "smb"},
 					Usage:       "",
 					ArgsUsage:   "",
@@ -130,15 +132,18 @@ func Commands() []*cli.Command {
 							Name:    sshHostnameFlag,
 							Aliases: []string{"tunnel-host", "T"},
 							Usage:   "specify the hostname of your application.",
+							EnvVars: []string{"TUNNEL_SERVICE_HOSTNAME"},
 						},
 						&cli.StringFlag{
-							Name:  sshDestinationFlag,
-							Usage: "specify the destination address of your SSH server.",
+							Name:    sshDestinationFlag,
+							Usage:   "specify the destination address of your SSH server.",
+							EnvVars: []string{"TUNNEL_SERVICE_DESTINATION"},
 						},
 						&cli.StringFlag{
 							Name:    sshURLFlag,
 							Aliases: []string{"listener", "L"},
 							Usage:   "specify the host:port to forward data to Cloudflare edge.",
+							EnvVars: []string{"TUNNEL_SERVICE_URL"},
 						},
 						&cli.StringSliceFlag{
 							Name:    sshHeaderFlag,
@@ -149,27 +154,42 @@ func Commands() []*cli.Command {
 							Name:    sshTokenIDFlag,
 							Aliases: []string{"id"},
 							Usage:   "specify an Access service token ID you wish to use.",
+							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_ID"},
 						},
 						&cli.StringFlag{
 							Name:    sshTokenSecretFlag,
 							Aliases: []string{"secret"},
 							Usage:   "specify an Access service token secret you wish to use.",
+							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHDirectoryFlag,
-							Aliases: []string{"logfile"}, //added to match the tunnel side
-							Usage:   "Save application log to this directory for reporting issues.",
+							Name:  logger.LogFileFlag,
+							Usage: "Save application log to this file for reporting issues.",
+						},
+						&cli.StringFlag{
+							Name:  logger.LogSSHDirectoryFlag,
+							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
 							Name:    logger.LogSSHLevelFlag,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
-							Usage:   "Application logging level {fatal, error, info, debug}. ",
+							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
+						},
+						&cli.StringFlag{
+							Name:   sshConnectTo,
+							Hidden: true,
+							Usage:  "Connect to alternate location for testing, value is host, host:port, or sni:port:host",
+						},
+						&cli.Uint64Flag{
+							Name:   sshDebugStream,
+							Hidden: true,
+							Usage:  "Writes up-to the max provided stream payloads to the logger as debug statements.",
 						},
 					},
 				},
 				{
 					Name:        "ssh-config",
-					Action:      cliutil.ErrorHandler(sshConfig),
+					Action:      cliutil.Action(sshConfig),
 					Usage:       "",
 					Description: `Prints an example configuration ~/.ssh/config`,
 					Flags: []cli.Flag{
@@ -185,7 +205,7 @@ func Commands() []*cli.Command {
 				},
 				{
 					Name:        "ssh-gen",
-					Action:      cliutil.ErrorHandler(sshGen),
+					Action:      cliutil.Action(sshGen),
 					Usage:       "",
 					Description: `Generates a short lived certificate for given hostname`,
 					Flags: []cli.Flag{
@@ -202,25 +222,34 @@ func Commands() []*cli.Command {
 
 // login pops up the browser window to do the actual login and JWT generation
 func login(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
+		Dsn:     sentryDSN,
+		Release: c.App.Version,
+	})
+	if err != nil {
 		return err
 	}
 
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
 	args := c.Args()
-	rawURL := ensureURLScheme(args.First())
-	appURL, err := url.Parse(rawURL)
+	appURL, err := parseURL(args.First())
 	if args.Len() < 1 || err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
-	if err := verifyTokenAtEdge(appURL, c, log); err != nil {
+
+	appInfo, err := token.GetAppInfo(appURL)
+	if err != nil {
+		return err
+	}
+
+	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
 		log.Err(err).Msg("Could not verify token")
 		return err
 	}
 
-	cfdToken, err := token.GetAppTokenIfExists(appURL)
+	cfdToken, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil {
 		fmt.Fprintln(os.Stderr, "Unable to find token for provided application.")
 		return err
@@ -228,24 +257,22 @@ func login(c *cli.Context) error {
 		fmt.Fprintln(os.Stderr, "token for provided application was empty.")
 		return errors.New("empty application token")
 	}
+
+	if c.Bool(loginQuietFlag) {
+		return nil
+	}
 	fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
 
 	return nil
 }
 
-// ensureURLScheme prepends a URL with https:// if it doesnt have a scheme. http:// URLs will not be converted.
-func ensureURLScheme(url string) string {
-	url = strings.Replace(strings.ToLower(url), "http://", "https://", 1)
-	if !strings.HasPrefix(url, "https://") {
-		url = fmt.Sprintf("https://%s", url)
-
-	}
-	return url
-}
-
 // curl provides a wrapper around curl, passing Access JWT along in request
 func curl(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
+		Dsn:     sentryDSN,
+		Release: c.App.Version,
+	})
+	if err != nil {
 		return err
 	}
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
@@ -262,13 +289,24 @@ func curl(c *cli.Context) error {
 		return err
 	}
 
-	tok, err := token.GetAppTokenIfExists(appURL)
+	appInfo, err := token.GetAppInfo(appURL)
+	if err != nil {
+		return err
+	}
+
+	// Verify that the existing token is still good; if not fetch a new one
+	if err := verifyTokenAtEdge(appURL, appInfo, c, log); err != nil {
+		log.Err(err).Msg("Could not verify token")
+		return err
+	}
+
+	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
 		if allowRequest {
 			log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
-			return shell.Run("curl", cmdArgs...)
+			return run("curl", cmdArgs...)
 		}
-		tok, err = token.FetchToken(appURL, log)
+		tok, err = token.FetchToken(appURL, appInfo, log)
 		if err != nil {
 			log.Err(err).Msg("Failed to refresh token")
 			return err
@@ -276,23 +314,54 @@ func curl(c *cli.Context) error {
 	}
 
 	cmdArgs = append(cmdArgs, "-H")
-	cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", h2mux.CFAccessTokenHeader, tok))
-	return shell.Run("curl", cmdArgs...)
+	cmdArgs = append(cmdArgs, fmt.Sprintf("%s: %s", carrier.CFAccessTokenHeader, tok))
+	return run("curl", cmdArgs...)
+}
+
+// run kicks off a shell task and pipe the results to the respective std pipes
+func run(cmd string, args ...string) error {
+	c := exec.Command(cmd, args...)
+	c.Stdin = os.Stdin
+	stderr, err := c.StderrPipe()
+	if err != nil {
+		return err
+	}
+	go func() {
+		io.Copy(os.Stderr, stderr)
+	}()
+
+	stdout, err := c.StdoutPipe()
+	if err != nil {
+		return err
+	}
+	go func() {
+		io.Copy(os.Stdout, stdout)
+	}()
+	return c.Run()
 }
 
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
-	if err := raven.SetDSN(sentryDSN); err != nil {
+	err := sentry.Init(sentry.ClientOptions{
+		Dsn:     sentryDSN,
+		Release: c.App.Version,
+	})
+	if err != nil {
 		return err
 	}
-	appURL, err := url.Parse(c.String("app"))
+	appURL, err := parseURL(c.String("app"))
 	if err != nil || c.NumFlags() < 1 {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
-	tok, err := token.GetAppTokenIfExists(appURL)
+
+	appInfo, err := token.GetAppInfo(appURL)
+	if err != nil {
+		return err
+	}
+	tok, err := token.GetAppTokenIfExists(appInfo)
 	if err != nil || tok == "" {
-		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run token command to generate token.")
+		fmt.Fprintln(os.Stderr, "Unable to find token for provided application. Please run login command to generate token.")
 		return err
 	}
 
@@ -333,7 +402,7 @@ func sshGen(c *cli.Context) error {
 		return cli.ShowCommandHelp(c, "ssh-gen")
 	}
 
-	originURL, err := url.Parse(ensureURLScheme(hostname))
+	originURL, err := parseURL(hostname)
 	if err != nil {
 		return err
 	}
@@ -341,7 +410,12 @@ func sshGen(c *cli.Context) error {
 	// this fetchToken function mutates the appURL param. We should refactor that
 	fetchTokenURL := &url.URL{}
 	*fetchTokenURL = *originURL
-	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, log)
+
+	appInfo, err := token.GetAppInfo(fetchTokenURL)
+	if err != nil {
+		return err
+	}
+	cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
 	if err != nil {
 		return err
 	}
@@ -353,7 +427,7 @@ func sshGen(c *cli.Context) error {
 	return nil
 }
 
-// getAppURL will pull the appURL needed for fetching a user's Access token
+// getAppURL will pull the request URL needed for fetching a user's Access token
 func getAppURL(cmdArgs []string, log *zerolog.Logger) (*url.URL, error) {
 	if len(cmdArgs) < 1 {
 		log.Error().Msg("Please provide a valid URL as the first argument to curl.")
@@ -407,6 +481,11 @@ func processURL(s string) (*url.URL, error) {
 
 // cloudflaredPath pulls the full path of cloudflared on disk
 func cloudflaredPath() string {
+	path, err := os.Executable()
+	if err == nil && isFileThere(path) {
+		return path
+	}
+
 	for _, p := range strings.Split(os.Getenv("PATH"), ":") {
 		path := fmt.Sprintf("%s/%s", p, "cloudflared")
 		if isFileThere(path) {
@@ -428,15 +507,15 @@ func isFileThere(candidate string) bool {
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
 // Then makes a request to to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
-func verifyTokenAtEdge(appUrl *url.URL, c *cli.Context, log *zerolog.Logger) error {
-	headers := buildRequestHeaders(c.StringSlice(sshHeaderFlag))
+func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
+	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
 	if c.IsSet(sshTokenIDFlag) {
-		headers.Add(h2mux.CFAccessClientIDHeader, c.String(sshTokenIDFlag))
+		headers.Add(cfAccessClientIDHeader, c.String(sshTokenIDFlag))
 	}
 	if c.IsSet(sshTokenSecretFlag) {
-		headers.Add(h2mux.CFAccessClientSecretHeader, c.String(sshTokenSecretFlag))
+		headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
 	}
-	options := &carrier.StartOptions{OriginURL: appUrl.String(), Headers: headers}
+	options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
 
 	if valid, err := isTokenValid(options, log); err != nil {
 		return err
@@ -444,7 +523,7 @@ func verifyTokenAtEdge(appUrl *url.URL, c *cli.Context, log *zerolog.Logger) err
 		return nil
 	}
 
-	if err := token.RemoveTokenIfExists(appUrl); err != nil {
+	if err := token.RemoveTokenIfExists(appInfo); err != nil {
 		return err
 	}
 
@@ -463,6 +542,11 @@ func isTokenValid(options *carrier.StartOptions, log *zerolog.Logger) (bool, err
 	if err != nil {
 		return false, errors.Wrap(err, "Could not create access request")
 	}
+	req.Header.Set("User-Agent", userAgent)
+
+	query := req.URL.Query()
+	query.Set("cloudflared_token_check", "true")
+	req.URL.RawQuery = query.Encode()
 
 	// Do not follow redirects
 	client := &http.Client{

cmd/cloudflared/access/cmd_test.go

@@ -1,25 +0,0 @@
-package access
-
-import "testing"
-
-func Test_ensureURLScheme(t *testing.T) {
-	type args struct {
-		url string
-	}
-	tests := []struct {
-		name string
-		args args
-		want string
-	}{
-		{"no scheme", args{"localhost:123"}, "https://localhost:123"},
-		{"http scheme", args{"http://test"}, "https://test"},
-		{"https scheme", args{"https://test"}, "https://test"},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if got := ensureURLScheme(tt.args.url); got != tt.want {
-				t.Errorf("ensureURLScheme() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

cmd/cloudflared/access/validation.go

@@ -0,0 +1,55 @@
+package access
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"golang.org/x/net/http/httpguts"
+)
+
+// parseRequestHeaders will take user-provided header values as strings "Content-Type: application/json" and create
+// a http.Header object.
+func parseRequestHeaders(values []string) http.Header {
+	headers := make(http.Header)
+	for _, valuePair := range values {
+		header, value, found := strings.Cut(valuePair, ":")
+		if found {
+			headers.Add(strings.TrimSpace(header), strings.TrimSpace(value))
+		}
+	}
+	return headers
+}
+
+// parseHostname will attempt to convert a user provided URL string into a string with some light error checking on
+// certain expectations from the URL.
+// Will convert all HTTP URLs to HTTPS
+func parseURL(input string) (*url.URL, error) {
+	if input == "" {
+		return nil, errors.New("no input provided")
+	}
+	if !strings.HasPrefix(input, "https://") && !strings.HasPrefix(input, "http://") {
+		input = fmt.Sprintf("https://%s", input)
+	}
+	url, err := url.ParseRequestURI(input)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse as URL: %w", err)
+	}
+	if url.Scheme != "https" {
+		url.Scheme = "https"
+	}
+	if url.Host == "" {
+		return nil, errors.New("failed to parse Host")
+	}
+	host, err := httpguts.PunycodeHostPort(url.Host)
+	if err != nil || host == "" {
+		return nil, err
+	}
+	if !httpguts.ValidHostHeader(host) {
+		return nil, errors.New("invalid Host provided")
+	}
+	url.Host = host
+	return url, nil
+}

cmd/cloudflared/access/validation_test.go

@@ -0,0 +1,80 @@
+package access
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseRequestHeaders(t *testing.T) {
+	values := parseRequestHeaders([]string{"client: value", "secret: safe-value", "trash", "cf-trace-id: 000:000:0:1:asd"})
+	assert.Len(t, values, 3)
+	assert.Equal(t, "value", values.Get("client"))
+	assert.Equal(t, "safe-value", values.Get("secret"))
+	assert.Equal(t, "000:000:0:1:asd", values.Get("cf-trace-id"))
+}
+
+func TestParseURL(t *testing.T) {
+	schemes := []string{
+		"http://",
+		"https://",
+		"",
+	}
+	hosts := []struct {
+		input    string
+		expected string
+	}{
+		{"localhost", "localhost"},
+		{"127.0.0.1", "127.0.0.1"},
+		{"127.0.0.1:9090", "127.0.0.1:9090"},
+		{"::1", "::1"},
+		{"::1:8080", "::1:8080"},
+		{"[::1]", "[::1]"},
+		{"[::1]:8080", "[::1]:8080"},
+		{":8080", ":8080"},
+		{"example.com", "example.com"},
+		{"hello.example.com", "hello.example.com"},
+		{"bücher.example.com", "xn--bcher-kva.example.com"},
+	}
+	paths := []string{
+		"",
+		"/test",
+		"/example.com?qwe=123",
+	}
+	for i, scheme := range schemes {
+		for j, host := range hosts {
+			for k, path := range paths {
+				t.Run(fmt.Sprintf("%d_%d_%d", i, j, k), func(t *testing.T) {
+					input := fmt.Sprintf("%s%s%s", scheme, host.input, path)
+					expected := fmt.Sprintf("%s%s%s", "https://", host.expected, path)
+					url, err := parseURL(input)
+					assert.NoError(t, err, "input: %s\texpected: %s", input, expected)
+					assert.Equal(t, expected, url.String())
+					assert.Equal(t, host.expected, url.Host)
+					assert.Equal(t, "https", url.Scheme)
+				})
+			}
+		}
+	}
+
+	t.Run("no input", func(t *testing.T) {
+		_, err := parseURL("")
+		assert.ErrorContains(t, err, "no input provided")
+	})
+
+	t.Run("missing host", func(t *testing.T) {
+		_, err := parseURL("https:///host")
+		assert.ErrorContains(t, err, "failed to parse Host")
+	})
+
+	t.Run("invalid path only", func(t *testing.T) {
+		_, err := parseURL("/host")
+		assert.ErrorContains(t, err, "failed to parse Host")
+	})
+
+	t.Run("invalid parse URL", func(t *testing.T) {
+		_, err := parseURL("https://host\\host")
+		assert.ErrorContains(t, err, "failed to parse as URL")
+	})
+}

cmd/cloudflared/app_forward_service.go

@@ -1,10 +1,10 @@
 package main
 
 import (
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-
 	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
+	"github.com/cloudflare/cloudflared/config"
 )
 
 // ForwardServiceType is used to identify what kind of overwatch service this is

cmd/cloudflared/app_resolver_service.go

@@ -1,18 +1,19 @@
 package main
 
 import (
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/tunneldns"
-
 	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/tunneldns"
 )
 
 const (
 	// ResolverServiceType is used to identify what kind of overwatch service this is
 	ResolverServiceType = "resolver"
 
-	LogFieldResolverAddress = "resolverAddress"
-	LogFieldResolverPort    = "resolverPort"
+	LogFieldResolverAddress          = "resolverAddress"
+	LogFieldResolverPort             = "resolverPort"
+	LogFieldResolverMaxUpstreamConns = "resolverMaxUpstreamConns"
 )
 
 // ResolverService is used to wrap the tunneldns package's DNS over HTTP
@@ -57,7 +58,7 @@ func (s *ResolverService) Shutdown() {
 func (s *ResolverService) Run() error {
 	// create a listener
 	l, err := tunneldns.CreateListener(s.resolver.AddressOrDefault(), s.resolver.PortOrDefault(),
-		s.resolver.UpstreamsOrDefault(), s.resolver.BootstrapsOrDefault(), s.log)
+		s.resolver.UpstreamsOrDefault(), s.resolver.BootstrapsOrDefault(), s.resolver.MaxUpstreamConnectionsOrDefault(), s.log)
 	if err != nil {
 		return err
 	}
@@ -74,6 +75,7 @@ func (s *ResolverService) Run() error {
 	resolverLog := s.log.With().
 		Str(LogFieldResolverAddress, s.resolver.AddressOrDefault()).
 		Uint16(LogFieldResolverPort, s.resolver.PortOrDefault()).
+		Int(LogFieldResolverMaxUpstreamConns, s.resolver.MaxUpstreamConnectionsOrDefault()).
 		Logger()
 
 	resolverLog.Info().Msg("Starting resolver")

cmd/cloudflared/app_service.go

@@ -1,10 +1,10 @@
 package main
 
 import (
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/overwatch"
-
 	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/overwatch"
 )
 
