TUN-9322: Add metric for unsupported RPC commands for datagram v3

Additionally adds support for the connection index as a label for the
datagram v3 specific tunnel metrics.

Closes TUN-9322

.github/workflows/check.yaml

@@ -4,7 +4,7 @@ jobs:
   check:
     strategy:
       matrix:
-        go-version: [1.21.x]
+        go-version: [1.22.x]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/semgrep.yml

@@ -0,0 +1,24 @@
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 0 * * *'
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci

.gitignore

@@ -17,3 +17,4 @@ cscope.*
 ssh_server_tests/.env
 /.cover
 built_artifacts/
+component-tests/.venv

.gitlab-ci.yml

@@ -0,0 +1,131 @@
+stages: [build, release]
+
+default:
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://vault.cfdata.org
+
+# This before_script is injected into every job that runs on master meaning that if there is no tag the step
+# will succeed but only write "No tag present - Skipping" to the console.
+.check_tag:
+  before_script:
+    - |
+      # Check if there is a Git tag pointing to HEAD
+      echo "Tag found: $(git tag --points-at HEAD | grep .)"
+      if git tag --points-at HEAD | grep .; then
+        echo "Tag found: $(git tag --points-at HEAD | grep .)"
+        export "VERSION=$(git tag --points-at HEAD | grep .)"
+      else
+        echo "No tag present — skipping."
+        exit 0
+      fi
+
+## A set of predefined rules to use on the different jobs
+.default_rules:
+  # Rules to run the job only on the master branch
+  run_on_master:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: always
+    - when: never
+  # Rules to run the job only on branches that are not master. This is needed because for now
+  # we need to keep a similar behavior due to the integration with teamcity, which requires us
+  # to not trigger pipelines on tags and/or merge requests.
+  run_on_branch:
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      when: always
+    - when: never
+
+# -----------------------------------------------
+# Stage 1: Build on every PR
+# -----------------------------------------------
+build_cloudflared_macos: &build
+  stage: build
+  rules:
+    - !reference [.default_rules, run_on_branch]
+  tags:
+    - "macstadium-${RUNNER_ARCH}"
+  parallel:
+    matrix:
+      - RUNNER_ARCH: [arm, intel]
+  artifacts:
+    paths:
+      - artifacts/*
+  script:
+    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
+    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
+    - ARCH=$(uname -m)
+    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
+    - ./.teamcity/mac/install-cloudflare-go.sh
+    - export PATH="/tmp/go/bin:$PATH"
+    - BUILD_SCRIPT=.teamcity/mac/build.sh
+    - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
+    - set -euo pipefail
+    - echo "Executing ${BUILD_SCRIPT}"
+    - exec ${BUILD_SCRIPT}
+
+# -----------------------------------------------
+# Stage 1: Build and sign only on releases
+# -----------------------------------------------
+build_and_sign_cloudflared_macos:
+  <<: *build
+  rules:
+    - !reference [.default_rules, run_on_master]
+  secrets:
+    APPLE_DEV_CA_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
+      file: false
+    CFD_CODE_SIGN_PASS:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
+      file: false
+    CFD_INSTALLER_CERT:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
+      file: false
+    CFD_INSTALLER_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
+      file: false
+    CFD_INSTALLER_PASS:
+      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
+      file: false
+
+# -----------------------------------------------
+# Stage 2: Release to Github after building and signing
+# -----------------------------------------------
+release_cloudflared_macos_to_github:
+  stage: release
+  image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
+  extends: .check_tag
+  dependencies:
+    - build_and_sign_cloudflared_macos
+  rules:
+    - !reference [.default_rules, run_on_master]
+  cache:
+    paths:
+      - .cache/pip
+  variables:
+    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+    KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
+    KV_ACCOUNT: 5ab4e9dfbd435d24068829fda0077963
+  secrets:
+    KV_API_TOKEN:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
+      file: false
+    API_KEY:
+      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
+      file: false
+  script:
+    - python3 --version ; pip --version  # For debugging
+    - python3 -m venv venv
+    - source venv/bin/activate
+    - pip install pynacl==1.4.0 pygithub==1.55
+    - echo $VERSION
+    - echo $TAG_EXISTS
+    - echo "Running release because tag exists."
+    - make macos-release

.golangci.yaml

@@ -0,0 +1,89 @@
+linters:
+  enable:
+    # Some of the linters below are commented out. We should uncomment and start running them, but they return
+    # too many problems to fix in one commit. Something for later.
+    - asasalint        # Check for pass []any as any in variadic func(...any).
+    - asciicheck       # Checks that all code identifiers does not have non-ASCII symbols in the name.
+    - bidichk          # Checks for dangerous unicode character sequences.
+    - bodyclose        # Checks whether HTTP response body is closed successfully.
+    - decorder         # Check declaration order and count of types, constants, variables and functions.
+    - dogsled          # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
+    - dupl             # Tool for code clone detection.
+    - dupword          # Checks for duplicate words in the source code.
+    - durationcheck    # Check for two durations multiplied together.
+    - errcheck         # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
+    - errname          # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
+    - exhaustive       # Check exhaustiveness of enum switch statements.
+    - gofmt            # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
+    - goimports        # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
+    - gosec            # Inspects source code for security problems.
+    - gosimple         # Linter for Go source code that specializes in simplifying code.
+    - govet            # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
+    - ineffassign      # Detects when assignments to existing variables are not used.
+    - importas         # Enforces consistent import aliases.
+    - misspell         # Finds commonly misspelled English words.
+    - prealloc         # Finds slice declarations that could potentially be pre-allocated.
+    - promlinter       # Check Prometheus metrics naming via promlint.
+    - sloglint         # Ensure consistent code style when using log/slog.
+    - sqlclosecheck    # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
+    - staticcheck      # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
+    - tenv             # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
+    - testableexamples # Linter checks if examples are testable (have an expected output).
+    - testifylint      # Checks usage of github.com/stretchr/testify.
+    - tparallel        # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
+    - unconvert        # Remove unnecessary type conversions.
+    - unused           # Checks Go code for unused constants, variables, functions and types.
+    - wastedassign     # Finds wasted assignment statements.
+    - whitespace       # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
+    - zerologlint      # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
+  # Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
+run:
+  timeout: 5m
+  modules-download-mode: vendor
+
+# output configuration options
+output:
+  formats:
+    - format: 'colored-line-number'
+  print-issued-lines: true
+  print-linter-name: true
+
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 50
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 15
+  # Show only new issues: if there are unstaged changes or untracked files,
+  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
+  # It's a super-useful option for integration of golangci-lint into existing large codebase.
+  # It's not practical to fix all existing issues at the moment of integration:
+  # much better don't allow issues in new code.
+  #
+  # Default: false
+  new: true
+  # Show only new issues created after git revision `REV`.
+  # Default: ""
+  new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
+  # Show issues in any part of update files (requires new-from-rev or new-from-patch).
+  # Default: false
+  whole-files: true
+  # Which dirs to exclude: issues from them won't be reported.
+  # Can use regexp here: `generated.*`, regexp is applied on full path,
+  # including the path prefix if one is set.
+  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
+  # "/" will be replaced by current OS file path separator to properly work on Windows.
+  # Default: []
+  exclude-dirs:
+    - vendor
+
+linters-settings:
+  # Check exhaustiveness of enum switch statements.
+  exhaustive:
+    # Presence of "default" case in switch statements satisfies exhaustiveness,
+    # even if all enum members are not listed.
+    # Default: false
+    default-signifies-exhaustive: true

.teamcity/install-cloudflare-go.sh

@@ -3,6 +3,6 @@
 cd /tmp
 git clone -q https://github.com/cloudflare/go
 cd go/src
-# https://github.com/cloudflare/go/tree/34129e47042e214121b6bbff0ded4712debed18e is version go1.21.5-devel-cf
-git checkout -q 34129e47042e214121b6bbff0ded4712debed18e
+# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
+git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 ./make.bash

.teamcity/mac/build.sh

@@ -7,17 +7,22 @@ if [[ "$(uname)" != "Darwin" ]] ; then
     exit 1
 fi
 
+if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
+then
+  echo "TARGET_ARCH must be amd64 or arm64"
+  exit 1
+fi
+
 go version
 export GO111MODULE=on
 
 # build 'cloudflared-darwin-amd64.tgz'
 mkdir -p artifacts
-FILENAME="$(pwd)/artifacts/cloudflared-darwin-amd64.tgz"
-PKGNAME="$(pwd)/artifacts/cloudflared-amd64.pkg"
 TARGET_DIRECTORY=".build"
 BINARY_NAME="cloudflared"
 VERSION=$(git describe --tags --always --dirty="-dev")
 PRODUCT="cloudflared"
+APPLE_CA_CERT="apple_dev_ca.cert"
 CODE_SIGN_PRIV="code_sign.p12"
 CODE_SIGN_CERT="code_sign.cer"
 INSTALLER_PRIV="installer.p12"
@@ -25,20 +30,84 @@ INSTALLER_CERT="installer.cer"
 BUNDLE_ID="com.cloudflare.cloudflared"
 SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
 export PATH="$PATH:/usr/local/bin"
+FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
+PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
 mkdir -p ../src/github.com/cloudflare/    
 cp -r . ../src/github.com/cloudflare/cloudflared
 cd ../src/github.com/cloudflare/cloudflared 
-GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
 
-# Add code signing private key to the key chain
-if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
-  if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
-    # write private key to disk and then import it keychain
-    echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
+# Imports certificates to the Apple KeyChain
+import_certificate() {
+    local CERTIFICATE_NAME=$1
+    local CERTIFICATE_ENV_VAR=$2
+    local CERTIFICATE_FILE_NAME=$3
+
+    echo "Importing $CERTIFICATE_NAME"
+
+    if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
+      # write certificate to disk and then import it keychain
+      echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
       # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
       # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
-    out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true 
-    exitcode=$?
+      local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
+      local exitcode=$?
+      # delete the certificate from disk
+      rm -rf ${CERTIFICATE_FILE_NAME}
+      if [ -n "$out" ]; then
+        if [ $exitcode -eq 0 ]; then
+            echo "$out"
+        else
+            if [ "$out" != "${SEC_DUP_MSG}" ]; then
+                echo "$out" >&2
+                exit $exitcode
+            else
+                echo "already imported code signing certificate"
+            fi
+        fi
+      fi
+    fi
+}
+
+create_cloudflared_build_keychain() {
+  # Reusing the private key password as the keychain key
+  local PRIVATE_KEY_PASS=$1
+
+  # Create keychain only if it doesn't already exist
+  if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
+    security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
+  else
+    echo "Keychain already exists: cloudflared_build_keychain"
+  fi
+
+  # Append temp keychain to the user domain
+  security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
+
+  # Remove relock timeout
+  security set-keychain-settings cloudflared_build_keychain
+
+  # Unlock keychain so it doesn't require password
+  security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
+
+}
+
+# Imports private keys to the Apple KeyChain
+import_private_keys() {
+    local PRIVATE_KEY_NAME=$1
+    local PRIVATE_KEY_ENV_VAR=$2
+    local PRIVATE_KEY_FILE_NAME=$3
+    local PRIVATE_KEY_PASS=$4
+
+    echo "Importing $PRIVATE_KEY_NAME"
+
+    if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
+      if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
+        # write private key to disk and then import it keychain
+        echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
+        # we set || true  here and for every `security import invoke` because the  "duplicate SecKeychainItemImport" error
+        # will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
+        local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
+        local exitcode=$?
+        rm -rf ${PRIVATE_KEY_FILE_NAME}
         if [ -n "$out" ]; then
           if [ $exitcode -eq 0 ]; then
               echo "$out"
@@ -49,79 +118,34 @@ if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
               fi
           fi
         fi
-    rm ${CODE_SIGN_PRIV}
       fi
     fi
+}
+
+# Create temp keychain only for this build
+create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
+
+# Add Apple Root Developer certificate to the key chain
+import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
+
+# Add code signing private key to the key chain
+import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
 
 # Add code signing certificate to the key chain
-if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
-  # write certificate to disk and then import it keychain
-  echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
-  out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
-  exitcode1=$?
-  if [ -n "$out1" ]; then
-    if [ $exitcode1 -eq 0 ]; then
-        echo "$out1"
-    else
-        if [ "$out1" != "${SEC_DUP_MSG}" ]; then
-            echo "$out1" >&2
-            exit $exitcode1
-        else 
-            echo "already imported code signing certificate"
-        fi
-    fi
-  fi
-  rm ${CODE_SIGN_CERT}
-fi
+import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
 
 # Add package signing private key to the key chain
-if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
-  if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
-    # write private key to disk and then import it into the keychain
-    echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
-    out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
-    exitcode2=$?
-    if [ -n "$out2" ]; then
-      if [ $exitcode2 -eq 0 ]; then
-          echo "$out2"
-      else
-          if [ "$out2" != "${SEC_DUP_MSG}" ]; then
-              echo "$out2" >&2
-              exit $exitcode2
-          fi
-      fi
-    fi
-    rm ${INSTALLER_PRIV}
-  fi
-fi
+import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
 
 # Add package signing certificate to the key chain
-if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
-  # write certificate to disk and then import it keychain
-  echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
-  out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
-  exitcode3=$?
-  if [ -n "$out3" ]; then
-    if [ $exitcode3 -eq 0 ]; then
-        echo "$out3"
-    else
-        if [ "$out3" != "${SEC_DUP_MSG}" ]; then
-            echo "$out3" >&2
-            exit $exitcode3
-        else 
-            echo "already imported installer certificate"
-        fi
-    fi
-  fi
-  rm ${INSTALLER_CERT}
-fi
+import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
 
 # get the code signing certificate name
 if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
   CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
-    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
+    CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
   else
     CODE_SIGN_NAME=""
   fi
@@ -131,40 +155,55 @@ fi
 if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
   PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
 else
-  if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
-    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
+  if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
+    PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
   else
     PKG_SIGN_NAME=""
   fi
 fi
 
+# cleanup the build directory because the previous execution might have failed without cleaning up.
+rm -rf "${TARGET_DIRECTORY}"
+export TARGET_OS="darwin"
+GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
+
+
+# This allows apple tools to use the certificates in the keychain without requiring password input.
+# This command always needs to run after the certificates have been loaded into the keychain
+if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
+  security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
+fi
+
 # sign the cloudflared binary
 if [[ ! -z "$CODE_SIGN_NAME" ]]; then
-  codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
+  codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
 
  # notarize the binary
  # TODO: TUN-5789
 fi
 
+ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
 # creating build directory
-rm -rf $TARGET_DIRECTORY
-mkdir "${TARGET_DIRECTORY}"
-mkdir "${TARGET_DIRECTORY}/contents"
-cp -r ".mac_resources/scripts" "${TARGET_DIRECTORY}/scripts"
+rm -rf $ARCH_TARGET_DIRECTORY
+mkdir -p "${ARCH_TARGET_DIRECTORY}"
+mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
+cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
 
 # copy cloudflared into the build directory
-cp ${BINARY_NAME} "${TARGET_DIRECTORY}/contents/${PRODUCT}"
+cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
 
 # compress cloudflared into a tar and gzipped file
 tar czf "$FILENAME" "${BINARY_NAME}"
 
 # build the installer package
 if [[ ! -z "$PKG_SIGN_NAME" ]]; then
+
   pkgbuild --identifier com.cloudflare.${PRODUCT} \
       --version ${VERSION} \
-      --scripts ${TARGET_DIRECTORY}/scripts \
-      --root ${TARGET_DIRECTORY}/contents \
+      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
+      --root ${ARCH_TARGET_DIRECTORY}/contents \
       --install-location /usr/local/bin \
+      --keychain cloudflared_build_keychain \
       --sign "${PKG_SIGN_NAME}" \
       ${PKGNAME}
 
@@ -173,12 +212,17 @@ if [[ ! -z "$PKG_SIGN_NAME" ]]; then
 else
     pkgbuild --identifier com.cloudflare.${PRODUCT} \
       --version ${VERSION} \
-      --scripts ${TARGET_DIRECTORY}/scripts \
-      --root ${TARGET_DIRECTORY}/contents \
+      --scripts ${ARCH_TARGET_DIRECTORY}/scripts \
+      --root ${ARCH_TARGET_DIRECTORY}/contents \
       --install-location /usr/local/bin \
       ${PKGNAME}
 fi
 
+# cleanup build directory because this script is not ran within containers,
+# which might lead to future issues in subsequent runs.
+rm -rf "${TARGET_DIRECTORY}"
 
-# cleaning up the build directory
-rm -rf $TARGET_DIRECTORY
+# cleanup the keychain
+security default-keychain -d user -s login.keychain-db
+security list-keychains -d user -s login.keychain-db
+security delete-keychain cloudflared_build_keychain

.teamcity/package-windows.sh

@@ -3,15 +3,17 @@ echo $VERSION
 
 export TARGET_OS=windows
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
-mkdir -p $ARTIFACT_DIR
+export BUILT_ARTIFACT_DIR=built_artifacts/
+export FINAL_ARTIFACT_DIR=artifacts/
+mkdir -p $BUILT_ARTIFACT_DIR
+mkdir -p $FINAL_ARTIFACT_DIR
 windowsArchs=("amd64" "386")
 for arch in ${windowsArchs[@]}; do
     export TARGET_ARCH=$arch
     # Copy exe into final directory
-    cp ./artifacts/cloudflared-windows-$arch.exe $ARTIFACT_DIR/cloudflared-windows-$arch.exe
-    cp ./artifacts/cloudflared-windows-$arch.exe ./cloudflared.exe
+    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
     make cloudflared-msi
     # Copy msi into final directory
-    mv cloudflared-$VERSION-$arch.msi $ARTIFACT_DIR/cloudflared-windows-$arch.msi
+    mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
+    cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe 
 done

.teamcity/windows/component-test.ps1

@@ -5,41 +5,6 @@ $ProgressPreference = "SilentlyContinue"
 $WorkingDirectory = Get-Location
 $CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
 
-Write-Output "Installing python..."
-
-$PythonVersion = "3.10.11"
-$PythonZipFile = "$env:Temp\python-$PythonVersion-embed-amd64.zip"
-$PipInstallFile = "$env:Temp\get-pip.py"
-$PythonZipUrl = "https://www.python.org/ftp/python/$PythonVersion/python-$PythonVersion-embed-amd64.zip"
-$PythonPath = "$WorkingDirectory\Python"
-$PythonBinPath = "$PythonPath\python.exe"
-
-# Download Python zip file
-Invoke-WebRequest -Uri $PythonZipUrl -OutFile $PythonZipFile
-
-# Download Python pip file
-Invoke-WebRequest -Uri "https://bootstrap.pypa.io/get-pip.py" -OutFile $PipInstallFile
-
-# Extract Python files
-Expand-Archive $PythonZipFile -DestinationPath $PythonPath -Force
-
-# Add Python to PATH
-$env:Path = "$PythonPath\Scripts;$PythonPath;$($env:Path)"
-
-Write-Output "Installed to $PythonPath"
-
-# Install pip
-& $PythonBinPath $PipInstallFile
-
-# Add package paths in pythonXX._pth to unblock python -m pip
-$PythonImportPathFile = "$PythonPath\python310._pth"
-$ComponentTestsDir = "$CloudflaredDirectory\component-tests\"
-@($ComponentTestsDir, "Lib\site-packages", $(Get-Content $PythonImportPathFile)) | Set-Content $PythonImportPathFile
-
-# Test Python installation
-& $PythonBinPath --version
-& $PythonBinPath -m pip --version
-
 go env
 go version
 
@@ -48,8 +13,8 @@ $env:CGO_ENABLED = 1
 $env:TARGET_ARCH = "amd64"
 $env:Path = "$Env:Temp\go\bin;$($env:Path)"
 
-& $PythonBinPath --version
-& $PythonBinPath -m pip --version
+python --version
+python -m pip --version
 
 cd $CloudflaredDirectory
 
@@ -72,11 +37,11 @@ if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
 
 Write-Output "Running component tests"
 
-& $PythonBinPath -m pip install --upgrade -r component-tests/requirements.txt
-& $PythonBinPath component-tests/setup.py --type create
-& $PythonBinPath -m pytest component-tests -o log_cli=true --log-cli-level=INFO
+python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
+python component-tests/setup.py --type create
+python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
 if ($LASTEXITCODE -ne 0) {
-    & $PythonBinPath component-tests/setup.py --type cleanup
+    python component-tests/setup.py --type cleanup
     throw "Failed component tests"
 }
-& $PythonBinPath component-tests/setup.py --type cleanup
+python component-tests/setup.py --type cleanup

.teamcity/windows/install-cloudflare-go.ps1

@@ -9,8 +9,8 @@ Set-Location "$Env:Temp"
 git clone -q https://github.com/cloudflare/go
 Write-Output "Building go..."
 cd go/src
-# https://github.com/cloudflare/go/tree/34129e47042e214121b6bbff0ded4712debed18e is version go1.21.5-devel-cf
-git checkout -q 34129e47042e214121b6bbff0ded4712debed18e
+# https://github.com/cloudflare/go/tree/af19da5605ca11f85776ef7af3384a02a315a52b is version go1.22.5-devel-cf
+git checkout -q af19da5605ca11f85776ef7af3384a02a315a52b
 & ./make.bat
 
 Write-Output "Installed"

.teamcity/windows/install-go-msi.ps1

@@ -1,6 +1,6 @@
 $ErrorActionPreference = "Stop"
 $ProgressPreference = "SilentlyContinue"
-$GoMsiVersion = "go1.21.5.windows-amd64.msi"
+$GoMsiVersion = "go1.22.5.windows-amd64.msi"
 
 Write-Output "Downloading go installer..."
 

CHANGES.md

@@ -1,3 +1,19 @@
+## 2025.1.1
+### New Features
+- This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
+
+## 2024.12.2
+### New Features
+- This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
+
+## 2024.12.1
+### Notices
+- The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
+
+## 2024.10.0
+### Bug Fixes
+- We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
+
 ## 2024.2.1
 ### Notices
 - Starting from this version, tunnel diagnostics will be enabled by default. This will allow the engineering team to remotely get diagnostics from cloudflared during debug activities. Users still have the capability to opt-out of this feature by defining `--management-diagnostics=false` (or env `TUNNEL_MANAGEMENT_DIAGNOSTICS`).