 // AppService is the main service that runs when no command lines flags are passed to cloudflared

cmd/cloudflared/buildinfo/build_info.go

@@ -1,27 +0,0 @@
-package buildinfo
-
-import (
-	"github.com/rs/zerolog"
-	"runtime"
-)
-
-type BuildInfo struct {
-	GoOS               string `json:"go_os"`
-	GoVersion          string `json:"go_version"`
-	GoArch             string `json:"go_arch"`
-	CloudflaredVersion string `json:"cloudflared_version"`
-}
-
-func GetBuildInfo(cloudflaredVersion string) *BuildInfo {
-	return &BuildInfo{
-		GoOS:               runtime.GOOS,
-		GoVersion:          runtime.Version(),
-		GoArch:             runtime.GOARCH,
-		CloudflaredVersion: cloudflaredVersion,
-	}
-}
-
-func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
-	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
-}

cmd/cloudflared/cliutil/build_info.go

@@ -0,0 +1,53 @@
+package cliutil
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/rs/zerolog"
+)
+
+type BuildInfo struct {
+	GoOS               string `json:"go_os"`
+	GoVersion          string `json:"go_version"`
+	GoArch             string `json:"go_arch"`
+	BuildType          string `json:"build_type"`
+	CloudflaredVersion string `json:"cloudflared_version"`
+}
+
+func GetBuildInfo(buildType, version string) *BuildInfo {
+	return &BuildInfo{
+		GoOS:               runtime.GOOS,
+		GoVersion:          runtime.Version(),
+		GoArch:             runtime.GOARCH,
+		BuildType:          buildType,
+		CloudflaredVersion: version,
+	}
+}
+
+func (bi *BuildInfo) Log(log *zerolog.Logger) {
+	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	if bi.BuildType != "" {
+		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
+	}
+	log.Info().Msgf("GOOS: %s, GOVersion: %s, GoArch: %s", bi.GoOS, bi.GoVersion, bi.GoArch)
+}
+
+func (bi *BuildInfo) OSArch() string {
+	return fmt.Sprintf("%s_%s", bi.GoOS, bi.GoArch)
+}
+
+func (bi *BuildInfo) Version() string {
+	return bi.CloudflaredVersion
+}
+
+func (bi *BuildInfo) GetBuildTypeMsg() string {
+	if bi.BuildType == "" {
+		return ""
+	}
+	return fmt.Sprintf(" with %s", bi.BuildType)
+}
+
+func (bi *BuildInfo) UserAgent() string {
+	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
+}

cmd/cloudflared/cliutil/deprecated.go

@@ -0,0 +1,21 @@
+package cliutil
+
+import (
+	"fmt"
+
+	"github.com/urfave/cli/v2"
+)
+
+func RemovedCommand(name string) *cli.Command {
+	return &cli.Command{
+		Name: name,
+		Action: func(context *cli.Context) error {
+			return cli.Exit(
+				fmt.Sprintf("%s command is no longer supported by cloudflared. Consult Cloudflare Tunnel documentation for possible alternative solutions.", name),
+				-1,
+			)
+		},
+		Description: fmt.Sprintf("%s is deprecated", name),
+		Hidden:      true,
+	}
+}

cmd/cloudflared/cliutil/errors.go

@@ -2,6 +2,7 @@ package cliutil
 
 import (
 	"fmt"
+
 	"github.com/urfave/cli/v2"
 )
 
@@ -21,7 +22,7 @@ func UsageError(format string, args ...interface{}) error {
 }
 
 // Ensures exit with error code if actionFunc returns an error
-func ErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
+func WithErrorHandler(actionFunc cli.ActionFunc) cli.ActionFunc {
 	return func(ctx *cli.Context) error {
 		err := actionFunc(ctx)
 		if err != nil {

cmd/cloudflared/cliutil/handler.go

@@ -0,0 +1,50 @@
+package cliutil
+
+import (
+	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v2/altsrc"
+
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/logger"
+)
+
+func Action(actionFunc cli.ActionFunc) cli.ActionFunc {
+	return WithErrorHandler(actionFunc)
+}
+
+func ConfiguredAction(actionFunc cli.ActionFunc) cli.ActionFunc {
+	// Adapt actionFunc to the type signature required by ConfiguredActionWithWarnings
+	f := func(context *cli.Context, _ string) error {
+		return actionFunc(context)
+	}
+
+	return ConfiguredActionWithWarnings(f)
+}
+
+// Just like ConfiguredAction, but accepts a second parameter with configuration warnings.
+func ConfiguredActionWithWarnings(actionFunc func(*cli.Context, string) error) cli.ActionFunc {
+	return WithErrorHandler(func(c *cli.Context) error {
+		warnings, err := setFlagsFromConfigFile(c)
+		if err != nil {
+			return err
+		}
+		return actionFunc(c, warnings)
+	})
+}
+
+func setFlagsFromConfigFile(c *cli.Context) (configWarnings string, err error) {
+	const errorExitCode = 1
+	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
+	inputSource, warnings, err := config.ReadConfigFile(c, log)
+	if err != nil {
+		if err == config.ErrNoConfigFile {
+			return "", nil
+		}
+		return "", cli.Exit(err, errorExitCode)
+	}
+
+	if err := altsrc.ApplyInputSource(c, inputSource); err != nil {
+		return "", cli.Exit(err, errorExitCode)
+	}
+	return warnings, nil
+}

cmd/cloudflared/cliutil/logger.go

@@ -0,0 +1,51 @@
+package cliutil
+
+import (
+	"github.com/urfave/cli/v2"
+	"github.com/urfave/cli/v2/altsrc"
+
+	"github.com/cloudflare/cloudflared/logger"
+)
+
+var (
+	debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
+		"This can expose sensitive information in your logs."
+)
+
+func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
+	return []cli.Flag{
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    logger.LogLevelFlag,
+			Value:   "info",
+			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
+			EnvVars: []string{"TUNNEL_LOGLEVEL"},
+			Hidden:  shouldHide,
+		}),
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    logger.LogTransportLevelFlag,
+			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
+			Value:   "info",
+			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
+			EnvVars: []string{"TUNNEL_PROTO_LOGLEVEL", "TUNNEL_TRANSPORT_LOGLEVEL"},
+			Hidden:  shouldHide,
+		}),
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    logger.LogFileFlag,
+			Usage:   "Save application log to this file for reporting issues.",
+			EnvVars: []string{"TUNNEL_LOGFILE"},
+			Hidden:  shouldHide,
+		}),
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    logger.LogDirectoryFlag,
+			Usage:   "Save application log to this directory for reporting issues.",
+			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
+			Hidden:  shouldHide,
+		}),
+		altsrc.NewStringFlag(&cli.StringFlag{
+			Name:    "trace-output",
+			Usage:   "Name of trace output file, generated when cloudflared stops.",
+			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
+			Hidden:  shouldHide,
+		}),
+	}
+}

cmd/cloudflared/common_service.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"github.com/rs/zerolog"
+	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
+)
+
+func buildArgsForToken(c *cli.Context, log *zerolog.Logger) ([]string, error) {
+	token := c.Args().First()
+	if _, err := tunnel.ParseToken(token); err != nil {
+		return nil, cliutil.UsageError("Provided tunnel token is not valid (%s).", err)
+	}
+
+	return []string{
+		"tunnel", "run", "--token", token,
+	}, nil
+}
+
+func getServiceExtraArgsFromCliArgs(c *cli.Context, log *zerolog.Logger) ([]string, error) {
+	if c.NArg() > 0 {
+		// currently, we only support extra args for token
+		return buildArgsForToken(c, log)
+	} else {
+		// empty extra args
+		return make([]string, 0), nil
+	}
+}

cmd/cloudflared/config/configuration.go

@@ -1,375 +0,0 @@
-package config
-
-import (
-	"fmt"
-	"io"
-	"net/url"
-	"os"
-	"path/filepath"
-	"runtime"
-	"time"
-
-	"github.com/mitchellh/go-homedir"
-	"github.com/pkg/errors"
-	"github.com/urfave/cli/v2"
-	"gopkg.in/yaml.v2"
-
-	"github.com/cloudflare/cloudflared/validation"
-	"github.com/rs/zerolog"
-)
-
-var (
-	// DefaultConfigFiles is the file names from which we attempt to read configuration.
-	DefaultConfigFiles = []string{"config.yml", "config.yaml"}
-
-	// DefaultUnixConfigLocation is the primary location to find a config file
-	DefaultUnixConfigLocation = "/usr/local/etc/cloudflared"
-
-	// DefaultUnixLogLocation is the primary location to find log files
-	DefaultUnixLogLocation = "/var/log/cloudflared"
-
-	// Launchd doesn't set root env variables, so there is default
-	// Windows default config dir was ~/cloudflare-warp in documentation; let's keep it compatible
-	defaultUserConfigDirs = []string{"~/.cloudflared", "~/.cloudflare-warp", "~/cloudflare-warp"}
-	defaultNixConfigDirs  = []string{"/etc/cloudflared", DefaultUnixConfigLocation}
-
-	ErrNoConfigFile = fmt.Errorf("Cannot determine default configuration path. No file %v in %v", DefaultConfigFiles, DefaultConfigSearchDirectories())
-)
-
-const (
-	DefaultCredentialFile = "cert.pem"
-
-	// BastionFlag is to enable bastion, or jump host, operation
-	BastionFlag = "bastion"
-)
-
-// DefaultConfigDirectory returns the default directory of the config file
-func DefaultConfigDirectory() string {
-	if runtime.GOOS == "windows" {
-		path := os.Getenv("CFDPATH")
-		if path == "" {
-			path = filepath.Join(os.Getenv("ProgramFiles(x86)"), "cloudflared")
-			if _, err := os.Stat(path); os.IsNotExist(err) { //doesn't exist, so return an empty failure string
-				return ""
-			}
-		}
-		return path
-	}
-	return DefaultUnixConfigLocation
-}
-
-// DefaultLogDirectory returns the default directory for log files
-func DefaultLogDirectory() string {
-	if runtime.GOOS == "windows" {
-		return DefaultConfigDirectory()
-	}
-	return DefaultUnixLogLocation
-}
-
-// DefaultConfigPath returns the default location of a config file
-func DefaultConfigPath() string {
-	dir := DefaultConfigDirectory()
-	if dir == "" {
-		return DefaultConfigFiles[0]
-	}
-	return filepath.Join(dir, DefaultConfigFiles[0])
-}
-
-// DefaultConfigSearchDirectories returns the default folder locations of the config
-func DefaultConfigSearchDirectories() []string {
-	dirs := make([]string, len(defaultUserConfigDirs))
-	copy(dirs, defaultUserConfigDirs)
-	if runtime.GOOS != "windows" {
-		dirs = append(dirs, defaultNixConfigDirs...)
-	}
-	return dirs
-}
-
-// FileExists checks to see if a file exist at the provided path.
-func FileExists(path string) (bool, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// ignore missing files
-			return false, nil
-		}
-		return false, err
-	}
-	_ = f.Close()
-	return true, nil
-}
-
-// FindDefaultConfigPath returns the first path that contains a config file.
-// If none of the combination of DefaultConfigSearchDirectories() and DefaultConfigFiles
-// contains a config file, return empty string.
-func FindDefaultConfigPath() string {
-	for _, configDir := range DefaultConfigSearchDirectories() {
-		for _, configFile := range DefaultConfigFiles {
-			dirPath, err := homedir.Expand(configDir)
-			if err != nil {
-				continue
-			}
-			path := filepath.Join(dirPath, configFile)
-			if ok, _ := FileExists(path); ok {
-				return path
-			}
-		}
-	}
-	return ""
-}
-
-// FindOrCreateConfigPath returns the first path that contains a config file
-// or creates one in the primary default path if it doesn't exist
-func FindOrCreateConfigPath() string {
-	path := FindDefaultConfigPath()
-
-	if path == "" {
-		// create the default directory if it doesn't exist
-		path = DefaultConfigPath()
-		if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil {
-			return ""
-		}
-
-		// write a new config file out
-		file, err := os.Create(path)
-		if err != nil {
-			return ""
-		}
-		defer file.Close()
-
-		logDir := DefaultLogDirectory()
-		_ = os.MkdirAll(logDir, os.ModePerm) //try and create it. Doesn't matter if it succeed or not, only byproduct will be no logs
-
-		c := Root{
-			LogDirectory: logDir,
-		}
-		if err := yaml.NewEncoder(file).Encode(&c); err != nil {
-			return ""
-		}
-	}
-
-	return path
-}
-
-// ValidateUnixSocket ensures --unix-socket param is used exclusively
-// i.e. it fails if a user specifies both --url and --unix-socket
-func ValidateUnixSocket(c *cli.Context) (string, error) {
-	if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
-		return "", errors.New("--unix-socket must be used exclusivly.")
-	}
-	return c.String("unix-socket"), nil
-}
-
-// ValidateUrl will validate url flag correctness. It can be either from --url or argument
-// Notice ValidateUnixSocket, it will enforce --unix-socket is not used with --url or argument
-func ValidateUrl(c *cli.Context, allowURLFromArgs bool) (*url.URL, error) {
-	var url = c.String("url")
-	if allowURLFromArgs && c.NArg() > 0 {
-		if c.IsSet("url") {
-			return nil, errors.New("Specified origin urls using both --url and argument. Decide which one you want, I can only support one.")
-		}
-		url = c.Args().Get(0)
-	}
-	validUrl, err := validation.ValidateUrl(url)
-	return validUrl, err
-}
-
-type UnvalidatedIngressRule struct {
-	Hostname      string
-	Path          string
-	Service       string
-	OriginRequest OriginRequestConfig `yaml:"originRequest"`
-}
-
-// OriginRequestConfig is a set of optional fields that users may set to
-// customize how cloudflared sends requests to origin services. It is used to set
-// up general config that apply to all rules, and also, specific per-rule
-// config.
-// Note: To specify a time.Duration in go-yaml, use e.g. "3s" or "24h".
-type OriginRequestConfig struct {
-	// HTTP proxy timeout for establishing a new connection
-	ConnectTimeout *time.Duration `yaml:"connectTimeout"`
-	// HTTP proxy timeout for completing a TLS handshake
-	TLSTimeout *time.Duration `yaml:"tlsTimeout"`
-	// HTTP proxy TCP keepalive duration
-	TCPKeepAlive *time.Duration `yaml:"tcpKeepAlive"`
-	// HTTP proxy should disable "happy eyeballs" for IPv4/v6 fallback
-	NoHappyEyeballs *bool `yaml:"noHappyEyeballs"`
-	// HTTP proxy maximum keepalive connection pool size
-	KeepAliveConnections *int `yaml:"keepAliveConnections"`
-	// HTTP proxy timeout for closing an idle connection
-	KeepAliveTimeout *time.Duration `yaml:"keepAliveTimeout"`
-	// Sets the HTTP Host header for the local webserver.
-	HTTPHostHeader *string `yaml:"httpHostHeader"`
-	// Hostname on the origin server certificate.
-	OriginServerName *string `yaml:"originServerName"`
-	// Path to the CA for the certificate of your origin.
-	// This option should be used only if your certificate is not signed by Cloudflare.
-	CAPool *string `yaml:"caPool"`
-	// Disables TLS verification of the certificate presented by your origin.
-	// Will allow any certificate from the origin to be accepted.
-	// Note: The connection from your machine to Cloudflare's Edge is still encrypted.
-	NoTLSVerify *bool `yaml:"noTLSVerify"`
-	// Disables chunked transfer encoding.
-	// Useful if you are running a WSGI server.
-	DisableChunkedEncoding *bool `yaml:"disableChunkedEncoding"`
-	// Runs as jump host
-	BastionMode *bool `yaml:"bastionMode"`
-	// Listen address for the proxy.
-	ProxyAddress *string `yaml:"proxyAddress"`
-	// Listen port for the proxy.
-	ProxyPort *uint `yaml:"proxyPort"`
-	// Valid options are 'socks' or empty.
-	ProxyType *string `yaml:"proxyType"`
-}
-
-type Configuration struct {
-	TunnelID      string `yaml:"tunnel"`
-	Ingress       []UnvalidatedIngressRule
-	OriginRequest OriginRequestConfig `yaml:"originRequest"`
-	sourceFile    string
-}
-
-type configFileSettings struct {
-	Configuration `yaml:",inline"`
-	// older settings will be aggregated into the generic map, should be read via cli.Context
-	Settings map[string]interface{} `yaml:",inline"`
-}
-
-func (c *Configuration) Source() string {
-	return c.sourceFile
-}
-
-func (c *configFileSettings) Int(name string) (int, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if v, ok := raw.(int); ok {
-			return v, nil
-		}
-		return 0, fmt.Errorf("expected int found %T for %s", raw, name)
-	}
-	return 0, nil
-}
-
-func (c *configFileSettings) Duration(name string) (time.Duration, error) {
-	if raw, ok := c.Settings[name]; ok {
-		switch v := raw.(type) {
-		case time.Duration:
-			return v, nil
-		case string:
-			return time.ParseDuration(v)
-		}
-		return 0, fmt.Errorf("expected duration found %T for %s", raw, name)
-	}
-	return 0, nil
-}
-
-func (c *configFileSettings) Float64(name string) (float64, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if v, ok := raw.(float64); ok {
-			return v, nil
-		}
-		return 0, fmt.Errorf("expected float found %T for %s", raw, name)
-	}
-	return 0, nil
-}
-
-func (c *configFileSettings) String(name string) (string, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if v, ok := raw.(string); ok {
-			return v, nil
-		}
-		return "", fmt.Errorf("expected string found %T for %s", raw, name)
-	}
-	return "", nil
-}
-
-func (c *configFileSettings) StringSlice(name string) ([]string, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if slice, ok := raw.([]interface{}); ok {
-			strSlice := make([]string, len(slice))
-			for i, v := range slice {
-				str, ok := v.(string)
-				if !ok {
-					return nil, fmt.Errorf("expected string, found %T for %v", i, v)
-				}
-				strSlice[i] = str
-			}
-			return strSlice, nil
-		}
-		return nil, fmt.Errorf("expected string slice found %T for %s", raw, name)
-	}
-	return nil, nil
-}
-
-func (c *configFileSettings) IntSlice(name string) ([]int, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if slice, ok := raw.([]interface{}); ok {
-			intSlice := make([]int, len(slice))
-			for i, v := range slice {
-				str, ok := v.(int)
-				if !ok {
-					return nil, fmt.Errorf("expected int, found %T for %v ", v, v)
-				}
-				intSlice[i] = str
-			}
-			return intSlice, nil
-		}
-		if v, ok := raw.([]int); ok {
-			return v, nil
-		}
-		return nil, fmt.Errorf("expected int slice found %T for %s", raw, name)
-	}
-	return nil, nil
-}
-
-func (c *configFileSettings) Generic(name string) (cli.Generic, error) {
-	return nil, errors.New("option type Generic not supported")
-}
-
-func (c *configFileSettings) Bool(name string) (bool, error) {
-	if raw, ok := c.Settings[name]; ok {
-		if v, ok := raw.(bool); ok {
-			return v, nil
-		}
-		return false, fmt.Errorf("expected boolean found %T for %s", raw, name)
-	}
-	return false, nil
-}
-
-var configuration configFileSettings
-
-func GetConfiguration() *Configuration {
-	return &configuration.Configuration
-}
-
-// ReadConfigFile returns InputSourceContext initialized from the configuration file.
-// On repeat calls returns with the same file, returns without reading the file again; however,
-// if value of "config" flag changes, will read the new config file
-func ReadConfigFile(c *cli.Context, log *zerolog.Logger) (*configFileSettings, error) {
-	configFile := c.String("config")
-	if configuration.Source() == configFile || configFile == "" {
-		if configuration.Source() == "" {
-			return nil, ErrNoConfigFile
-		}
-		return &configuration, nil
-	}
-
-	log.Debug().Msgf("Loading configuration from %s", configFile)
-	file, err := os.Open(configFile)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = ErrNoConfigFile
-		}
-		return nil, err
-	}
-	defer file.Close()
-	if err := yaml.NewDecoder(file).Decode(&configuration); err != nil {
-		if err == io.EOF {
-			log.Error().Msgf("Configuration file %s was empty", configFile)
-			return &configuration, nil
-		}
-		return nil, errors.Wrap(err, "error parsing YAML in config file at "+configFile)
-	}
-	configuration.sourceFile = configFile
-	return &configuration, nil
-}

cmd/cloudflared/config/configuration_test.go

@@ -1,76 +0,0 @@
-package config
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"gopkg.in/yaml.v2"
-)
-
-func TestConfigFileSettings(t *testing.T) {
-	var (
-		firstIngress = UnvalidatedIngressRule{
-			Hostname: "tunnel1.example.com",
-			Path:     "/id",
-			Service:  "https://localhost:8000",
-		}
-		secondIngress = UnvalidatedIngressRule{
-			Hostname: "*",
-			Path:     "",
-			Service:  "https://localhost:8001",
-		}
-	)
-	rawYAML := `
-tunnel: config-file-test
-ingress:
- - hostname: tunnel1.example.com
-   path: /id
-   service: https://localhost:8000
- - hostname: "*"
-   service: https://localhost:8001
-retries: 5
-grace-period: 30s
-percentage: 3.14
-hostname: example.com
-tag:
- - test
- - central-1
-counters:
- - 123
- - 456
-`
-	var config configFileSettings
-	err := yaml.Unmarshal([]byte(rawYAML), &config)
-	assert.NoError(t, err)
-
-	assert.Equal(t, "config-file-test", config.TunnelID)
-	assert.Equal(t, firstIngress, config.Ingress[0])
-	assert.Equal(t, secondIngress, config.Ingress[1])
-
-	retries, err := config.Int("retries")
-	assert.NoError(t, err)
-	assert.Equal(t, 5, retries)
-
-	gracePeriod, err := config.Duration("grace-period")
-	assert.NoError(t, err)
-	assert.Equal(t, time.Second*30, gracePeriod)
-
-	percentage, err := config.Float64("percentage")
-	assert.NoError(t, err)
-	assert.Equal(t, 3.14, percentage)
-
-	hostname, err := config.String("hostname")
-	assert.NoError(t, err)
-	assert.Equal(t, "example.com", hostname)
-
-	tags, err := config.StringSlice("tag")
-	assert.NoError(t, err)
-	assert.Equal(t, "test", tags[0])
-	assert.Equal(t, "central-1", tags[1])
-
-	counters, err := config.IntSlice("counters")
-	assert.NoError(t, err)
-	assert.Equal(t, 123, counters[0])
-	assert.Equal(t, 456, counters[1])
-}

cmd/cloudflared/config/manager.go

@@ -1,112 +0,0 @@
-package config
-
-import (
-	"io"
-	"os"
-
-	"github.com/cloudflare/cloudflared/watcher"
-
-	"github.com/pkg/errors"
-	"github.com/rs/zerolog"
-	"gopkg.in/yaml.v2"
-)
-
-// Notifier sends out config updates
-type Notifier interface {
-	ConfigDidUpdate(Root)
-}
-
-// Manager is the base functions of the config manager
-type Manager interface {
-	Start(Notifier) error
-	Shutdown()
-}
-
-// FileManager watches the yaml config for changes
-// sends updates to the service to reconfigure to match the updated config
-type FileManager struct {
-	watcher    watcher.Notifier
-	notifier   Notifier
-	configPath string
-	log        *zerolog.Logger
-	ReadConfig func(string, *zerolog.Logger) (Root, error)
-}
-
-// NewFileManager creates a config manager
-func NewFileManager(watcher watcher.Notifier, configPath string, log *zerolog.Logger) (*FileManager, error) {
-	m := &FileManager{
-		watcher:    watcher,
-		configPath: configPath,
-		log:        log,
-		ReadConfig: readConfigFromPath,
-	}
-	err := watcher.Add(configPath)
-	return m, err
-}
-
-// Start starts the runloop to watch for config changes
-func (m *FileManager) Start(notifier Notifier) error {
-	m.notifier = notifier
-
-	// update the notifier with a fresh config on start
-	config, err := m.GetConfig()
-	if err != nil {
-		return err
-	}
-	notifier.ConfigDidUpdate(config)
-
-	m.watcher.Start(m)
-	return nil
-}
-
-// GetConfig reads the yaml file from the disk
-func (m *FileManager) GetConfig() (Root, error) {
-	return m.ReadConfig(m.configPath, m.log)
-}
-
-// Shutdown stops the watcher
-func (m *FileManager) Shutdown() {
-	m.watcher.Shutdown()
-}
-
-func readConfigFromPath(configPath string, log *zerolog.Logger) (Root, error) {
-	if configPath == "" {
-		return Root{}, errors.New("unable to find config file")
-	}
-
-	file, err := os.Open(configPath)
-	if err != nil {
-		return Root{}, err
-	}
-	defer file.Close()
-
-	var config Root
-	if err := yaml.NewDecoder(file).Decode(&config); err != nil {
-		if err == io.EOF {
-			log.Error().Msgf("Configuration file %s was empty", configPath)
-			return Root{}, nil
-		}
-		return Root{}, errors.Wrap(err, "error parsing YAML in config file at "+configPath)
-	}
-
-	return config, nil
-}
-
-// File change notifications from the watcher
-
-// WatcherItemDidChange triggers when the yaml config is updated
-// sends the updated config to the service to reload its state
-func (m *FileManager) WatcherItemDidChange(filepath string) {
-	config, err := m.GetConfig()
-	if err != nil {
-		m.log.Err(err).Msg("Failed to read new config")
-		return
-	}
-	m.log.Info().Msg("Config file has been updated")
-	m.notifier.ConfigDidUpdate(config)
-}
-
-// WatcherDidError notifies of errors with the file watcher
-func (m *FileManager) WatcherDidError(err error) {
-	m.log.Err(err).Msg("Config watcher encountered an error")
-}

cmd/cloudflared/config/manager_test.go

@@ -1,88 +0,0 @@
-package config
-
-import (
-	"os"
-	"testing"
-
-	"github.com/cloudflare/cloudflared/watcher"
-
-	"github.com/rs/zerolog"
-	"github.com/stretchr/testify/assert"
-)
-
-type mockNotifier struct {
-	configs []Root
-}
-
-func (n *mockNotifier) ConfigDidUpdate(c Root) {
-	n.configs = append(n.configs, c)
-}
-
-type mockFileWatcher struct {
-	path     string
-	notifier watcher.Notification
-	ready    chan struct{}
-}
-
-func (w *mockFileWatcher) Start(n watcher.Notification) {
-	w.notifier = n
-	w.ready <- struct{}{}
-}
-
-func (w *mockFileWatcher) Add(string) error {
-	return nil
-}
-
-func (w *mockFileWatcher) Shutdown() {
-
-}
-
-func (w *mockFileWatcher) TriggerChange() {
-	w.notifier.WatcherItemDidChange(w.path)
-}
-
-func TestConfigChanged(t *testing.T) {
-	filePath := "config.yaml"
-	f, err := os.Create(filePath)
-	assert.NoError(t, err)
-	defer func() {
-		_ = f.Close()
-		_ = os.Remove(filePath)
-	}()
-	c := &Root{
-		Forwarders: []Forwarder{
-			{
-				URL:      "test.daltoniam.com",
-				Listener: "127.0.0.1:8080",
-			},
-		},
-	}
-	configRead := func(configPath string, log *zerolog.Logger) (Root, error) {
-		return *c, nil
-	}
-	wait := make(chan struct{})
-	w := &mockFileWatcher{path: filePath, ready: wait}
-
-	log := zerolog.Nop()
-
-	service, err := NewFileManager(w, filePath, &log)
-	service.ReadConfig = configRead
-	assert.NoError(t, err)
-
-	n := &mockNotifier{}
-	go service.Start(n)
-
-	<-wait
-	c.Forwarders = append(c.Forwarders, Forwarder{URL: "add.daltoniam.com", Listener: "127.0.0.1:8081"})
-	w.TriggerChange()
-
-	service.Shutdown()
-
-	assert.Len(t, n.configs, 2, "did not get 2 config updates as expected")
-	assert.Len(t, n.configs[0].Forwarders, 1, "not the amount of forwarders expected")
-	assert.Len(t, n.configs[1].Forwarders, 2, "not the amount of forwarders expected")
-
-	assert.Equal(t, n.configs[0].Forwarders[0].Hash(), c.Forwarders[0].Hash(), "forwarder hashes don't match")
-	assert.Equal(t, n.configs[1].Forwarders[0].Hash(), c.Forwarders[0].Hash(), "forwarder hashes don't match")
-	assert.Equal(t, n.configs[1].Forwarders[1].Hash(), c.Forwarders[1].Hash(), "forwarder hashes don't match")
-}

cmd/cloudflared/config/model.go

@@ -1,101 +0,0 @@
-package config
-
-import (
-	"crypto/md5"
-	"fmt"
-	"io"
-	"strings"
-)
-
-// Forwarder represents a client side listener to forward traffic to the edge
-type Forwarder struct {
-	URL           string `json:"url"`
-	Listener      string `json:"listener"`
-	TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
-	TokenSecret   string `json:"secret_token_id" yaml:"serviceTokenSecret"`
-	Destination   string `json:"destination"`
-}
-
-// Tunnel represents a tunnel that should be started
-type Tunnel struct {
-	URL          string `json:"url"`
-	Origin       string `json:"origin"`
-	ProtocolType string `json:"type"`
-}
-
-// DNSResolver represents a client side DNS resolver
-type DNSResolver struct {
-	Enabled    bool     `json:"enabled"`
-	Address    string   `json:"address,omitempty"`
-	Port       uint16   `json:"port,omitempty"`
-	Upstreams  []string `json:"upstreams,omitempty"`
-	Bootstraps []string `json:"bootstraps,omitempty"`
-}
-
-// Root is the base options to configure the service
-type Root struct {
-	LogDirectory string      `json:"log_directory" yaml:"logDirectory,omitempty"`
-	LogLevel     string      `json:"log_level" yaml:"logLevel,omitempty"`
-	Forwarders   []Forwarder `json:"forwarders,omitempty" yaml:"forwarders,omitempty"`
-	Tunnels      []Tunnel    `json:"tunnels,omitempty" yaml:"tunnels,omitempty"`
-	Resolver     DNSResolver `json:"resolver,omitempty" yaml:"resolver,omitempty"`
-}
-
-// Hash returns the computed values to see if the forwarder values change
-func (f *Forwarder) Hash() string {
-	h := md5.New()
-	io.WriteString(h, f.URL)
-	io.WriteString(h, f.Listener)
-	io.WriteString(h, f.TokenClientID)
-	io.WriteString(h, f.TokenSecret)
-	io.WriteString(h, f.Destination)
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
-
-// Hash returns the computed values to see if the forwarder values change
-func (r *DNSResolver) Hash() string {
-	h := md5.New()
-	io.WriteString(h, r.Address)
-	io.WriteString(h, strings.Join(r.Bootstraps, ","))
-	io.WriteString(h, strings.Join(r.Upstreams, ","))
-	io.WriteString(h, fmt.Sprintf("%d", r.Port))
-	io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
-	return fmt.Sprintf("%x", h.Sum(nil))
-}
-
-// EnabledOrDefault returns the enabled property
-func (r *DNSResolver) EnabledOrDefault() bool {
-	return r.Enabled
-}
-
-// AddressOrDefault returns the address or returns the default if empty
-func (r *DNSResolver) AddressOrDefault() string {
-	if r.Address != "" {
-		return r.Address
-	}
-	return "localhost"
-}
-
-// PortOrDefault return the port or returns the default if 0
-func (r *DNSResolver) PortOrDefault() uint16 {
-	if r.Port > 0 {
-		return r.Port
-	}
-	return 53
-}
-
-// UpstreamsOrDefault returns the upstreams or returns the default if empty
-func (r *DNSResolver) UpstreamsOrDefault() []string {
-	if len(r.Upstreams) > 0 {
-		return r.Upstreams
-	}
-	return []string{"https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"}
-}
-
-// BootstrapsOrDefault returns the bootstraps or returns the default if empty
-func (r *DNSResolver) BootstrapsOrDefault() []string {
-	if len(r.Bootstraps) > 0 {
-		return r.Bootstraps
-	}
-	return []string{"https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"}
-}

cmd/cloudflared/generic_service.go

@@ -1,4 +1,4 @@
-// +build !windows,!darwin,!linux
+//go:build !windows && !darwin && !linux
 
 package main
 
@@ -8,6 +8,6 @@ import (
 	cli "github.com/urfave/cli/v2"
 )
 
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Run(os.Args)
 }

cmd/cloudflared/linux_service.go

@@ -1,41 +1,37 @@
-// +build linux
+//go:build linux
 
 package main
 
 import (
 	"fmt"
 	"os"
-	"path/filepath"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
-	"github.com/cloudflare/cloudflared/logger"
 
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/logger"
 )
 
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the Argo Tunnel system service",
+		Usage: "Manages the cloudflared system service",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
-				Usage:  "Install Argo Tunnel as a system service",
-				Action: cliutil.ErrorHandler(installLinuxService),
+				Usage:  "Install cloudflared as a system service",
+				Action: cliutil.ConfiguredAction(installLinuxService),
 				Flags: []cli.Flag{
-					&cli.BoolFlag{
-						Name:  "legacy",
-						Usage: "Generate service file for non-named tunnels",
-					},
+					noUpdateServiceFlag,
 				},
 			},
 			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the Argo Tunnel service",
-				Action: cliutil.ErrorHandler(uninstallLinuxService),
+				Usage:  "Uninstall the cloudflared service",
+				Action: cliutil.ConfiguredAction(uninstallLinuxService),
 			},
 		},
 	})
@@ -45,23 +41,27 @@ func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
 // The directory and files that are used by the service.
 // These are hard-coded in the templates below.
 const (
-	serviceConfigDir      = "/etc/cloudflared"
-	serviceConfigFile     = "config.yml"
-	serviceCredentialFile = "cert.pem"
-	serviceConfigPath     = serviceConfigDir + "/" + serviceConfigFile
+	serviceConfigDir         = "/etc/cloudflared"
+	serviceConfigFile        = "config.yml"
+	serviceCredentialFile    = "cert.pem"
+	serviceConfigPath        = serviceConfigDir + "/" + serviceConfigFile
+	cloudflaredService       = "cloudflared.service"
+	cloudflaredUpdateService = "cloudflared-update.service"
+	cloudflaredUpdateTimer   = "cloudflared-update.timer"
 )
 
-var systemdTemplates = []ServiceTemplate{
-	{
-		Path: "/etc/systemd/system/cloudflared.service",
+var systemdAllTemplates = map[string]ServiceTemplate{
+	cloudflaredService: {
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredService),
 		Content: `[Unit]
-Description=Argo Tunnel
-After=network.target
+Description=cloudflared
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 TimeoutStartSec=0
 Type=notify
-ExecStart={{ .Path }} --config /etc/cloudflared/config.yml --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
+ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
 Restart=on-failure
 RestartSec=5s
 
@@ -69,20 +69,21 @@ RestartSec=5s
 WantedBy=multi-user.target
 `,
 	},
-	{
-		Path: "/etc/systemd/system/cloudflared-update.service",
+	cloudflaredUpdateService: {
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateService),
 		Content: `[Unit]
-Description=Update Argo Tunnel
-After=network.target
+Description=Update cloudflared
+After=network-online.target
+Wants=network-online.target
 
 [Service]
 ExecStart=/bin/bash -c '{{ .Path }} update; code=$?; if [ $code -eq 11 ]; then systemctl restart cloudflared; exit 0; fi; exit $code'
 `,
 	},
-	{
-		Path: "/etc/systemd/system/cloudflared-update.timer",
+	cloudflaredUpdateTimer: {
+		Path: fmt.Sprintf("/etc/systemd/system/%s", cloudflaredUpdateTimer),
 		Content: `[Unit]
-Description=Update Argo Tunnel
+Description=Update cloudflared
 