Dockerfile

@@ -1,11 +1,15 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.21.5 as builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0 \
   TARGET_GOOS=${TARGET_GOOS} \
-    TARGET_GOARCH=${TARGET_GOARCH}
+  TARGET_GOARCH=${TARGET_GOARCH} \
+  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
+  # which changes how cloudflared binds the metrics server
+  CONTAINER_BUILD=1
+
 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 
@@ -18,7 +22,7 @@ RUN .teamcity/install-cloudflare-go.sh
 RUN PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 

Dockerfile.amd64

@@ -1,7 +1,10 @@
 # use a builder image for building cloudflare
-FROM golang:1.21.5 as builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 
+  CGO_ENABLED=0 \
+  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
+  # which changes how cloudflared binds the metrics server
+  CONTAINER_BUILD=1 
 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 
@@ -14,7 +17,7 @@ RUN .teamcity/install-cloudflare-go.sh
 RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot
+FROM gcr.io/distroless/base-debian12:nonroot
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 

Dockerfile.arm64

@@ -1,7 +1,10 @@
 # use a builder image for building cloudflare
-FROM golang:1.21.5 as builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
-    CGO_ENABLED=0 
+  CGO_ENABLED=0 \
+  # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
+  # which changes how cloudflared binds the metrics server
+  CONTAINER_BUILD=1
 
 WORKDIR /go/src/github.com/cloudflare/cloudflared/
 
@@ -14,7 +17,7 @@ RUN .teamcity/install-cloudflare-go.sh
 RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
 
 # use a distroless base image with glibc
-FROM gcr.io/distroless/base-debian11:nonroot-arm64
+FROM gcr.io/distroless/base-debian12:nonroot-arm64
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 

Makefile

@@ -24,12 +24,16 @@ else
 	DEB_PACKAGE_NAME := $(BINARY_NAME)
 endif
 
-DATE          := $(shell date -u '+%Y-%m-%d-%H%M UTC')
+DATE          := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H%M UTC')
 VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
 ifdef PACKAGE_MANAGER
 	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
 endif
 
+ifdef CONTAINER_BUILD 
+	VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
+endif
+
 LINK_FLAGS :=
 ifeq ($(FIPS), true)
 	LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@@ -129,11 +133,9 @@ clean:
 cloudflared:
 ifeq ($(FIPS), true)
 	$(info Building cloudflared with go-fips)
-	cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
 endif
 	GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
 ifeq ($(FIPS), true)
-	rm -f cmd/cloudflared/fips.go
 	./check-fips.sh cloudflared
 endif
 
@@ -165,9 +167,17 @@ cover:
 	# Generate the HTML report that can be viewed from the browser in CI.
 	$Q go tool cover -html ".cover/c.out" -o .cover/all.html
 
-.PHONY: test-ssh-server
-test-ssh-server:
-	docker-compose -f ssh_server_tests/docker-compose.yml up
+.PHONY: fuzz
+fuzz:
+	@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
+	@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
+	@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
+	@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
+	@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
 
 .PHONY: install-go
 install-go:
@@ -218,50 +228,28 @@ cloudflared-pkg: cloudflared cloudflared.1
 cloudflared-msi:
 	wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
 
-.PHONY: cloudflared-darwin-amd64.tgz
-cloudflared-darwin-amd64.tgz: cloudflared
-	tar czf cloudflared-darwin-amd64.tgz cloudflared
-	rm cloudflared
+.PHONY: github-release-dryrun
+github-release-dryrun:
+	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION) --dry-run
 
 .PHONY: github-release
-github-release: cloudflared
-	python3 github_release.py --path $(EXECUTABLE_PATH) --release-version $(VERSION)
-
-.PHONY: github-release-built-pkgs
-github-release-built-pkgs:
+github-release:
 	python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
-
-.PHONY: release-pkgs-linux
-release-pkgs-linux:
-	python3 ./release_pkgs.py
-
-.PHONY: github-message
-github-message:
 	python3 github_message.py --release-version $(VERSION)
 
-.PHONY: github-mac-upload
-github-mac-upload:
-	python3 github_release.py --path artifacts/cloudflared-darwin-amd64.tgz --release-version $(VERSION) --name cloudflared-darwin-amd64.tgz
-	python3 github_release.py --path artifacts/cloudflared-amd64.pkg --release-version $(VERSION) --name cloudflared-amd64.pkg
+.PHONY: macos-release
+macos-release:
+	python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION)
 
-.PHONY: github-windows-upload
-github-windows-upload:
-	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.exe --release-version $(VERSION) --name cloudflared-windows-amd64.exe
-	python3 github_release.py --path built_artifacts/cloudflared-windows-amd64.msi --release-version $(VERSION) --name cloudflared-windows-amd64.msi
-	python3 github_release.py --path built_artifacts/cloudflared-windows-386.exe --release-version $(VERSION) --name cloudflared-windows-386.exe
-	python3 github_release.py --path built_artifacts/cloudflared-windows-386.msi --release-version $(VERSION) --name cloudflared-windows-386.msi
+.PHONY: r2-linux-release
+r2-linux-release:
+	python3 ./release_pkgs.py
 
-.PHONY: tunnelrpc-deps
-tunnelrpc-deps:
+.PHONY: capnp
+capnp:
 	which capnp  # https://capnproto.org/install.html
 	which capnpc-go  # go install zombiezen.com/go/capnproto2/capnpc-go@latest
-	capnp compile -ogo tunnelrpc/tunnelrpc.capnp
-
-.PHONY: quic-deps
-quic-deps:
-	which capnp
-	which capnpc-go
-	capnp compile -ogo quic/schema/quic_metadata_protocol.capnp
+	capnp compile -ogo tunnelrpc/proto/tunnelrpc.capnp tunnelrpc/proto/quic_metadata_protocol.capnp
 
 .PHONY: vet
 vet:
@@ -269,4 +257,17 @@ vet:
 
 .PHONY: fmt
 fmt:
-	goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc)
+	@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
+	@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
+
+.PHONY: fmt-check
+fmt-check:
+	@./fmt-check.sh
+
+.PHONY: lint
+lint:
+	@golangci-lint run
+
+.PHONY: mocks
+mocks:
+	go generate mocks/mockgen.go

README.md

@@ -40,7 +40,7 @@ User documentation for Cloudflare Tunnel can be found at https://developers.clou
 
 Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
 
-* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
+* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/)
 * Route traffic to that Tunnel:
   * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
   * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
@@ -49,10 +49,34 @@ Once installed, you can authenticate `cloudflared` into your Cloudflare account
 
 ## TryCloudflare
 
-Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare).
+Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
 
 ## Deprecated versions
 
 Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
 
 For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
+
+## Development
+
+### Requirements
+- [GNU Make](https://www.gnu.org/software/make/)
+- [capnp](https://capnproto.org/install.html)
+- [cloudflare go toolchain](https://github.com/cloudflare/go)
+- Optional tools:
+  - [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
+  - [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
+  - [golangci-lint](https://github.com/golangci/golangci-lint)
+  - [gomocks](https://pkg.go.dev/go.uber.org/mock)
+
+### Build
+To build cloudflared locally run `make cloudflared`
+
+### Test
+To locally run the tests run `make test`
+
+### Linting
+To format the code and keep a good code quality use `make fmt` and `make lint`
+
+### Mocks
+After changes on interfaces you might need to regenerate the mocks, so run `make mock`

RELEASE_NOTES

@@ -1,3 +1,196 @@
+2025.4.2
+- 2025-04-30 chore: Do not use gitlab merge request pipelines
+- 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
+- 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
+- 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
+
+2025.4.0
+- 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
+- 2025-04-02 chore: remove repetitive words
+- 2025-04-01 Fix messages to point to one.dash.cloudflare.com
+- 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
+- 2025-04-01 Use RELEASE_NOTES date instead of build date
+- 2025-04-01 chore: Update tunnel configuration link in the readme
+- 2025-04-01 fix: expand home directory for credentials file
+- 2025-04-01 fix: Use path and filepath operation appropriately
+- 2025-04-01 feat: Adds a new command line for tunnel run for token file
+- 2025-04-01 chore: fix linter rules
+- 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
+- 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
+
+2025.2.1
+- 2025-02-26 TUN-9016: update base-debian to v12
+- 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
+- 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
+- 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml
+- 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags
+
+2025.2.0
+- 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows
+- 2025-02-03 Bump x/crypto to 0.31.0
+
+2025.1.1
+- 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
+- 2025-01-30 TUN-8855: fix lint issues
+- 2025-01-30 TUN-8855: Update PQ curve preferences
+- 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ
+- 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
+- 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata
+- 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth
+- 2025-01-20 TUN-8861: Add session limiter to UDP session manager
+- 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter
+- 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
+- 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment
+- 2025-01-16 TUN-8866: Add linter to cloudflared repository
+- 2025-01-14 TUN-8861: Add session limiter to TCP session manager
+- 2025-01-13 TUN-8861: Add configuration for active sessions limiter
+- 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done
+
+2025.1.0
+- 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script
+- 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout
+- 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles
+
+2024.12.2
+- 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder
+- 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand
+- 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers
+- 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server
+- 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure
+- 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure
+- 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON
+- 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure
+- 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state
+- 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files
+
+2024.12.1
+- 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
+
+2024.12.0
+- 2024-12-09 TUN-8640: Add ICMP support for datagram V3
+- 2024-12-09 TUN-8789: make python package installation consistent
+- 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
+- 2024-12-05 TUN-8775: Make sure the session Close can only be called once
+- 2024-12-04 TUN-8725: implement diagnostic procedure
+- 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
+- 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
+- 2024-12-04 TUN-8768: add job report to diagnostic zipfile
+- 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
+- 2024-12-03 TUN-8732: implement port selection algorithm
+- 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
+- 2024-12-03 TUN-8769: fix k8s log collector arguments
+- 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
+- 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
+- 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
+- 2024-11-27 TUN-8733: add log collection for docker
+- 2024-11-27 TUN-8734: add log collection for kubernetes
+- 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
+- 2024-11-26 TUN-8735: add managed/local log collection
+- 2024-11-25 TUN-8728: implement diag/tunnel endpoint
+- 2024-11-25 TUN-8730: implement diag/configuration
+- 2024-11-22 TUN-8737: update metrics server port selection
+- 2024-11-22 TUN-8731: Implement diag/system endpoint
+- 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
+
+2024.11.1
+- 2024-11-18 Add cloudflared tunnel ready command
+- 2024-11-14 Make metrics a requirement for tunnel ready command
+- 2024-11-12 TUN-8701:  Simplify flow registration logs for datagram v3
+- 2024-11-11 add: new go-fuzz targets
+- 2024-11-07 TUN-8701: Add metrics and adjust logs for datagram v3
+- 2024-11-06 TUN-8709: Add session migration for datagram v3
+- 2024-11-04 Fixed 404 in README.md to TryCloudflare
+- 2024-09-24 Update semgrep.yml
+
+2024.11.0
+- 2024-11-05 VULN-66059: remove ssh server tests
+- 2024-11-04 TUN-8700: Add datagram v3 muxer
+- 2024-11-04 TUN-8646: Allow experimental feature support for datagram v3
+- 2024-11-04 TUN-8641: Expose methods to simplify V3 Datagram parsing on the edge
+- 2024-10-31 TUN-8708: Bump python min version to 3.10
+- 2024-10-31 TUN-8667: Add datagram v3 session manager
+- 2024-10-25 TUN-8692: remove dashes from session id
+- 2024-10-24 TUN-8694: Rework release script
+- 2024-10-24 TUN-8661: Refactor connection methods to support future different datagram muxing methods
+- 2024-07-22 TUN-8553: Bump go to 1.22.5 and go-boring 1.22.5-1
+
+2024.10.1
+- 2024-10-23 TUN-8694: Fix github release script
+- 2024-10-21 Revert "TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport"
+- 2024-10-18 TUN-8688: Correct UDP bind for IPv6 edge connectivity on macOS
+- 2024-10-17 TUN-8685: Bump coredns dependency
+- 2024-10-16 TUN-8638: Add datagram v3 serializers and deserializers
+- 2024-10-15 chore: Remove h2mux code
+- 2024-10-11 TUN-8631: Abort release on version mismatch
+
+2024.10.0
+- 2024-10-01 TUN-8646: Add datagram v3 support feature flag
+- 2024-09-30 TUN-8621: Fix cloudflared version in change notes to account for release date
+- 2024-09-19 Adding semgrep yaml file
+- 2024-09-12 TUN-8632: Delay checking auto-update by the provided frequency
+- 2024-09-11 TUN-8630: Check checksum of downloaded binary to compare to current for auto-updating
+- 2024-09-09 TUN-8629: Cloudflared update on Windows requires running it twice to update
+- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
+- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
+- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
+- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
+
+2024.9.1
+- 2024-09-10 Revert Release 2024.9.0
+
+2024.9.0
+- 2024-09-10 TUN-8621: Fix cloudflared version in change notes.
+- 2024-09-06 PPIP-2310: Update quick tunnel disclaimer
+- 2024-08-30 TUN-8621: Prevent QUIC connection from closing before grace period after unregistering
+- 2024-08-09 TUN-8592: Use metadata from the edge to determine if request body is empty for QUIC transport
+- 2024-06-26 TUN-8484: Print response when QuickTunnel can't be unmarshalled
+
+2024.8.3
+- 2024-08-15 TUN-8591 login command without extra text
+- 2024-03-25 remove code that will not be executed
+- 2024-03-25 remove code that will not be executed
+
+2024.8.2
+- 2024-08-05 TUN-8583: change final directory of artifacts
+- 2024-08-05 TUN-8585: Avoid creating GH client when dry-run is true
+
+2024.7.3
+- 2024-07-31 TUN-8546: Fix final artifacts paths
+
+2024.7.2
+- 2024-07-17 TUN-8546: rework MacOS build script
+
+2024.7.1
+- 2024-07-16 TUN-8543: use -p flag to create intermediate directories
+
+2024.7.0
+- 2024-07-05 TUN-8520: add macos arm64 build
+- 2024-07-05 TUN-8523: refactor makefile and cfsetup
+- 2024-07-02 TUN-8504: Use pre-installed python version instead of downloading it on Windows builds
+- 2024-06-26 TUN-8489: Add default noop logger for capnprpc
+- 2024-06-25 TUN-8487: Add user-agent for quick-tunnel requests
+- 2023-12-12 TUN-8057: cloudflared uses new PQ curve ID
+
+2024.6.1
+- 2024-06-12 TUN-8461: Don't log Failed to send session payload if the error is EOF
+- 2024-06-07 TUN-8456: Update quic-go to 0.45 and collect mtu and congestion control metrics
+- 2024-06-06 TUN-8452: Add flag to control QUIC stream-level flow control limit
+- 2024-06-06 TUN-8451: Log QUIC flow control frames and transport parameters received
+- 2024-06-05 TUN-8449: Add flag to control QUIC connection-level flow control limit and increase default to 30MB
+
+2024.6.0
+- 2024-05-30 TUN-8441: Correct UDP total sessions metric to a counter and add new ICMP metrics
+- 2024-05-28 TUN-8422: Add metrics for capnp method calls
+- 2024-05-24 TUN-8424: Refactor capnp registration server
+- 2024-05-23 TUN-8427: Fix BackoffHandler's internally shared clock structure
+- 2024-05-21 TUN-8425: Remove ICMP binding for quick tunnels
+- 2024-05-20 TUN-8423: Deprecate older legacy tunnel capnp interfaces
+- 2024-05-15 TUN-8419: Add capnp safe transport
+- 2024-05-13 TUN-8415: Refactor capnp rpc into a single module
+
+2024.5.0
+- 2024-05-07 TUN-8407: Upgrade go to version 1.22.2
+
 2024.4.1
 - 2024-04-22 TUN-8380: Add sleep before requesting quick tunnel as temporary fix for component tests
 - 2024-04-19 TUN-8374: Close UDP socket if registration fails

build-packages-fips.sh

@@ -3,7 +3,7 @@ VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
 echo $VERSION
 
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 
 arch=("amd64")

build-packages.sh

@@ -7,7 +7,7 @@ export GOEXPERIMENT=noboringcrypto
 export CGO_ENABLED=0
 
 # This controls the directory the built artifacts go into
-export ARTIFACT_DIR=built_artifacts/
+export ARTIFACT_DIR=artifacts/
 mkdir -p $ARTIFACT_DIR
 
 linuxArchs=("386" "amd64" "arm" "armhf" "arm64")

catalog-info.yaml

@@ -4,7 +4,6 @@ metadata:
   name: cloudflared
   description: Client for Cloudflare Tunnels
   annotations:
-    backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
     cloudflare.com/software-excellence-opt-in: "true"
     cloudflare.com/jira-project-key: "TUN"
     cloudflare.com/jira-project-component: "Cloudflare Tunnel"
@@ -14,3 +13,5 @@ spec:
   type: "service"
   lifecycle: "Active"
   owner: "teams/tunnel-teams-routing"
+  cf:
+    FIPS: "required"

cfsetup.yaml

@@ -1,36 +1,34 @@
-pinned_go: &pinned_go go-boring=1.21.5-1
+pinned_go: &pinned_go go-boring=1.22.10-1
 
 build_dir: &build_dir /cfsetup_build
-default-flavor: bullseye
-buster: &buster
-  build:
+default-flavor: bookworm
+
+bullseye: &bullseye
+  build-linux:
     build_dir: *build_dir
     builddeps: &build_deps
       - *pinned_go
       - build-essential
-      - gotest-to-teamcity
       - fakeroot
       - rubygem-fpm
       - rpm
       - libffi-dev
-      - reprepro
-      - createrepo
+      - golangci-lint
     pre-cache: &build_pre_cache
       - export GOCACHE=/cfsetup_build/.cache/go-build
-      - go install golang.org/x/tools/cmd/goimports@latest
+      - go install golang.org/x/tools/cmd/goimports@v0.30.0
     post-cache:
-      # TODO: TUN-8126 this is temporary to make sure packages can be built before release
-      - ./build-packages.sh
+      # Linting
+      - make lint
+      - make fmt-check
       # Build binary for component test
       - GOOS=linux GOARCH=amd64 make cloudflared
-  build-fips:
+  build-linux-fips:
     build_dir: *build_dir
     builddeps: *build_deps
     pre-cache: *build_pre_cache
     post-cache:
       - export FIPS=true
-      # TODO: TUN-8126 this is temporary to make sure packages can be built before release
-      - ./build-packages-fips.sh
       # Build binary for component test
       - GOOS=linux GOARCH=amd64 make cloudflared
   cover:
@@ -39,61 +37,34 @@ buster: &buster
     pre-cache: *build_pre_cache
     post-cache:
       - make cover
-  # except FIPS (handled in github-fips-release-pkgs) and macos (handled in github-release-macos-amd64)
-  github-release-pkgs:
+  # except FIPS and macos
+  build-linux-release:
     build_dir: *build_dir
-    builddeps:
+    builddeps: &build_deps_release
       - *pinned_go
       - build-essential
       - fakeroot
       - rubygem-fpm
       - rpm
-      - wget
-      # libmsi and libgcab are libraries the wixl binary depends on.
-      - libmsi-dev
-      - libgcab-dev
-      - python3-dev
       - libffi-dev
-      - python3-setuptools
+      - python3-dev
       - python3-pip
-      - reprepro
-      - createrepo
-    pre-cache: &github_release_pkgs_pre_cache
-      - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
-      - chmod a+x /usr/local/bin/wixl
-      - pip3 install pynacl==1.4.0
-      - pip3 install pygithub==1.55
-      - pip3 install boto3==1.22.9
-      - pip3 install python-gnupg==0.4.9
+      - python3-setuptools
+      - wget
+      - python3-venv
     post-cache:
+      - python3 -m venv env
+      - . /cfsetup_build/env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
       # build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
       - ./build-packages.sh
-      # release the packages built and moved to /cfsetup/built_artifacts
-      - make github-release-built-pkgs
-      # publish packages to linux repos
-      - make release-pkgs-linux
   # handle FIPS separately so that we built with gofips compiler
-  github-fips-release-pkgs:
+  build-linux-fips-release:
     build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - build-essential
-      - fakeroot
-      - rubygem-fpm
-      - rpm
-      - wget
-      # libmsi and libgcab are libraries the wixl binary depends on.
-      - libmsi-dev
-      - libgcab-dev
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-    pre-cache: *github_release_pkgs_pre_cache
+    builddeps: *build_deps_release
     post-cache:
       # same logic as above, but for FIPS packages only
       - ./build-packages-fips.sh
-      - make github-release-built-pkgs
   generate-versions-file:
     build_dir: *build_dir
     builddeps:
@@ -152,21 +123,7 @@ buster: &buster
       - export GOOS=linux
       - export GOARCH=arm64
       - make cloudflared-deb
-  github-release-macos-amd64:
-    build_dir: *build_dir
-    builddeps: &build_pygithub
-      - *pinned_go
-      - build-essential
-      - python3-dev
-      - libffi-dev
-      - python3-setuptools
-      - python3-pip
-    pre-cache: &install_pygithub
-      - pip3 install pynacl==1.4.0
-      - pip3 install pygithub==1.55
-    post-cache:
-      - make github-mac-upload
-  github-release-windows:
+  package-windows:
     build_dir: *build_dir
     builddeps:
       - *pinned_go
@@ -179,75 +136,122 @@ buster: &buster
       # libmsi and libgcab are libraries the wixl binary depends on.
       - libmsi-dev
       - libgcab-dev
+      - python3-venv
     pre-cache:
       - wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
       - chmod a+x /usr/local/bin/wixl
-      - pip3 install pynacl==1.4.0
-      - pip3 install pygithub==1.55
     post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
       - .teamcity/package-windows.sh
-      - make github-windows-upload
   test:
     build_dir: *build_dir
-    builddeps: *build_deps
+    builddeps: &build_deps_tests
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - libffi-dev
+      - gotest-to-teamcity
     pre-cache: *build_pre_cache
     post-cache:
       - export GOOS=linux
       - export GOARCH=amd64
       - export PATH="$HOME/go/bin:$PATH"
-      - ./fmt-check.sh
       - make test | gotest-to-teamcity
   test-fips:
     build_dir: *build_dir
-    builddeps: *build_deps
+    builddeps: *build_deps_tests
     pre-cache: *build_pre_cache
     post-cache:
       - export GOOS=linux
       - export GOARCH=amd64
       - export FIPS=true
       - export PATH="$HOME/go/bin:$PATH"
-      - ./fmt-check.sh
       - make test | gotest-to-teamcity
   component-test:
     build_dir: *build_dir
-    builddeps:
+    builddeps: &build_deps_component_test
       - *pinned_go
-      - python3.7
+      - python3
       - python3-pip
       - python3-setuptools
-      # procps installs the ps command which is needed in test_sysv_service because the init script
-      # uses ps pid to determine if the agent is running
+      # procps installs the ps command which is needed in test_sysv_service
+      # because the init script uses ps pid to determine if the agent is
+      # running
       - procps
+      - python3-venv
     pre-cache-copy-paths:
       - component-tests/requirements.txt
-    pre-cache: &component_test_pre_cache
-      - sudo pip3 install --upgrade -r component-tests/requirements.txt
     post-cache: &component_test_post_cache
-      # Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install --upgrade -r component-tests/requirements.txt
+      # Creates and routes a Named Tunnel for this build. Also constructs
+      # config file from env vars.
       - python3 component-tests/setup.py --type create
       - pytest component-tests -o log_cli=true --log-cli-level=INFO
       # The Named Tunnel is deleted and its route unprovisioned here.
       - python3 component-tests/setup.py --type cleanup
   component-test-fips:
     build_dir: *build_dir
-    builddeps:
-      - *pinned_go
-      - python3.7
-      - python3-pip
-      - python3-setuptools
-      # procps installs the ps command which is needed in test_sysv_service because the init script
-      # uses ps pid to determine if the agent is running
-      - procps
+    builddeps: *build_deps_component_test
     pre-cache-copy-paths:
       - component-tests/requirements.txt
-    pre-cache: *component_test_pre_cache
     post-cache: *component_test_post_cache
-  github-message-release:
+  github-release-dryrun:
     build_dir: *build_dir
-    builddeps: *build_pygithub
-    pre-cache: *install_pygithub
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - python3-venv
     post-cache:
-      - make github-message
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
+      - make github-release-dryrun
+  github-release:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55
+      - make github-release
+  r2-linux-release:
+    build_dir: *build_dir
+    builddeps:
+      - *pinned_go
+      - build-essential
+      - fakeroot
+      - rubygem-fpm
+      - rpm
+      - wget
+      - python3-dev
+      - libffi-dev
+      - python3-setuptools
+      - python3-pip
+      - reprepro
+      - createrepo-c
+      - python3-venv
+    post-cache:
+      - python3 -m venv env
+      - . env/bin/activate
+      - pip install pynacl==1.4.0 pygithub==1.55 boto3==1.22.9 python-gnupg==0.4.9
+      - make r2-linux-release
 
-bullseye: *buster
-bookworm: *buster
+bookworm: *bullseye
+trixie: *bullseye

cmd/cloudflared/access/carrier.go

@@ -104,7 +104,7 @@ func ssh(c *cli.Context) error {
 		case 3:
 			options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
 			options.TLSClientConfig = &tls.Config{
-				InsecureSkipVerify: true,
+				InsecureSkipVerify: true, // #nosec G402
 				ServerName:         parts[0],
 			}
 			log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@@ -141,6 +141,5 @@ func ssh(c *cli.Context) error {
 		logger := log.With().Str("host", url.Host).Logger()
 		s = stream.NewDebugStream(s, &logger, maxMessages)
 	}
-	carrier.StartClient(wsConn, s, options)
-	return nil
+	return carrier.StartClient(wsConn, s, options)
 }

cmd/cloudflared/access/cmd.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/cloudflare/cloudflared/carrier"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/sshgen"
 	"github.com/cloudflare/cloudflared/token"
@@ -26,6 +27,7 @@ import (
 )
 
 const (
+	appURLFlag         = "app"
 	loginQuietFlag     = "quiet"
 	sshHostnameFlag    = "hostname"
 	sshDestinationFlag = "destination"
@@ -86,6 +88,7 @@ func Commands() []*cli.Command {
 					Name:      "login",
 					Action:    cliutil.Action(login),
 					Usage:     "login <url of access application>",
+					ArgsUsage: "url of Access application",
 					Description: `The login subcommand initiates an authentication flow with your identity provider.
 					The subcommand will launch a browser. For headless systems, a url is provided.
 					Once authenticated with your identity provider, the login command will generate a JSON Web Token (JWT)
@@ -97,6 +100,13 @@ func Commands() []*cli.Command {
 							Aliases: []string{"q"},
 							Usage:   "do not print the jwt to the command line",
 						},
+						&cli.BoolFlag{
+							Name:  "no-verbose",
+							Usage: "print only the jwt to stdout",
+						},
+						&cli.StringFlag{
+							Name: appURLFlag,
+						},
 					},
 				},
 				{
@@ -111,12 +121,12 @@ func Commands() []*cli.Command {
 				{
 					Name:        "token",
 					Action:      cliutil.Action(generateToken),
-					Usage:       "token -app=<url of access application>",
+					Usage:       "token <url of access application>",
 					ArgsUsage:   "url of Access application",
 					Description: `The token subcommand produces a JWT which can be used to authenticate requests.`,
 					Flags: []cli.Flag{
 						&cli.StringFlag{
-							Name: "app",
+							Name: appURLFlag,
 						},
 					},
 				},
@@ -163,15 +173,15 @@ func Commands() []*cli.Command {
 							EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
 						},
 						&cli.StringFlag{
-							Name:  logger.LogFileFlag,
+							Name:  cfdflags.LogFile,
 							Usage: "Save application log to this file for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:  logger.LogSSHDirectoryFlag,
+							Name:  cfdflags.LogDirectory,
 							Usage: "Save application log to this directory for reporting issues.",
 						},
 						&cli.StringFlag{
-							Name:    logger.LogSSHLevelFlag,
+							Name:    cfdflags.LogLevelSSH,
 							Aliases: []string{"loglevel"}, //added to match the tunnel side
 							Usage:   "Application logging level {debug, info, warn, error, fatal}. ",
 						},
@@ -232,9 +242,8 @@ func login(c *cli.Context) error {
 
 	log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
 
-	args := c.Args()
-	appURL, err := parseURL(args.First())
-	if args.Len() < 1 || err != nil {
+	appURL, err := getAppURLFromArgs(c)
+	if err != nil {
 		log.Error().Msg("Please provide the url of the Access application")
 		return err
 	}
@@ -261,7 +270,14 @@ func login(c *cli.Context) error {
 	if c.Bool(loginQuietFlag) {
 		return nil
 	}
+
+	// Chatty by default for backward compat. The new --app flag
+	// is an implicit opt-out of the backwards-compatible chatty output.
+	if c.Bool("no-verbose") || c.IsSet(appURLFlag) {
+		fmt.Fprint(os.Stdout, cfdToken)
+	} else {
 		fmt.Fprintf(os.Stdout, "Successfully fetched your token:\n\n%s\n\n", cfdToken)
+	}
 
 	return nil
 }
@@ -327,7 +343,7 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stderr, stderr)
+		_, _ = io.Copy(os.Stderr, stderr)
 	}()
 
 	stdout, err := c.StdoutPipe()
@@ -335,11 +351,22 @@ func run(cmd string, args ...string) error {
 		return err
 	}
 	go func() {
-		io.Copy(os.Stdout, stdout)
+		_, _ = io.Copy(os.Stdout, stdout)
 	}()
 	return c.Run()
 }
 