 [Timer]
 OnCalendar=daily
@@ -99,7 +100,7 @@ var sysvTemplate = ServiceTemplate{
 	Content: `#!/bin/sh
 # For RedHat and cousins:
 # chkconfig: 2345 99 01
-# description: Argo Tunnel agent
+# description: cloudflared
 # processname: {{.Path}}
 ### BEGIN INIT INFO
 # Provides:          {{.Path}}
@@ -107,11 +108,11 @@ var sysvTemplate = ServiceTemplate{
 # Required-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
-# Short-Description: Argo Tunnel
-# Description:       Argo Tunnel agent
+# Short-Description: cloudflared
+# Description:       cloudflared agent
 ### END INIT INFO
 name=$(basename $(readlink -f $0))
-cmd="{{.Path}} --config /etc/cloudflared/config.yml --pidfile /var/run/$name.pid --autoupdate-freq 24h0m0s{{ range .ExtraArgs }} {{ . }}{{ end }}"
+cmd="{{.Path}} --pidfile /var/run/$name.pid {{ range .ExtraArgs }} {{ . }}{{ end }}"
 pid_file="/var/run/$name.pid"
 stdout_log="/var/log/$name.log"
 stderr_log="/var/log/$name.err"
@@ -183,6 +184,14 @@ exit 0
 `,
 }
 
+var (
+	noUpdateServiceFlag = &cli.BoolFlag{
+		Name:  "no-update-service",
+		Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
+		Value: false,
+	}
+)
+
 func isSystemd() bool {
 	if _, err := os.Stat("/run/systemd/system"); err == nil {
 		return true
@@ -190,27 +199,6 @@ func isSystemd() bool {
 	return false
 }
 
-func copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile string, log *zerolog.Logger) error {
-	srcCredentialPath := filepath.Join(userConfigDir, userCredentialFile)
-	destCredentialPath := filepath.Join(serviceConfigDir, serviceCredentialFile)
-	if srcCredentialPath != destCredentialPath {
-		if err := copyCredential(srcCredentialPath, destCredentialPath); err != nil {
-			return err
-		}
-	}
-
-	srcConfigPath := filepath.Join(userConfigDir, userConfigFile)
-	destConfigPath := filepath.Join(serviceConfigDir, serviceConfigFile)
-	if srcConfigPath != destConfigPath {
-		if err := copyConfig(srcConfigPath, destConfigPath); err != nil {
-			return err
-		}
-		log.Info().Msgf("Copied %s to %s", srcConfigPath, destConfigPath)
-	}
-
-	return nil
-}
-
 func installLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
@@ -222,64 +210,88 @@ func installLinuxService(c *cli.Context) error {
 		Path: etPath,
 	}
 
-	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
+	// Check if the "no update flag" is set
+	autoUpdate := !c.IsSet(noUpdateServiceFlag.Name)
+
+	var extraArgsFunc func(c *cli.Context, log *zerolog.Logger) ([]string, error)
+	if c.NArg() == 0 {
+		extraArgsFunc = buildArgsForConfig
+	} else {
+		extraArgsFunc = buildArgsForToken
+	}
+
+	extraArgs, err := extraArgsFunc(c, log)
+	if err != nil {
 		return err
 	}
-	if c.Bool("legacy") {
-		userConfigDir := filepath.Dir(c.String("config"))
-		userConfigFile := filepath.Base(c.String("config"))
-		userCredentialFile := config.DefaultCredentialFile
-		if err = copyUserConfiguration(userConfigDir, userConfigFile, userCredentialFile, log); err != nil {
-			log.Err(err).Msgf("Failed to copy user configuration. Before running the service, ensure that %s contains two files, %s and %s",
-				serviceConfigDir, serviceCredentialFile, serviceConfigFile)
-			return err
-		}
-		templateArgs.ExtraArgs = []string{
-			"--origincert", serviceConfigDir + "/" + serviceCredentialFile,
-		}
-	} else {
-		src, err := config.ReadConfigFile(c, log)
-		if err != nil {
-			return err
-		}
 
-		// can't use context because this command doesn't define "credentials-file" flag
-		configPresent := func(s string) bool {
-			val, err := src.String(s)
-			return err == nil && val != ""
-		}
-		if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
-			return fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
-tunnel: TUNNEL-UUID
-credentials-file: CREDENTIALS-FILE
-`, src.Source())
-		}
-		if src.Source() != serviceConfigPath {
-			if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
-				return fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
-			}
-
-			if err := copyFile(src.Source(), serviceConfigPath); err != nil {
-				return fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
-			}
-		}
-
-		templateArgs.ExtraArgs = []string{
-			"tunnel", "run",
-		}
-	}
+	templateArgs.ExtraArgs = extraArgs
 
 	switch {
 	case isSystemd():
 		log.Info().Msgf("Using Systemd")
-		return installSystemd(&templateArgs, log)
+		err = installSystemd(&templateArgs, autoUpdate, log)
 	default:
 		log.Info().Msgf("Using SysV")
-		return installSysv(&templateArgs, log)
+		err = installSysv(&templateArgs, autoUpdate, log)
 	}
+
+	if err == nil {
+		log.Info().Msg("Linux service for cloudflared installed successfully")
+	}
+	return err
 }
 
-func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
+func buildArgsForConfig(c *cli.Context, log *zerolog.Logger) ([]string, error) {
+	if err := ensureConfigDirExists(serviceConfigDir); err != nil {
+		return nil, err
+	}
+
+	src, _, err := config.ReadConfigFile(c, log)
+	if err != nil {
+		return nil, err
+	}
+
+	// can't use context because this command doesn't define "credentials-file" flag
+	configPresent := func(s string) bool {
+		val, err := src.String(s)
+		return err == nil && val != ""
+	}
+	if src.TunnelID == "" || !configPresent(tunnel.CredFileFlag) {
+		return nil, fmt.Errorf(`Configuration file %s must contain entries for the tunnel to run and its associated credentials:
+tunnel: TUNNEL-UUID
+credentials-file: CREDENTIALS-FILE
+`, src.Source())
+	}
+	if src.Source() != serviceConfigPath {
+		if exists, err := config.FileExists(serviceConfigPath); err != nil || exists {
+			return nil, fmt.Errorf("Possible conflicting configuration in %[1]s and %[2]s. Either remove %[2]s or run `cloudflared --config %[2]s service install`", src.Source(), serviceConfigPath)
+		}
+
+		if err := copyFile(src.Source(), serviceConfigPath); err != nil {
+			return nil, fmt.Errorf("failed to copy %s to %s: %w", src.Source(), serviceConfigPath, err)
+		}
+	}
+
+	return []string{
+		"--config", "/etc/cloudflared/config.yml", "tunnel", "run",
+	}, nil
+}
+
+func installSystemd(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
+	var systemdTemplates []ServiceTemplate
+	if autoUpdate {
+		systemdTemplates = []ServiceTemplate{
+			systemdAllTemplates[cloudflaredService],
+			systemdAllTemplates[cloudflaredUpdateService],
+			systemdAllTemplates[cloudflaredUpdateTimer],
+		}
+	} else {
+		systemdTemplates = []ServiceTemplate{
+			systemdAllTemplates[cloudflaredService],
+		}
+	}
+
 	for _, serviceTemplate := range systemdTemplates {
 		err := serviceTemplate.Generate(templateArgs)
 		if err != nil {
@@ -287,24 +299,38 @@ func installSystemd(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) erro
 			return err
 		}
 	}
-	if err := runCommand("systemctl", "enable", "cloudflared.service"); err != nil {
-		log.Err(err).Msg("systemctl enable cloudflared.service error")
+	if err := runCommand("systemctl", "enable", cloudflaredService); err != nil {
+		log.Err(err).Msgf("systemctl enable %s error", cloudflaredService)
 		return err
 	}
-	if err := runCommand("systemctl", "start", "cloudflared-update.timer"); err != nil {
-		log.Err(err).Msg("systemctl start cloudflared-update.timer error")
+
+	if autoUpdate {
+		if err := runCommand("systemctl", "start", cloudflaredUpdateTimer); err != nil {
+			log.Err(err).Msgf("systemctl start %s error", cloudflaredUpdateTimer)
+			return err
+		}
+	}
+
+	if err := runCommand("systemctl", "daemon-reload"); err != nil {
+		log.Err(err).Msg("systemctl daemon-reload error")
 		return err
 	}
-	log.Info().Msg("systemctl daemon-reload")
-	return runCommand("systemctl", "daemon-reload")
+	return runCommand("systemctl", "start", cloudflaredService)
 }
 
-func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
+func installSysv(templateArgs *ServiceTemplateArgs, autoUpdate bool, log *zerolog.Logger) error {
 	confPath, err := sysvTemplate.ResolvePath()
 	if err != nil {
 		log.Err(err).Msg("error resolving system path")
 		return err
 	}
+
+	if autoUpdate {
+		templateArgs.ExtraArgs = append([]string{"--autoupdate-freq 24h0m0s"}, templateArgs.ExtraArgs...)
+	} else {
+		templateArgs.ExtraArgs = append([]string{"--no-autoupdate"}, templateArgs.ExtraArgs...)
+	}
+
 	if err := sysvTemplate.Generate(templateArgs); err != nil {
 		log.Err(err).Msg("error generating system template")
 		return err
@@ -319,42 +345,75 @@ func installSysv(templateArgs *ServiceTemplateArgs, log *zerolog.Logger) error {
 			continue
 		}
 	}
-	return nil
+	return runCommand("service", "cloudflared", "start")
 }
 
 func uninstallLinuxService(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
+	var err error
 	switch {
 	case isSystemd():
 		log.Info().Msg("Using Systemd")
-		return uninstallSystemd(log)
+		err = uninstallSystemd(log)
 	default:
 		log.Info().Msg("Using SysV")
-		return uninstallSysv(log)
+		err = uninstallSysv(log)
 	}
+
+	if err == nil {
+		log.Info().Msg("Linux service for cloudflared uninstalled successfully")
+	}
+	return err
 }
 
 func uninstallSystemd(log *zerolog.Logger) error {
-	if err := runCommand("systemctl", "disable", "cloudflared.service"); err != nil {
-		log.Err(err).Msg("systemctl disable cloudflared.service error")
-		return err
+	// Get only the installed services
+	installedServices := make(map[string]ServiceTemplate)
+	for serviceName, serviceTemplate := range systemdAllTemplates {
+		if err := runCommand("systemctl", "list-units", "--all", "|", "grep", serviceName); err == nil {
+			installedServices[serviceName] = serviceTemplate
+		} else {
+			log.Info().Msgf("Service '%s' not installed, skipping its uninstall", serviceName)
+		}
 	}
-	if err := runCommand("systemctl", "stop", "cloudflared-update.timer"); err != nil {
-		log.Err(err).Msg("systemctl stop cloudflared-update.timer error")
-		return err
+
+	if _, exists := installedServices[cloudflaredService]; exists {
+		if err := runCommand("systemctl", "disable", cloudflaredService); err != nil {
+			log.Err(err).Msgf("systemctl disable %s error", cloudflaredService)
+			return err
+		}
+		if err := runCommand("systemctl", "stop", cloudflaredService); err != nil {
+			log.Err(err).Msgf("systemctl stop %s error", cloudflaredService)
+			return err
+		}
 	}
-	for _, serviceTemplate := range systemdTemplates {
+
+	if _, exists := installedServices[cloudflaredUpdateTimer]; exists {
+		if err := runCommand("systemctl", "stop", cloudflaredUpdateTimer); err != nil {
+			log.Err(err).Msgf("systemctl stop %s error", cloudflaredUpdateTimer)
+			return err
+		}
+	}
+
+	for _, serviceTemplate := range installedServices {
 		if err := serviceTemplate.Remove(); err != nil {
 			log.Err(err).Msg("error removing service template")
 			return err
 		}
 	}
-	log.Info().Msgf("Successfully uninstalled cloudflared service from systemd")
+	if err := runCommand("systemctl", "daemon-reload"); err != nil {
+		log.Err(err).Msg("systemctl daemon-reload error")
+		return err
+	}
 	return nil
 }
 
 func uninstallSysv(log *zerolog.Logger) error {
+	if err := runCommand("service", "cloudflared", "stop"); err != nil {
+		log.Err(err).Msg("service cloudflared stop error")
+		return err
+	}
 	if err := sysvTemplate.Remove(); err != nil {
 		log.Err(err).Msg("error removing service template")
 		return err
@@ -369,6 +428,5 @@ func uninstallSysv(log *zerolog.Logger) error {
 			continue
 		}
 	}
-	log.Info().Msgf("Successfully uninstalled cloudflared service from sysv")
 	return nil
 }

cmd/cloudflared/macos_service.go

@@ -1,4 +1,4 @@
-// +build darwin
+//go:build darwin
 
 package main
 
@@ -6,31 +6,31 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	"github.com/cloudflare/cloudflared/logger"
-
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/logger"
 )
 
 const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
 
-func runApp(app *cli.App, shutdownC, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, graceShutdownC chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
-		Usage: "Manages the Argo Tunnel launch agent",
+		Usage: "Manages the cloudflared launch agent",
 		Subcommands: []*cli.Command{
 			{
 				Name:   "install",
-				Usage:  "Install Argo Tunnel as an user launch agent",
-				Action: cliutil.ErrorHandler(installLaunchd),
+				Usage:  "Install cloudflared as an user launch agent",
+				Action: cliutil.ConfiguredAction(installLaunchd),
 			},
 			{
 				Name:   "uninstall",
-				Usage:  "Uninstall the Argo Tunnel launch agent",
-				Action: cliutil.ErrorHandler(uninstallLaunchd),
+				Usage:  "Uninstall the cloudflared launch agent",
+				Action: cliutil.ConfiguredAction(uninstallLaunchd),
 			},
 		},
 	})
@@ -49,6 +49,9 @@ func newLaunchdTemplate(installPath, stdoutPath, stderrPath string) *ServiceTemp
 		<key>ProgramArguments</key>
 		<array>
 			<string>{{ .Path }}</string>
+			{{- range $i, $item := .ExtraArgs}}
+			<string>{{ $item }}</string>
+			{{- end}}
 		</array>
 		<key>RunAtLoad</key>
 		<true/>
@@ -110,13 +113,13 @@ func installLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
 	if isRootUser() {
-		log.Info().Msg("Installing Argo Tunnel client as a system launch daemon. " +
-			"Argo Tunnel client will run at boot")
+		log.Info().Msg("Installing cloudflared client as a system launch daemon. " +
+			"cloudflared client will run at boot")
 	} else {
-		log.Info().Msg("Installing Argo Tunnel client as an user launch agent. " +
-			"Note that Argo Tunnel client will only run when the user is logged in. " +
-			"If you want to run Argo Tunnel client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/argo-tunnel/reference/service/")
+		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
+			"Note that cloudflared client will only run when the user is logged in. " +
+			"If you want to run cloudflared client at boot, install with root permission. " +
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@@ -128,6 +131,13 @@ func installLaunchd(c *cli.Context) error {
 		log.Err(err).Msg("Error determining install path")
 		return errors.Wrap(err, "Error determining install path")
 	}
+	extraArgs, err := getServiceExtraArgsFromCliArgs(c, log)
+	if err != nil {
+		errMsg := "Unable to determine extra arguments for launch daemon"
+		log.Err(err).Msg(errMsg)
+		return errors.Wrap(err, errMsg)
+	}
+
 	stdoutPath, err := stdoutPath()
 	if err != nil {
 		log.Err(err).Msg("error determining stdout path")
@@ -139,7 +149,7 @@ func installLaunchd(c *cli.Context) error {
 		return errors.Wrap(err, "error determining stderr path")
 	}
 	launchdTemplate := newLaunchdTemplate(installPath, stdoutPath, stderrPath)
-	templateArgs := ServiceTemplateArgs{Path: etPath}
+	templateArgs := ServiceTemplateArgs{Path: etPath, ExtraArgs: extraArgs}
 	err = launchdTemplate.Generate(&templateArgs)
 	if err != nil {
 		log.Err(err).Msg("error generating launchd template")
@@ -152,16 +162,20 @@ func installLaunchd(c *cli.Context) error {
 	}
 
 	log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
-	return runCommand("launchctl", "load", plistPath)
+	err = runCommand("launchctl", "load", plistPath)
+	if err == nil {
+		log.Info().Msg("MacOS service for cloudflared installed successfully")
+	}
+	return err
 }
 
 func uninstallLaunchd(c *cli.Context) error {
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
 	if isRootUser() {
-		log.Info().Msg("Uninstalling Argo Tunnel as a system launch daemon")
+		log.Info().Msg("Uninstalling cloudflared as a system launch daemon")
 	} else {
-		log.Info().Msg("Uninstalling Argo Tunnel as an user launch agent")
+		log.Info().Msg("Uninstalling cloudflared as a user launch agent")
 	}
 	installPath, err := installPath()
 	if err != nil {
@@ -183,10 +197,13 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	err = runCommand("launchctl", "unload", plistPath)
 	if err != nil {
-		log.Err(err).Msg("error unloading")
+		log.Err(err).Msg("error unloading launchd")
 		return err
 	}
 
-	log.Info().Msgf("Outputs are logged to %s and %s", stderrPath, stdoutPath)
-	return launchdTemplate.Remove()
+	err = launchdTemplate.Remove()
+	if err == nil {
+		log.Info().Msg("Launchd for cloudflared was uninstalled successfully")
+	}
+	return err
 }

cmd/cloudflared/main.go

@@ -2,24 +2,30 @@ package main
 
 import (
 	"fmt"
+	"math/rand"
+	"os"
 	"strings"
 	"time"
 
+	"github.com/getsentry/sentry-go"
+	homedir "github.com/mitchellh/go-homedir"
+	"github.com/pkg/errors"
+	"github.com/urfave/cli/v2"
+	"go.uber.org/automaxprocs/maxprocs"
+
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
+	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/metrics"
 	"github.com/cloudflare/cloudflared/overwatch"
-	"github.com/cloudflare/cloudflared/tunneldns"
+	"github.com/cloudflare/cloudflared/token"
+	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/watcher"
-
-	"github.com/getsentry/raven-go"
-	"github.com/mitchellh/go-homedir"
-	"github.com/pkg/errors"
-	"github.com/urfave/cli/v2"
 )
 
 const (
@@ -29,6 +35,7 @@ const (
 var (
 	Version   = "DEV"
 	BuildTime = "unknown"
+	BuildType = ""
 	// Mostly network errors that we don't want reported back to Sentry, this is done by substring match.
 	ignoredErrors = []string{
 		"connection reset by peer",
@@ -43,13 +50,15 @@ var (
 )
 
 func main() {
-	metrics.RegisterBuildInfo(BuildTime, Version)
-	raven.SetRelease(Version)
+	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
+	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
 
-	// Force shutdown channel used by the app. When closed, app must terminate.
-	// Windows service manager closes this channel when it receives shutdown command.
-	shutdownC := make(chan struct{})
-	// Graceful shutdown channel used by the app. When closed, app must terminate.
+	rand.Seed(time.Now().UnixNano())
+	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
+	maxprocs.Set()
+	bInfo := cliutil.GetBuildInfo(BuildType, Version)
+
+	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
 	// Windows service manager closes this channel when it receives stop command.
 	graceShutdownC := make(chan struct{})
 
@@ -66,30 +75,34 @@ func main() {
 	app.Copyright = fmt.Sprintf(
 		`(c) %d Cloudflare Inc.
    Your installation of cloudflared software constitutes a symbol of your signature indicating that you accept
-   the terms of the Cloudflare License (https://developers.cloudflare.com/argo-tunnel/license/),
+   the terms of the Apache License Version 2.0 (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/license),
    Terms (https://www.cloudflare.com/terms/) and Privacy Policy (https://www.cloudflare.com/privacypolicy/).`,
 		time.Now().Year(),
 	)
-	app.Version = fmt.Sprintf("%s (built %s)", Version, BuildTime)
+	app.Version = fmt.Sprintf("%s (built %s%s)", Version, BuildTime, bInfo.GetBuildTypeMsg())
 	app.Description = `cloudflared connects your machine or user identity to Cloudflare's global network.
 	You can use it to authenticate a session to reach an API behind Access, route web traffic to this machine,
-	and configure access control.`
+	and configure access control.
+
+	See https://developers.cloudflare.com/cloudflare-one/connections/connect-apps for more in-depth documentation.`
 	app.Flags = flags()
-	app.Action = action(Version, shutdownC, graceShutdownC)
-	app.Before = tunnel.SetFlagsFromConfigFile
+	app.Action = action(graceShutdownC)
 	app.Commands = commands(cli.ShowVersion)
 
-	tunnel.Init(Version, shutdownC, graceShutdownC) // we need this to support the tunnel sub command...
-	access.Init(shutdownC, graceShutdownC)
+	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
+	access.Init(graceShutdownC, Version)
 	updater.Init(Version)
-	runApp(app, shutdownC, graceShutdownC)
+	tracing.Init(Version)
+	token.Init(Version)
+	tail.Init(bInfo)
+	runApp(app, graceShutdownC)
 }
 
 func commands(version func(c *cli.Context)) []*cli.Command {
 	cmds := []*cli.Command{
 		{
 			Name:   "update",
-			Action: cliutil.ErrorHandler(updater.Update),
+			Action: cliutil.ConfiguredAction(updater.Update),
 			Usage:  "Update the agent if a new version exists",
 			Flags: []cli.Flag{
 				&cli.BoolFlag{
@@ -116,21 +129,33 @@ func commands(version func(c *cli.Context)) []*cli.Command {
 If a new version exists, updates the agent binary and quits.
 Otherwise, does nothing.
 
-To determine if an update happened in a script, check for error code 64.`,
+To determine if an update happened in a script, check for error code 11.`,
 		},
 		{
 			Name: "version",
 			Action: func(c *cli.Context) (err error) {
+				if c.Bool("short") {
+					fmt.Println(strings.Split(c.App.Version, " ")[0])
+					return nil
+				}
 				version(c)
 				return nil
 			},
 			Usage:       versionText,
 			Description: versionText,
+			Flags: []cli.Flag{
+				&cli.BoolFlag{
+					Name:    "short",
+					Aliases: []string{"s"},
+					Usage:   "print just the version number",
+				},
+			},
 		},
 	}
 	cmds = append(cmds, tunnel.Commands()...)
-	cmds = append(cmds, tunneldns.Command(false))
+	cmds = append(cmds, proxydns.Command(false))
 	cmds = append(cmds, access.Commands()...)
+	cmds = append(cmds, tail.Command())
 	return cmds
 }
 
@@ -143,15 +168,15 @@ func isEmptyInvocation(c *cli.Context) bool {
 	return c.NArg() == 0 && c.NumFlags() == 0
 }
 
-func action(version string, shutdownC, graceShutdownC chan struct{}) cli.ActionFunc {
-	return cliutil.ErrorHandler(func(c *cli.Context) (err error) {
+func action(graceShutdownC chan struct{}) cli.ActionFunc {
+	return cliutil.ConfiguredAction(func(c *cli.Context) (err error) {
 		if isEmptyInvocation(c) {
-			return handleServiceMode(c, shutdownC)
+			return handleServiceMode(c, graceShutdownC)
 		}
-		tags := make(map[string]string)
-		tags["hostname"] = c.String("hostname")
-		raven.SetTagsContext(tags)
-		raven.CapturePanic(func() { err = tunnel.TunnelCommand(c) }, nil)
+		func() {
+			defer sentry.Recover()
+			err = tunnel.TunnelCommand(c)
+		}()
 		if err != nil {
 			captureError(err)
 		}
@@ -179,7 +204,7 @@ func captureError(err error) {
 			return
 		}
 	}
-	raven.CaptureError(err, nil)
+	sentry.CaptureException(err)
 }
 
 // cloudflared was started without any flags

cmd/cloudflared/path/path.go

@@ -1,45 +0,0 @@
-package path
-
-import (
-	"fmt"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/mitchellh/go-homedir"
-)
-
-// GenerateAppTokenFilePathFromURL will return a filepath for given Access org token
-func GenerateAppTokenFilePathFromURL(url *url.URL, suffix string) (string, error) {
-	configPath, err := getConfigPath()
-	if err != nil {
-		return "", err
-	}
-	name := strings.Replace(fmt.Sprintf("%s%s-%s", url.Hostname(), url.EscapedPath(), suffix), "/", "-", -1)
-	return filepath.Join(configPath, name), nil
-}
-
-// GenerateOrgTokenFilePathFromURL will return a filepath for given Access application token
-func GenerateOrgTokenFilePathFromURL(authDomain string) (string, error) {
-	configPath, err := getConfigPath()
-	if err != nil {
-		return "", err
-	}
-	name := strings.Replace(fmt.Sprintf("%s-org-token", authDomain), "/", "-", -1)
-	return filepath.Join(configPath, name), nil
-}
-
-func getConfigPath() (string, error) {
-	configPath, err := homedir.Expand(config.DefaultConfigSearchDirectories()[0])
-	if err != nil {
-		return "", err
-	}
-	ok, err := config.FileExists(configPath)
-	if !ok && err == nil {
-		// create config directory if doesn't already exist
-		err = os.Mkdir(configPath, 0700)
-	}
-	return configPath, err
-}

cmd/cloudflared/proxydns/cmd.go

@@ -0,0 +1,115 @@
+package proxydns
+
+import (
+	"context"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/metrics"
+	"github.com/cloudflare/cloudflared/tunneldns"
+)
+
+func Command(hidden bool) *cli.Command {
+	return &cli.Command{
+		Name:   "proxy-dns",
+		Action: cliutil.ConfiguredAction(Run),
+
+		Usage: "Run a DNS over HTTPS proxy server.",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:    "metrics",
+				Value:   "localhost:",
+				Usage:   "Listen address for metrics reporting.",
+				EnvVars: []string{"TUNNEL_METRICS"},
+			},
+			&cli.StringFlag{
+				Name:    "address",
+				Usage:   "Listen address for the DNS over HTTPS proxy server.",
+				Value:   "localhost",
+				EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
+			},
+			// Note TUN-3758 , we use Int because UInt is not supported with altsrc
+			&cli.IntFlag{
+				Name:    "port",
+				Usage:   "Listen on given port for the DNS over HTTPS proxy server.",
+				Value:   53,
+				EnvVars: []string{"TUNNEL_DNS_PORT"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "upstream",
+				Usage:   "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
+				Value:   cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
+				EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "bootstrap",
+				Usage:   "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
+				Value:   cli.NewStringSlice("https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"),
+				EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
+			},
+			&cli.IntFlag{
+				Name:    "max-upstream-conns",
+				Usage:   "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
+				Value:   tunneldns.MaxUpstreamConnsDefault,
+				EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
+			},
+		},
+		ArgsUsage: " ", // can't be the empty string or we get the default output
+		Hidden:    hidden,
+	}
+}
+
+// Run implements a foreground runner
+func Run(c *cli.Context) error {
+	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
+
+	metricsListener, err := net.Listen("tcp", c.String("metrics"))
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to open the metrics listener")
+	}
+
+	go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
+
+	listener, err := tunneldns.CreateListener(
+		c.String("address"),
+		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
+		uint16(c.Int("port")),
+		c.StringSlice("upstream"),
+		c.StringSlice("bootstrap"),
+		c.Int("max-upstream-conns"),
+		log,
+	)
+
+	if err != nil {
+		log.Err(err).Msg("Failed to create the listeners")
+		return err
+	}
+
+	// Try to start the server
+	readySignal := make(chan struct{})
+	err = listener.Start(readySignal)
+	if err != nil {
+		log.Err(err).Msg("Failed to start the listeners")
+		return listener.Stop()
+	}
+	<-readySignal
+
+	// Wait for signal
+	signals := make(chan os.Signal, 10)
+	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
+	defer signal.Stop(signals)
+	<-signals
+
+	// Shut down server
+	err = listener.Stop()
+	if err != nil {
+		log.Err(err).Msg("failed to stop")
+	}
+	return err
+}

cmd/cloudflared/service_template.go

@@ -5,14 +5,14 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
+	"path"
 	"text/template"
 
-	"github.com/mitchellh/go-homedir"
+	homedir "github.com/mitchellh/go-homedir"
 
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/config"
 )
 
 type ServiceTemplate struct {
@@ -43,16 +43,27 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 	if err != nil {
 		return err
 	}
+	if _, err = os.Stat(resolvedPath); err == nil {
+		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+	}
+
 	var buffer bytes.Buffer
 	err = tmpl.Execute(&buffer, args)
 	if err != nil {
 		return fmt.Errorf("error generating %s: %v", st.Path, err)
 	}
-	fileMode := os.FileMode(0644)
+	fileMode := os.FileMode(0o644)
 	if st.FileMode != 0 {
 		fileMode = st.FileMode
 	}
-	err = ioutil.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
+
+	plistFolder := path.Dir(resolvedPath)
+	err = os.MkdirAll(plistFolder, 0o755)
+	if err != nil {
+		return fmt.Errorf("error creating %s: %v", plistFolder, err)
+	}
+
+	err = os.WriteFile(resolvedPath, buffer.Bytes(), fileMode)
 	if err != nil {
 		return fmt.Errorf("error writing %s: %v", resolvedPath, err)
 	}
@@ -71,6 +82,15 @@ func (st *ServiceTemplate) Remove() error {
 	return nil
 }
 
+func serviceAlreadyExistsWarn(service string) string {
+	return fmt.Sprintf("cloudflared service is already installed at %s; if you are running a cloudflared tunnel, you "+
+		"can point it to multiple origins, avoiding the need to run more than one cloudflared service in the "+
+		"same machine; otherwise if you are really sure, you can do `cloudflared service uninstall` to clean "+
+		"up the existing service and then try again this command",
+		service,
+	)
+}
+
 func runCommand(command string, args ...string) error {
 	cmd := exec.Command(command, args...)
 	stderr, err := cmd.StderrPipe()
@@ -82,10 +102,10 @@ func runCommand(command string, args ...string) error {
 		return fmt.Errorf("error starting %s: %v", command, err)
 	}
 
-	_, _ = ioutil.ReadAll(stderr)
+	output, _ := io.ReadAll(stderr)
 	err = cmd.Wait()
 	if err != nil {
-		return fmt.Errorf("%s returned with error: %v", command, err)
+		return fmt.Errorf("%s %v returned with error code %v due to: %v", command, args, err, string(output))
 	}
 	return nil
 }

cmd/cloudflared/shell/launch_browser_other.go

@@ -1,11 +0,0 @@
-//+build !windows,!darwin,!linux,!netbsd,!freebsd,!openbsd
-
-package shell
-
-import (
-	"os/exec"
-)
-
-func getBrowserCmd(url string) *exec.Cmd {
-	return nil
-}

cmd/cloudflared/shell/launch_browser_unix.go

@@ -1,11 +0,0 @@
-//+build linux freebsd openbsd netbsd
-
-package shell
-
-import (
-	"os/exec"
-)
-
-func getBrowserCmd(url string) *exec.Cmd {
-	return exec.Command("xdg-open", url)
-}

cmd/cloudflared/shell/shell.go

@@ -1,33 +0,0 @@
-package shell
-
-import (
-	"io"
-	"os"
-	"os/exec"
-)
-
-// OpenBrowser opens the specified URL in the default browser of the user
-func OpenBrowser(url string) error {
-	return getBrowserCmd(url).Start()
-}
-
-// Run will kick off a shell task and pipe the results to the respective std pipes
-func Run(cmd string, args ...string) error {
-	c := exec.Command(cmd, args...)
-	stderr, err := c.StderrPipe()
-	if err != nil {
-		return err
-	}
-	go func() {
-		io.Copy(os.Stderr, stderr)
-	}()
-
-	stdout, err := c.StdoutPipe()
-	if err != nil {
-		return err
-	}
-	go func() {
-		io.Copy(os.Stdout, stdout)
-	}()
-	return c.Run()
-}