+func getAppURLFromArgs(c *cli.Context) (*url.URL, error) {
+	var appURLStr string
+	args := c.Args()
+	if args.Len() < 1 {
+		appURLStr = c.String(appURLFlag)
+	} else {
+		appURLStr = args.First()
+	}
+	return parseURL(appURLStr)
+}
+
 // token dumps provided token to stdout
 func generateToken(c *cli.Context) error {
 	err := sentry.Init(sentry.ClientOptions{
@@ -349,8 +376,8 @@ func generateToken(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	appURL, err := parseURL(c.String("app"))
-	if err != nil || c.NumFlags() < 1 {
+	appURL, err := getAppURLFromArgs(c)
+	if err != nil {
 		fmt.Fprintln(os.Stderr, "Please provide a url.")
 		return err
 	}
@@ -505,7 +532,7 @@ func isFileThere(candidate string) bool {
 }
 
 // verifyTokenAtEdge checks for a token on disk, or generates a new one.
-// Then makes a request to to the origin with the token to ensure it is valid.
+// Then makes a request to the origin with the token to ensure it is valid.
 // Returns nil if token is valid.
 func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
 	headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))

cmd/cloudflared/cliutil/build_info.go

@@ -1,7 +1,10 @@
 package cliutil
 
 import (
+	"crypto/sha256"
 	"fmt"
+	"io"
+	"os"
 	"runtime"
 
 	"github.com/rs/zerolog"
@@ -13,6 +16,7 @@ type BuildInfo struct {
 	GoArch             string `json:"go_arch"`
 	BuildType          string `json:"build_type"`
 	CloudflaredVersion string `json:"cloudflared_version"`
+	Checksum           string `json:"checksum"`
 }
 
 func GetBuildInfo(buildType, version string) *BuildInfo {
@@ -22,11 +26,12 @@ func GetBuildInfo(buildType, version string) *BuildInfo {
 		GoArch:             runtime.GOARCH,
 		BuildType:          buildType,
 		CloudflaredVersion: version,
+		Checksum:           currentBinaryChecksum(),
 	}
 }
 
 func (bi *BuildInfo) Log(log *zerolog.Logger) {
-	log.Info().Msgf("Version %s", bi.CloudflaredVersion)
+	log.Info().Msgf("Version %s (Checksum %s)", bi.CloudflaredVersion, bi.Checksum)
 	if bi.BuildType != "" {
 		log.Info().Msgf("Built%s", bi.GetBuildTypeMsg())
 	}
@@ -51,3 +56,28 @@ func (bi *BuildInfo) GetBuildTypeMsg() string {
 func (bi *BuildInfo) UserAgent() string {
 	return fmt.Sprintf("cloudflared/%s", bi.CloudflaredVersion)
 }
+
+// FileChecksum opens a file and returns the SHA256 checksum.
+func FileChecksum(filePath string) (string, error) {
+	f, err := os.Open(filePath)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
+}
+
+func currentBinaryChecksum() string {
+	currentPath, err := os.Executable()
+	if err != nil {
+		return ""
+	}
+	sum, _ := FileChecksum(currentPath)
+	return sum
+}

cmd/cloudflared/cliutil/logger.go

@@ -4,7 +4,7 @@ import (
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 
-	"github.com/cloudflare/cloudflared/logger"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 )
 
 var (
@@ -15,14 +15,14 @@ var (
 func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogLevelFlag,
+			Name:    cfdflags.LogLevel,
 			Value:   "info",
 			Usage:   "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
 			EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogTransportLevelFlag,
+			Name:    cfdflags.TransportLogLevel,
 			Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
 			Value:   "info",
 			Usage:   "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@@ -30,19 +30,19 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogFileFlag,
+			Name:    cfdflags.LogFile,
 			Usage:   "Save application log to this file for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGFILE"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    logger.LogDirectoryFlag,
+			Name:    cfdflags.LogDirectory,
 			Usage:   "Save application log to this directory for reporting issues.",
 			EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "trace-output",
+			Name:    cfdflags.TraceOutput,
 			Usage:   "Name of trace output file, generated when cloudflared stops.",
 			EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
 			Hidden:  shouldHide,

cmd/cloudflared/flags/flags.go

@@ -0,0 +1,155 @@
+package flags
+
+const (
+	// HaConnections specifies how many connections to make to the edge
+	HaConnections = "ha-connections"
+
+	// SshPort is the port on localhost the cloudflared ssh server will run on
+	SshPort = "local-ssh-port"
+
+	// SshIdleTimeout defines the duration a SSH session can remain idle before being closed
+	SshIdleTimeout = "ssh-idle-timeout"
+
+	// SshMaxTimeout defines the max duration a SSH session can remain open for
+	SshMaxTimeout = "ssh-max-timeout"
+
+	// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader
+	SshLogUploaderBucketName = "bucket-name"
+
+	// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader
+	SshLogUploaderRegionName = "region-name"
+
+	// SshLogUploaderSecretID is the Secret id of SSH log uploader
+	SshLogUploaderSecretID = "secret-id"
+
+	// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader
+	SshLogUploaderAccessKeyID = "access-key-id"
+
+	// SshLogUploaderSessionTokenID is the Session token of SSH log uploader
+	SshLogUploaderSessionTokenID = "session-token"
+
+	// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
+	SshLogUploaderS3URL = "s3-url-host"
+
+	// HostKeyPath is the path of the dir to save SSH host keys too
+	HostKeyPath = "host-key-path"
+
+	// RpcTimeout is how long to wait for a Capnp RPC request to the edge
+	RpcTimeout = "rpc-timeout"
+
+	// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
+	WriteStreamTimeout = "write-stream-timeout"
+
+	// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
+	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
+	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
+	QuicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
+
+	// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
+	// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
+	// but it's blocked by flow control
+	QuicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
+
+	// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
+	// it will send a STREAM_DATA_BLOCKED frame
+	QuicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
+
+	// Ui is to enable launching cloudflared in interactive UI mode
+	Ui = "ui"
+
+	// ConnectorLabel is the command line flag to give a meaningful label to a specific connector
+	ConnectorLabel = "label"
+
+	// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time
+	MaxActiveFlows = "max-active-flows"
+
+	// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin
+	Tag = "tag"
+
+	// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge
+	Protocol = "protocol"
+
+	// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography
+	PostQuantum = "post-quantum"
+
+	// Features is the command line flag to opt into various features that are still being developed or tested
+	Features = "features"
+
+	// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with
+	EdgeIpVersion = "edge-ip-version"
+
+	// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge
+	EdgeBindAddress = "edge-bind-address"
+
+	// Force is the command line flag to specify if you wish to force an action
+	Force = "force"
+
+	// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment
+	Edge = "edge"
+
+	// Region is the command line flag to set the Cloudflare Edge region to connect to
+	Region = "region"
+
+	// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated
+	IsAutoUpdated = "is-autoupdated"
+
+	// LBPool is the command line flag to set the name of the load balancing pool to add this origin to
+	LBPool = "lb-pool"
+
+	// Retries is the command line flag to set the maximum number of retries for connection/protocol errors
+	Retries = "retries"
+
+	// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol
+	MaxEdgeAddrRetries = "max-edge-addr-retries"
+
+	// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests
+	GracePeriod = "grace-period"
+
+	// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages
+	ICMPV4Src = "icmpv4-src"
+
+	// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
+	ICMPV6Src = "icmpv6-src"
+
+	// ProxyDns is the command line flag to run DNS server over HTTPS
+	ProxyDns = "proxy-dns"
+
+	// Name is the command line to set the name of the tunnel
+	Name = "name"
+
+	// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates
+	AutoUpdateFreq = "autoupdate-freq"
+
+	// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates
+	NoAutoUpdate = "no-autoupdate"
+
+	// LogLevel is the command line flag for the cloudflared logging level
+	LogLevel = "loglevel"
+
+	// LogLevelSSH is the command line flag for the cloudflared ssh logging level
+	LogLevelSSH = "log-level"
+
+	// TransportLogLevel is the command line flag for the transport logging level
+	TransportLogLevel = "transport-loglevel"
+
+	// LogFile is the command line flag to define the file where application logs will be stored
+	LogFile = "logfile"
+
+	// LogDirectory is the command line flag to define the directory where application logs will be stored.
+	LogDirectory = "log-directory"
+
+	// TraceOutput is the command line flag to set the name of trace output file
+	TraceOutput = "trace-output"
+
+	// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared
+	OriginCert = "origincert"
+
+	// Metrics is the command line flag to define the address of the metrics server
+	Metrics = "metrics"
+
+	// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated
+	MetricsUpdateFreq = "metrics-update-freq"
+
+	// ApiURL is the command line flag used to define the base URL of the API
+	ApiURL = "api-url"
+)

cmd/cloudflared/generic_service.go

@@ -3,11 +3,38 @@
 package main
 
 import (
+	"fmt"
 	"os"
 
 	cli "github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
 func runApp(app *cli.App, graceShutdownC chan struct{}) {
+	app.Commands = append(app.Commands, &cli.Command{
+		Name:  "service",
+		Usage: "Manages the cloudflared system service (not supported on this operating system)",
+		Subcommands: []*cli.Command{
+			{
+				Name:   "install",
+				Usage:  "Install cloudflared as a system service (not supported on this operating system)",
+				Action: cliutil.ConfiguredAction(installGenericService),
+			},
+			{
+				Name:   "uninstall",
+				Usage:  "Uninstall the cloudflared service (not supported on this operating system)",
+				Action: cliutil.ConfiguredAction(uninstallGenericService),
+			},
+		},
+	})
 	app.Run(os.Args)
 }
+
+func installGenericService(c *cli.Context) error {
+	return fmt.Errorf("service installation is not supported on this operating system")
+}
+
+func uninstallGenericService(c *cli.Context) error {
+	return fmt.Errorf("service uninstallation is not supported on this operating system")
+}

cmd/cloudflared/macos_service.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"os"
 
+	homedir "github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 
@@ -17,7 +18,7 @@ const (
 	launchdIdentifier = "com.cloudflare.cloudflared"
 )
 
-func runApp(app *cli.App, graceShutdownC chan struct{}) {
+func runApp(app *cli.App, _ chan struct{}) {
 	app.Commands = append(app.Commands, &cli.Command{
 		Name:  "service",
 		Usage: "Manages the cloudflared launch agent",
@@ -119,7 +120,7 @@ func installLaunchd(c *cli.Context) error {
 		log.Info().Msg("Installing cloudflared client as an user launch agent. " +
 			"Note that cloudflared client will only run when the user is logged in. " +
 			"If you want to run cloudflared client at boot, install with root permission. " +
-			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
+			"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/")
 	}
 	etPath, err := os.Executable()
 	if err != nil {
@@ -207,3 +208,15 @@ func uninstallLaunchd(c *cli.Context) error {
 	}
 	return err
 }
+
+func userHomeDir() (string, error) {
+	// This returns the home dir of the executing user using OS-specific method
+	// for discovering the home dir. It's not recommended to call this function
+	// when the user has root permission as $HOME depends on what options the user
+	// use with sudo.
+	homeDir, err := homedir.Dir()
+	if err != nil {
+		return "", errors.Wrap(err, "Cannot determine home directory for the user")
+	}
+	return homeDir, nil
+}

cmd/cloudflared/main.go

@@ -2,19 +2,17 @@ package main
 
 import (
 	"fmt"
-	"math/rand"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/getsentry/sentry-go"
-	homedir "github.com/mitchellh/go-homedir"
-	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"go.uber.org/automaxprocs/maxprocs"
 
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/access"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
@@ -52,10 +50,8 @@ var (
 func main() {
 	// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
 	os.Setenv("QUIC_GO_DISABLE_ECN", "1")
-
-	rand.Seed(time.Now().UnixNano())
 	metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
-	maxprocs.Set()
+	_, _ = maxprocs.Set()
 	bInfo := cliutil.GetBuildInfo(BuildType, Version)
 
 	// Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
@@ -91,7 +87,7 @@ func main() {
 
 	tunnel.Init(bInfo, graceShutdownC) // we need this to support the tunnel sub command...
 	access.Init(graceShutdownC, Version)
-	updater.Init(Version)
+	updater.Init(bInfo)
 	tracing.Init(Version)
 	token.Init(Version)
 	tail.Init(bInfo)
@@ -110,7 +106,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
 					Usage: "specify if you wish to update to the latest beta version",
 				},
 				&cli.BoolFlag{
-					Name:   "force",
+					Name:   cfdflags.Force,
 					Usage:  "specify if you wish to force an upgrade to the latest version regardless of the current version",
 					Hidden: true,
 				},
@@ -184,18 +180,6 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
 	})
 }
 
-func userHomeDir() (string, error) {
-	// This returns the home dir of the executing user using OS-specific method
-	// for discovering the home dir. It's not recommended to call this function
-	// when the user has root permission as $HOME depends on what options the user
-	// use with sudo.
-	homeDir, err := homedir.Dir()
-	if err != nil {
-		return "", errors.Wrap(err, "Cannot determine home directory for the user")
-	}
-	return homeDir, nil
-}
-
 // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
 func captureError(err error) {
 	errorMessage := err.Error()

cmd/cloudflared/service_template.go

@@ -1,13 +1,13 @@
 package main
 
 import (
-	"bufio"
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
-	"path"
+	"path/filepath"
 	"text/template"
 
 	homedir "github.com/mitchellh/go-homedir"
@@ -44,7 +44,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		return err
 	}
 	if _, err = os.Stat(resolvedPath); err == nil {
-		return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
+		return errors.New(serviceAlreadyExistsWarn(resolvedPath))
 	}
 
 	var buffer bytes.Buffer
@@ -57,7 +57,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
 		fileMode = st.FileMode
 	}
 
-	plistFolder := path.Dir(resolvedPath)
+	plistFolder := filepath.Dir(resolvedPath)
 	err = os.MkdirAll(plistFolder, 0o755)
 	if err != nil {
 		return fmt.Errorf("error creating %s: %v", plistFolder, err)
@@ -118,49 +118,6 @@ func ensureConfigDirExists(configDir string) error {
 	return err
 }
 
-// openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
-func openFile(path string, create bool) (file *os.File, exists bool, err error) {
-	expandedPath, err := homedir.Expand(path)
-	if err != nil {
-		return nil, false, err
-	}
-	if create {
-		fileInfo, err := os.Stat(expandedPath)
-		if err == nil && fileInfo.Size() > 0 {
-			return nil, true, nil
-		}
-		file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
-	} else {
-		file, err = os.Open(expandedPath)
-	}
-	return file, false, err
-}
-
-func copyCredential(srcCredentialPath, destCredentialPath string) error {
-	destFile, exists, err := openFile(destCredentialPath, true)
-	if err != nil {
-		return err
-	} else if exists {
-		// credentials already exist, do nothing
-		return nil
-	}
-	defer destFile.Close()
-
-	srcFile, _, err := openFile(srcCredentialPath, false)
-	if err != nil {
-		return err
-	}
-	defer srcFile.Close()
-
-	// Copy certificate
-	_, err = io.Copy(destFile, srcFile)
-	if err != nil {
-		return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
-	}
-
-	return nil
-}
-
 func copyFile(src, dest string) error {
 	srcFile, err := os.Open(src)
 	if err != nil {
@@ -187,36 +144,3 @@ func copyFile(src, dest string) error {
 	ok = true
 	return nil
 }
-
-func copyConfig(srcConfigPath, destConfigPath string) error {
-	// Copy or create config
-	destFile, exists, err := openFile(destConfigPath, true)
-	if err != nil {
-		return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
-	} else if exists {
-		// config already exists, do nothing
-		return nil
-	}
-	defer destFile.Close()
-
-	srcFile, _, err := openFile(srcConfigPath, false)
-	if err != nil {
-		fmt.Println("Your service needs a config file that at least specifies the hostname option.")
-		fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
-		fmt.Print("Hostname: ")
-		reader := bufio.NewReader(os.Stdin)
-		input, _ := reader.ReadString('\n')
-		if input == "" {
-			return err
-		}
-		fmt.Fprintf(destFile, "hostname: %s\n", input)
-	} else {
-		defer srcFile.Close()
-		_, err = io.Copy(destFile, srcFile)
-		if err != nil {
-			return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
-		}
-	}
-
-	return nil
-}

cmd/cloudflared/tail/cmd.go

@@ -18,14 +18,12 @@ import (
 	"nhooyr.io/websocket"
 
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/credentials"
-	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
 )
 
-var (
-	buildInfo *cliutil.BuildInfo
-)
+var buildInfo *cliutil.BuildInfo
 
 func Init(bi *cliutil.BuildInfo) {
 	buildInfo = bi
@@ -56,7 +54,7 @@ func managementTokenCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
-	var tokenResponse = struct {
+	tokenResponse := struct {
 		Token string `json:"token"`
 	}{Token: token}
 
@@ -119,13 +117,13 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
 				Value:  "",
 			},
 			&cli.StringFlag{
-				Name:    logger.LogLevelFlag,
+				Name:    cfdflags.LogLevel,
 				Value:   "info",
 				Usage:   "Application logging level {debug, info, warn, error, fatal}",
 				EnvVars: []string{"TUNNEL_LOGLEVEL"},
 			},
 			&cli.StringFlag{
-				Name:    credentials.OriginCertFlag,
+				Name:    cfdflags.OriginCert,
 				Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 				EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 				Value:   credentials.FindDefaultOriginCertPath(),
@@ -169,7 +167,7 @@ func handleValidationError(resp *http.Response, log *zerolog.Logger) {
 // logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
 // management requests
 func createLogger(c *cli.Context) *zerolog.Logger {
-	level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
+	level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
 	if levelErr != nil {
 		level = zerolog.InfoLevel
 	}
@@ -183,9 +181,10 @@ func createLogger(c *cli.Context) *zerolog.Logger {
 // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
 func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 	var level *management.LogLevel
-	var events []management.LogEventType
 	var sample float64
 
+	events := make([]management.LogEventType, 0)
+
 	argLevel := c.String("level")
 	argEvents := c.StringSlice("event")
 	argSample := c.Float64("sample")
@@ -225,12 +224,12 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
 
 // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
 func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
-	userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
+	userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
 	if err != nil {
 		return "", err
 	}
 
-	client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
+	client, err := userCreds.Client(c.String(cfdflags.ApiURL), buildInfo.UserAgent(), log)
 	if err != nil {
 		return "", err
 	}
@@ -331,6 +330,7 @@ func Run(c *cli.Context) error {
 		header["cf-trace-id"] = []string{trace}
 	}
 	ctx := c.Context
+	// nolint: bodyclose
 	conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: header,
 	})

cmd/cloudflared/tunnel/cmd.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"path/filepath"
 	"runtime/trace"
 	"strings"
 	"sync"
@@ -15,7 +16,7 @@ import (
 	"github.com/facebookgo/grace/gracenet"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
@@ -23,13 +24,14 @@ import (
 
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
+	"github.com/cloudflare/cloudflared/diagnostic"
 	"github.com/cloudflare/cloudflared/edgediscovery"
-	"github.com/cloudflare/cloudflared/features"
 	"github.com/cloudflare/cloudflared/ingress"
 	"github.com/cloudflare/cloudflared/logger"
 	"github.com/cloudflare/cloudflared/management"
@@ -39,59 +41,13 @@ import (
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
 	"github.com/cloudflare/cloudflared/tunneldns"
+	"github.com/cloudflare/cloudflared/tunnelstate"
 	"github.com/cloudflare/cloudflared/validation"
 )
 
 const (
 	sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
 
-	// ha-Connections specifies how many connections to make to the edge
-	haConnectionsFlag = "ha-connections"
-
-	// sshPortFlag is the port on localhost the cloudflared ssh server will run on
-	sshPortFlag = "local-ssh-port"
-
-	// sshIdleTimeoutFlag defines the duration a SSH session can remain idle before being closed
-	sshIdleTimeoutFlag = "ssh-idle-timeout"
-
-	// sshMaxTimeoutFlag defines the max duration a SSH session can remain open for
-	sshMaxTimeoutFlag = "ssh-max-timeout"
-
-	// bucketNameFlag is the bucket name to use for the SSH log uploader
-	bucketNameFlag = "bucket-name"
-
-	// regionNameFlag is the AWS region name to use for the SSH log uploader
-	regionNameFlag = "region-name"
-
-	// secretIDFlag is the Secret id of SSH log uploader
-	secretIDFlag = "secret-id"
-
-	// accessKeyIDFlag is the Access key id of SSH log uploader
-	accessKeyIDFlag = "access-key-id"
-
-	// sessionTokenIDFlag is the Session token of SSH log uploader
-	sessionTokenIDFlag = "session-token"
-
-	// s3URLFlag is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
-	s3URLFlag = "s3-url-host"
-
-	// hostKeyPath is the path of the dir to save SSH host keys too
-	hostKeyPath = "host-key-path"
-
-	// udpUnregisterSessionTimeout is how long we wait before we stop trying to unregister a UDP session from the edge
-	udpUnregisterSessionTimeoutFlag = "udp-unregister-session-timeout"
-
-	// writeStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
-	writeStreamTimeout = "write-stream-timeout"
-
-	// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
-	// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
-	// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
-	quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
-
-	// uiFlag is to enable launching cloudflared in interactive UI mode
-	uiFlag = "ui"
-
 	LogFieldCommand             = "command"
 	LogFieldExpandedPath        = "expandedPath"
 	LogFieldPIDPathname         = "pidPathname"
@@ -106,7 +62,6 @@ Eg. cloudflared tunnel --url localhost:8080/.
 Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
 For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
 `
-	connectorLabelFlag = "label"
 )
 
 var (
@@ -116,7 +71,96 @@ var (
 	routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
 		"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
 		"any existing DNS records for this hostname.", overwriteDNSFlag)
-	deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
+	errDeprecatedClassicTunnel = errors.New("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
+	// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information
+	// however this approach is not maintainble in the long-term.
+	nonSecretFlagsList = []string{
+		"config",
+		cfdflags.AutoUpdateFreq,
+		cfdflags.NoAutoUpdate,
+		cfdflags.Metrics,
+		"pidfile",
+		"url",
+		"hello-world",
+		"socks5",
+		"proxy-connect-timeout",
+		"proxy-tls-timeout",
+		"proxy-tcp-keepalive",
+		"proxy-no-happy-eyeballs",
+		"proxy-keepalive-connections",
+		"proxy-keepalive-timeout",
+		"proxy-connection-timeout",
+		"proxy-expect-continue-timeout",
+		"http-host-header",
+		"origin-server-name",
+		"unix-socket",
+		"origin-ca-pool",
+		"no-tls-verify",
+		"no-chunked-encoding",
+		"http2-origin",
+		"management-hostname",
+		"service-op-ip",
+		"local-ssh-port",
+		"ssh-idle-timeout",
+		"ssh-max-timeout",
+		"bucket-name",
+		"region-name",
+		"s3-url-host",
+		"host-key-path",
+		"ssh-server",
+		"bastion",
+		"proxy-address",
+		"proxy-port",
+		cfdflags.LogLevel,
+		cfdflags.TransportLogLevel,
+		cfdflags.LogFile,
+		cfdflags.LogDirectory,
+		cfdflags.TraceOutput,
+		cfdflags.ProxyDns,
+		"proxy-dns-port",
+		"proxy-dns-address",
+		"proxy-dns-upstream",
+		"proxy-dns-max-upstream-conns",
+		"proxy-dns-bootstrap",
+		cfdflags.IsAutoUpdated,
+		cfdflags.Edge,
+		cfdflags.Region,
+		cfdflags.EdgeIpVersion,
+		cfdflags.EdgeBindAddress,
+		"cacert",
+		"hostname",
+		"id",
+		cfdflags.LBPool,
+		cfdflags.ApiURL,
+		cfdflags.MetricsUpdateFreq,
+		cfdflags.Tag,
+		"heartbeat-interval",
+		"heartbeat-count",
+		cfdflags.MaxEdgeAddrRetries,
+		cfdflags.Retries,
+		"ha-connections",
+		"rpc-timeout",
+		"write-stream-timeout",
+		"quic-disable-pmtu-discovery",
+		"quic-connection-level-flow-control-limit",
+		"quic-stream-level-flow-control-limit",
+		cfdflags.ConnectorLabel,
+		cfdflags.GracePeriod,
+		"compression-quality",
+		"use-reconnect-token",
+		"dial-edge-timeout",
+		"stdin-control",
+		cfdflags.Name,
+		cfdflags.Ui,
+		"quick-service",
+		"max-fetch-size",
+		cfdflags.PostQuantum,
+		"management-diagnostics",
+		cfdflags.Protocol,
+		"overwrite-dns",
+		"help",
+		cfdflags.MaxActiveFlows,
+	}
 )
 
 func Flags() []cli.Flag {
@@ -131,11 +175,13 @@ func Commands() []*cli.Command {
 		buildVirtualNetworkSubcommand(false),
 		buildRunCommand(),
 		buildListCommand(),
+		buildReadyCommand(),
 		buildInfoCommand(),
 		buildIngressSubcommand(),
 		buildDeleteCommand(),
 		buildCleanupCommand(),
 		buildTokenCommand(),
+		buildDiagCommand(),
 		// for compatibility, allow following as tunnel subcommands
 		proxydns.Command(true),
 		cliutil.RemovedCommand("db-connect"),
@@ -162,7 +208,7 @@ then protect with Cloudflare Access).
   B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
 those enrolled to a Zero Trust WARP Client.
 
-You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
+You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command
 later in each machine where you wish to run a Tunnel.
 
 Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@@ -198,7 +244,7 @@ func TunnelCommand(c *cli.Context) error {
 	// --name required
 	// --url or --hello-world required
 	// --hostname optional
-	if name := c.String("name"); name != "" {
+	if name := c.String(cfdflags.Name); name != "" {
 		hostname, err := validation.ValidateHostname(c.String("hostname"))
 		if err != nil {
 			return errors.Wrap(err, "Invalid hostname provided")
@@ -215,7 +261,7 @@ func TunnelCommand(c *cli.Context) error {
 	// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
 	// We don't support running proxy-dns and a quick tunnel at the same time as the same process
 	shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
-	if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
+	if !c.IsSet(cfdflags.ProxyDns) && c.String("quick-service") != "" && shouldRunQuickTunnel {
 		return RunQuickTunnel(sc)
 	}
 
@@ -226,10 +272,10 @@ func TunnelCommand(c *cli.Context) error {
 
 	// Classic tunnel usage is no longer supported
 	if c.String("hostname") != "" {
-		return deprecatedClassicTunnelErr
+		return errDeprecatedClassicTunnel
 	}
 
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		if shouldRunQuickTunnel {
 			return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
 		}
@@ -276,7 +322,7 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
 
 func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 	if hostname := c.String("hostname"); hostname != "" {
-		if lbPool := c.String("lb-pool"); lbPool != "" {
+		if lbPool := c.String(cfdflags.LBPool); lbPool != "" {
 			return cfapi.NewLBRoute(hostname, lbPool), true
 		}
 		return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
@@ -287,7 +333,7 @@ func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
 func StartServer(
 	c *cli.Context,
 	info *cliutil.BuildInfo,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 	log *zerolog.Logger,
 ) error {
 	err := sentry.Init(sentry.ClientOptions{
@@ -306,7 +352,7 @@ func StartServer(
 		log.Info().Msg(config.ErrNoConfigFile.Error())
 	}
 
-	if c.IsSet("trace-output") {
+	if c.IsSet(cfdflags.TraceOutput) {
 		tmpTraceFile, err := os.CreateTemp("", "trace")
 		if err != nil {
 			log.Err(err).Msg("Failed to create new temporary file to save trace output")
@@ -318,7 +364,7 @@ func StartServer(
 			if err := tmpTraceFile.Close(); err != nil {
 				traceLog.Err(err).Msg("Failed to close temporary trace output file")
 			}
-			traceOutputFilepath := c.String("trace-output")
+			traceOutputFilepath := c.String(cfdflags.TraceOutput)
 			if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {
 				traceLog.
 					Err(err).
@@ -348,7 +394,7 @@ func StartServer(
 
 	go waitForSignal(graceShutdownC, log)
 
-	if c.IsSet("proxy-dns") {
+	if c.IsSet(cfdflags.ProxyDns) {
 		dnsReadySignal := make(chan struct{})
 		wg.Add(1)
 		go func() {
@@ -370,7 +416,7 @@ func StartServer(
 	go func() {
 		defer wg.Done()
 		autoupdater := updater.NewAutoUpdater(
-			c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
+			c.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log,
 		)
 		errC <- autoupdater.Run(ctx)
 	}()
@@ -409,8 +455,11 @@ func StartServer(
 		}
 	}
 
-	internalRules := []ingress.Rule{}
-	if features.Contains(features.FeatureManagementLogs) {
+	// Disable ICMP packet routing for quick tunnels
+	if quickTunnelURL != "" {
+		tunnelConfig.ICMPRouterServer = nil
+	}
+
 	serviceIP := c.String("service-op-ip")
 	if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
 		if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
@@ -423,37 +472,59 @@ func StartServer(
 		c.Bool("management-diagnostics"),
 		serviceIP,
 		clientID,
-			c.String(connectorLabelFlag),
+		c.String(cfdflags.ConnectorLabel),
 		logger.ManagementLogger.Log,
 		logger.ManagementLogger,
 	)
-		internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
-	}
+	internalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)}
 	orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
 	if err != nil {
 		return err
 	}
 
-	metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
+	metricsListener, err := metrics.CreateMetricsListener(&listeners, c.String("metrics"))
 	if err != nil {
 		log.Err(err).Msg("Error opening metrics server listener")
 		return errors.Wrap(err, "Error opening metrics server listener")
 	}
+
 	defer metricsListener.Close()
 	wg.Add(1)
+
 	go func() {
 		defer wg.Done()
-		readinessServer := metrics.NewReadyServer(log, clientID)
-		observer.RegisterSink(readinessServer)
+		tracker := tunnelstate.NewConnTracker(log)
+		observer.RegisterSink(tracker)
+
+		ipv4, ipv6, err := determineICMPSources(c, log)
+		sources := make([]string, 0)
+		if err == nil {
+			sources = append(sources, ipv4.String())
+			sources = append(sources, ipv6.String())
+		}
+
+		readinessServer := metrics.NewReadyServer(clientID, tracker)
+		cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
+		diagnosticHandler := diagnostic.NewDiagnosticHandler(
+			log,
+			0,
+			diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
+			tunnelConfig.NamedTunnel.Credentials.TunnelID,
+			clientID,
+			tracker,
+			cliFlags,
+			sources,
+		)
 		metricsConfig := metrics.Config{
 			ReadyServer:         readinessServer,
+			DiagnosticHandler:   diagnosticHandler,
 			QuickTunnelHostname: quickTunnelURL,
 			Orchestrator:        orchestrator,
 		}
 		errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
 	}()
 
-	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
+	reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections))
 	if c.IsSet("stdin-control") {
 		log.Info().Msg("Enabling control through stdin")
 		go stdinControl(reconnectCh, log)
@@ -490,8 +561,10 @@ func waitToShutdown(wg *sync.WaitGroup,
 		log.Debug().Msg("Graceful shutdown signalled")
 		if gracePeriod > 0 {
 			// wait for either grace period or service termination
+			ticker := time.NewTicker(gracePeriod)
+			defer ticker.Stop()
 			select {
-			case <-time.Tick(gracePeriod):
+			case <-ticker.C:
 			case <-errC:
 			}
 		}
@@ -519,7 +592,7 @@ func waitToShutdown(wg *sync.WaitGroup,
 
 func notifySystemd(waitForSignal *signal.Signal) {
 	<-waitForSignal.Wait()
-	daemon.SdNotify(false, "READY=1")
+	_, _ = daemon.SdNotify(false, "READY=1")
 }
 
 func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {
@@ -571,31 +644,31 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 	flags = append(flags, []cli.Flag{
 		credentialsFileFlag,
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   "is-autoupdated",
+			Name:   cfdflags.IsAutoUpdated,
 			Usage:  "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
 			Value:  false,
 			Hidden: true,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "edge",
+			Name:    cfdflags.Edge,
 			Usage:   "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.",
 			EnvVars: []string{"TUNNEL_EDGE"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "region",
+			Name:    cfdflags.Region,
 			Usage:   "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
 			EnvVars: []string{"TUNNEL_REGION"},
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-ip-version",
+			Name:    cfdflags.EdgeIpVersion,
 			Usage:   "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
 			EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
 			Value:   "4",
 			Hidden:  false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "edge-bind-address",
+			Name:    cfdflags.EdgeBindAddress,
 			Usage:   "Bind to IP address for outgoing connections to Cloudflare Edge.",
 			EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
 			Hidden:  false,
@@ -619,7 +692,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "lb-pool",
+			Name:    cfdflags.LBPool,
 			Usage:   "The name of a (new/existing) load balancing pool to add this origin to.",
 			EnvVars: []string{"TUNNEL_LB_POOL"},
 			Hidden:  shouldHide,
@@ -643,24 +716,24 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "api-url",
+			Name:    cfdflags.ApiURL,
 			Usage:   "Base URL for Cloudflare API v4",
 			EnvVars: []string{"TUNNEL_API_URL"},
 			Value:   "https://api.cloudflare.com/client/v4",
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "metrics-update-freq",
+			Name:    cfdflags.MetricsUpdateFreq,
 			Usage:   "Frequency to update tunnel metrics",
 			Value:   time.Second * 5,
 			EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-			Name:    "tag",
-			Usage:   "Custom tags used to identify this tunnel, in format `KEY=VALUE`. Multiple tags may be specified",
+			Name:    cfdflags.Tag,
+			Usage:   "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
 			EnvVars: []string{"TUNNEL_TAG"},
-			Hidden:  shouldHide,
+			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
 			Name:   "heartbeat-interval",
@@ -676,50 +749,64 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden: true,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   "max-edge-addr-retries",
+			Name:   cfdflags.MaxEdgeAddrRetries,
 			Usage:  "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
 			Value:  8,
 			Hidden: true,
 		}),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:    "retries",
+			Name:    cfdflags.Retries,
 			Value:   5,
 			Usage:   "Maximum number of retries for connection/protocol errors.",
 			EnvVars: []string{"TUNNEL_RETRIES"},
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewIntFlag(&cli.IntFlag{
-			Name:   haConnectionsFlag,
+			Name:   cfdflags.HaConnections,
 			Value:  4,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   udpUnregisterSessionTimeoutFlag,
+			Name:   cfdflags.RpcTimeout,
 			Value:  5 * time.Second,
 			Hidden: true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    writeStreamTimeout,
+			Name:    cfdflags.WriteStreamTimeout,
 			EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
 			Usage:   "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
 			Value:   0 * time.Second,
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    quicDisablePathMTUDiscovery,
+			Name:    cfdflags.QuicDisablePathMTUDiscovery,
 			EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
 			Usage:   "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
 			Value:   false,
 			Hidden:  true,
 		}),
+		altsrc.NewIntFlag(&cli.IntFlag{
+			Name:    cfdflags.QuicConnLevelFlowControlLimit,
+			EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
+			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
+			Value:   30 * (1 << 20), // 30 MB
+			Hidden:  true,
+		}),
+		altsrc.NewIntFlag(&cli.IntFlag{
+			Name:    cfdflags.QuicStreamLevelFlowControlLimit,
+			EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
+			Usage:   "Use this option to change the connection-level flow control limit for QUIC transport.",
+			Value:   6 * (1 << 20), // 6 MB
+			Hidden:  true,
+		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:  connectorLabelFlag,
+			Name:  cfdflags.ConnectorLabel,
 			Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
 			Value: "",
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    "grace-period",
+			Name:    cfdflags.GracePeriod,
 			Usage:   "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
 			Value:   time.Second * 30,
 			EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
@@ -755,14 +842,14 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Value:   false,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "name",
+			Name:    cfdflags.Name,
 			Aliases: []string{"n"},
 			EnvVars: []string{"TUNNEL_NAME"},
 			Usage:   "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:   uiFlag,
+			Name:   cfdflags.Ui,
 			Usage:  "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
 			Value:  false,
 			Hidden: true,
@@ -780,11 +867,10 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
 			Hidden:  true,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "post-quantum",
+			Name:    cfdflags.PostQuantum,
 			Usage:   "When given creates an experimental post-quantum secure tunnel",
 			Aliases: []string{"pq"},
 			EnvVars: []string{"TUNNEL_POST_QUANTUM"},
-			Hidden:  FipsEnabled,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
 			Name:    "management-diagnostics",
@@ -809,29 +895,35 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
 			Hidden: shouldHide,
 		},
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    credentials.OriginCertFlag,
+			Name:    cfdflags.OriginCert,
 			Usage:   "Path to the certificate generated for your origin when you run cloudflared login.",
 			EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
 			Value:   credentials.FindDefaultOriginCertPath(),
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:   "autoupdate-freq",
+			Name:   cfdflags.AutoUpdateFreq,
 			Usage:  fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq),
 			Value:  updater.DefaultCheckUpdateFreq,
 			Hidden: shouldHide,
 		}),
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "no-autoupdate",
+			Name:    cfdflags.NoAutoUpdate,
 			Usage:   "Disable periodic check for updates, restarting the server with the new version.",
 			EnvVars: []string{"NO_AUTOUPDATE"},
 			Value:   false,
 			Hidden:  shouldHide,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    "metrics",
-			Value:   "localhost:",
-			Usage:   "Listen address for metrics reporting.",
+			Name:  cfdflags.Metrics,
+			Value: metrics.GetMetricsDefaultAddress(metrics.Runtime),
+			Usage: fmt.Sprintf(
+				`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.
+If all are unavailable, a random port will be used. Note that when running cloudflared from an virtual
+environment the default address binds to all interfaces, hence, it is important to isolate the host
+and virtualized host network stacks from each other`,
+				metrics.GetMetricsKnownAddresses(metrics.Runtime),
+			),
 			EnvVars: []string{"TUNNEL_METRICS"},
 			Hidden:  shouldHide,
 		}),
@@ -987,62 +1079,62 @@ func legacyTunnelFlag(msg string) string {
 func sshFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sshPortFlag,
+			Name:    cfdflags.SshPort,
 			Usage:   "Localhost port that cloudflared SSH server will run on",
 			Value:   "2222",
 			EnvVars: []string{"LOCAL_SSH_PORT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshIdleTimeoutFlag,
+			Name:    cfdflags.SshIdleTimeout,
 			Usage:   "Connection timeout after no activity",
 			EnvVars: []string{"SSH_IDLE_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewDurationFlag(&cli.DurationFlag{
-			Name:    sshMaxTimeoutFlag,
+			Name:    cfdflags.SshMaxTimeout,
 			Usage:   "Absolute connection timeout",
 			EnvVars: []string{"SSH_MAX_TIMEOUT"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    bucketNameFlag,
+			Name:    cfdflags.SshLogUploaderBucketName,
 			Usage:   "Bucket name of where to upload SSH logs",
 			EnvVars: []string{"BUCKET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    regionNameFlag,
+			Name:    cfdflags.SshLogUploaderRegionName,
 			Usage:   "Region name of where to upload SSH logs",
 			EnvVars: []string{"REGION_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    secretIDFlag,
+			Name:    cfdflags.SshLogUploaderSecretID,
 			Usage:   "Secret ID of where to upload SSH logs",
 			EnvVars: []string{"SECRET_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    accessKeyIDFlag,
+			Name:    cfdflags.SshLogUploaderAccessKeyID,
 			Usage:   "Access Key ID of where to upload SSH logs",
 			EnvVars: []string{"ACCESS_CLIENT_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    sessionTokenIDFlag,
+			Name:    cfdflags.SshLogUploaderSessionTokenID,
 			Usage:   "Session Token to use in the configuration of SSH logs uploading",
 			EnvVars: []string{"SESSION_TOKEN_ID"},
 			Hidden:  true,
 		}),
 		altsrc.NewStringFlag(&cli.StringFlag{
-			Name:    s3URLFlag,
+			Name:    cfdflags.SshLogUploaderS3URL,
 			Usage:   "S3 url of where to upload SSH logs",
 			EnvVars: []string{"S3_URL"},
 			Hidden:  true,
 		}),
 		altsrc.NewPathFlag(&cli.PathFlag{
-			Name:    hostKeyPath,
+			Name:    cfdflags.HostKeyPath,
 			Usage:   "Absolute path of directory to save SSH host keys in",
 			EnvVars: []string{"HOST_KEY_PATH"},
 			Hidden:  true,
@@ -1082,7 +1174,7 @@ func sshFlags(shouldHide bool) []cli.Flag {
 func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
 	return []cli.Flag{
 		altsrc.NewBoolFlag(&cli.BoolFlag{
-			Name:    "proxy-dns",
+			Name:    cfdflags.ProxyDns,
 			Usage:   "Run a DNS over HTTPS proxy server.",
 			EnvVars: []string{"TUNNEL_DNS"},
 			Hidden:  shouldHide,
@@ -1162,3 +1254,46 @@ reconnect [delay]
 		}
 	}
 }
+
+func nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {
+	flagsNames := cli.FlagNames()
+	flags := make(map[string]string, len(flagsNames))
+
+	for _, flag := range flagsNames {
+		value := cli.String(flag)
+
+		if value == "" {
+			continue
+		}
+
+		isIncluded := isFlagIncluded(flagInclusionList, flag)
+		if !isIncluded {
+			continue
+		}
+
+		switch flag {
+		case cfdflags.LogDirectory, cfdflags.LogFile:
+			{
+				absolute, err := filepath.Abs(value)
+				if err != nil {
+					log.Error().Err(err).Msgf("could not convert %s path to absolute", flag)
+				} else {
+					flags[flag] = absolute
+				}
+			}
+		default:
+			flags[flag] = value
+		}
+	}
+	return flags
+}
+
+func isFlagIncluded(flagInclusionList []string, flag string) bool {
+	for _, include := range flagInclusionList {
+		if include == flag {
+			return true
+		}
+	}
+
+	return false
+}

cmd/cloudflared/tunnel/config_test.go

@@ -1,15 +0,0 @@
-package tunnel
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/cloudflare/cloudflared/features"
-)
-
-func TestDedup(t *testing.T) {
-	expected := []string{"a", "b"}
-	actual := features.Dedup([]string{"a", "b", "a"})
-	require.ElementsMatch(t, expected, actual)
-}

cmd/cloudflared/tunnel/configuration.go

@@ -18,6 +18,7 @@ import (
 	"golang.org/x/term"
 
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
@@ -27,33 +28,34 @@ import (
 	"github.com/cloudflare/cloudflared/orchestration"
 	"github.com/cloudflare/cloudflared/supervisor"
 	"github.com/cloudflare/cloudflared/tlsconfig"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
+	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
-	developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
-	serviceUrl      = developerPortal + "/tunnel-guide/local/as-a-service/"
-	argumentsUrl    = developerPortal + "/tunnel-guide/local/local-management/arguments/"
-
 	secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
 
-	configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
+	configFlags = []string{
+		flags.AutoUpdateFreq,
+		flags.NoAutoUpdate,
+		flags.Retries,
+		flags.Protocol,
+		flags.LogLevel,
+		flags.TransportLogLevel,
+		flags.OriginCert,
+		flags.Metrics,
+		flags.MetricsUpdateFreq,
+		flags.EdgeIpVersion,
+		flags.EdgeBindAddress,
+		flags.MaxActiveFlows,
+	}
 )
 
-func generateRandomClientID(log *zerolog.Logger) (string, error) {
-	u, err := uuid.NewRandom()
-	if err != nil {
-		log.Error().Msgf("couldn't create UUID for client ID %s", err)
-		return "", err
-	}
-	return u.String(), nil
-}
-
 func logClientOptions(c *cli.Context, log *zerolog.Logger) {
 	flags := make(map[string]interface{})
 	for _, flag := range c.FlagNames() {
@@ -108,9 +110,9 @@ func isSecretEnvVar(key string) bool {
 	return false
 }
 
-func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.NamedTunnelProperties) bool {
-	return c.IsSet("proxy-dns") &&
-		!(c.IsSet("name") || // adhoc-named tunnel
+func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
+	return c.IsSet(flags.ProxyDns) &&
+		!(c.IsSet(flags.Name) || // adhoc-named tunnel
 			c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
 			namedTunnel != nil) // named tunnel
 }
@@ -121,36 +123,28 @@ func prepareTunnelConfig(
 	info *cliutil.BuildInfo,
 	log, logTransport *zerolog.Logger,
 	observer *connection.Observer,
-	namedTunnel *connection.NamedTunnelProperties,
+	namedTunnel *connection.TunnelProperties,
 ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
 	clientID, err := uuid.NewRandom()
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "can't generate connector UUID")
 	}
 	log.Info().Msgf("Generated Connector ID: %s", clientID)
-	tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
+	tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
 	if err != nil {
 		log.Err(err).Msg("Tag parse failure")
 		return nil, nil, errors.Wrap(err, "Tag parse failure")
 	}
-	tags = append(tags, tunnelpogs.Tag{Name: "ID", Value: clientID.String()})
+	tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
 
-	transportProtocol := c.String("protocol")
+	transportProtocol := c.String(flags.Protocol)
+	isPostQuantumEnforced := c.Bool(flags.PostQuantum)
 
-	clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
-
-	staticFeatures := features.StaticFeatures{}
-	if c.Bool("post-quantum") {
-		if FipsEnabled {
-			return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
-		}
-		pqMode := features.PostQuantumStrict
-		staticFeatures.PostQuantumMode = &pqMode
-	}
-	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
+	featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), c.Bool(flags.PostQuantum), log)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "Failed to create feature selector")
 	}
+	clientFeatures := featureSelector.ClientFeatures()
 	pqMode := featureSelector.PostQuantumMode()
 	if pqMode == features.PostQuantumStrict {
 		// Error if the user tries to force a non-quic transport protocol
@@ -158,15 +152,9 @@ func prepareTunnelConfig(
 			return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
 		}
 		transportProtocol = connection.QUIC.String()
-		clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
-
-		log.Info().Msgf(
-			"Using hybrid post-quantum key agreement %s",
-			supervisor.PQKexName,
-		)
 	}
 
-	namedTunnel.Client = tunnelpogs.ClientInfo{
+	namedTunnel.Client = pogs.ClientInfo{
 		ClientID: clientID[:],
 		Features: clientFeatures,
 		Version:  info.Version(),
@@ -178,7 +166,7 @@ func prepareTunnelConfig(
 		return nil, nil, err
 	}
 
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -204,11 +192,11 @@ func prepareTunnelConfig(
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
+	edgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion))
 	if err != nil {
 		return nil, nil, err
 	}
-	edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
+	edgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress))
 	if err != nil {
 		return nil, nil, err
 	}
@@ -221,46 +209,62 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 
+	region := c.String(flags.Region)
+	endpoint := namedTunnel.Credentials.Endpoint
+	var resolvedRegion string
+	// set resolvedRegion to either the region passed as argument
+	// or to the endpoint in the credentials.
+	// Region and endpoint are interchangeable
+	if region != "" && endpoint != "" {
+		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
+	} else if region != "" {
+		resolvedRegion = region
+	} else if endpoint != "" {
+		resolvedRegion = endpoint
+	}
+
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod:     gracePeriod,
-		ReplaceExisting: c.Bool("force"),
+		ReplaceExisting: c.Bool(flags.Force),
 		OSArch:          info.OSArch(),
 		ClientID:        clientID.String(),
-		EdgeAddrs:       c.StringSlice("edge"),
-		Region:          c.String("region"),
+		EdgeAddrs:       c.StringSlice(flags.Edge),
+		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
-		HAConnections:   c.Int(haConnectionsFlag),
-		IsAutoupdated:   c.Bool("is-autoupdated"),
-		LBPool:          c.String("lb-pool"),
+		HAConnections:   c.Int(flags.HaConnections),
+		IsAutoupdated:   c.Bool(flags.IsAutoUpdated),
+		LBPool:          c.String(flags.LBPool),
 		Tags:            tags,
 		Log:             log,
 		LogTransport:    logTransport,
 		Observer:        observer,
 		ReportedVersion: info.Version(),
 		// Note TUN-3758 , we use Int because UInt is not supported with altsrc
-		Retries:                     uint(c.Int("retries")),
+		Retries:                             uint(c.Int(flags.Retries)), // nolint: gosec
 		RunFromTerminal:                     isRunningFromTerminal(),
 		NamedTunnel:                         namedTunnel,
 		ProtocolSelector:                    protocolSelector,
 		EdgeTLSConfigs:                      edgeTLSConfigs,
 		FeatureSelector:                     featureSelector,
-		MaxEdgeAddrRetries:          uint8(c.Int("max-edge-addr-retries")),
-		UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),
-		WriteStreamTimeout:          c.Duration(writeStreamTimeout),
-		DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
+		MaxEdgeAddrRetries:                  uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec
+		RPCTimeout:                          c.Duration(flags.RpcTimeout),
+		WriteStreamTimeout:                  c.Duration(flags.WriteStreamTimeout),
+		DisableQUICPathMTUDiscovery:         c.Bool(flags.QuicDisablePathMTUDiscovery),
+		QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit),
+		QUICStreamLevelFlowControlLimit:     c.Uint64(flags.QuicStreamLevelFlowControlLimit),
 	}
-	packetConfig, err := newPacketConfig(c, log)
+	icmpRouter, err := newICMPRouter(c, log)
 	if err != nil {
 		log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
 	} else {
-		tunnelConfig.PacketConfig = packetConfig
+		tunnelConfig.ICMPRouterServer = icmpRouter
 	}
 	orchestratorConfig := &orchestration.Config{
 		Ingress:            &ingressRules,
 		WarpRouting:        ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
 		ConfigurationFlags: parseConfigFlags(c),
-		WriteTimeout:       c.Duration(writeStreamTimeout),
+		WriteTimeout:       tunnelConfig.WriteStreamTimeout,
 	}
 	return tunnelConfig, orchestratorConfig, nil
 }
@@ -278,9 +282,9 @@ func parseConfigFlags(c *cli.Context) map[string]string {
 }
 
 func gracePeriod(c *cli.Context) (time.Duration, error) {
-	period := c.Duration("grace-period")
+	period := c.Duration(flags.GracePeriod)
 	if period > connection.MaxGracePeriod {
-		return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
+		return time.Duration(0), fmt.Errorf("%s must be equal or less than %v", flags.GracePeriod, connection.MaxGracePeriod)
 	}
 	return period, nil
 }
@@ -349,33 +353,39 @@ func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.I
 	}
 }
 