cmd/cloudflared/tail/cmd.go

@@ -0,0 +1,428 @@
+package tail
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/mattn/go-colorable"
+	"github.com/rs/zerolog"
+	"github.com/urfave/cli/v2"
+	"nhooyr.io/websocket"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/credentials"
+	"github.com/cloudflare/cloudflared/logger"
+	"github.com/cloudflare/cloudflared/management"
+)
+
+var (
+	buildInfo *cliutil.BuildInfo
+)
+
+func Init(bi *cliutil.BuildInfo) {
+	buildInfo = bi
+}
+
+func Command() *cli.Command {
+	subcommands := []*cli.Command{
+		buildTailManagementTokenSubcommand(),
+	}
+
+	return buildTailCommand(subcommands)
+}
+
+func buildTailManagementTokenSubcommand() *cli.Command {
+	return &cli.Command{
+		Name:        "token",
+		Action:      cliutil.ConfiguredAction(managementTokenCommand),
+		Usage:       "Get management access jwt",
+		UsageText:   "cloudflared tail token TUNNEL_ID",
+		Description: `Get management access jwt for a tunnel`,
+		Hidden:      true,
+	}
+}
+
+func managementTokenCommand(c *cli.Context) error {
+	log := createLogger(c)
+	token, err := getManagementToken(c, log)
+	if err != nil {
+		return err
+	}
+	var tokenResponse = struct {
+		Token string `json:"token"`
+	}{Token: token}
+
+	return json.NewEncoder(os.Stdout).Encode(tokenResponse)
+}
+
+func buildTailCommand(subcommands []*cli.Command) *cli.Command {
+	return &cli.Command{
+		Name:      "tail",
+		Action:    Run,
+		Usage:     "Stream logs from a remote cloudflared",
+		UsageText: "cloudflared tail [tail command options] [TUNNEL-ID]",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:    "connector-id",
+				Usage:   "Access a specific cloudflared instance by connector id (for when a tunnel has multiple cloudflared's)",
+				Value:   "",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_CONNECTOR"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "event",
+				Usage:   "Filter by specific Events (cloudflared, http, tcp, udp) otherwise, defaults to send all events",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_EVENTS"},
+			},
+			&cli.StringFlag{
+				Name:    "level",
+				Usage:   "Filter by specific log levels (debug, info, warn, error). Filters by debug log level by default.",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_LEVEL"},
+				Value:   "debug",
+			},
+			&cli.Float64Flag{
+				Name:    "sample",
+				Usage:   "Sample log events by percentage (0.0 .. 1.0). No sampling by default.",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_FILTER_SAMPLE"},
+				Value:   1.0,
+			},
+			&cli.StringFlag{
+				Name:    "token",
+				Usage:   "Access token for a specific tunnel",
+				Value:   "",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
+			},
+			&cli.StringFlag{
+				Name:    "output",
+				Usage:   "Output format for the logs (default, json)",
+				Value:   "default",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
+			},
+			&cli.StringFlag{
+				Name:    "management-hostname",
+				Usage:   "Management hostname to signify incoming management requests",
+				EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
+				Hidden:  true,
+				Value:   "management.argotunnel.com",
+			},
+			&cli.StringFlag{
+				Name:   "trace",
+				Usage:  "Set a cf-trace-id for the request",
+				Hidden: true,
+				Value:  "",
+			},
+			&cli.StringFlag{
+				Name:    logger.LogLevelFlag,
+				Value:   "info",
+				Usage:   "Application logging level {debug, info, warn, error, fatal}",
+				EnvVars: []string{"TUNNEL_LOGLEVEL"},
+			},
+			&cli.StringFlag{
+				Name:    credentials.OriginCertFlag,
+				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
+				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
+				Value:   credentials.FindDefaultOriginCertPath(),
+			},
+		},
+		Subcommands: subcommands,
+	}
+}
+
+// Middleware validation error struct for returning to the eyeball
+type managementError struct {
+	Code    int    `json:"code,omitempty"`
+	Message string `json:"message,omitempty"`
+}
+
+// Middleware validation error HTTP response JSON for returning to the eyeball
+type managementErrorResponse struct {
+	Success bool              `json:"success,omitempty"`
+	Errors  []managementError `json:"errors,omitempty"`
+}
+
+func handleValidationError(resp *http.Response, log *zerolog.Logger) {
+	if resp.StatusCode == 530 {
+		log.Error().Msgf("no cloudflared connector available or reachable via management request (a recent version of cloudflared is required to use streaming logs)")
+	}
+	var managementErr managementErrorResponse
+	err := json.NewDecoder(resp.Body).Decode(&managementErr)
+	if err != nil {
+		log.Error().Msgf("unable to start management log streaming session: http response code returned %d", resp.StatusCode)
+		return
+	}
+	if managementErr.Success || len(managementErr.Errors) == 0 {
+		log.Error().Msgf("management tunnel validation returned success with invalid HTTP response code to convert to a WebSocket request")
+		return
+	}
+	for _, e := range managementErr.Errors {
+		log.Error().Msgf("management request failed validation: (%d) %s", e.Code, e.Message)
+	}
+}
+
+// logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
+// management requests
+func createLogger(c *cli.Context) *zerolog.Logger {
+	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
+	if levelErr != nil {
+		level = zerolog.InfoLevel
+	}
+	log := zerolog.New(zerolog.ConsoleWriter{
+		Out:        colorable.NewColorable(os.Stderr),
+		TimeFormat: time.RFC3339,
+	}).With().Timestamp().Logger().Level(level)
+	return &log
+}
+
+// parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
+func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
+	var level *management.LogLevel
+	var events []management.LogEventType
+	var sample float64
+
+	argLevel := c.String("level")
+	argEvents := c.StringSlice("event")
+	argSample := c.Float64("sample")
+
+	if argLevel != "" {
+		l, ok := management.ParseLogLevel(argLevel)
+		if !ok {
+			return nil, fmt.Errorf("invalid --level filter provided, please use one of the following Log Levels: debug, info, warn, error")
+		}
+		level = &l
+	}
+
+	for _, v := range argEvents {
+		t, ok := management.ParseLogEventType(v)
+		if !ok {
+			return nil, fmt.Errorf("invalid --event filter provided, please use one of the following EventTypes: cloudflared, http, tcp, udp")
+		}
+		events = append(events, t)
+	}
+
+	if argSample <= 0.0 || argSample > 1.0 {
+		return nil, fmt.Errorf("invalid --sample value provided, please make sure it is in the range (0.0 .. 1.0)")
+	}
+	sample = argSample
+
+	if level == nil && len(events) == 0 && argSample != 1.0 {
+		// When no filters are provided, do not return a StreamingFilters struct
+		return nil, nil
+	}
+
+	return &management.StreamingFilters{
+		Level:    level,
+		Events:   events,
+		Sampling: sample,
+	}, nil
+}
+
+// getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
+func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
+	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
+	if err != nil {
+		return "", err
+	}
+
+	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
+	if err != nil {
+		return "", err
+	}
+
+	tunnelIDString := c.Args().First()
+	if tunnelIDString == "" {
+		return "", errors.New("no tunnel ID provided")
+	}
+	tunnelID, err := uuid.Parse(tunnelIDString)
+	if err != nil {
+		return "", errors.New("unable to parse provided tunnel id as a valid UUID")
+	}
+
+	token, err := client.GetManagementToken(tunnelID)
+	if err != nil {
+		return "", err
+	}
+
+	return token, nil
+}
+
+// buildURL will build the management url to contain the required query parameters to authenticate the request.
+func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
+	var err error
+	managementHostname := c.String("management-hostname")
+	token := c.String("token")
+	if token == "" {
+		token, err = getManagementToken(c, log)
+		if err != nil {
+			return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
+		}
+	}
+	query := url.Values{}
+	query.Add("access_token", token)
+	connector := c.String("connector-id")
+	if connector != "" {
+		connectorID, err := uuid.Parse(connector)
+		if err != nil {
+			return url.URL{}, fmt.Errorf("unabled to parse 'connector-id' flag into a valid UUID: %w", err)
+		}
+		query.Add("connector_id", connectorID.String())
+	}
+	return url.URL{Scheme: "wss", Host: managementHostname, Path: "/logs", RawQuery: query.Encode()}, nil
+}
+
+func printLine(log *management.Log, logger *zerolog.Logger) {
+	fields, err := json.Marshal(log.Fields)
+	if err != nil {
+		fields = []byte("unable to parse fields")
+		logger.Debug().Msgf("unable to parse fields from event %+v", log)
+	}
+	fmt.Printf("%s %s %s %s %s\n", log.Time, log.Level, log.Event, log.Message, fields)
+}
+
+func printJSON(log *management.Log, logger *zerolog.Logger) {
+	output, err := json.Marshal(log)
+	if err != nil {
+		logger.Debug().Msgf("unable to parse event to json %+v", log)
+	} else {
+		fmt.Println(string(output))
+	}
+}
+
+// Run implements a foreground runner
+func Run(c *cli.Context) error {
+	log := createLogger(c)
+
+	signals := make(chan os.Signal, 10)
+	signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
+	defer signal.Stop(signals)
+
+	output := "default"
+	switch c.String("output") {
+	case "default", "":
+		output = "default"
+	case "json":
+		output = "json"
+	default:
+		log.Err(errors.New("invalid --output value provided, please make sure it is one of: default, json")).Send()
+	}
+
+	filters, err := parseFilters(c)
+	if err != nil {
+		log.Error().Err(err).Msgf("invalid filters provided")
+		return nil
+	}
+
+	u, err := buildURL(c, log)
+	if err != nil {
+		log.Err(err).Msg("unable to construct management request URL")
+		return nil
+	}
+
+	header := make(http.Header)
+	header.Add("User-Agent", buildInfo.UserAgent())
+	trace := c.String("trace")
+	if trace != "" {
+		header["cf-trace-id"] = []string{trace}
+	}
+	ctx := c.Context
+	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
+		HTTPHeader: header,
+	})
+	if err != nil {
+		if resp != nil && resp.StatusCode != http.StatusSwitchingProtocols {
+			handleValidationError(resp, log)
+			return nil
+		}
+		log.Error().Err(err).Msgf("unable to start management log streaming session")
+		return nil
+	}
+	defer conn.Close(websocket.StatusInternalError, "management connection was closed abruptly")
+
+	// Once connection is established, send start_streaming event to begin receiving logs
+	err = management.WriteEvent(conn, ctx, &management.EventStartStreaming{
+		ClientEvent: management.ClientEvent{Type: management.StartStreaming},
+		Filters:     filters,
+	})
+	if err != nil {
+		log.Error().Err(err).Msg("unable to request logs from management tunnel")
+		return nil
+	}
+	log.Debug().
+		Str("tunnel-id", c.Args().First()).
+		Str("connector-id", c.String("connector-id")).
+		Interface("filters", filters).
+		Msg("connected")
+
+	readerDone := make(chan struct{})
+
+	go func() {
+		defer close(readerDone)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				event, err := management.ReadServerEvent(conn, ctx)
+				if err != nil {
+					if closeErr := management.AsClosed(err); closeErr != nil {
+						// If the client (or the server) already closed the connection, don't continue to
+						// attempt to read from the client.
+						if closeErr.Code == websocket.StatusNormalClosure {
+							return
+						}
+						// Only log abnormal closures
+						log.Error().Msgf("received remote closure: (%d) %s", closeErr.Code, closeErr.Reason)
+						return
+					}
+					log.Err(err).Msg("unable to read event from server")
+					return
+				}
+				switch event.Type {
+				case management.Logs:
+					logs, ok := management.IntoServerEvent(event, management.Logs)
+					if !ok {
+						log.Error().Msgf("invalid logs event")
+						continue
+					}
+					// Output all the logs received to stdout
+					for _, l := range logs.Logs {
+						if output == "json" {
+							printJSON(l, log)
+						} else {
+							printLine(l, log)
+						}
+					}
+				case management.UnknownServerEventType:
+					fallthrough
+				default:
+					log.Debug().Msgf("unexpected log event type: %s", event.Type)
+				}
+			}
+		}
+	}()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil
+		case <-readerDone:
+			return nil
+		case <-signals:
+			log.Debug().Msg("closing management connection")
+			// Cleanly close the connection by sending a close message and then
+			// waiting (with timeout) for the server to close the connection.
+			conn.Close(websocket.StatusNormalClosure, "")
+			select {
+			case <-readerDone:
+			case <-time.After(time.Second):
+			}
+			return nil
+		}
+	}
+}

cmd/cloudflared/token/token.go

@@ -1,386 +0,0 @@
-package token
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io/ioutil"
-	"net/http"
-	"net/url"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-	"time"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/path"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/transfer"
-	"github.com/cloudflare/cloudflared/origin"
-
-	"github.com/coreos/go-oidc/jose"
-	"github.com/pkg/errors"
-	"github.com/rs/zerolog"
-)
-
-const (
-	keyName     = "token"
-	tokenHeader = "CF_Authorization"
-)
-
-type lock struct {
-	lockFilePath string
-	backoff      *origin.BackoffHandler
-	sigHandler   *signalHandler
-}
-
-type signalHandler struct {
-	sigChannel chan os.Signal
-	signals    []os.Signal
-}
-
-type appJWTPayload struct {
-	Aud   []string `json:"aud"`
-	Email string   `json:"email"`
-	Exp   int      `json:"exp"`
-	Iat   int      `json:"iat"`
-	Nbf   int      `json:"nbf"`
-	Iss   string   `json:"iss"`
-	Type  string   `json:"type"`
-	Subt  string   `json:"sub"`
-}
-
-type orgJWTPayload struct {
-	appJWTPayload
-	Aud string `json:"aud"`
-}
-
-type transferServiceResponse struct {
-	AppToken string `json:"app_token"`
-	OrgToken string `json:"org_token"`
-}
-
-func (p appJWTPayload) isExpired() bool {
-	return int(time.Now().Unix()) > p.Exp
-}
-
-func (s *signalHandler) register(handler func()) {
-	s.sigChannel = make(chan os.Signal, 1)
-	signal.Notify(s.sigChannel, s.signals...)
-	go func(s *signalHandler) {
-		for range s.sigChannel {
-			handler()
-		}
-	}(s)
-}
-
-func (s *signalHandler) deregister() {
-	signal.Stop(s.sigChannel)
-	close(s.sigChannel)
-}
-
-func errDeleteTokenFailed(lockFilePath string) error {
-	return fmt.Errorf("failed to acquire a new Access token. Please try to delete %s", lockFilePath)
-}
-
-// newLock will get a new file lock
-func newLock(path string) *lock {
-	lockPath := path + ".lock"
-	return &lock{
-		lockFilePath: lockPath,
-		backoff:      &origin.BackoffHandler{MaxRetries: 7},
-		sigHandler: &signalHandler{
-			signals: []os.Signal{syscall.SIGINT, syscall.SIGTERM},
-		},
-	}
-}
-
-func (l *lock) Acquire() error {
-	// Intercept SIGINT and SIGTERM to release lock before exiting
-	l.sigHandler.register(func() {
-		_ = l.deleteLockFile()
-		os.Exit(0)
-	})
-
-	// Check for a path.lock file
-	// if the lock file exists; start polling
-	// if not, create the lock file and go through the normal flow.
-	// See AUTH-1736 for the reason why we do all this
-	for isTokenLocked(l.lockFilePath) {
-		if l.backoff.Backoff(context.Background()) {
-			continue
-		}
-
-		if err := l.deleteLockFile(); err != nil {
-			return err
-		}
-	}
-
-	// Create a lock file so other processes won't also try to get the token at
-	// the same time
-	if err := ioutil.WriteFile(l.lockFilePath, []byte{}, 0600); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (l *lock) deleteLockFile() error {
-	if err := os.Remove(l.lockFilePath); err != nil && !os.IsNotExist(err) {
-		return errDeleteTokenFailed(l.lockFilePath)
-	}
-	return nil
-}
-
-func (l *lock) Release() error {
-	defer l.sigHandler.deregister()
-	return l.deleteLockFile()
-}
-
-// isTokenLocked checks to see if there is another process attempting to get the token already
-func isTokenLocked(lockFilePath string) bool {
-	exists, err := config.FileExists(lockFilePath)
-	return exists && err == nil
-}
-
-// FetchTokenWithRedirect will either load a stored token or generate a new one
-// it appends the full url as the redirect URL to the access cli request if opening the browser
-func FetchTokenWithRedirect(appURL *url.URL, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, false, log)
-}
-
-// FetchToken will either load a stored token or generate a new one
-// it appends the host of the appURL as the redirect URL to the access cli request if opening the browser
-func FetchToken(appURL *url.URL, log *zerolog.Logger) (string, error) {
-	return getToken(appURL, true, log)
-}
-
-// getToken will either load a stored token or generate a new one
-func getToken(appURL *url.URL, useHostOnly bool, log *zerolog.Logger) (string, error) {
-	if token, err := GetAppTokenIfExists(appURL); token != "" && err == nil {
-		return token, nil
-	}
-
-	appTokenPath, err := path.GenerateAppTokenFilePathFromURL(appURL, keyName)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to generate app token file path")
-	}
-
-	fileLockAppToken := newLock(appTokenPath)
-	if err = fileLockAppToken.Acquire(); err != nil {
-		return "", errors.Wrap(err, "failed to acquire app token lock")
-	}
-	defer fileLockAppToken.Release()
-
-	// check to see if another process has gotten a token while we waited for the lock
-	if token, err := GetAppTokenIfExists(appURL); token != "" && err == nil {
-		return token, nil
-	}
-
-	// If an app token couldnt be found on disk, check for an org token and attempt to exchange it for an app token.
-	var orgTokenPath string
-	// Get auth domain to format into org token file path
-	if authDomain, err := getAuthDomain(appURL); err != nil {
-		log.Error().Msgf("failed to get auth domain: %s", err)
-	} else {
-		orgToken, err := GetOrgTokenIfExists(authDomain)
-		if err != nil {
-			orgTokenPath, err = path.GenerateOrgTokenFilePathFromURL(authDomain)
-			if err != nil {
-				return "", errors.Wrap(err, "failed to generate org token file path")
-			}
-
-			fileLockOrgToken := newLock(orgTokenPath)
-			if err = fileLockOrgToken.Acquire(); err != nil {
-				return "", errors.Wrap(err, "failed to acquire org token lock")
-			}
-			defer fileLockOrgToken.Release()
-			// check if an org token has been created since the lock was acquired
-			orgToken, err = GetOrgTokenIfExists(authDomain)
-		}
-		if err == nil {
-			if appToken, err := exchangeOrgToken(appURL, orgToken); err != nil {
-				log.Debug().Msgf("failed to exchange org token for app token: %s", err)
-			} else {
-				if err := ioutil.WriteFile(appTokenPath, []byte(appToken), 0600); err != nil {
-					return "", errors.Wrap(err, "failed to write app token to disk")
-				}
-				return appToken, nil
-			}
-		}
-	}
-	return getTokensFromEdge(appURL, appTokenPath, orgTokenPath, useHostOnly, log)
-
-}
-
-// getTokensFromEdge will attempt to use the transfer service to retrieve an app and org token, save them to disk,
-// and return the app token.
-func getTokensFromEdge(appURL *url.URL, appTokenPath, orgTokenPath string, useHostOnly bool, log *zerolog.Logger) (string, error) {
-	// If no org token exists or if it couldnt be exchanged for an app token, then run the transfer service flow.
-
-	// this weird parameter is the resource name (token) and the key/value
-	// we want to send to the transfer service. the key is token and the value
-	// is blank (basically just the id generated in the transfer service)
-	resourceData, err := transfer.Run(appURL, keyName, keyName, "", true, useHostOnly, log)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to run transfer service")
-	}
-	var resp transferServiceResponse
-	if err = json.Unmarshal(resourceData, &resp); err != nil {
-		return "", errors.Wrap(err, "failed to marshal transfer service response")
-	}
-
-	// If we were able to get the auth domain and generate an org token path, lets write it to disk.
-	if orgTokenPath != "" {
-		if err := ioutil.WriteFile(orgTokenPath, []byte(resp.OrgToken), 0600); err != nil {
-			return "", errors.Wrap(err, "failed to write org token to disk")
-		}
-	}
-
-	if err := ioutil.WriteFile(appTokenPath, []byte(resp.AppToken), 0600); err != nil {
-		return "", errors.Wrap(err, "failed to write app token to disk")
-	}
-
-	return resp.AppToken, nil
-
-}
-
-// getAuthDomain makes a request to the appURL and stops at the first redirect. The 302 location header will contain the
-// auth domain
-func getAuthDomain(appURL *url.URL) (string, error) {
-	client := &http.Client{
-		// do not follow redirects
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			return http.ErrUseLastResponse
-		},
-		Timeout: time.Second * 7,
-	}
-
-	authDomainReq, err := http.NewRequest("HEAD", appURL.String(), nil)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to create auth domain request")
-	}
-	resp, err := client.Do(authDomainReq)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to get auth domain")
-	}
-	resp.Body.Close()
-	location, err := resp.Location()
-	if err != nil {
-		return "", fmt.Errorf("failed to get auth domain. Received status code %d from %s", resp.StatusCode, appURL.String())
-	}
-	return location.Hostname(), nil
-
-}
-
-// exchangeOrgToken attaches an org token to a request to the appURL and returns an app token. This uses the Access SSO
-// flow to automatically generate and return an app token without the login page.
-func exchangeOrgToken(appURL *url.URL, orgToken string) (string, error) {
-	client := &http.Client{
-		CheckRedirect: func(req *http.Request, via []*http.Request) error {
-			// attach org token to login request
-			if strings.Contains(req.URL.Path, "cdn-cgi/access/login") {
-				req.AddCookie(&http.Cookie{Name: tokenHeader, Value: orgToken})
-			}
-			// stop after hitting authorized endpoint since it will contain the app token
-			if strings.Contains(via[len(via)-1].URL.Path, "cdn-cgi/access/authorized") {
-				return http.ErrUseLastResponse
-			}
-			return nil
-		},
-		Timeout: time.Second * 7,
-	}
-
-	appTokenRequest, err := http.NewRequest("HEAD", appURL.String(), nil)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to create app token request")
-	}
-	resp, err := client.Do(appTokenRequest)
-	if err != nil {
-		return "", errors.Wrap(err, "failed to get app token")
-	}
-	resp.Body.Close()
-	var appToken string
-	for _, c := range resp.Cookies() {
-		if c.Name == tokenHeader {
-			appToken = c.Value
-			break
-		}
-	}
-
-	if len(appToken) > 0 {
-		return appToken, nil
-	}
-	return "", fmt.Errorf("response from %s did not contain app token", resp.Request.URL.String())
-}
-
-func GetOrgTokenIfExists(authDomain string) (string, error) {
-	path, err := path.GenerateOrgTokenFilePathFromURL(authDomain)
-	if err != nil {
-		return "", err
-	}
-	token, err := getTokenIfExists(path)
-	if err != nil {
-		return "", err
-	}
-	var payload orgJWTPayload
-	err = json.Unmarshal(token.Payload, &payload)
-	if err != nil {
-		return "", err
-	}
-
-	if payload.isExpired() {
-		err := os.Remove(path)
-		return "", err
-	}
-	return token.Encode(), nil
-}
-
-func GetAppTokenIfExists(url *url.URL) (string, error) {
-	path, err := path.GenerateAppTokenFilePathFromURL(url, keyName)
-	if err != nil {
-		return "", err
-	}
-	token, err := getTokenIfExists(path)
-	if err != nil {
-		return "", err
-	}
-	var payload appJWTPayload
-	err = json.Unmarshal(token.Payload, &payload)
-	if err != nil {
-		return "", err
-	}
-
-	if payload.isExpired() {
-		err := os.Remove(path)
-		return "", err
-	}
-	return token.Encode(), nil
-
-}
-
-// GetTokenIfExists will return the token from local storage if it exists and not expired
-func getTokenIfExists(path string) (*jose.JWT, error) {
-	content, err := ioutil.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	token, err := jose.ParseJWT(string(content))
-	if err != nil {
-		return nil, err
-	}
-
-	return &token, nil
-}
-
-// RemoveTokenIfExists removes the a token from local storage if it exists
-func RemoveTokenIfExists(url *url.URL) error {
-	path, err := path.GenerateAppTokenFilePathFromURL(url, keyName)
-	if err != nil {
-		return err
-	}
-	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
-		return err
-	}
-
-	return nil
-}