-func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
-	ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
+func newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) {
+	ipv4Src, ipv6Src, err := determineICMPSources(c, logger)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
+		return nil, err
 	}
+
+	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return icmpRouter, nil
+}
+
+func determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {
+	ipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)
+	if err != nil {
+		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
+	}
+
 	logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
 
-	ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
+	ipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
+		return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
 	}
+
 	if zone != "" {
 		logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
 	} else {
 		logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
 	}
 
-	icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
-	if err != nil {
-		return nil, err
-	}
-	return &ingress.GlobalRouterConfig{
-		ICMPRouter: icmpRouter,
-		IPv4Src:    ipv4Src,
-		IPv6Src:    ipv6Src,
-		Zone:       zone,
-	}, nil
+	return ipv4Src, ipv6Src, nil
 }
 
 func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
@@ -405,13 +415,12 @@ type interfaceIP struct {
 
 func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
 	if userDefinedSrc != "" {
-		userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
-		addr, err := netip.ParseAddr(userDefinedIP)
+		addr, err := netip.ParseAddr(userDefinedSrc)
 		if err != nil {
 			return netip.Addr{}, "", err
 		}
 		if addr.Is6() {
-			return addr, zone, nil
+			return addr, addr.Zone(), nil
 		}
 		return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
 	}

cmd/cloudflared/tunnel/credential_finder.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"path/filepath"
 
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/credentials"
 
@@ -57,7 +58,7 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
 }
 
 func (s searchByID) Path() (string, error) {
-	originCertPath := s.c.String(credentials.OriginCertFlag)
+	originCertPath := s.c.String(cfdflags.OriginCert)
 	originCertLog := s.log.With().
 		Str("originCertPath", originCertPath).
 		Logger()

cmd/cloudflared/tunnel/fips.go

@@ -1,3 +0,0 @@
-package tunnel
-
-var FipsEnabled bool

cmd/cloudflared/tunnel/login.go

@@ -20,7 +20,31 @@ import (
 
 const (
 	baseLoginURL = "https://dash.cloudflare.com/argotunnel"
-	callbackStoreURL = "https://login.cloudflareaccess.org/"
+	callbackURL  = "https://login.cloudflareaccess.org/"
+	// For now these are the same but will change in the future once we know which URLs to use (TUN-8872)
+	fedBaseLoginURL      = "https://dash.cloudflare.com/argotunnel"
+	fedCallbackStoreURL  = "https://login.cloudflareaccess.org/"
+	fedRAMPParamName     = "fedramp"
+	loginURLParamName    = "loginURL"
+	callbackURLParamName = "callbackURL"
+)
+
+var (
+	loginURL = &cli.StringFlag{
+		Name:  loginURLParamName,
+		Value: baseLoginURL,
+		Usage: "The URL used to login (default is https://dash.cloudflare.com/argotunnel)",
+	}
+	callbackStore = &cli.StringFlag{
+		Name:  callbackURLParamName,
+		Value: callbackURL,
+		Usage: "The URL used for the callback (default is https://login.cloudflareaccess.org/)",
+	}
+	fedramp = &cli.BoolFlag{
+		Name:    fedRAMPParamName,
+		Aliases: []string{"f"},
+		Usage:   "Login with FedRAMP High environment.",
+	}
 )
 
 func buildLoginSubcommand(hidden bool) *cli.Command {
@@ -30,6 +54,11 @@ func buildLoginSubcommand(hidden bool) *cli.Command {
 		Usage:     "Generate a configuration file with your login details",
 		ArgsUsage: " ",
 		Hidden:    hidden,
+		Flags: []cli.Flag{
+			loginURL,
+			callbackStore,
+			fedramp,
+		},
 	}
 }
 
@@ -38,15 +67,25 @@ func login(c *cli.Context) error {
 
 	path, ok, err := checkForExistingCert()
 	if ok {
-		fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
+		log.Error().Err(err).Msgf("You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
 		return nil
 	} else if err != nil {
 		return err
 	}
 
-	loginURL, err := url.Parse(baseLoginURL)
+	var (
+		baseloginURL     = c.String(loginURLParamName)
+		callbackStoreURL = c.String(callbackURLParamName)
+	)
+
+	isFEDRamp := c.Bool(fedRAMPParamName)
+	if isFEDRamp {
+		baseloginURL = fedBaseLoginURL
+		callbackStoreURL = fedCallbackStoreURL
+	}
+
+	loginURL, err := url.Parse(baseloginURL)
 	if err != nil {
-		// shouldn't happen, URL is hardcoded
 		return err
 	}
 
@@ -61,7 +100,23 @@ func login(c *cli.Context) error {
 		log,
 	)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
+		log.Error().Err(err).Msgf("Failed to write the certificate.\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", path)
+		return err
+	}
+
+	cert, err := credentials.DecodeOriginCert(resourceData)
+	if err != nil {
+		log.Error().Err(err).Msg("failed to decode origin certificate")
+		return err
+	}
+
+	if isFEDRamp {
+		cert.Endpoint = credentials.FedEndpoint
+	}
+
+	resourceData, err = cert.EncodeOriginCert()
+	if err != nil {
+		log.Error().Err(err).Msg("failed to encode origin certificate")
 		return err
 	}
 
@@ -69,7 +124,7 @@ func login(c *cli.Context) error {
 		return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
 	}
 
-	fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
+	log.Info().Msgf("You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
 	return nil
 }
 

cmd/cloudflared/tunnel/quick_tunnel.go

@@ -3,6 +3,7 @@ package tunnel
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 	"time"
@@ -10,15 +11,13 @@ import (
 	"github.com/google/uuid"
 	"github.com/pkg/errors"
 
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 )
 
 const httpTimeout = 15 * time.Second
 
-const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to" +
-	" experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee. If you " +
-	"intend to use Tunnels in production you should use a pre-created named tunnel by following: " +
-	"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
+const disclaimer = "Thank you for trying Cloudflare Tunnel. Doing so, without a Cloudflare account, is a quick way to experiment and try it out. However, be aware that these account-less Tunnels have no uptime guarantee, are subject to the Cloudflare Online Services Terms of Use (https://www.cloudflare.com/website-terms/), and Cloudflare reserves the right to investigate your use of Tunnels for violations of such terms. If you intend to use Tunnels in production you should use a pre-created named tunnel by following: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps"
 
 // RunQuickTunnel requests a tunnel from the specified service.
 // We use this to power quick tunnels on trycloudflare.com, but the
@@ -35,14 +34,29 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		Timeout: httpTimeout,
 	}
 
-	resp, err := client.Post(fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), "application/json", nil)
+	req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/tunnel", sc.c.String("quick-service")), nil)
+	if err != nil {
+		return errors.Wrap(err, "failed to build quick tunnel request")
+	}
+	req.Header.Add("Content-Type", "application/json")
+	req.Header.Add("User-Agent", buildInfo.UserAgent())
+	resp, err := client.Do(req)
 	if err != nil {
 		return errors.Wrap(err, "failed to request quick Tunnel")
 	}
 	defer resp.Body.Close()
 
+	// This will read the entire response into memory so we can print it in case of error
+	rsp_body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return errors.Wrap(err, "failed to read quick-tunnel response")
+	}
+
 	var data QuickTunnelResponse
-	if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
+	if err := json.Unmarshal(rsp_body, &data); err != nil {
+		rsp_string := string(rsp_body)
+		fields := map[string]interface{}{"status_code": resp.Status}
+		sc.log.Err(err).Fields(fields).Msgf("Error unmarshaling QuickTunnel response: %s", rsp_string)
 		return errors.Wrap(err, "failed to unmarshal quick Tunnel")
 	}
 
@@ -69,17 +83,17 @@ func RunQuickTunnel(sc *subcommandContext) error {
 		sc.log.Info().Msg(line)
 	}
 
-	if !sc.c.IsSet("protocol") {
-		sc.c.Set("protocol", "quic")
+	if !sc.c.IsSet(flags.Protocol) {
+		_ = sc.c.Set(flags.Protocol, "quic")
 	}
 
 	// Override the number of connections used. Quick tunnels shouldn't be used for production usage,
 	// so, use a single connection instead.
-	sc.c.Set(haConnectionsFlag, "1")
+	_ = sc.c.Set(flags.HaConnections, "1")
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
+		&connection.TunnelProperties{Credentials: credentials, QuickTunnelUrl: data.Result.Hostname},
 		sc.log,
 	)
 }

cmd/cloudflared/tunnel/subcommand_context.go

@@ -9,22 +9,26 @@ import (
 	"strings"
 
 	"github.com/google/uuid"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/urfave/cli/v2"
 
 	"github.com/cloudflare/cloudflared/cfapi"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/credentials"
 	"github.com/cloudflare/cloudflared/logger"
 )
 
-type errInvalidJSONCredential struct {
+const fedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
+
+type invalidJSONCredentialError struct {
 	err  error
 	path string
 }
 
-func (e errInvalidJSONCredential) Error() string {
+func (e invalidJSONCredentialError) Error() string {
 	return "Invalid JSON when parsing tunnel credentials file"
 }
 
@@ -51,8 +55,13 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
 // Returns something that can find the given tunnel's credentials file.
 func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
 	if path := sc.c.String(CredFileFlag); path != "" {
+		// Expand path if CredFileFlag contains `~`
+		absPath, err := homedir.Expand(path)
+		if err != nil {
 			return newStaticPath(path, sc.fs)
 		}
+		return newStaticPath(absPath, sc.fs)
+	}
 	return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
 }
 
@@ -64,7 +73,16 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 	if err != nil {
 		return nil, err
 	}
-	sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
+
+	var apiURL string
+	if cred.IsFEDEndpoint() {
+		sc.log.Info().Str("api-url", fedRampBaseApiURL).Msg("using fedramp base api")
+		apiURL = fedRampBaseApiURL
+	} else {
+		apiURL = sc.c.String(cfdflags.ApiURL)
+	}
+
+	sc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +91,7 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
 
 func (sc *subcommandContext) credential() (*credentials.User, error) {
 	if sc.userCredential == nil {
-		uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
+		uc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log)
 		if err != nil {
 			return nil, err
 		}
@@ -94,13 +112,13 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
 
 	var credentials connection.Credentials
 	if err = json.Unmarshal(body, &credentials); err != nil {
-		if strings.HasSuffix(filePath, ".pem") {
+		if filepath.Ext(filePath) == ".pem" {
 			return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
 				"The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
 				"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
 				"login`.")
 		}
-		return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
+		return connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err}
 	}
 	return credentials, nil
 }
@@ -122,7 +140,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 		if err != nil {
 			return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
 		}
-		tunnelSecret = []byte(decodedSecret)
+		tunnelSecret = decodedSecret
 		if len(tunnelSecret) < 32 {
 			return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
 		}
@@ -160,7 +178,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
 			errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
 			errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
 		} else {
-			errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
+			errorLines = append(errorLines, "The tunnel was deleted, because the tunnel can't be run without the credentials file")
 		}
 		errorMsg := strings.Join(errorLines, "\n")
 		return nil, errors.New(errorMsg)
@@ -189,7 +207,7 @@ func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel,
 }
 
 func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
-	forceFlagSet := sc.c.Bool("force")
+	forceFlagSet := sc.c.Bool(cfdflags.Force)
 
 	client, err := sc.client()
 	if err != nil {
@@ -229,7 +247,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 	var err error
 	if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
 		if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
-			err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
+			err = invalidJSONCredentialError{path: "TUNNEL_CRED_CONTENTS", err: err}
 		}
 	} else {
 		credFinder := sc.credentialFinder(tunnelID)
@@ -245,7 +263,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
 func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
 	credentials, err := sc.findCredentials(tunnelID)
 	if err != nil {
-		if e, ok := err.(errInvalidJSONCredential); ok {
+		if e, ok := err.(invalidJSONCredentialError); ok {
 			sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
 			sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
 		}
@@ -261,7 +279,7 @@ func (sc *subcommandContext) runWithCredentials(credentials connection.Credentia
 	return StartServer(
 		sc.c,
 		buildInfo,
-		&connection.NamedTunnelProperties{Credentials: credentials},
+		&connection.TunnelProperties{Credentials: credentials},
 		sc.log,
 	)
 }

cmd/cloudflared/tunnel/subcommands.go

@@ -5,6 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -14,18 +16,22 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	homedir "github.com/mitchellh/go-homedir"
+	"github.com/mitchellh/go-homedir"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"github.com/urfave/cli/v2/altsrc"
 	"golang.org/x/net/idna"
-	yaml "gopkg.in/yaml.v3"
+	"gopkg.in/yaml.v3"
 
 	"github.com/cloudflare/cloudflared/cfapi"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/connection"
+	"github.com/cloudflare/cloudflared/diagnostic"
+	"github.com/cloudflare/cloudflared/fips"
+	"github.com/cloudflare/cloudflared/metrics"
 )
 
 const (
@@ -35,7 +41,15 @@ const (
 	CredFileFlag            = "credentials-file"
 	CredContentsFlag        = "credentials-contents"
 	TunnelTokenFlag         = "token"
+	TunnelTokenFileFlag     = "token-file"
 	overwriteDNSFlagName    = "overwrite-dns"
+	noDiagLogsFlagName      = "no-diag-logs"
+	noDiagMetricsFlagName   = "no-diag-metrics"
+	noDiagSystemFlagName    = "no-diag-system"
+	noDiagRuntimeFlagName   = "no-diag-runtime"
+	noDiagNetworkFlagName   = "no-diag-network"
+	diagContainerIDFlagName = "diag-container-id"
+	diagPodFlagName         = "diag-pod-id"
 
 	LogFieldTunnelID = "tunnelID"
 )
@@ -47,7 +61,7 @@ var (
 		Usage:   "Include deleted tunnels in the list",
 	}
 	listNameFlag = &cli.StringFlag{
-		Name:    "name",
+		Name:    flags.Name,
 		Aliases: []string{"n"},
 		Usage:   "List tunnels with the given `NAME`",
 	}
@@ -95,7 +109,7 @@ var (
 		EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
 	}
 	featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
-		Name:    "features",
+		Name:    flags.Features,
 		Aliases: []string{"F"},
 		Usage:   "Opt into various features that are still being developed or tested.",
 	})
@@ -113,18 +127,23 @@ var (
 	})
 	tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
 		Name:    TunnelTokenFlag,
-		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence.",
+		Usage:   "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file",
 		EnvVars: []string{"TUNNEL_TOKEN"},
 	})
+	tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
+		Name:    TunnelTokenFileFlag,
+		Usage:   "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
+		EnvVars: []string{"TUNNEL_TOKEN_FILE"},
+	})
 	forceDeleteFlag = &cli.BoolFlag{
-		Name:    "force",
+		Name:    flags.Force,
 		Aliases: []string{"f"},
 		Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
 			" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
 		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
 	}
 	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
-		Name:    "protocol",
+		Name:    flags.Protocol,
 		Value:   connection.AutoSelectFlag,
 		Aliases: []string{"p"},
 		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
@@ -132,11 +151,11 @@ var (
 		Hidden:  true,
 	})
 	postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
-		Name:    "post-quantum",
+		Name:    flags.PostQuantum,
 		Usage:   "When given creates an experimental post-quantum secure tunnel",
 		Aliases: []string{"pq"},
 		EnvVars: []string{"TUNNEL_POST_QUANTUM"},
-		Hidden:  FipsEnabled,
+		Hidden:  fips.IsFipsEnabled(),
 	})
 	sortInfoByFlag = &cli.StringFlag{
 		Name:    "sort-by",
@@ -168,15 +187,60 @@ var (
 		EnvVars: []string{"TUNNEL_CREATE_SECRET"},
 	}
 	icmpv4SrcFlag = &cli.StringFlag{
-		Name:    "icmpv4-src",
+		Name:    flags.ICMPV4Src,
 		Usage:   "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
 		EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
 	}
 	icmpv6SrcFlag = &cli.StringFlag{
-		Name:    "icmpv6-src",
+		Name:    flags.ICMPV6Src,
 		Usage:   "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
 		EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
 	}
+	metricsFlag = &cli.StringFlag{
+		Name:  flags.Metrics,
+		Usage: "The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.",
+		Value: "",
+	}
+	diagContainerFlag = &cli.StringFlag{
+		Name:  diagContainerIDFlagName,
+		Usage: "Container ID or Name to collect logs from",
+		Value: "",
+	}
+	diagPodFlag = &cli.StringFlag{
+		Name:  diagPodFlagName,
+		Usage: "Kubernetes POD to collect logs from",
+		Value: "",
+	}
+	noDiagLogsFlag = &cli.BoolFlag{
+		Name:  noDiagLogsFlagName,
+		Usage: "Log collection will not be performed",
+		Value: false,
+	}
+	noDiagMetricsFlag = &cli.BoolFlag{
+		Name:  noDiagMetricsFlagName,
+		Usage: "Metric collection will not be performed",
+		Value: false,
+	}
+	noDiagSystemFlag = &cli.BoolFlag{
+		Name:  noDiagSystemFlagName,
+		Usage: "System information collection will not be performed",
+		Value: false,
+	}
+	noDiagRuntimeFlag = &cli.BoolFlag{
+		Name:  noDiagRuntimeFlagName,
+		Usage: "Runtime information collection will not be performed",
+		Value: false,
+	}
+	noDiagNetworkFlag = &cli.BoolFlag{
+		Name:  noDiagNetworkFlagName,
+		Usage: "Network diagnostics won't be performed",
+		Value: false,
+	}
+	maxActiveFlowsFlag = &cli.Uint64Flag{
+		Name:    flags.MaxActiveFlows,
+		Usage:   "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
+		EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
+	}
 )
 
 func buildCreateCommand() *cli.Command {
@@ -279,7 +343,7 @@ func listCommand(c *cli.Context) error {
 	if !c.Bool("show-deleted") {
 		filter.NoDeleted()
 	}
-	if name := c.String("name"); name != "" {
+	if name := c.String(flags.Name); name != "" {
 		filter.ByName(name)
 	}
 	if namePrefix := c.String("name-prefix"); namePrefix != "" {
@@ -373,7 +437,6 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
 }
 
 func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
-
 	// Count connections per colo
 	numConnsPerColo := make(map[string]uint, len(connections))
 	for _, connection := range connections {
@@ -390,13 +453,51 @@ func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected boo
 	sort.Strings(sortedColos)
 
 	// Map each colo to its frequency, combine into output string.
-	var output []string
+	output := make([]string, 0, len(sortedColos))
 	for _, coloName := range sortedColos {
 		output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
 	}
 	return strings.Join(output, ", ")
 }
 
+func buildReadyCommand() *cli.Command {
+	return &cli.Command{
+		Name:               "ready",
+		Action:             cliutil.ConfiguredAction(readyCommand),
+		Usage:              "Call /ready endpoint and return proper exit code",
+		UsageText:          "cloudflared tunnel [tunnel command options] ready [subcommand options]",
+		Description:        "cloudflared tunnel ready will return proper exit code based on the /ready endpoint",
+		Flags:              []cli.Flag{},
+		CustomHelpTemplate: commandHelpTemplate(),
+	}
+}
+
+func readyCommand(c *cli.Context) error {
+	metricsOpts := c.String(flags.Metrics)
+	if !c.IsSet(flags.Metrics) {
+		return errors.New("--metrics has to be provided")
+	}
+
+	requestURL := fmt.Sprintf("http://%s/ready", metricsOpts)
+	req, err := http.NewRequest(http.MethodGet, requestURL, nil)
+	if err != nil {
+		return err
+	}
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != 200 {
+		body, err := io.ReadAll(res.Body)
+		if err != nil {
+			return err
+		}
+		return fmt.Errorf("http://%s/ready endpoint returned status code %d\n%s", metricsOpts, res.StatusCode, body)
+	}
+	return nil
+}
+
 func buildInfoCommand() *cli.Command {
 	return &cli.Command{
 		Name:        "info",
@@ -613,8 +714,10 @@ func buildRunCommand() *cli.Command {
 		selectProtocolFlag,
 		featuresFlag,
 		tunnelTokenFlag,
+		tunnelTokenFileFlag,
 		icmpv4SrcFlag,
 		icmpv6SrcFlag,
+		maxActiveFlowsFlag,
 	}
 	flags = append(flags, configureProxyFlags(false)...)
 	return &cli.Command{
@@ -652,12 +755,22 @@ func runCommand(c *cli.Context) error {
 			"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
 	}
 
+	tokenStr := c.String(TunnelTokenFlag)
+	// Check if tokenStr is blank before checking for tokenFile
+	if tokenStr == "" {
+		if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
+			data, err := os.ReadFile(tokenFile)
+			if err != nil {
+				return cliutil.UsageError("Failed to read token file: " + err.Error())
+			}
+			tokenStr = strings.TrimSpace(string(data))
+		}
+	}
 	// Check if token is provided and if not use default tunnelID flag method
-	if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
+	if tokenStr != "" {
 		if token, err := ParseToken(tokenStr); err == nil {
 			return sc.runWithCredentials(token.Credentials())
 		}
-
 		return cliutil.UsageError("Provided Tunnel token is not valid.")
 	} else {
 		tunnelRef := c.Args().First()
@@ -862,8 +975,10 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
 	return cfapi.NewLBRoute(lbName, lbPool), nil
 }
 
-var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
-var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+var (
+	nameRegex     = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+	hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
+)
 
 func validateName(s string, allowWildcardSubdomain bool) bool {
 	if allowWildcardSubdomain {
@@ -951,3 +1066,78 @@ SUBCOMMAND OPTIONS:
 `
 	return fmt.Sprintf(template, parentFlagsHelp)
 }
+
+func buildDiagCommand() *cli.Command {
+	return &cli.Command{
+		Name:        "diag",
+		Action:      cliutil.ConfiguredAction(diagCommand),
+		Usage:       "Creates a diagnostic report from a local cloudflared instance",
+		UsageText:   "cloudflared tunnel [tunnel command options] diag [subcommand options]",
+		Description: "cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.",
+		Flags: []cli.Flag{
+			metricsFlag,
+			diagContainerFlag,
+			diagPodFlag,
+			noDiagLogsFlag,
+			noDiagMetricsFlag,
+			noDiagSystemFlag,
+			noDiagRuntimeFlag,
+			noDiagNetworkFlag,
+		},
+		CustomHelpTemplate: commandHelpTemplate(),
+	}
+}
+
+func diagCommand(ctx *cli.Context) error {
+	sctx, err := newSubcommandContext(ctx)
+	if err != nil {
+		return err
+	}
+	log := sctx.log
+	options := diagnostic.Options{
+		KnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),
+		Address:        sctx.c.String(flags.Metrics),
+		ContainerID:    sctx.c.String(diagContainerIDFlagName),
+		PodID:          sctx.c.String(diagPodFlagName),
+		Toggles: diagnostic.Toggles{
+			NoDiagLogs:    sctx.c.Bool(noDiagLogsFlagName),
+			NoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),
+			NoDiagSystem:  sctx.c.Bool(noDiagSystemFlagName),
+			NoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),
+			NoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),
+		},
+	}
+
+	if options.Address == "" {
+		log.Info().Msg("If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.")
+	}
+
+	states, err := diagnostic.RunDiagnostic(log, options)
+
+	if errors.Is(err, diagnostic.ErrMetricsServerNotFound) {
+		log.Warn().Msg("No instances found")
+		return nil
+	}
+	if errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {
+		if states != nil {
+			log.Info().Msgf("Found multiple instances running:")
+			for _, state := range states {
+				log.Info().Msgf("Instance: tunnel-id=%s connector-id=%s metrics-address=%s", state.TunnelID, state.ConnectorID, state.URL.String())
+			}
+			log.Info().Msgf("To select one instance use the option --metrics")
+		}
+		return nil
+	}
+
+	if errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {
+		log.Info().Msg("Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.")
+	}
+
+	if err != nil {
+		log.Warn().Msg("Diagnostic completed with one or more errors")
+	} else {
+		log.Info().Msg("Diagnostic completed")
+	}
+
+	return nil
+}

cmd/cloudflared/tunnel/tag.go

@@ -4,23 +4,23 @@ import (
 	"fmt"
 	"regexp"
 
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 // Restrict key names to characters allowed in an HTTP header name.
 // Restrict key values to printable characters (what is recognised as data in an HTTP header value).
 var tagRegexp = regexp.MustCompile("^([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=([[:print:]]+)$")
 
-func NewTagFromCLI(compoundTag string) (tunnelpogs.Tag, bool) {
+func NewTagFromCLI(compoundTag string) (pogs.Tag, bool) {
 	matches := tagRegexp.FindStringSubmatch(compoundTag)
 	if len(matches) == 0 {
-		return tunnelpogs.Tag{}, false
+		return pogs.Tag{}, false
 	}
-	return tunnelpogs.Tag{Name: matches[1], Value: matches[2]}, true
+	return pogs.Tag{Name: matches[1], Value: matches[2]}, true
 }
 
-func NewTagSliceFromCLI(tags []string) ([]tunnelpogs.Tag, error) {
-	var tagSlice []tunnelpogs.Tag
+func NewTagSliceFromCLI(tags []string) ([]pogs.Tag, error) {
+	var tagSlice []pogs.Tag
 	for _, compoundTag := range tags {
 		if tag, ok := NewTagFromCLI(compoundTag); ok {
 			tagSlice = append(tagSlice, tag)

cmd/cloudflared/tunnel/tag_test.go

@@ -3,7 +3,7 @@ package tunnel
 import (
 	"testing"
 
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -11,12 +11,12 @@ import (
 func TestSingleTag(t *testing.T) {
 	testCases := []struct {
 		Input  string
-		Output tunnelpogs.Tag
+		Output pogs.Tag
 		Fail   bool
 	}{
-		{Input: "x=y", Output: tunnelpogs.Tag{Name: "x", Value: "y"}},
-		{Input: "More-Complex=Tag Values", Output: tunnelpogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
-		{Input: "First=Equals=Wins", Output: tunnelpogs.Tag{Name: "First", Value: "Equals=Wins"}},
+		{Input: "x=y", Output: pogs.Tag{Name: "x", Value: "y"}},
+		{Input: "More-Complex=Tag Values", Output: pogs.Tag{Name: "More-Complex", Value: "Tag Values"}},
+		{Input: "First=Equals=Wins", Output: pogs.Tag{Name: "First", Value: "Equals=Wins"}},
 		{Input: "x=", Fail: true},
 		{Input: "=y", Fail: true},
 		{Input: "=", Fail: true},

cmd/cloudflared/tunnel/teamnet_subcommands.go

@@ -22,7 +22,7 @@ var (
 		Usage:   "The ID or name of the virtual network to which the route is associated to.",
 	}
 
-	routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
+	errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
 )
 
 func buildRouteIPSubcommand() *cli.Command {
@@ -32,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
 		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
 your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
-client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to
 determine who can reach certain routes.
 By default IP routes all exist within a single virtual network. If you use the same IP
 space(s) in different physical private networks, all meant to be reachable via IP routes,
@@ -187,7 +187,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	}
 
 	if c.NArg() != 1 {
-		return routeAddError
+		return errAddRoute
 	}
 
 	var routeId uuid.UUID
@@ -195,7 +195,7 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		_, network, err := net.ParseCIDR(c.Args().First())
 		if err != nil || network == nil {
-			return routeAddError
+			return errAddRoute
 		}
 
 		var vnetId *uuid.UUID

cmd/cloudflared/updater/update.go

@@ -14,13 +14,15 @@ import (
 	"github.com/urfave/cli/v2"
 	"golang.org/x/term"
 
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
 	"github.com/cloudflare/cloudflared/config"
 	"github.com/cloudflare/cloudflared/logger"
 )
 
 const (
 	DefaultCheckUpdateFreq        = time.Hour * 24
-	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
+	noUpdateInShellMessage        = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/"
 	noUpdateOnWindowsMessage      = "cloudflared will not automatically update on Windows systems."
 	noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
 	isManagedInstallFile          = ".installedFromPackageManager"
@@ -31,12 +33,13 @@ const (
 )
 
 var (
-	version                string
+	buildInfo              *cliutil.BuildInfo
 	BuiltForPackageManager = ""
 )
 
 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
 // https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder
+// nolint: errname
 type statusSuccess struct {
 	newVersion string
 }
@@ -49,16 +52,16 @@ func (u *statusSuccess) ExitCode() int {
 	return 11
 }
 
-// UpdateErr implements ExitCoder interface, the app will exit with status code 10
-type statusErr struct {
+// statusError implements ExitCoder interface, the app will exit with status code 10
+type statusError struct {
 	err error
 }
 
-func (e *statusErr) Error() string {
+func (e *statusError) Error() string {
 	return fmt.Sprintf("failed to update cloudflared: %v", e.err)
 }
 
-func (e *statusErr) ExitCode() int {
+func (e *statusError) ExitCode() int {
 	return 10
 }
 
@@ -78,11 +81,11 @@ type UpdateOutcome struct {
 }
 
 func (uo *UpdateOutcome) noUpdate() bool {
-	return uo.Error == nil && uo.Updated == false
+	return uo.Error == nil && !uo.Updated
 }
 
-func Init(v string) {
-	version = v
+func Init(info *cliutil.BuildInfo) {
+	buildInfo = info
 }
 
 func CheckForUpdate(options updateOptions) (CheckResult, error) {
@@ -100,11 +103,12 @@ func CheckForUpdate(options updateOptions) (CheckResult, error) {
 		cfdPath = encodeWindowsPath(cfdPath)
 	}
 
-	s := NewWorkersService(version, url, cfdPath, Options{IsBeta: options.isBeta,
+	s := NewWorkersService(buildInfo.CloudflaredVersion, url, cfdPath, Options{IsBeta: options.isBeta,
 		IsForced: options.isForced, RequestedVersion: options.intendedVersion})
 
 	return s.Check()
 }
+
 func encodeWindowsPath(path string) string {
 	// We do this because Windows allows spaces in directories such as
 	// Program Files but does not allow these directories to be spaced in batch files.
@@ -151,7 +155,7 @@ func Update(c *cli.Context) error {
 		log.Info().Msg("cloudflared is set to update from staging")
 	}
 
-	isForced := c.Bool("force")
+	isForced := c.Bool(cfdflags.Force)
 	if isForced {
 		log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version")
 	}
@@ -164,7 +168,7 @@ func Update(c *cli.Context) error {
 		intendedVersion: c.String("version"),
 	})
 	if updateOutcome.Error != nil {
-		return &statusErr{updateOutcome.Error}
+		return &statusError{updateOutcome.Error}
 	}
 
 	if updateOutcome.noUpdate() {
@@ -198,7 +202,6 @@ func loggedUpdate(log *zerolog.Logger, options updateOptions) UpdateOutcome {
 type AutoUpdater struct {
 	configurable *configurable
 	listeners    *gracenet.Net
-	updateConfigChan chan *configurable
 	log          *zerolog.Logger
 }
 
@@ -212,7 +215,6 @@ func NewAutoUpdater(updateDisabled bool, freq time.Duration, listeners *gracenet
 	return &AutoUpdater{
 		configurable: createUpdateConfig(updateDisabled, freq, log),
 		listeners:    listeners,
-		updateConfigChan: make(chan *configurable),
 		log:          log,
 	}
 }
@@ -232,19 +234,27 @@ func createUpdateConfig(updateDisabled bool, freq time.Duration, log *zerolog.Lo
 	}
 }
 
+// Run will perodically check for cloudflared updates, download them, and then restart the current cloudflared process
+// to use the new version. It delays the first update check by the configured frequency as to not attempt a
+// download immediately and restart after starting (in the case that there is an upgrade available).
 func (a *AutoUpdater) Run(ctx context.Context) error {
 	ticker := time.NewTicker(a.configurable.freq)
 	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
 		updateOutcome := loggedUpdate(a.log, updateOptions{updateDisabled: !a.configurable.enabled})
 		if updateOutcome.Updated {
-			Init(updateOutcome.Version)
+			buildInfo.CloudflaredVersion = updateOutcome.Version
 			if IsSysV() {
 				// SysV doesn't have a mechanism to keep service alive, we have to restart the process
 				a.log.Info().Msg("Restarting service managed by SysV...")
 				pid, err := a.listeners.StartProcess()
 				if err != nil {
 					a.log.Err(err).Msg("Unable to restart server automatically")
-					return &statusErr{err: err}
+					return &statusError{err: err}
 				}
 				// stop old process after autoupdate. Otherwise we create a new process
 				// after each update
@@ -254,24 +264,8 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
 		} else if updateOutcome.UserMessage != "" {
 			a.log.Warn().Msg(updateOutcome.UserMessage)
 		}
-
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		case newConfigurable := <-a.updateConfigChan:
-			ticker.Stop()
-			a.configurable = newConfigurable
-			ticker = time.NewTicker(a.configurable.freq)
-			// Check if there is new version of cloudflared after receiving new AutoUpdaterConfigurable
-		case <-ticker.C:
 	}
 }
-}
-
-// Update is the method to pass new AutoUpdaterConfigurable to a running AutoUpdater. It is safe to be called concurrently
-func (a *AutoUpdater) Update(updateDisabled bool, newFreq time.Duration) {
-	a.updateConfigChan <- createUpdateConfig(updateDisabled, newFreq, a.log)
-}
 
 func isAutoupdateEnabled(log *zerolog.Logger, updateDisabled bool, updateFreq time.Duration) bool {
 	if !supportAutoUpdate(log) {

cmd/cloudflared/updater/update_test.go

@@ -9,8 +9,14 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/urfave/cli/v2"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
+func init() {
+	Init(cliutil.GetBuildInfo("TEST", "TEST"))
+}
+
 func TestDisabledAutoUpdater(t *testing.T) {
 	listeners := &gracenet.Net{}
 	log := zerolog.Nop()

cmd/cloudflared/updater/workers_service.go

@@ -3,6 +3,7 @@ package updater
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"runtime"
 )
@@ -79,6 +80,10 @@ func (s *WorkersService) Check() (CheckResult, error) {
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode != 200 {
+		return nil, fmt.Errorf("unable to check for update: %d", resp.StatusCode)
+	}
+
 	var v VersionResponse
 	if err := json.NewDecoder(resp.Body).Decode(&v); err != nil {
 		return nil, err

cmd/cloudflared/updater/workers_update.go

@@ -3,7 +3,6 @@ package updater
 import (
 	"archive/tar"
 	"compress/gzip"
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
@@ -11,11 +10,15 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"runtime"
-	"strings"
 	"text/template"
 	"time"
+
+	"github.com/getsentry/sentry-go"
+
+	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
 )
 
 const (
@@ -27,9 +30,9 @@ const (
 	// start the service
 	// exit with code 0 if we've reached this point indicating success.
 	windowsUpdateCommandTemplate = `sc stop cloudflared >nul 2>&1
+del "{{.OldPath}}"
 rename "{{.TargetPath}}" {{.OldName}}
 rename "{{.NewPath}}" {{.BinaryName}}
-del "{{.OldPath}}"
 sc start cloudflared >nul 2>&1
 exit /b 0`
 	batchFileName = "cfd_update.bat"
@@ -86,8 +89,25 @@ func (v *WorkersVersion) Apply() error {
 		return err
 	}
 
-	// check that the file is what is expected
-	if err := isValidChecksum(v.checksum, newFilePath); err != nil {
+	downloadSum, err := cliutil.FileChecksum(newFilePath)
+	if err != nil {
+		return err
+	}
+
+	// Check that the file downloaded matches what is expected.
+	if v.checksum != downloadSum {
+		return errors.New("checksum validation failed")
+	}
+
+	// Check if the currently running version has the same checksum
+	if downloadSum == buildInfo.Checksum {
+		// Currently running binary matches the downloaded binary so we have no reason to update. This is
+		// typically unexpected, as such we emit a sentry event.
+		localHub := sentry.CurrentHub().Clone()
+		err := errors.New("checksum validation matches currently running process")
+		localHub.CaptureException(err)
+		// Make sure to cleanup the new downloaded file since we aren't upgrading versions.
+		os.Remove(newFilePath)
 		return err
 	}
 
@@ -114,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
 
 	if err := os.Rename(newFilePath, v.targetPath); err != nil {
 		//attempt rollback
-		os.Rename(oldFilePath, v.targetPath)
+		_ = os.Rename(oldFilePath, v.targetPath)
 		return err
 	}
 	os.Remove(oldFilePath)
@@ -161,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
 		tr := tar.NewReader(gr)
 
 		// advance the reader pass the header, which will be the single binary file
-		tr.Next()
+		_, _ = tr.Next()
 
 		r = tr
 	}
@@ -178,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
 
 // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
 func isCompressedFile(urlstring string) bool {
-	if strings.HasSuffix(urlstring, ".tgz") {
+	if path.Ext(urlstring) == ".tgz" {
 		return true
 	}
 
@@ -186,28 +206,7 @@ func isCompressedFile(urlstring string) bool {
 	if err != nil {
 		return false
 	}
-	return strings.HasSuffix(u.Path, ".tgz")
-}
-
-// checks if the checksum in the json response matches the checksum of the file download
-func isValidChecksum(checksum, filePath string) error {
-	f, err := os.Open(filePath)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	h := sha256.New()
-	if _, err := io.Copy(h, f); err != nil {
-		return err
-	}
-
-	hash := fmt.Sprintf("%x", h.Sum(nil))
-
-	if checksum != hash {
-		return errors.New("checksum validation failed")
-	}
-	return nil
+	return path.Ext(u.Path) == ".tgz"
 }
 
 // writeBatchFile writes a batch file out to disk
@@ -250,7 +249,6 @@ func runWindowsBatch(batchFile string) error {
 		if exitError, ok := err.(*exec.ExitError); ok {
 			return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
 		}
-
 	}
 	return err
 }

cmd/cloudflared/windows_service.go

@@ -26,7 +26,7 @@ import (
 const (
 	windowsServiceName        = "Cloudflared"
 	windowsServiceDescription = "Cloudflared agent"
-	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
+	windowsServiceUrl         = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/"
 
 	recoverActionDelay      = time.Second * 20
 	failureCountResetPeriod = time.Hour * 24

component-tests/README.md

@@ -1,9 +1,9 @@
 # Requirements
-1. Python 3.7 or later with packages in the given `requirements.txt`
-   - E.g. with conda:
-   - `conda create -n component-tests python=3.7`  
-   - `conda activate component-tests`
-   - `pip3 install -r requirements.txt`
+1. Python 3.10 or later with packages in the given `requirements.txt`
+   - E.g. with venv:
+   - `python3 -m venv ./.venv`  
+   - `source ./.venv/bin/activate`
+   - `python3 -m pip install -r requirements.txt`
 