cmd/cloudflared/token/token_test.go

@@ -1,52 +0,0 @@
-package token
-
-import (
-	"os"
-	"syscall"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSignalHandler(t *testing.T) {
-	sigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}
-	handlerRan := false
-	done := make(chan struct{})
-	timer := time.NewTimer(time.Second)
-	sigHandler.register(func(){
-		handlerRan = true
-		done <- struct{}{}
-	})
-
-	p, err := os.FindProcess(os.Getpid())
-	require.Nil(t, err)
-	p.Signal(syscall.SIGUSR1)
-
-	// Blocks for up to one second to make sure the handler callback runs before the assert.
-	select {
-		case <- done:
-			assert.True(t, handlerRan)
-		case <- timer.C:
-			t.Fail()
-	}
-	sigHandler.deregister()
-}
-
-func TestSignalHandlerClose(t *testing.T) {
-	sigHandler := signalHandler{signals: []os.Signal{syscall.SIGUSR1}}
-	done := make(chan struct{})
-	timer := time.NewTimer(time.Second)
-	sigHandler.register(func(){done <- struct{}{}})
-	sigHandler.deregister()
-
-	p, err := os.FindProcess(os.Getpid())
-	require.Nil(t, err)
-	p.Signal(syscall.SIGUSR1)
-	select {
-	case <- done:
-		t.Fail()
-	case <- timer.C:
-	}
-}

cmd/cloudflared/transfer/transfer.go

@@ -1,159 +0,0 @@
-package transfer
-
-import (
-	"bytes"
-	"encoding/base64"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-	"time"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/encrypter"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/shell"
-	"github.com/pkg/errors"
-	"github.com/rs/zerolog"
-)
-
-const (
-	baseStoreURL  = "https://login.argotunnel.com/"
-	clientTimeout = time.Second * 60
-)
-
-// Run does the transfer "dance" with the end result downloading the supported resource.
-// The expanded description is run is encapsulation of shared business logic needed
-// to request a resource (token/cert/etc) from the transfer service (loginhelper).
-// The "dance" we refer to is building a HTTP request, opening that in a browser waiting for
-// the user to complete an action, while it long polls in the background waiting for an
-// action to be completed to download the resource.
-func Run(transferURL *url.URL, resourceName, key, value string, shouldEncrypt bool, useHostOnly bool, log *zerolog.Logger) ([]byte, error) {
-	encrypterClient, err := encrypter.New("cloudflared_priv.pem", "cloudflared_pub.pem")
-	if err != nil {
-		return nil, err
-	}
-	requestURL, err := buildRequestURL(transferURL, key, value+encrypterClient.PublicKey(), shouldEncrypt, useHostOnly)
-	if err != nil {
-		return nil, err
-	}
-
-	// See AUTH-1423 for why we use stderr (the way git wraps ssh)
-	err = shell.OpenBrowser(requestURL)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "Please open the following URL and log in with your Cloudflare account:\n\n%s\n\nLeave cloudflared running to download the %s automatically.\n", requestURL, resourceName)
-	} else {
-		fmt.Fprintf(os.Stderr, "A browser window should have opened at the following URL:\n\n%s\n\nIf the browser failed to open, please visit the URL above directly in your browser.\n", requestURL)
-	}
-
-	var resourceData []byte
-
-	if shouldEncrypt {
-		buf, key, err := transferRequest(baseStoreURL+"transfer/"+encrypterClient.PublicKey(), log)
-		if err != nil {
-			return nil, err
-		}
-
-		decodedBuf, err := base64.StdEncoding.DecodeString(string(buf))
-		if err != nil {
-			return nil, err
-		}
-		decrypted, err := encrypterClient.Decrypt(decodedBuf, key)
-		if err != nil {
-			return nil, err
-		}
-
-		resourceData = decrypted
-	} else {
-		buf, _, err := transferRequest(baseStoreURL+encrypterClient.PublicKey(), log)
-		if err != nil {
-			return nil, err
-		}
-		resourceData = buf
-	}
-
-	return resourceData, nil
-
-}
-
-// BuildRequestURL creates a request suitable for a resource transfer.
-// it will return a constructed url based off the base url and query key/value provided.
-// cli will build a url for cli transfer request.
-func buildRequestURL(baseURL *url.URL, key, value string, cli, useHostOnly bool) (string, error) {
-	q := baseURL.Query()
-	q.Set(key, value)
-	baseURL.RawQuery = q.Encode()
-	if useHostOnly {
-		baseURL.Path = ""
-	}
-	if !cli {
-		return baseURL.String(), nil
-	}
-	q.Set("redirect_url", baseURL.String()) // we add the token as a query param on both the redirect_url and the main url
-	q.Set("send_org_token", "true")         // indicates that the cli endpoint should return both the org and app token
-	baseURL.RawQuery = q.Encode()           // and this actual baseURL.
-	baseURL.Path = "cdn-cgi/access/cli"
-	return baseURL.String(), nil
-}
-
-// transferRequest downloads the requested resource from the request URL
-func transferRequest(requestURL string, log *zerolog.Logger) ([]byte, string, error) {
-	client := &http.Client{Timeout: clientTimeout}
-	const pollAttempts = 10
-	// we do "long polling" on the endpoint to get the resource.
-	for i := 0; i < pollAttempts; i++ {
-		buf, key, err := poll(client, requestURL, log)
-		if err != nil {
-			return nil, "", err
-		} else if len(buf) > 0 {
-			if err := putSuccess(client, requestURL); err != nil {
-				log.Err(err).Msg("Failed to update resource success")
-			}
-			return buf, key, nil
-		}
-	}
-	return nil, "", errors.New("Failed to fetch resource")
-}
-
-// poll the endpoint for the request resource, waiting for the user interaction
-func poll(client *http.Client, requestURL string, log *zerolog.Logger) ([]byte, string, error) {
-	resp, err := client.Get(requestURL)
-	if err != nil {
-		return nil, "", err
-	}
-	defer resp.Body.Close()
-
-	// ignore everything other than server errors as the resource
-	// may not exist until the user does the interaction
-	if resp.StatusCode >= 500 {
-		return nil, "", fmt.Errorf("error on request %d", resp.StatusCode)
-	}
-	if resp.StatusCode != 200 {
-		log.Info().Msg("Waiting for login...")
-		return nil, "", nil
-	}
-
-	buf := new(bytes.Buffer)
-	if _, err := io.Copy(buf, resp.Body); err != nil {
-		return nil, "", err
-	}
-	return buf.Bytes(), resp.Header.Get("service-public-key"), nil
-}
-
-// putSuccess tells the server we successfully downloaded the resource
-func putSuccess(client *http.Client, requestURL string) error {
-	req, err := http.NewRequest("PUT", requestURL+"/ok", nil)
-	if err != nil {
-		return err
-	}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-
-	resp.Body.Close()
-	if resp.StatusCode != 200 {
-		return fmt.Errorf("HTTP Response Status Code: %d", resp.StatusCode)
-	}
-	return nil
-}

cmd/cloudflared/tunnel/config_test.go

@@ -0,0 +1,15 @@
+package tunnel
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/cloudflare/cloudflared/features"
+)
+
+func TestDedup(t *testing.T) {
+	expected := []string{"a", "b"}
+	actual := features.Dedup([]string{"a", "b", "a"})
+	require.ElementsMatch(t, expected, actual)
+}

cmd/cloudflared/tunnel/configuration.go

@@ -1,55 +1,50 @@
 package tunnel
 
 import (
+	"context"
 	"crypto/tls"
 	"fmt"
-	"io/ioutil"
+	"net"
+	"net/netip"
 	"os"
-	"path/filepath"
 	"strings"
-
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/buildinfo"
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
-	"github.com/cloudflare/cloudflared/connection"
-	"github.com/cloudflare/cloudflared/edgediscovery"
-	"github.com/cloudflare/cloudflared/h2mux"
-	"github.com/cloudflare/cloudflared/ingress"
-	"github.com/cloudflare/cloudflared/origin"
-	"github.com/cloudflare/cloudflared/tlsconfig"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-	"github.com/cloudflare/cloudflared/validation"
+	"time"
 
 	"github.com/google/uuid"
-	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/crypto/ssh/terminal"
+	"github.com/urfave/cli/v2/altsrc"
+	"golang.org/x/term"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/connection"
+	"github.com/cloudflare/cloudflared/edgediscovery"
+	"github.com/cloudflare/cloudflared/edgediscovery/allregions"
+	"github.com/cloudflare/cloudflared/features"
+	"github.com/cloudflare/cloudflared/ingress"
+	"github.com/cloudflare/cloudflared/orchestration"
+	"github.com/cloudflare/cloudflared/supervisor"
+	"github.com/cloudflare/cloudflared/tlsconfig"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
-const LogFieldOriginCertPath = "originCertPath"
+const (
+	secretValue       = "*****"
+	icmpFunnelTimeout = time.Second * 10
+)
 
 var (
-	developerPortal = "https://developers.cloudflare.com/argo-tunnel"
-	quickStartUrl   = developerPortal + "/quickstart/quickstart/"
-	serviceUrl      = developerPortal + "/reference/service/"
-	argumentsUrl    = developerPortal + "/reference/arguments/"
+	developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
+	serviceUrl      = developerPortal + "/tunnel-guide/local/as-a-service/"
+	argumentsUrl    = developerPortal + "/tunnel-guide/local/local-management/arguments/"
 
-	LogFieldHostname = "hostname"
+	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
+
+	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
 )
 
-// returns the first path that contains a cert.pem file. If none of the DefaultConfigSearchDirectories
-// contains a cert.pem file, return empty string
-func findDefaultOriginCertPath() string {
-	for _, defaultConfigDir := range config.DefaultConfigSearchDirectories() {
-		originCertPath, _ := homedir.Expand(filepath.Join(defaultConfigDir, config.DefaultCredentialFile))
-		if ok, _ := config.FileExists(originCertPath); ok {
-			return originCertPath
-		}
-	}
-	return ""
-}
-
 func generateRandomClientID(log *zerolog.Logger) (string, error) {
 	u, err := uuid.NewRandom()
 	if err != nil {
@@ -61,19 +56,16 @@ func generateRandomClientID(log *zerolog.Logger) (string, error) {
 
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
-	for _, flag := range c.LocalFlagNames() {
-		flags[flag] = c.Generic(flag)
-	}
-
-	sliceFlags := []string{"header", "tag", "proxy-dns-upstream", "upstream", "edge"}
-	for _, sliceFlag := range sliceFlags {
-		if len(c.StringSlice(sliceFlag)) > 0 {
-			flags[sliceFlag] = strings.Join(c.StringSlice(sliceFlag), ", ")
+	for _, flag := range c.FlagNames() {
+		if isSecretFlag(flag) {
+			flags[flag] = secretValue
+		} else {
+			flags[flag] = c.Generic(flag)
 		}
 	}
 
 	if len(flags) > 0 {
-		log.Info().Msgf("Environment variables %v", flags)
+		log.Info().Msgf("Settings: %v", flags)
 	}
 
 	envs := make(map[string]string)
@@ -83,7 +75,11 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 		if strings.Contains(env, "TUNNEL_") {
 			vars := strings.Split(env, "=")
 			if len(vars) == 2 {
-				envs[vars[0]] = vars[1]
+				if isSecretEnvVar(vars[0]) {
+					envs[vars[0]] = secretValue
+				} else {
+					envs[vars[0]] = vars[1]
+				}
 			}
 		}
 	}
@@ -92,206 +88,407 @@ func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	}
 }
 
-func dnsProxyStandAlone(c *cli.Context) bool {
-	return c.IsSet("proxy-dns") && (!c.IsSet("hostname") && !c.IsSet("tag") && !c.IsSet("hello-world"))
-}
-
-func findOriginCert(originCertPath string, log *zerolog.Logger) (string, error) {
-	if originCertPath == "" {
-		log.Info().Msgf("Cannot determine default origin certificate path. No file %s in %v", config.DefaultCredentialFile, config.DefaultConfigSearchDirectories())
-		if isRunningFromTerminal() {
-			log.Error().Msgf("You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", argumentsUrl)
-			return "", fmt.Errorf("client didn't specify origincert path when running from terminal")
-		} else {
-			log.Error().Msgf("You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable. See %s for more information.", serviceUrl)
-			return "", fmt.Errorf("client didn't specify origincert path")
+func isSecretFlag(key string) bool {
+	for _, flag := range secretFlags {
+		if flag.Name == key {
+			return true
 		}
 	}
-	var err error
-	originCertPath, err = homedir.Expand(originCertPath)
-	if err != nil {
-		log.Err(err).Msgf("Cannot resolve origin certificate path")
-		return "", fmt.Errorf("cannot resolve path %s", originCertPath)
-	}
-	// Check that the user has acquired a certificate using the login command
-	ok, err := config.FileExists(originCertPath)
-	if err != nil {
-		log.Error().Msgf("Cannot check if origin cert exists at path %s", originCertPath)
-		return "", fmt.Errorf("cannot check if origin cert exists at path %s", originCertPath)
-	}
-	if !ok {
-		log.Error().Msgf(`Cannot find a valid certificate for your origin at the path:
-
-    %s
-
-If the path above is wrong, specify the path with the -origincert option.
-If you don't have a certificate signed by Cloudflare, run the command:
-
-	%s login
-`, originCertPath, os.Args[0])
-		return "", fmt.Errorf("cannot find a valid certificate at the path %s", originCertPath)
-	}
-
-	return originCertPath, nil
+	return false
 }
 
-func readOriginCert(originCertPath string) ([]byte, error) {
-	// Easier to send the certificate as []byte via RPC than decoding it at this point
-	originCert, err := ioutil.ReadFile(originCertPath)
-	if err != nil {
-		return nil, fmt.Errorf("cannot read %s to load origin certificate", originCertPath)
+func isSecretEnvVar(key string) bool {
+	for _, flag := range secretFlags {
+		for _, secretEnvVar := range flag.EnvVars {
+			if secretEnvVar == key {
+				return true
+			}
+		}
 	}
-	return originCert, nil
+	return false
 }
 
-func getOriginCert(originCertPath string, log *zerolog.Logger) ([]byte, error) {
-	if originCertPath, err := findOriginCert(originCertPath, log); err != nil {
-		return nil, err
-	} else {
-		return readOriginCert(originCertPath)
-	}
+func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
+	return c.IsSet("proxy-dns") &&
+		!(c.IsSet("name") || // adhoc-named tunnel
+			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
+			namedTunnel != nil) // named tunnel
 }
 
 func prepareTunnelConfig(
+	ctx context.Context,
 	c *cli.Context,
-	buildInfo *buildinfo.BuildInfo,
-	version string,
-	log *zerolog.Logger,
-	transportLogger *zerolog.Logger,
-	namedTunnel *connection.NamedTunnelConfig,
-	isUIEnabled bool,
-	eventChans []chan connection.Event,
-) (*origin.TunnelConfig, ingress.Ingress, error) {
-	isNamedTunnel := namedTunnel != nil
-
-	configHostname := c.String("hostname")
-	hostname, err := validation.ValidateHostname(configHostname)
+	info *cliutil.BuildInfo,
+	log, logTransport *zerolog.Logger,
+	observer *connection.Observer,
+	namedTunnel *connection.NamedTunnelProperties,
+) (*supervisor.TunnelConfig, *orchestration.Config, error) {
+	clientID, err := uuid.NewRandom()
 	if err != nil {
-		log.Err(err).Str(LogFieldHostname, configHostname).Msg("Invalid hostname")
-		return nil, ingress.Ingress{}, errors.Wrap(err, "Invalid hostname")
+		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 	}
-	isFreeTunnel := hostname == ""
-	clientID := c.String("id")
-	if !c.IsSet("id") {
-		clientID, err = generateRandomClientID(log)
-		if err != nil {
-			return nil, ingress.Ingress{}, err
-		}
-	}
-
+	log.Info().Msgf("Generated Connector ID: %s", clientID)
 	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
-		return nil, ingress.Ingress{}, errors.Wrap(err, "Tag parse failure")
+		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
+	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID.String()})
 
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID})
+	transportProtocol := c.String("protocol")
 