 2. Create a config yaml file, for example:
 ```

component-tests/test_pq.py

@@ -1,7 +1,6 @@
-from util import LOGGER, nofips, start_cloudflared, wait_tunnel_ready
+from util import LOGGER, start_cloudflared, wait_tunnel_ready
 
 
-@nofips
 class TestPostQuantum:
     def _extra_config(self):
         config = {
@@ -12,6 +11,11 @@ class TestPostQuantum:
     def test_post_quantum(self, tmp_path, component_tests_config):
         config = component_tests_config(self._extra_config())
         LOGGER.debug(config)
-        with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--post-quantum"], new_process=True):
-            wait_tunnel_ready(tunnel_url=config.get_url(),
-                              require_min_connections=1)
+        with start_cloudflared(
+            tmp_path,
+            config,
+            cfd_pre_args=["tunnel", "--ha-connections", "1"],
+            cfd_args=["run", "--post-quantum"],
+            new_process=True,
+        ):
+            wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)

component-tests/test_tail.py

@@ -47,7 +47,12 @@ class TestTail:
             url = cfd_cli.get_management_wsurl("logs", config, config_path)
             async with connect(url, open_timeout=5, close_timeout=5) as websocket:
                 # send start_streaming
-                await websocket.send('{"type": "start_streaming"}')
+                await websocket.send(json.dumps({
+                    "type": "start_streaming",
+                    "filters": {
+                        "events": ["http"]
+                    }
+                }))
                 # send some http requests to the tunnel to trigger some logs
                 await generate_and_validate_http_events(websocket, config.get_url(), 10)
                 # send stop_streaming
@@ -99,7 +104,8 @@ class TestTail:
                 await websocket.send(json.dumps({
                     "type": "start_streaming",
                     "filters": {
-                        "sampling": 0.5
+                        "sampling": 0.5,
+                        "events": ["http"]
                     }
                 }))
                 # don't expect any http logs

component-tests/test_termination.py

@@ -45,6 +45,7 @@ class TestTermination:
             with connected:
                 connected.wait(self.timeout)
             # Send signal after the SSE connection is established
+            with self.within_grace_period():
                 self.terminate_by_signal(cloudflared, signal)
                 self.wait_eyeball_thread(
                     in_flight_req, self.grace_period + self.timeout)
@@ -66,7 +67,7 @@ class TestTermination:
 
             with connected:
                 connected.wait(self.timeout)
-            with self.within_grace_period():
+            with self.within_grace_period(has_connection=False):
                 # Send signal after the SSE connection is established
                 self.terminate_by_signal(cloudflared, signal)
                 self.wait_eyeball_thread(in_flight_req, self.grace_period)
@@ -78,7 +79,7 @@ class TestTermination:
         with start_cloudflared(
                 tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True, capture_output=False) as cloudflared:
             wait_tunnel_ready(tunnel_url=config.get_url())
-            with self.within_grace_period():
+            with self.within_grace_period(has_connection=False):
                 self.terminate_by_signal(cloudflared, signal)
 
     def terminate_by_signal(self, cloudflared, sig):
@@ -92,13 +93,21 @@ class TestTermination:
 
     # Using this context asserts logic within the context is executed within grace period
     @contextmanager
-    def within_grace_period(self):
+    def within_grace_period(self, has_connection=True):
         try:
             start = time.time()
             yield
         finally:
+
+            # If the request takes longer than the grace period then we need to wait at most the grace period.
+            # If the request fell within the grace period cloudflared can close earlier, but to ensure that it doesn't
+            # close immediately we add a minimum boundary. If cloudflared shutdown in less than 1s it's likely that
+            # it shutdown as soon as it received SIGINT. The only way cloudflared can close immediately is if it has no
+            # in-flight requests
+            minimum = 1 if has_connection else 0
             duration = time.time() - start
-            assert duration < self.grace_period
+            # Here we truncate to ensure that we don't fail on minute differences like 10.1 instead of 10
+            assert minimum <= int(duration) <= self.grace_period
 
     def stream_request(self, config, connected, early_terminate):
         expected_terminate_message = "502 Bad Gateway"

config/configuration.go

@@ -155,7 +155,7 @@ func FindOrCreateConfigPath() string {
 // i.e. it fails if a user specifies both --url and --unix-socket
 func ValidateUnixSocket(c *cli.Context) (string, error) {
 	if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
-		return "", errors.New("--unix-socket must be used exclusivly.")
+		return "", errors.New("--unix-socket must be used exclusively.")
 	}
 	return c.String("unix-socket"), nil
 }
@@ -260,6 +260,7 @@ type Configuration struct {
 
 type WarpRoutingConfig struct {
 	ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
+	MaxActiveFlows *uint64         `yaml:"maxActiveFlows" json:"maxActiveFlows,omitempty"`
 	TCPKeepAlive   *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
 }
 

connection/connection.go

@@ -27,22 +27,35 @@ const (
 	MaxConcurrentStreams   = math.MaxUint32
 
 	contentTypeHeader      = "content-type"
+	contentLengthHeader    = "content-length"
+	transferEncodingHeader = "transfer-encoding"
+
 	sseContentType     = "text/event-stream"
 	grpcContentType    = "application/grpc"
+	sseJsonContentType = "application/x-ndjson"
+
+	chunkTransferEncoding = "chunked"
 )
 
 var (
 	switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
-	flushableContentTypes = []string{sseContentType, grpcContentType}
+	flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
 )
 
+// TunnelConnection represents the connection to the edge.
+// The Serve method is provided to allow clients to handle any errors from the connection encountered during
+// processing of the connection. Cancelling of the context provided to Serve will close the connection.
+type TunnelConnection interface {
+	Serve(ctx context.Context) error
+}
+
 type Orchestrator interface {
 	UpdateConfig(version int32, config []byte) *pogs.UpdateConfigurationResponse
 	GetConfigJSON() ([]byte, error)
 	GetOriginProxy() (OriginProxy, error)
 }
 
-type NamedTunnelProperties struct {
+type TunnelProperties struct {
 	Credentials    Credentials
 	Client         pogs.ClientInfo
 	QuickTunnelUrl string
@@ -53,6 +66,7 @@ type Credentials struct {
 	AccountTag   string
 	TunnelSecret []byte
 	TunnelID     uuid.UUID
+	Endpoint     string
 }
 
 func (c *Credentials) Auth() pogs.TunnelAuth {
@@ -67,13 +81,16 @@ type TunnelToken struct {
 	AccountTag   string    `json:"a"`
 	TunnelSecret []byte    `json:"s"`
 	TunnelID     uuid.UUID `json:"t"`
+	Endpoint     string    `json:"e,omitempty"`
 }
 
 func (t TunnelToken) Credentials() Credentials {
+	// nolint: gosimple
 	return Credentials{
 		AccountTag:   t.AccountTag,
 		TunnelSecret: t.TunnelSecret,
 		TunnelID:     t.TunnelID,
+		Endpoint:     t.Endpoint,
 	}
 }
 
@@ -263,6 +280,22 @@ type ConnectedFuse interface {
 // Helper method to let the caller know what content-types should require a flush on every
 // write to a ResponseWriter.
 func shouldFlush(headers http.Header) bool {
+	// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.
+	// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good
+	// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`
+	// are streams, and therefore, should be flushed right away to the eyeball.
+	// References:
+	// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1
+	// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1
+	if contentLength := headers.Get(contentLengthHeader); contentLength == "" {
+		return true
+	}
+	if transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != "" {
+		transferEncoding = strings.ToLower(transferEncoding)
+		if strings.Contains(transferEncoding, chunkTransferEncoding) {
+			return true
+		}
+	}
 	if contentType := headers.Get(contentTypeHeader); contentType != "" {
 		contentType = strings.ToLower(contentType)
 		for _, c := range flushableContentTypes {
@@ -271,7 +304,6 @@ func shouldFlush(headers http.Header) bool {
 			}
 		}
 	}
-
 	return false
 }
 

connection/connection_test.go

@@ -2,13 +2,19 @@ package connection
 
 import (
 	"context"
+	"crypto/rand"
 	"fmt"
 	"io"
-	"math/rand"
+	"math/big"
 	"net/http"
+	"testing"
 	"time"
 
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/require"
+
+	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	"github.com/cloudflare/cloudflared/stream"
 	"github.com/cloudflare/cloudflared/tracing"
@@ -77,7 +83,7 @@ func (moc *mockOriginProxy) ProxyHTTP(
 			return wsFlakyEndpoint(w, req)
 		default:
 			originRespEndpoint(w, http.StatusNotFound, []byte("ws endpoint not found"))
-			return fmt.Errorf("Unknwon websocket endpoint %s", req.URL.Path)
+			return fmt.Errorf("unknown websocket endpoint %s", req.URL.Path)
 		}
 	}
 	switch req.URL.Path {
@@ -95,7 +101,6 @@ func (moc *mockOriginProxy) ProxyHTTP(
 		originRespEndpoint(w, http.StatusNotFound, []byte("page not found"))
 	}
 	return nil
-
 }
 
 func (moc *mockOriginProxy) ProxyTCP(
@@ -103,6 +108,10 @@ func (moc *mockOriginProxy) ProxyTCP(
 	rwa ReadWriteAcker,
 	r *TCPRequest,
 ) error {
+	if r.CfTraceID == "flow-rate-limited" {
+		return pkgerrors.Wrap(cfdflow.ErrTooManyActiveFlows, "tcp flow rate limited")
+	}
+
 	return nil
 }
 
@@ -178,7 +187,8 @@ func wsFlakyEndpoint(w ResponseWriter, r *http.Request) error {
 
 	wsConn := websocket.NewConn(wsCtx, NewHTTPResponseReadWriterAcker(w, w.(http.Flusher), r), &log)
 
-	closedAfter := time.Millisecond * time.Duration(rand.Intn(50))
+	rInt, _ := rand.Int(rand.Reader, big.NewInt(50))
+	closedAfter := time.Millisecond * time.Duration(rInt.Int64())
 	originConn := &flakyConn{closeAt: time.Now().Add(closedAfter)}
 	stream.Pipe(wsConn, originConn, &log)
 	cancel()
@@ -201,3 +211,48 @@ func (mcf mockConnectedFuse) Connected() {}
 func (mcf mockConnectedFuse) IsConnected() bool {
 	return true
 }
+
+func TestShouldFlushHeaders(t *testing.T) {
+	tests := []struct {
+		headers     map[string]string
+		shouldFlush bool
+	}{
+		{
+			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "1"},
+			shouldFlush: false,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "text/html", contentLengthHeader: "1"},
+			shouldFlush: false,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "text/event-stream", contentLengthHeader: "1"},
+			shouldFlush: true,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "application/grpc", contentLengthHeader: "1"},
+			shouldFlush: true,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "application/x-ndjson", contentLengthHeader: "1"},
+			shouldFlush: true,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "application/json"},
+			shouldFlush: true,
+		},
+		{
+			headers:     map[string]string{contentTypeHeader: "application/json", contentLengthHeader: "-1", transferEncodingHeader: "chunked"},
+			shouldFlush: true,
+		},
+	}
+
+	for _, test := range tests {
+		headers := http.Header{}
+		for k, v := range test.headers {
+			headers.Add(k, v)
+		}
+
+		require.Equal(t, test.shouldFlush, shouldFlush(headers))
+	}
+}

connection/control.go

@@ -6,25 +6,27 @@ import (
 	"net"
 	"time"
 
-	"github.com/rs/zerolog"
+	"github.com/pkg/errors"
 
 	"github.com/cloudflare/cloudflared/management"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
-// RPCClientFunc derives a named tunnel rpc client that can then be used to register and unregister connections.
-type RPCClientFunc func(context.Context, io.ReadWriteCloser, *zerolog.Logger) NamedTunnelRPCClient
+// registerClient derives a named tunnel rpc client that can then be used to register and unregister connections.
+type registerClientFunc func(context.Context, io.ReadWriteCloser, time.Duration) tunnelrpc.RegistrationClient
 
 type controlStream struct {
 	observer *Observer
 
 	connectedFuse    ConnectedFuse
-	namedTunnelProperties *NamedTunnelProperties
+	tunnelProperties *TunnelProperties
 	connIndex        uint8
 	edgeAddress      net.IP
 	protocol         Protocol
 
-	newRPCClientFunc RPCClientFunc
+	registerClientFunc registerClientFunc
+	registerTimeout    time.Duration
 
 	gracefulShutdownC <-chan struct{}
 	gracePeriod       time.Duration
@@ -34,7 +36,7 @@ type controlStream struct {
 // ControlStreamHandler registers connections with origintunneld and initiates graceful shutdown.
 type ControlStreamHandler interface {
 	// ServeControlStream handles the control plane of the transport in the current goroutine calling this
-	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *tunnelpogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
+	ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error
 	// IsStopped tells whether the method above has finished
 	IsStopped() bool
 }
@@ -47,22 +49,24 @@ type TunnelConfigJSONGetter interface {
 func NewControlStream(
 	observer *Observer,
 	connectedFuse ConnectedFuse,
-	namedTunnelConfig *NamedTunnelProperties,
+	tunnelProperties *TunnelProperties,
 	connIndex uint8,
 	edgeAddress net.IP,
-	newRPCClientFunc RPCClientFunc,
+	registerClientFunc registerClientFunc,
+	registerTimeout time.Duration,
 	gracefulShutdownC <-chan struct{},
 	gracePeriod time.Duration,
 	protocol Protocol,
 ) ControlStreamHandler {
-	if newRPCClientFunc == nil {
-		newRPCClientFunc = newRegistrationRPCClient
+	if registerClientFunc == nil {
+		registerClientFunc = tunnelrpc.NewRegistrationClient
 	}
 	return &controlStream{
 		observer:           observer,
 		connectedFuse:      connectedFuse,
-		namedTunnelProperties: namedTunnelConfig,
-		newRPCClientFunc:      newRPCClientFunc,
+		tunnelProperties:   tunnelProperties,
+		registerClientFunc: registerClientFunc,
+		registerTimeout:    registerTimeout,
 		connIndex:          connIndex,
 		edgeAddress:        edgeAddress,
 		gracefulShutdownC:  gracefulShutdownC,
@@ -74,53 +78,72 @@ func NewControlStream(
 func (c *controlStream) ServeControlStream(
 	ctx context.Context,
 	rw io.ReadWriteCloser,
-	connOptions *tunnelpogs.ConnectionOptions,
+	connOptions *pogs.ConnectionOptions,
 	tunnelConfigGetter TunnelConfigJSONGetter,
 ) error {
-	rpcClient := c.newRPCClientFunc(ctx, rw, c.observer.log)
+	registrationClient := c.registerClientFunc(ctx, rw, c.registerTimeout)
 
-	registrationDetails, err := rpcClient.RegisterConnection(ctx, c.namedTunnelProperties, connOptions, c.connIndex, c.edgeAddress, c.observer)
+	registrationDetails, err := registrationClient.RegisterConnection(
+		ctx,
+		c.tunnelProperties.Credentials.Auth(),
+		c.tunnelProperties.Credentials.TunnelID,
+		connOptions,
+		c.connIndex,
+		c.edgeAddress)
 	if err != nil {
-		rpcClient.Close()
-		return err
+		defer registrationClient.Close()
+		if err.Error() == DuplicateConnectionError {
+			c.observer.metrics.regFail.WithLabelValues("dup_edge_conn", "registerConnection").Inc()
+			return errDuplicationConnection
 		}
+		c.observer.metrics.regFail.WithLabelValues("server_error", "registerConnection").Inc()
+		return serverRegistrationErrorFromRPC(err)
+	}
+	c.observer.metrics.regSuccess.WithLabelValues("registerConnection").Inc()
 
 	c.observer.logConnected(registrationDetails.UUID, c.connIndex, registrationDetails.Location, c.edgeAddress, c.protocol)
-	c.observer.sendConnectedEvent(c.connIndex, c.protocol, registrationDetails.Location)
+	c.observer.sendConnectedEvent(c.connIndex, c.protocol, registrationDetails.Location, c.edgeAddress)
 	c.connectedFuse.Connected()
 
 	// if conn index is 0 and tunnel is not remotely managed, then send local ingress rules configuration
 	if c.connIndex == 0 && !registrationDetails.TunnelIsRemotelyManaged {
 		if tunnelConfig, err := tunnelConfigGetter.GetConfigJSON(); err == nil {
-			if err := rpcClient.SendLocalConfiguration(ctx, tunnelConfig, c.observer); err != nil {
+			if err := registrationClient.SendLocalConfiguration(ctx, tunnelConfig); err != nil {
+				c.observer.metrics.localConfigMetrics.pushesErrors.Inc()
 				c.observer.log.Err(err).Msg("unable to send local configuration")
 			}
+			c.observer.metrics.localConfigMetrics.pushes.Inc()
 		} else {
 			c.observer.log.Err(err).Msg("failed to obtain current configuration")
 		}
 	}
 
-	c.waitForUnregister(ctx, rpcClient)
-	return nil
+	return c.waitForUnregister(ctx, registrationClient)
 }
 
-func (c *controlStream) waitForUnregister(ctx context.Context, rpcClient NamedTunnelRPCClient) {
+func (c *controlStream) waitForUnregister(ctx context.Context, registrationClient tunnelrpc.RegistrationClient) error {
 	// wait for connection termination or start of graceful shutdown
-	defer rpcClient.Close()
+	defer registrationClient.Close()
+	var shutdownError error
 	select {
 	case <-ctx.Done():
+		shutdownError = ctx.Err()
 		break
 	case <-c.gracefulShutdownC:
 		c.stoppedGracefully = true
 	}
 
 	c.observer.sendUnregisteringEvent(c.connIndex)
-	rpcClient.GracefulShutdown(ctx, c.gracePeriod)
+	err := registrationClient.GracefulShutdown(ctx, c.gracePeriod)
+	if err != nil {
+		return errors.Wrap(err, "Error shutting down control stream")
+	}
 	c.observer.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Uint8(LogFieldConnIndex, c.connIndex).
 		IPAddr(LogFieldIPAddress, c.edgeAddress).
 		Msg("Unregistered tunnel connection")
+	return shutdownError
 }
 
 func (c *controlStream) IsStopped() bool {

connection/errors.go

@@ -2,7 +2,6 @@ package connection
 
 import (
 	"github.com/cloudflare/cloudflared/edgediscovery"
-	"github.com/cloudflare/cloudflared/h2mux"
 	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
@@ -71,8 +70,6 @@ func isHandshakeErrRecoverable(err error, connIndex uint8, observer *Observer) b
 	switch err.(type) {
 	case edgediscovery.DialError:
 		log.Error().Msg("Connection unable to dial edge")
-	case h2mux.MuxerHandshakeError:
-		log.Error().Msg("Connection handshake with edge server failed")
 	default:
 		log.Error().Msg("Connection failed")
 		return false

connection/event.go

@@ -1,5 +1,7 @@
 package connection
 
+import "net"
+
 // Event is something that happened to a connection, e.g. disconnection or registration.
 type Event struct {
 	Index       uint8
@@ -7,6 +9,7 @@ type Event struct {
 	Location    string
 	Protocol    Protocol
 	URL         string
+	EdgeAddress net.IP
 }
 
 // Status is the status of a connection.

connection/h2mux.go

@@ -1,32 +0,0 @@
-package connection
-
-import (
-	"time"
-
-	"github.com/rs/zerolog"
-
-	"github.com/cloudflare/cloudflared/h2mux"
-)
-
-const (
-	muxerTimeout = 5 * time.Second
-)
-
-type MuxerConfig struct {
-	HeartbeatInterval  time.Duration
-	MaxHeartbeats      uint64
-	CompressionSetting h2mux.CompressionSetting
-	MetricsUpdateFreq  time.Duration
-}
-
-func (mc *MuxerConfig) H2MuxerConfig(h h2mux.MuxedStreamHandler, log *zerolog.Logger) *h2mux.MuxerConfig {
-	return &h2mux.MuxerConfig{
-		Timeout:            muxerTimeout,
-		Handler:            h,
-		IsClient:           true,
-		HeartbeatInterval:  mc.HeartbeatInterval,
-		MaxHeartbeats:      mc.MaxHeartbeats,
-		Log:                log,
-		CompressionQuality: mc.CompressionSetting,
-	}
-}

connection/h2mux_header.go

@@ -1,128 +0,0 @@
-package connection
-
-import (
-	"fmt"
-	"net/http"
-	"net/url"
-	"strconv"
-	"strings"
-
-	"github.com/pkg/errors"
-
-	"github.com/cloudflare/cloudflared/h2mux"
-)
-
-// H2RequestHeadersToH1Request converts the HTTP/2 headers coming from origintunneld
-// to an HTTP/1 Request object destined for the local origin web service.
-// This operation includes conversion of the pseudo-headers into their closest
-// HTTP/1 equivalents. See https://tools.ietf.org/html/rfc7540#section-8.1.2.3
-func H2RequestHeadersToH1Request(h2 []h2mux.Header, h1 *http.Request) error {
-	for _, header := range h2 {
-		name := strings.ToLower(header.Name)
-		if !IsH2muxControlRequestHeader(name) {
-			continue
-		}
-
-		switch name {
-		case ":method":
-			h1.Method = header.Value
-		case ":scheme":
-			// noop - use the preexisting scheme from h1.URL
-		case ":authority":
-			// Otherwise the host header will be based on the origin URL
-			h1.Host = header.Value
-		case ":path":
-			// We don't want to be an "opinionated" proxy, so ideally we would use :path as-is.
-			// However, this HTTP/1 Request object belongs to the Go standard library,
-			// whose URL package makes some opinionated decisions about the encoding of
-			// URL characters: see the docs of https://godoc.org/net/url#URL,
-			// in particular the EscapedPath method https://godoc.org/net/url#URL.EscapedPath,
-			// which is always used when computing url.URL.String(), whether we'd like it or not.
-			//
-			// Well, not *always*. We could circumvent this by using url.URL.Opaque. But
-			// that would present unusual difficulties when using an HTTP proxy: url.URL.Opaque
-			// is treated differently when HTTP_PROXY is set!
-			// See https://github.com/golang/go/issues/5684#issuecomment-66080888
-			//
-			// This means we are subject to the behavior of net/url's function `shouldEscape`
-			// (as invoked with mode=encodePath): https://github.com/golang/go/blob/go1.12.7/src/net/url/url.go#L101
-
-			if header.Value == "*" {
-				h1.URL.Path = "*"
-				continue
-			}
-			// Due to the behavior of validation.ValidateUrl, h1.URL may
-			// already have a partial value, with or without a trailing slash.
-			base := h1.URL.String()
-			base = strings.TrimRight(base, "/")
-			// But we know :path begins with '/', because we handled '*' above - see RFC7540
-			requestURL, err := url.Parse(base + header.Value)
-			if err != nil {
-				return errors.Wrap(err, fmt.Sprintf("invalid path '%v'", header.Value))
-			}
-			h1.URL = requestURL
-		case "content-length":
-			contentLength, err := strconv.ParseInt(header.Value, 10, 64)
-			if err != nil {
-				return fmt.Errorf("unparseable content length")
-			}
-			h1.ContentLength = contentLength
-		case RequestUserHeaders:
-			// Do not forward the serialized headers to the origin -- deserialize them, and ditch the serialized version
-			// Find and parse user headers serialized into a single one
-			userHeaders, err := DeserializeHeaders(header.Value)
-			if err != nil {
-				return errors.Wrap(err, "Unable to parse user headers")
-			}
-			for _, userHeader := range userHeaders {
-				h1.Header.Add(userHeader.Name, userHeader.Value)
-			}
-		default:
-			// All other control headers shall just be proxied transparently
-			h1.Header.Add(header.Name, header.Value)
-		}
-	}
-
-	return nil
-}
-
-func H1ResponseToH2ResponseHeaders(status int, h1 http.Header) (h2 []h2mux.Header) {
-	h2 = []h2mux.Header{
-		{Name: ":status", Value: strconv.Itoa(status)},
-	}
-	userHeaders := make(http.Header, len(h1))
-	for header, values := range h1 {
-		h2name := strings.ToLower(header)
-		if h2name == "content-length" {
-			// This header has meaning in HTTP/2 and will be used by the edge,
-			// so it should be sent as an HTTP/2 response header.
-
-			// Since these are http2 headers, they're required to be lowercase
-			h2 = append(h2, h2mux.Header{Name: "content-length", Value: values[0]})
-		} else if !IsH2muxControlResponseHeader(h2name) || IsWebsocketClientHeader(h2name) {
-			// User headers, on the other hand, must all be serialized so that
-			// HTTP/2 header validation won't be applied to HTTP/1 header values
-			userHeaders[header] = values
-		}
-	}
-
-	// Perform user header serialization and set them in the single header
-	h2 = append(h2, h2mux.Header{Name: ResponseUserHeaders, Value: SerializeHeaders(userHeaders)})
-	return h2
-}
-
-// IsH2muxControlRequestHeader is called in the direction of eyeball -> origin.
-func IsH2muxControlRequestHeader(headerName string) bool {
-	return headerName == "content-length" ||
-		headerName == "connection" || headerName == "upgrade" || // Websocket request headers
-		strings.HasPrefix(headerName, ":") ||
-		strings.HasPrefix(headerName, "cf-")
-}
-
-// IsH2muxControlResponseHeader is called in the direction of eyeball <- origin.
-func IsH2muxControlResponseHeader(headerName string) bool {
-	return headerName == "content-length" ||
-		strings.HasPrefix(headerName, ":") ||
-		strings.HasPrefix(headerName, "cf-int-") ||
-		strings.HasPrefix(headerName, "cf-cloudflared-")
-}

connection/h2mux_header_test.go

@@ -1,642 +0,0 @@
-package connection
-
-import (
-	"fmt"
-	"math/rand"
-	"net/http"
-	"net/url"
-	"reflect"
-	"regexp"
-	"strings"
-	"testing"
-	"testing/quick"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/cloudflare/cloudflared/h2mux"
-)
-
-type ByName []h2mux.Header
-
-func (a ByName) Len() int      { return len(a) }
-func (a ByName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
-func (a ByName) Less(i, j int) bool {
-	if a[i].Name == a[j].Name {
-		return a[i].Value < a[j].Value
-	}
-
-	return a[i].Name < a[j].Name
-}
-
-func TestH2RequestHeadersToH1Request_RegularHeaders(t *testing.T) {
-	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
-
-	mockHeaders := http.Header{
-		"Mock header 1": {"Mock value 1"},
-		"Mock header 2": {"Mock value 2"},
-	}
-
-	headersConversionErr := H2RequestHeadersToH1Request(createSerializedHeaders(RequestUserHeaders, mockHeaders), request)
-
-	assert.True(t, reflect.DeepEqual(mockHeaders, request.Header))
-	assert.NoError(t, headersConversionErr)
-}
-
-func createSerializedHeaders(headersField string, headers http.Header) []h2mux.Header {
-	return []h2mux.Header{{
-		Name:  headersField,
-		Value: SerializeHeaders(headers),
-	}}
-}
-
-func TestH2RequestHeadersToH1Request_NoHeaders(t *testing.T) {
-	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
-
-	emptyHeaders := make(http.Header)
-	headersConversionErr := H2RequestHeadersToH1Request(
-		[]h2mux.Header{{
-			Name:  RequestUserHeaders,
-			Value: SerializeHeaders(emptyHeaders),
-		}},
-		request,
-	)
-
-	assert.True(t, reflect.DeepEqual(emptyHeaders, request.Header))
-	assert.NoError(t, headersConversionErr)
-}
-
-func TestH2RequestHeadersToH1Request_InvalidHostPath(t *testing.T) {
-	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
-	assert.NoError(t, err)
-
-	mockRequestHeaders := []h2mux.Header{
-		{Name: ":path", Value: "//bad_path/"},
-		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
-	}
-
-	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
-
-	assert.Equal(t, http.Header{
-		"Mock header": []string{"Mock value"},
-	}, request.Header)
-
-	assert.Equal(t, "http://example.com//bad_path/", request.URL.String())
-
-	assert.NoError(t, headersConversionErr)
-}
-
-func TestH2RequestHeadersToH1Request_HostPathWithQuery(t *testing.T) {
-	request, err := http.NewRequest(http.MethodGet, "http://example.com/", nil)
-	assert.NoError(t, err)
-
-	mockRequestHeaders := []h2mux.Header{
-		{Name: ":path", Value: "/?query=mock%20value"},
-		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
-	}
-
-	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
-
-	assert.Equal(t, http.Header{
-		"Mock header": []string{"Mock value"},
-	}, request.Header)
-
-	assert.Equal(t, "http://example.com/?query=mock%20value", request.URL.String())
-
-	assert.NoError(t, headersConversionErr)
-}
-
-func TestH2RequestHeadersToH1Request_HostPathWithURLEncoding(t *testing.T) {
-	request, err := http.NewRequest(http.MethodGet, "http://example.com/", nil)
-	assert.NoError(t, err)
-
-	mockRequestHeaders := []h2mux.Header{
-		{Name: ":path", Value: "/mock%20path"},
-		{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
-	}
-
-	headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
-
-	assert.Equal(t, http.Header{
-		"Mock header": []string{"Mock value"},
-	}, request.Header)
-
-	assert.Equal(t, "http://example.com/mock%20path", request.URL.String())
-
-	assert.NoError(t, headersConversionErr)
-}
-
-func TestH2RequestHeadersToH1Request_WeirdURLs(t *testing.T) {
-	type testCase struct {