-	var originCert []byte
-	if !isFreeTunnel {
-		originCertPath := c.String("origincert")
-		originCertLog := log.With().
-			Str(LogFieldOriginCertPath, originCertPath).
-			Logger()
+	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
 
-		originCert, err = getOriginCert(originCertPath, &originCertLog)
-		if err != nil {
-			return nil, ingress.Ingress{}, errors.Wrap(err, "Error getting origin cert")
+	staticFeatures := features.StaticFeatures{}
+	if c.Bool("post-quantum") {
+		if FipsEnabled {
+			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
 		}
+		pqMode := features.PostQuantumStrict
+		staticFeatures.PostQuantumMode = &pqMode
 	}
-
-	var (
-		ingressRules  ingress.Ingress
-		classicTunnel *connection.ClassicTunnelConfig
-	)
-	if isNamedTunnel {
-		clientUUID, err := uuid.NewRandom()
-		if err != nil {
-			return nil, ingress.Ingress{}, errors.Wrap(err, "can't generate clientUUID")
-		}
-		namedTunnel.Client = tunnelpogs.ClientInfo{
-			ClientID: clientUUID[:],
-			Features: []string{origin.FeatureSerializedHeaders},
-			Version:  version,
-			Arch:     fmt.Sprintf("%s_%s", buildInfo.GoOS, buildInfo.GoArch),
-		}
-		ingressRules, err = ingress.ParseIngress(config.GetConfiguration())
-		if err != nil && err != ingress.ErrNoIngressRules {
-			return nil, ingress.Ingress{}, err
-		}
-		if !ingressRules.IsEmpty() && c.IsSet("url") {
-			return nil, ingress.Ingress{}, ingress.ErrURLIncompatibleWithIngress
-		}
-	} else {
-		classicTunnel = &connection.ClassicTunnelConfig{
-			Hostname:   hostname,
-			OriginCert: originCert,
-			// turn off use of reconnect token and auth refresh when using named tunnels
-			UseReconnectToken: !isNamedTunnel && c.Bool("use-reconnect-token"),
-		}
-	}
-
-	// Convert single-origin configuration into multi-origin configuration.
-	if ingressRules.IsEmpty() {
-		ingressRules, err = ingress.NewSingleOrigin(c, !isNamedTunnel)
-		if err != nil {
-			return nil, ingress.Ingress{}, err
-		}
-	}
-
-	protocolSelector, err := connection.NewProtocolSelector(c.String("protocol"), namedTunnel, edgediscovery.HTTP2Percentage, origin.ResolveTTL, log)
+	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
 	if err != nil {
-		return nil, ingress.Ingress{}, err
+		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
+	}
+	pqMode := featureSelector.PostQuantumMode()
+	if pqMode == features.PostQuantumStrict {
+		// Error if the user tries to force a non-quic transport protocol
+		if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
+			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
+		}
+		transportProtocol = connection.QUIC.String()
+		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
+
+		log.Info().Msgf(
+			"Using hybrid post-quantum key agreement %s",
+			supervisor.PQKexName,
+		)
+	}
+
+	namedTunnel.Client = tunnelpogs.ClientInfo{
+		ClientID: clientID[:],
+		Features: clientFeatures,
+		Version:  info.Version(),
+		Arch:     info.OSArch(),
+	}
+	cfg := config.GetConfiguration()
+	ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
+	if err != nil {
+		return nil, nil, err
 	}
 	log.Info().Msgf("Initial protocol %s", protocolSelector.Current())
 
 	edgeTLSConfigs := make(map[connection.Protocol]*tls.Config, len(connection.ProtocolList))
 	for _, p := range connection.ProtocolList {
-		edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, p.ServerName())
+		tlsSettings := p.TLSSettings()
+		if tlsSettings == nil {
+			return nil, nil, fmt.Errorf("%s has unknown TLS settings", p)
+		}
+		edgeTLSConfig, err := tlsconfig.CreateTunnelConfig(c, tlsSettings.ServerName)
 		if err != nil {
-			return nil, ingress.Ingress{}, errors.Wrap(err, "unable to create TLS config to connect with edge")
+			return nil, nil, errors.Wrap(err, "unable to create TLS config to connect with edge")
+		}
+		if len(tlsSettings.NextProtos) > 0 {
+			edgeTLSConfig.NextProtos = tlsSettings.NextProtos
 		}
 		edgeTLSConfigs[p] = edgeTLSConfig
 	}
 
-	originClient := origin.NewClient(ingressRules, tags, log)
-	connectionConfig := &connection.Config{
-		OriginClient:    originClient,
-		GracePeriod:     c.Duration("grace-period"),
-		ReplaceExisting: c.Bool("force"),
+	gracePeriod, err := gracePeriod(c)
+	if err != nil {
+		return nil, nil, err
 	}
-	muxerConfig := &connection.MuxerConfig{
-		HeartbeatInterval:  c.Duration("heartbeat-interval"),
-		MaxHeartbeats:      c.Uint64("heartbeat-count"),
-		CompressionSetting: h2mux.CompressionSetting(c.Uint64("compression-quality")),
-		MetricsUpdateFreq:  c.Duration("metrics-update-freq"),
+	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
+	if err != nil {
+		return nil, nil, err
+	}
+	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
+	if err != nil {
+		return nil, nil, err
+	}
+	if err := testIPBindable(edgeBindAddr); err != nil {
+		return nil, nil, fmt.Errorf("invalid edge-bind-address %s: %v", edgeBindAddr, err)
+	}
+	edgeIPVersion, err = adjustIPVersionByBindAddress(edgeIPVersion, edgeBindAddr)
+	if err != nil {
+		// This is not a fatal error, we just overrode edgeIPVersion
+		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 
-	return &origin.TunnelConfig{
-		ConnectionConfig: connectionConfig,
-		BuildInfo:        buildInfo,
-		ClientID:         clientID,
-		EdgeAddrs:        c.StringSlice("edge"),
-		HAConnections:    c.Int("ha-connections"),
-		IncidentLookup:   origin.NewIncidentLookup(),
-		IsAutoupdated:    c.Bool("is-autoupdated"),
-		IsFreeTunnel:     isFreeTunnel,
-		LBPool:           c.String("lb-pool"),
-		Tags:             tags,
-		Log:              log,
-		Observer:         connection.NewObserver(transportLogger, eventChans, isUIEnabled),
-		ReportedVersion:  version,
-		Retries:          c.Uint("retries"),
-		RunFromTerminal:  isRunningFromTerminal(),
-		NamedTunnel:      namedTunnel,
-		ClassicTunnel:    classicTunnel,
-		MuxerConfig:      muxerConfig,
-		TunnelEventChans: eventChans,
-		ProtocolSelector: protocolSelector,
-		EdgeTLSConfigs:   edgeTLSConfigs,
-	}, ingressRules, nil
+	tunnelConfig := &supervisor.TunnelConfig{
+		GracePeriod:     gracePeriod,
+		ReplaceExisting: c.Bool("force"),
+		OSArch:          info.OSArch(),
+		ClientID:        clientID.String(),
+		EdgeAddrs:       c.StringSlice("edge"),
+		Region:          c.String("region"),
+		EdgeIPVersion:   edgeIPVersion,
+		EdgeBindAddr:    edgeBindAddr,
+		HAConnections:   c.Int(haConnectionsFlag),
+		IsAutoupdated:   c.Bool("is-autoupdated"),
+		LBPool:          c.String("lb-pool"),
+		Tags:            tags,
+		Log:             log,
+		LogTransport:    logTransport,
+		Observer:        observer,
+		ReportedVersion: info.Version(),
+		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
+		Retries:                     uint(c.Int("retries")),
+		RunFromTerminal:             isRunningFromTerminal(),
+		NamedTunnel:                 namedTunnel,
+		ProtocolSelector:            protocolSelector,
+		EdgeTLSConfigs:              edgeTLSConfigs,
+		FeatureSelector:             featureSelector,
+		MaxEdgeAddrRetries:          uint8(c.Int("max-edge-addr-retries")),
+		UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),
+		WriteStreamTimeout:          c.Duration(writeStreamTimeout),
+		DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
+	}
+	packetConfig, err := newPacketConfig(c, log)
+	if err != nil {
+		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
+	} else {
+		tunnelConfig.PacketConfig = packetConfig
+	}
+	orchestratorConfig := &orchestration.Config{
+		Ingress:            &ingressRules,
+		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
+		ConfigurationFlags: parseConfigFlags(c),
+		WriteTimeout:       c.Duration(writeStreamTimeout),
+	}
+	return tunnelConfig, orchestratorConfig, nil
+}
+
+func parseConfigFlags(c *cli.Context) map[string]string {
+	result := make(map[string]string)
+
+	for _, flag := range configFlags {
+		if v := c.String(flag); c.IsSet(flag) && v != "" {
+			result[flag] = v
+		}
+	}
+
+	return result
+}
+
+func gracePeriod(c *cli.Context) (time.Duration, error) {
+	period := c.Duration("grace-period")
+	if period > connection.MaxGracePeriod {
+		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
+	}
+	return period, nil
 }
 
 func isRunningFromTerminal() bool {
-	return terminal.IsTerminal(int(os.Stdout.Fd()))
+	return term.IsTerminal(int(os.Stdout.Fd()))
+}
+
+// ParseConfigIPVersion returns the IP version from possible expected values from config
+func parseConfigIPVersion(version string) (v allregions.ConfigIPVersion, err error) {
+	switch version {
+	case "4":
+		v = allregions.IPv4Only
+	case "6":
+		v = allregions.IPv6Only
+	case "auto":
+		v = allregions.Auto
+	default: // unspecified or invalid
+		err = fmt.Errorf("invalid value for edge-ip-version: %s", version)
+	}
+	return
+}
+
+func parseConfigBindAddress(ipstr string) (net.IP, error) {
+	// Unspecified - it's fine
+	if ipstr == "" {
+		return nil, nil
+	}
+	ip := net.ParseIP(ipstr)
+	if ip == nil {
+		return nil, fmt.Errorf("invalid value for edge-bind-address: %s", ipstr)
+	}
+	return ip, nil
+}
+
+func testIPBindable(ip net.IP) error {
+	// "Unspecified" = let OS choose, so always bindable
+	if ip == nil {
+		return nil
+	}
+
+	addr := &net.UDPAddr{IP: ip, Port: 0}
+	listener, err := net.ListenUDP("udp", addr)
+	if err != nil {
+		return err
+	}
+	listener.Close()
+	return nil
+}
+
+func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.IP) (allregions.ConfigIPVersion, error) {
+	if ip == nil {
+		return ipVersion, nil
+	}
+	// https://pkg.go.dev/net#IP.To4: "If ip is not an IPv4 address, To4 returns nil."
+	if ip.To4() != nil {
+		if ipVersion == allregions.IPv6Only {
+			return allregions.IPv4Only, fmt.Errorf("IPv4 bind address is specified, but edge-ip-version is IPv6")
+		}
+		return allregions.IPv4Only, nil
+	} else {
+		if ipVersion == allregions.IPv4Only {
+			return allregions.IPv6Only, fmt.Errorf("IPv6 bind address is specified, but edge-ip-version is IPv4")
+		}
+		return allregions.IPv6Only, nil
+	}
+}
+
+func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
+	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
+	}
+	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
+
+	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
+	}
+	if zone != "" {
+		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
+	} else {
+		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
+	}
+
+	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return &ingress.GlobalRouterConfig{
+		ICMPRouter: icmpRouter,
+		IPv4Src:    ipv4Src,
+		IPv6Src:    ipv6Src,
+		Zone:       zone,
+	}, nil
+}
+
+func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
+	if userDefinedSrc != "" {
+		addr, err := netip.ParseAddr(userDefinedSrc)
+		if err != nil {
+			return netip.Addr{}, err
+		}
+		if addr.Is4() {
+			return addr, nil
+		}
+		return netip.Addr{}, fmt.Errorf("expect IPv4, but %s is IPv6", userDefinedSrc)
+	}
+
+	addr, err := findLocalAddr(net.ParseIP("192.168.0.1"), 53)
+	if err != nil {
+		addr = netip.IPv4Unspecified()
+		logger.Debug().Err(err).Msgf("Failed to determine the IPv4 for this machine. It will use %s to send/listen for ICMPv4 echo", addr)
+	}
+	return addr, nil
+}
+
+type interfaceIP struct {
+	name string
+	ip   net.IP
+}
+
+func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
+	if userDefinedSrc != "" {
+		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
+		addr, err := netip.ParseAddr(userDefinedIP)
+		if err != nil {
+			return netip.Addr{}, "", err
+		}
+		if addr.Is6() {
+			return addr, zone, nil
+		}
+		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
+	}
+
+	// Loop through all the interfaces, the preference is
+	// 1. The interface where ipv4Src is in
+	// 2. Interface with IPv6 address
+	// 3. Unspecified interface
+
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return netip.IPv6Unspecified(), "", nil
+	}
+
+	interfacesWithIPv6 := make([]interfaceIP, 0)
+	for _, interf := range interfaces {
+		interfaceAddrs, err := interf.Addrs()
+		if err != nil {
+			continue
+		}
+
+		foundIPv4SrcInterface := false
+		for _, interfaceAddr := range interfaceAddrs {
+			if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
+				ip := ipnet.IP
+				if ip.Equal(ipv4Src.AsSlice()) {
+					foundIPv4SrcInterface = true
+				}
+				if ip.To4() == nil {
+					interfacesWithIPv6 = append(interfacesWithIPv6, interfaceIP{
+						name: interf.Name,
+						ip:   ip,
+					})
+				}
+			}
+		}
+		// Found the interface of ipv4Src. Loop through the addresses to see if there is an IPv6
+		if foundIPv4SrcInterface {
+			for _, interfaceAddr := range interfaceAddrs {
+				if ipnet, ok := interfaceAddr.(*net.IPNet); ok {
+					ip := ipnet.IP
+					if ip.To4() == nil {
+						addr, err := netip.ParseAddr(ip.String())
+						if err == nil {
+							return addr, interf.Name, nil
+						}
+					}
+				}
+			}
+		}
+	}
+
+	for _, interf := range interfacesWithIPv6 {
+		addr, err := netip.ParseAddr(interf.ip.String())
+		if err == nil {
+			return addr, interf.name, nil
+		}
+	}
+	logger.Debug().Err(err).Msgf("Failed to determine the IPv6 for this machine. It will use %s to send/listen for ICMPv6 echo", netip.IPv6Unspecified())
+
+	return netip.IPv6Unspecified(), "", nil
+}
+
+// FindLocalAddr tries to dial UDP and returns the local address picked by the OS
+func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
+	udpConn, err := net.DialUDP("udp", nil, &net.UDPAddr{
+		IP:   dst,
+		Port: port,
+	})
+	if err != nil {
+		return netip.Addr{}, err
+	}
+	defer udpConn.Close()
+	localAddrPort, err := netip.ParseAddrPort(udpConn.LocalAddr().String())
+	if err != nil {
+		return netip.Addr{}, err
+	}
+	localAddr := localAddrPort.Addr()
+	return localAddr, nil
 }

cmd/cloudflared/tunnel/configuration_test.go

@@ -1,4 +1,5 @@
-// +build ignore
+//go:build ignore
+
 // TODO: Remove the above build tag and include this test when we start compiling with Golang 1.10.0+
 
 package tunnel
@@ -7,6 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"net"
 	"os"
 	"testing"
 
@@ -212,3 +214,23 @@ func getCertPoolSubjects(certPool *x509.CertPool) ([]*pkix.Name, error) {
 func isUnrecoverableError(err error) bool {
 	return err != nil && err.Error() != "crypto/x509: system root pool is not available on Windows"
 }
+
+func TestTestIPBindable(t *testing.T) {
+	assert.Nil(t, testIPBindable(nil))
+
+	// Public services - if one of these IPs is on the machine, the test environment is too weird
+	assert.NotNil(t, testIPBindable(net.ParseIP("8.8.8.8")))
+	assert.NotNil(t, testIPBindable(net.ParseIP("1.1.1.1")))
+
+	addrs, err := net.InterfaceAddrs()
+	if err != nil {
+		t.Fatal(err)
+	}
+	for i, addr := range addrs {
+		if i >= 3 {
+			break
+		}
+		ip := addr.(*net.IPNet).IP
+		assert.Nil(t, testIPBindable(ip))
+	}
+}

cmd/cloudflared/tunnel/credential_finder.go

@@ -4,7 +4,8 @@ import (
 	"fmt"
 	"path/filepath"
 
-	"github.com/cloudflare/cloudflared/cmd/cloudflared/config"
+	"github.com/cloudflare/cloudflared/config"
+	"github.com/cloudflare/cloudflared/credentials"
 
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
@@ -56,13 +57,13 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String("origincert")
+	originCertPath := s.c.String(credentials.OriginCertFlag)
 	originCertLog := s.log.With().
-		Str(LogFieldOriginCertPath, originCertPath).
+		Str("originCertPath", originCertPath).
 		Logger()
 
 	// Fallback to look for tunnel credentials in the origin cert directory
-	if originCertPath, err := findOriginCert(originCertPath, &originCertLog); err == nil {
+	if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
 		originCertDir := filepath.Dir(originCertPath)
 		if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
 			if s.fs.validFilePath(filePath) {

cmd/cloudflared/tunnel/filesystem.go

@@ -1,7 +1,6 @@
 package tunnel
 
 import (
-	"io/ioutil"
 	"os"
 )
 
@@ -23,5 +22,5 @@ func (fs realFileSystem) validFilePath(path string) bool {
 }
 
 func (fs realFileSystem) readFile(filePath string) ([]byte, error) {
-	return ioutil.ReadFile(filePath)
+	return os.ReadFile(filePath)
 }

cmd/cloudflared/tunnel/fips.go

@@ -0,0 +1,3 @@
+package tunnel
+
+var FipsEnabled bool

cmd/cloudflared/tunnel/info.go

@@ -0,0 +1,16 @@
+package tunnel
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/cloudflare/cloudflared/cfapi"
+)
+
+type Info struct {
+	ID         uuid.UUID             `json:"id"`
+	Name       string                `json:"name"`
+	CreatedAt  time.Time             `json:"createdAt"`
+	Connectors []*cfapi.ActiveClient `json:"conns"`
+}