-		path string
-		want string
-	}
-	testCases := []testCase{
-		{
-			path: "",
-			want: "",
-		},
-		{
-			path: "/",
-			want: "/",
-		},
-		{
-			path: "//",
-			want: "//",
-		},
-		{
-			path: "/test",
-			want: "/test",
-		},
-		{
-			path: "//test",
-			want: "//test",
-		},
-		{
-			// https://github.com/cloudflare/cloudflared/issues/81
-			path: "//test/",
-			want: "//test/",
-		},
-		{
-			path: "/%2Ftest",
-			want: "/%2Ftest",
-		},
-		{
-			path: "//%20test",
-			want: "//%20test",
-		},
-		{
-			// https://github.com/cloudflare/cloudflared/issues/124
-			path: "/test?get=somthing%20a",
-			want: "/test?get=somthing%20a",
-		},
-		{
-			path: "/%20",
-			want: "/%20",
-		},
-		{
-			// stdlib's EscapedPath() will always percent-encode ' '
-			path: "/ ",
-			want: "/%20",
-		},
-		{
-			path: "/ a ",
-			want: "/%20a%20",
-		},
-		{
-			path: "/a%20b",
-			want: "/a%20b",
-		},
-		{
-			path: "/foo/bar;param?query#frag",
-			want: "/foo/bar;param?query#frag",
-		},
-		{
-			// stdlib's EscapedPath() will always percent-encode non-ASCII chars
-			path: "/a␠b",
-			want: "/a%E2%90%A0b",
-		},
-		{
-			path: "/a-umlaut-ä",
-			want: "/a-umlaut-%C3%A4",
-		},
-		{
-			path: "/a-umlaut-%C3%A4",
-			want: "/a-umlaut-%C3%A4",
-		},
-		{
-			path: "/a-umlaut-%c3%a4",
-			want: "/a-umlaut-%c3%a4",
-		},
-		{
-			// here the second '#' is treated as part of the fragment
-			path: "/a#b#c",
-			want: "/a#b%23c",
-		},
-		{
-			path: "/a#b␠c",
-			want: "/a#b%E2%90%A0c",
-		},
-		{
-			path: "/a#b%20c",
-			want: "/a#b%20c",
-		},
-		{
-			path: "/a#b c",
-			want: "/a#b%20c",
-		},
-		{
-			// stdlib's EscapedPath() will always percent-encode '\'
-			path: "/\\",
-			want: "/%5C",
-		},
-		{
-			path: "/a\\",
-			want: "/a%5C",
-		},
-		{
-			path: "/a,b.c.",
-			want: "/a,b.c.",
-		},
-		{
-			path: "/.",
-			want: "/.",
-		},
-		{
-			// stdlib's EscapedPath() will always percent-encode '`'
-			path: "/a`",
-			want: "/a%60",
-		},
-		{
-			path: "/a[0]",
-			want: "/a[0]",
-		},
-		{
-			path: "/?a[0]=5 &b[]=",
-			want: "/?a[0]=5 &b[]=",
-		},
-		{
-			path: "/?a=%22b%20%22",
-			want: "/?a=%22b%20%22",
-		},
-	}
-
-	for index, testCase := range testCases {
-		requestURL := "https://example.com"
-
-		request, err := http.NewRequest(http.MethodGet, requestURL, nil)
-		assert.NoError(t, err)
-
-		mockRequestHeaders := []h2mux.Header{
-			{Name: ":path", Value: testCase.path},
-			{Name: RequestUserHeaders, Value: SerializeHeaders(http.Header{"Mock header": {"Mock value"}})},
-		}
-
-		headersConversionErr := H2RequestHeadersToH1Request(mockRequestHeaders, request)
-		assert.NoError(t, headersConversionErr)
-
-		assert.Equal(t,
-			http.Header{
-				"Mock header": []string{"Mock value"},
-			},
-			request.Header)
-
-		assert.Equal(t,
-			"https://example.com"+testCase.want,
-			request.URL.String(),
-			"Failed URL index: %v %#v", index, testCase)
-	}
-}
-
-func TestH2RequestHeadersToH1Request_QuickCheck(t *testing.T) {
-	config := &quick.Config{
-		Values: func(args []reflect.Value, rand *rand.Rand) {
-			args[0] = reflect.ValueOf(randomHTTP2Path(t, rand))
-		},
-	}
-
-	type testOrigin struct {
-		url string
-
-		expectedScheme   string
-		expectedBasePath string
-	}
-	testOrigins := []testOrigin{
-		{
-			url:              "http://origin.hostname.example.com:8080",
-			expectedScheme:   "http",
-			expectedBasePath: "http://origin.hostname.example.com:8080",
-		},
-		{
-			url:              "http://origin.hostname.example.com:8080/",
-			expectedScheme:   "http",
-			expectedBasePath: "http://origin.hostname.example.com:8080",
-		},
-		{
-			url:              "http://origin.hostname.example.com:8080/api",
-			expectedScheme:   "http",
-			expectedBasePath: "http://origin.hostname.example.com:8080/api",
-		},
-		{
-			url:              "http://origin.hostname.example.com:8080/api/",
-			expectedScheme:   "http",
-			expectedBasePath: "http://origin.hostname.example.com:8080/api",
-		},
-		{
-			url:              "https://origin.hostname.example.com:8080/api",
-			expectedScheme:   "https",
-			expectedBasePath: "https://origin.hostname.example.com:8080/api",
-		},
-	}
-
-	// use multiple schemes to demonstrate that the URL is based on the
-	// origin's scheme, not the :scheme header
-	for _, testScheme := range []string{"http", "https"} {
-		for _, testOrigin := range testOrigins {
-			assertion := func(testPath string) bool {
-				const expectedMethod = "POST"
-				const expectedHostname = "request.hostname.example.com"
-
-				h2 := []h2mux.Header{
-					{Name: ":method", Value: expectedMethod},
-					{Name: ":scheme", Value: testScheme},
-					{Name: ":authority", Value: expectedHostname},
-					{Name: ":path", Value: testPath},
-					{Name: RequestUserHeaders, Value: ""},
-				}
-				h1, err := http.NewRequest("GET", testOrigin.url, nil)
-				require.NoError(t, err)
-
-				err = H2RequestHeadersToH1Request(h2, h1)
-				return assert.NoError(t, err) &&
-					assert.Equal(t, expectedMethod, h1.Method) &&
-					assert.Equal(t, expectedHostname, h1.Host) &&
-					assert.Equal(t, testOrigin.expectedScheme, h1.URL.Scheme) &&
-					assert.Equal(t, testOrigin.expectedBasePath+testPath, h1.URL.String())
-			}
-			err := quick.Check(assertion, config)
-			assert.NoError(t, err)
-		}
-	}
-}
-
-func randomASCIIPrintableChar(rand *rand.Rand) int {
-	// smallest printable ASCII char is 32, largest is 126
-	const startPrintable = 32
-	const endPrintable = 127
-	return startPrintable + rand.Intn(endPrintable-startPrintable)
-}
-
-// randomASCIIText generates an ASCII string, some of whose characters may be
-// percent-encoded. Its "logical length" (ignoring percent-encoding) is
-// between 1 and `maxLength`.
-func randomASCIIText(rand *rand.Rand, minLength int, maxLength int) string {
-	length := minLength + rand.Intn(maxLength)
-	var result strings.Builder
-	for i := 0; i < length; i++ {
-		c := randomASCIIPrintableChar(rand)
-
-		// 1/4 chance of using percent encoding when not necessary
-		if c == '%' || rand.Intn(4) == 0 {
-			result.WriteString(fmt.Sprintf("%%%02X", c))
-		} else {
-			result.WriteByte(byte(c))
-		}
-	}
-	return result.String()
-}
-
-// Calls `randomASCIIText` and ensures the result is a valid URL path,
-// i.e. one that can pass unchanged through url.URL.String()
-func randomHTTP1Path(t *testing.T, rand *rand.Rand, minLength int, maxLength int) string {
-	text := randomASCIIText(rand, minLength, maxLength)
-	re, err := regexp.Compile("[^/;,]*")
-	require.NoError(t, err)
-	return "/" + re.ReplaceAllStringFunc(text, url.PathEscape)
-}
-
-// Calls `randomASCIIText` and ensures the result is a valid URL query,
-// i.e. one that can pass unchanged through url.URL.String()
-func randomHTTP1Query(rand *rand.Rand, minLength int, maxLength int) string {
-	text := randomASCIIText(rand, minLength, maxLength)
-	return "?" + strings.ReplaceAll(text, "#", "%23")
-}
-
-// Calls `randomASCIIText` and ensures the result is a valid URL fragment,
-// i.e. one that can pass unchanged through url.URL.String()
-func randomHTTP1Fragment(t *testing.T, rand *rand.Rand, minLength int, maxLength int) string {
-	text := randomASCIIText(rand, minLength, maxLength)
-	u, err := url.Parse("#" + text)
-	require.NoError(t, err)
-	return u.String()
-}
-
-// Assemble a random :path pseudoheader that is legal by Go stdlib standards
-// (i.e. all characters will satisfy "net/url".shouldEscape for their respective locations)
-func randomHTTP2Path(t *testing.T, rand *rand.Rand) string {
-	result := randomHTTP1Path(t, rand, 1, 64)
-	if rand.Intn(2) == 1 {
-		result += randomHTTP1Query(rand, 1, 32)
-	}
-	if rand.Intn(2) == 1 {
-		result += randomHTTP1Fragment(t, rand, 1, 16)
-	}
-	return result
-}
-
-func stdlibHeaderToH2muxHeader(headers http.Header) (h2muxHeaders []h2mux.Header) {
-	for name, values := range headers {
-		for _, value := range values {
-			h2muxHeaders = append(h2muxHeaders, h2mux.Header{Name: name, Value: value})
-		}
-	}
-
-	return h2muxHeaders
-}
-
-func TestParseRequestHeaders(t *testing.T) {
-	mockUserHeadersToSerialize := http.Header{
-		"Mock-Header-One":   {"1", "1.5"},
-		"Mock-Header-Two":   {"2"},
-		"Mock-Header-Three": {"3"},
-	}
-
-	mockHeaders := []h2mux.Header{
-		{Name: "One", Value: "1"}, // will be dropped
-		{Name: "Cf-Two", Value: "cf-value-1"},
-		{Name: "Cf-Two", Value: "cf-value-2"},
-		{Name: RequestUserHeaders, Value: SerializeHeaders(mockUserHeadersToSerialize)},
-	}
-
-	expectedHeaders := []h2mux.Header{
-		{Name: "Cf-Two", Value: "cf-value-1"},
-		{Name: "Cf-Two", Value: "cf-value-2"},
-		{Name: "Mock-Header-One", Value: "1"},
-		{Name: "Mock-Header-One", Value: "1.5"},
-		{Name: "Mock-Header-Two", Value: "2"},
-		{Name: "Mock-Header-Three", Value: "3"},
-	}
-	h1 := &http.Request{
-		Header: make(http.Header),
-	}
-	err := H2RequestHeadersToH1Request(mockHeaders, h1)
-	assert.NoError(t, err)
-	assert.ElementsMatch(t, expectedHeaders, stdlibHeaderToH2muxHeader(h1.Header))
-}
-
-func TestIsH2muxControlRequestHeader(t *testing.T) {
-	controlRequestHeaders := []string{
-		// Anything that begins with cf-
-		"cf-sample-header",
-
-		// Any http2 pseudoheader
-		":sample-pseudo-header",
-
-		// content-length is a special case, it has to be there
-		// for some requests to work (per the HTTP2 spec)
-		"content-length",
-
-		// Websocket request headers
-		"connection",
-		"upgrade",
-	}
-
-	for _, header := range controlRequestHeaders {
-		assert.True(t, IsH2muxControlRequestHeader(header))
-	}
-}
-
-func TestIsH2muxControlResponseHeader(t *testing.T) {
-	controlResponseHeaders := []string{
-		// Anything that begins with cf-int- or cf-cloudflared-
-		"cf-int-sample-header",
-		"cf-cloudflared-sample-header",
-
-		// Any http2 pseudoheader
-		":sample-pseudo-header",
-
-		// content-length is a special case, it has to be there
-		// for some requests to work (per the HTTP2 spec)
-		"content-length",
-	}
-
-	for _, header := range controlResponseHeaders {
-		assert.True(t, IsH2muxControlResponseHeader(header))
-	}
-}
-
-func TestIsNotH2muxControlRequestHeader(t *testing.T) {
-	notControlRequestHeaders := []string{
-		"mock-header",
-		"another-sample-header",
-	}
-
-	for _, header := range notControlRequestHeaders {
-		assert.False(t, IsH2muxControlRequestHeader(header))
-	}
-}
-
-func TestIsNotH2muxControlResponseHeader(t *testing.T) {
-	notControlResponseHeaders := []string{
-		"mock-header",
-		"another-sample-header",
-		"upgrade",
-		"connection",
-		"cf-whatever", // On the response path, we only want to filter cf-int- and cf-cloudflared-
-	}
-
-	for _, header := range notControlResponseHeaders {
-		assert.False(t, IsH2muxControlResponseHeader(header))
-	}
-}
-
-func TestH1ResponseToH2ResponseHeaders(t *testing.T) {
-	mockHeaders := http.Header{
-		"User-header-one":       {""},
-		"User-header-two":       {"1", "2"},
-		"cf-header":             {"cf-value"},
-		"cf-int-header":         {"cf-int-value"},
-		"cf-cloudflared-header": {"cf-cloudflared-value"},
-		"Content-Length":        {"123"},
-	}
-	mockResponse := http.Response{
-		StatusCode: 200,
-		Header:     mockHeaders,
-	}
-
-	headers := H1ResponseToH2ResponseHeaders(mockResponse.StatusCode, mockResponse.Header)
-
-	serializedHeadersIndex := -1
-	for i, header := range headers {
-		if header.Name == ResponseUserHeaders {
-			serializedHeadersIndex = i
-			break
-		}
-	}
-	assert.NotEqual(t, -1, serializedHeadersIndex)
-	actualControlHeaders := append(
-		headers[:serializedHeadersIndex],
-		headers[serializedHeadersIndex+1:]...,
-	)
-	expectedControlHeaders := []h2mux.Header{
-		{Name: ":status", Value: "200"},
-		{Name: "content-length", Value: "123"},
-	}
-
-	assert.ElementsMatch(t, expectedControlHeaders, actualControlHeaders)
-
-	actualUserHeaders, err := DeserializeHeaders(headers[serializedHeadersIndex].Value)
-	expectedUserHeaders := []h2mux.Header{
-		{Name: "User-header-one", Value: ""},
-		{Name: "User-header-two", Value: "1"},
-		{Name: "User-header-two", Value: "2"},
-		{Name: "cf-header", Value: "cf-value"},
-	}
-	assert.NoError(t, err)
-	assert.ElementsMatch(t, expectedUserHeaders, actualUserHeaders)
-}
-
-// The purpose of this test is to check that our code and the http.Header
-// implementation don't throw validation errors about header size
-func TestHeaderSize(t *testing.T) {
-	largeValue := randSeq(5 * 1024 * 1024) // 5Mb
-	largeHeaders := http.Header{
-		"User-header": {largeValue},
-	}
-	mockResponse := http.Response{
-		StatusCode: 200,
-		Header:     largeHeaders,
-	}
-
-	serializedHeaders := H1ResponseToH2ResponseHeaders(mockResponse.StatusCode, mockResponse.Header)
-	request, err := http.NewRequest(http.MethodGet, "https://example.com/", nil)
-	assert.NoError(t, err)
-	for _, header := range serializedHeaders {
-		request.Header.Set(header.Name, header.Value)
-	}
-
-	for _, header := range serializedHeaders {
-		if header.Name != ResponseUserHeaders {
-			continue
-		}
-
-		deserializedHeaders, err := DeserializeHeaders(header.Value)
-		assert.NoError(t, err)
-		assert.Equal(t, largeValue, deserializedHeaders[0].Value)
-	}
-}
-
-func randSeq(n int) string {
-	randomizer := rand.New(rand.NewSource(17))
-	var letters = []rune(":;,+/=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
-	b := make([]rune, n)
-	for i := range b {
-		b[i] = letters[randomizer.Intn(len(letters))]
-	}
-	return string(b)
-}
-
-func BenchmarkH1ResponseToH2ResponseHeaders(b *testing.B) {
-	ser := "eC1mb3J3YXJkZWQtcHJvdG8:aHR0cHM;dXBncmFkZS1pbnNlY3VyZS1yZXF1ZXN0cw:MQ;YWNjZXB0LWxhbmd1YWdl:ZW4tVVMsZW47cT0wLjkscnU7cT0wLjg;YWNjZXB0LWVuY29kaW5n:Z3ppcA;eC1mb3J3YXJkZWQtZm9y:MTczLjI0NS42MC42;dXNlci1hZ2VudA:TW96aWxsYS81LjAgKE1hY2ludG9zaDsgSW50ZWwgTWFjIE9TIFggMTBfMTRfNikgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzg0LjAuNDE0Ny44OSBTYWZhcmkvNTM3LjM2;c2VjLWZldGNoLW1vZGU:bmF2aWdhdGU;Y2RuLWxvb3A:Y2xvdWRmbGFyZQ;c2VjLWZldGNoLWRlc3Q:ZG9jdW1lbnQ;c2VjLWZldGNoLXVzZXI:PzE;c2VjLWZldGNoLXNpdGU:bm9uZQ;Y29va2ll:X19jZmR1aWQ9ZGNkOWZjOGNjNWMxMzE0NTMyYTFkMjhlZDEyOWRhOTYwMTU2OTk1MTYzNDsgX19jZl9ibT1mYzY2MzMzYzAzZmM0MWFiZTZmOWEyYzI2ZDUwOTA0YzIxYzZhMTQ2LTE1OTU2MjIzNDEtMTgwMC1BZTVzS2pIU2NiWGVFM05mMUhrTlNQMG1tMHBLc2pQWkloVnM1Z2g1SkNHQkFhS1UxVDB2b003alBGN3FjMHVSR2NjZGcrWHdhL1EzbTJhQzdDVU4xZ2M9;YWNjZXB0:dGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2Uvd2VicCxpbWFnZS9hcG5nLCovKjtxPTAuOCxhcHBsaWNhdGlvbi9zaWduZWQtZXhjaGFuZ2U7dj1iMztxPTAuOQ"
-	h2, _ := DeserializeHeaders(ser)
-	h1 := make(http.Header)
-	for _, header := range h2 {
-		h1.Add(header.Name, header.Value)
-	}
-	h1.Add("Content-Length", "200")
-	h1.Add("Cf-Something", "Else")
-	h1.Add("Upgrade", "websocket")
-
-	h1resp := &http.Response{
-		StatusCode: 200,
-		Header:     h1,
-	}
-
-	b.ReportAllocs()
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		_ = H1ResponseToH2ResponseHeaders(h1resp.StatusCode, h1resp.Header)
-	}
-}

connection/header.go

@@ -7,33 +7,40 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-
-	"github.com/cloudflare/cloudflared/h2mux"
 )
 
 var (
-	// h2mux-style special headers
+	// internal special headers
 	RequestUserHeaders  = "cf-cloudflared-request-headers"
 	ResponseUserHeaders = "cf-cloudflared-response-headers"
 	ResponseMetaHeader  = "cf-cloudflared-response-meta"
 
-	// h2mux-style special headers
+	// internal special headers
 	CanonicalResponseUserHeaders = http.CanonicalHeaderKey(ResponseUserHeaders)
 	CanonicalResponseMetaHeader  = http.CanonicalHeaderKey(ResponseMetaHeader)
 )
 
 var (
 	// pre-generate possible values for res
-	responseMetaHeaderCfd    = mustInitRespMetaHeader("cloudflared")
-	responseMetaHeaderOrigin = mustInitRespMetaHeader("origin")
+	responseMetaHeaderCfd                = mustInitRespMetaHeader("cloudflared", false)
+	responseMetaHeaderCfdFlowRateLimited = mustInitRespMetaHeader("cloudflared", true)
+	responseMetaHeaderOrigin             = mustInitRespMetaHeader("origin", false)
 )
 
+// HTTPHeader is a custom header struct that expects only ever one value for the header.
+// This structure is used to serialize the headers and attach them to the HTTP2 request when proxying.
+type HTTPHeader struct {
+	Name  string
+	Value string
+}
+
 type responseMetaHeader struct {
 	Source          string `json:"src"`
+	FlowRateLimited bool   `json:"flow_rate_limited,omitempty"`
 }
 
-func mustInitRespMetaHeader(src string) string {
-	header, err := json.Marshal(responseMetaHeader{Source: src})
+func mustInitRespMetaHeader(src string, flowRateLimited bool) string {
+	header, err := json.Marshal(responseMetaHeader{Source: src, FlowRateLimited: flowRateLimited})
 	if err != nil {
 		panic(fmt.Sprintf("Failed to serialize response meta header = %s, err: %v", src, err))
 	}
@@ -104,10 +111,10 @@ func SerializeHeaders(h1Headers http.Header) string {
 }
 
 // Deserialize headers serialized by `SerializeHeader`
-func DeserializeHeaders(serializedHeaders string) ([]h2mux.Header, error) {
+func DeserializeHeaders(serializedHeaders string) ([]HTTPHeader, error) {
 	const unableToDeserializeErr = "Unable to deserialize headers"
 
-	var deserialized []h2mux.Header
+	deserialized := make([]HTTPHeader, 0)
 	for _, serializedPair := range strings.Split(serializedHeaders, ";") {
 		if len(serializedPair) == 0 {
 			continue
@@ -130,7 +137,7 @@ func DeserializeHeaders(serializedHeaders string) ([]h2mux.Header, error) {
 			return nil, errors.Wrap(err, unableToDeserializeErr)
 		}
 
-		deserialized = append(deserialized, h2mux.Header{
+		deserialized = append(deserialized, HTTPHeader{
 			Name:  string(deserializedName),
 			Value: string(deserializedValue),
 		})

connection/header_test.go

@@ -46,18 +46,40 @@ func TestSerializeHeaders(t *testing.T) {
 	assert.NoError(t, err)
 
 	assert.Equal(t, 13, len(deserializedHeaders))
-	h2muxExpectedHeaders := stdlibHeaderToH2muxHeader(mockHeaders)
+	expectedHeaders := headerToReqHeader(mockHeaders)
 
 	sort.Sort(ByName(deserializedHeaders))
-	sort.Sort(ByName(h2muxExpectedHeaders))
+	sort.Sort(ByName(expectedHeaders))
 
 	assert.True(
 		t,
-		reflect.DeepEqual(h2muxExpectedHeaders, deserializedHeaders),
-		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, h2muxExpectedHeaders),
+		reflect.DeepEqual(expectedHeaders, deserializedHeaders),
+		fmt.Sprintf("got = %#v, want = %#v\n", deserializedHeaders, expectedHeaders),
 	)
 }
 
+type ByName []HTTPHeader
+
+func (a ByName) Len() int      { return len(a) }
+func (a ByName) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+func (a ByName) Less(i, j int) bool {
+	if a[i].Name == a[j].Name {
+		return a[i].Value < a[j].Value
+	}
+
+	return a[i].Name < a[j].Name
+}
+
+func headerToReqHeader(headers http.Header) (reqHeaders []HTTPHeader) {
+	for name, values := range headers {
+		for _, value := range values {
+			reqHeaders = append(reqHeaders, HTTPHeader{Name: name, Value: value})
+		}
+	}
+
+	return reqHeaders
+}
+
 func TestSerializeNoHeaders(t *testing.T) {
 	request, err := http.NewRequest(http.MethodGet, "http://example.com", nil)
 	assert.NoError(t, err)

connection/http2.go

@@ -16,8 +16,10 @@ import (
 	"github.com/rs/zerolog"
 	"golang.org/x/net/http2"
 
+	cfdflow "github.com/cloudflare/cloudflared/flow"
+
 	"github.com/cloudflare/cloudflared/tracing"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 // note: these constants are exported so we can reuse them in the edge-side code
@@ -37,11 +39,9 @@ type HTTP2Connection struct {
 	conn         net.Conn
 	server       *http2.Server
 	orchestrator Orchestrator
-	connOptions  *tunnelpogs.ConnectionOptions
+	connOptions  *pogs.ConnectionOptions
 	observer     *Observer
 	connIndex    uint8
-	// newRPCClientFunc allows us to mock RPCs during testing
-	newRPCClientFunc func(context.Context, io.ReadWriteCloser, *zerolog.Logger) NamedTunnelRPCClient
 
 	log                  *zerolog.Logger
 	activeRequestsWG     sync.WaitGroup
@@ -54,7 +54,7 @@ type HTTP2Connection struct {
 func NewHTTP2Connection(
 	conn net.Conn,
 	orchestrator Orchestrator,
-	connOptions *tunnelpogs.ConnectionOptions,
+	connOptions *pogs.ConnectionOptions,
 	observer *Observer,
 	connIndex uint8,
 	controlStreamHandler ControlStreamHandler,
@@ -69,7 +69,6 @@ func NewHTTP2Connection(
 		connOptions:          connOptions,
 		observer:             observer,
 		connIndex:            connIndex,
-		newRPCClientFunc:     newRegistrationRPCClient,
 		controlStreamHandler: controlStreamHandler,
 		log:                  log,
 	}
@@ -159,7 +158,7 @@ func (c *HTTP2Connection) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		c.log.Error().Err(requestErr).Msg("failed to serve incoming request")
 
 		// WriteErrorResponse will return false if status was already written. we need to abort handler.
-		if !respWriter.WriteErrorResponse() {
+		if !respWriter.WriteErrorResponse(requestErr) {
 			c.log.Debug().Msg("Handler aborted due to failure to write error response after status already sent")
 			panic(http.ErrAbortHandler)
 		}
@@ -212,8 +211,9 @@ func NewHTTP2RespWriter(r *http.Request, w http.ResponseWriter, connType Type, l
 			w:   w,
 			log: log,
 		}
-		respWriter.WriteErrorResponse()
-		return nil, fmt.Errorf("%T doesn't implement http.Flusher", w)
+		err := fmt.Errorf("%T doesn't implement http.Flusher", w)
+		respWriter.WriteErrorResponse(err)
+		return nil, err
 	}
 
 	return &http2RespWriter{
@@ -298,7 +298,7 @@ func (rp *http2RespWriter) WriteHeader(status int) {
 		rp.log.Warn().Msg("WriteHeader after hijack")
 		return
 	}
-	rp.WriteRespHeaders(status, rp.respHeaders)
+	_ = rp.WriteRespHeaders(status, rp.respHeaders)
 }
 
 func (rp *http2RespWriter) hijacked() bool {
@@ -331,12 +331,16 @@ func (rp *http2RespWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return conn, readWriter, nil
 }
 
-func (rp *http2RespWriter) WriteErrorResponse() bool {
+func (rp *http2RespWriter) WriteErrorResponse(err error) bool {
 	if rp.statusWritten {
 		return false
 	}
 
+	if errors.Is(err, cfdflow.ErrTooManyActiveFlows) {
+		rp.setResponseMetaHeader(responseMetaHeaderCfdFlowRateLimited)
+	} else {
 		rp.setResponseMetaHeader(responseMetaHeaderCfd)
+	}
 	rp.w.WriteHeader(http.StatusBadGateway)
 	rp.statusWritten = true
 
@@ -388,8 +392,7 @@ func determineHTTP2Type(r *http.Request) Type {
 func handleMissingRequestParts(connType Type, r *http.Request) {
 	if connType == TypeHTTP {
 		// http library has no guarantees that we receive a filled URL. If not, then we fill it, as we reuse the request
-		// for proxying. We use the same values as we used to in h2mux. For proxying they should not matter since we
-		// control the dialer on every egress proxied.
+		// for proxying. For proxying they should not matter since we control the dialer on every egress proxied.
 		if len(r.URL.Scheme) == 0 {
 			r.URL.Scheme = "http"
 		}

connection/http2_test.go

@@ -20,8 +20,10 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 
+	"github.com/cloudflare/cloudflared/tracing"
+
+	"github.com/cloudflare/cloudflared/tunnelrpc"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
 )
 
 var (
@@ -36,10 +38,11 @@ func newTestHTTP2Connection() (*HTTP2Connection, net.Conn) {
 	controlStream := NewControlStream(
 		obs,
 		mockConnectedFuse{},
-		&NamedTunnelProperties{},
+		&TunnelProperties{},
 		connIndex,
 		nil,
 		nil,
+		1*time.Second,
 		nil,
 		1*time.Second,
 		HTTP2,
@@ -64,19 +67,18 @@ func TestHTTP2ConfigurationSet(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
 	require.NoError(t, err)
 
-	endpoint := fmt.Sprintf("http://localhost:8080/ok")
 	reqBody := []byte(`{
 "version": 2, 
 "config": {"warp-routing": {"enabled": true},  "originRequest" : {"connectTimeout": 10}, "ingress" : [ {"hostname": "test", "service": "https://localhost:8000" } , {"service": "http_status:404"} ]}}
 `)
 	reader := bytes.NewReader(reqBody)
-	req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint, reader)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPut, "http://localhost:8080/ok", reader)
 	require.NoError(t, err)
 	req.Header.Set(InternalUpgradeHeader, ConfigurationUpdate)
 
@@ -84,11 +86,11 @@ func TestHTTP2ConfigurationSet(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 	bdy, err := io.ReadAll(resp.Body)
+	defer resp.Body.Close()
 	require.NoError(t, err)
 	assert.Equal(t, `{"lastAppliedVersion":2,"err":null}`, string(bdy))
 	cancel()
 	wg.Wait()
-
 }
 
 func TestServeHTTP(t *testing.T) {
@@ -133,7 +135,7 @@ func TestServeHTTP(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
@@ -152,6 +154,7 @@ func TestServeHTTP(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, test.expectedBody, respBody)
 		}
+		_ = resp.Body.Close()
 		if test.isProxyError {
 			require.Equal(t, responseMetaHeaderCfd, resp.Header.Get(ResponseMetaHeader))
 		} else {
@@ -168,31 +171,32 @@ type mockNamedTunnelRPCClient struct {
 	unregistered chan struct{}
 }
 
-func (mc mockNamedTunnelRPCClient) SendLocalConfiguration(c context.Context, config []byte, observer *Observer) error {
+func (mc mockNamedTunnelRPCClient) SendLocalConfiguration(c context.Context, config []byte) error {
 	return nil
 }
 
 func (mc mockNamedTunnelRPCClient) RegisterConnection(
-	c context.Context,
-	properties *NamedTunnelProperties,
-	options *tunnelpogs.ConnectionOptions,
+	ctx context.Context,
+	auth pogs.TunnelAuth,
+	tunnelID uuid.UUID,
+	options *pogs.ConnectionOptions,
 	connIndex uint8,
 	edgeAddress net.IP,
-	observer *Observer,
-) (*tunnelpogs.ConnectionDetails, error) {
+) (*pogs.ConnectionDetails, error) {
 	if mc.shouldFail != nil {
 		return nil, mc.shouldFail
 	}
 	close(mc.registered)
-	return &tunnelpogs.ConnectionDetails{
+	return &pogs.ConnectionDetails{
 		Location:                "LIS",
 		UUID:                    uuid.New(),
 		TunnelIsRemotelyManaged: false,
 	}, nil
 }
 
-func (mc mockNamedTunnelRPCClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) {
+func (mc mockNamedTunnelRPCClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) error {
 	close(mc.unregistered)
+	return nil
 }
 
 func (mockNamedTunnelRPCClient) Close() {}
@@ -203,8 +207,8 @@ type mockRPCClientFactory struct {
 	unregistered chan struct{}
 }
 
-func (mf *mockRPCClientFactory) newMockRPCClient(context.Context, io.ReadWriteCloser, *zerolog.Logger) NamedTunnelRPCClient {
-	return mockNamedTunnelRPCClient{
+func (mf *mockRPCClientFactory) newMockRPCClient(context.Context, io.ReadWriteCloser, time.Duration) tunnelrpc.RegistrationClient {
+	return &mockNamedTunnelRPCClient{
 		shouldFail:   mf.shouldFail,
 		registered:   mf.registered,
 		unregistered: mf.unregistered,
@@ -279,10 +283,11 @@ func TestServeWS(t *testing.T) {
 
 	respBody, err := wsutil.ReadServerBinary(respWriter.RespBody())
 	require.NoError(t, err)
-	require.Equal(t, data, respBody, fmt.Sprintf("Expect %s, got %s", string(data), string(respBody)))
+	require.Equal(t, data, respBody, "expect %s, got %s", string(data), string(respBody))
 
 	cancel()
 	resp := respWriter.Result()
+	defer resp.Body.Close()
 	// http2RespWriter should rewrite status 101 to 200
 	require.Equal(t, http.StatusOK, resp.StatusCode)
 	require.Equal(t, responseMetaHeaderOrigin, resp.Header.Get(ResponseMetaHeader))
@@ -302,7 +307,7 @@ func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 	serverDone := make(chan struct{})
 	go func() {
 		defer close(serverDone)
-		cfdHTTP2Conn.Serve(ctx)
+		_ = cfdHTTP2Conn.Serve(ctx)
 	}()
 
 	edgeTransport := http2.Transport{}
@@ -317,13 +322,16 @@ func TestNoWriteAfterServeHTTPReturns(t *testing.T) {
 			readPipe, writePipe := io.Pipe()
 			reqCtx, reqCancel := context.WithCancel(ctx)
 			req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, "http://localhost:8080/ws/flaky", readPipe)
-			require.NoError(t, err)
+			assert.NoError(t, err)
+
 			req.Header.Set(InternalUpgradeHeader, WebsocketUpgrade)
 
 			resp, err := edgeHTTP2Conn.RoundTrip(req)
-			require.NoError(t, err)
+			assert.NoError(t, err)
+			_ = resp.Body.Close()
+
 			// http2RespWriter should rewrite status 101 to 200
-			require.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
 
 			wg.Add(1)
 			go func() {
@@ -360,10 +368,11 @@ func TestServeControlStream(t *testing.T) {
 	controlStream := NewControlStream(
 		obs,
 		mockConnectedFuse{},
-		&NamedTunnelProperties{},
+		&TunnelProperties{},
 		1,
 		nil,
 		rpcClientFactory.newMockRPCClient,
+		1*time.Second,
 		nil,
 		1*time.Second,
 		HTTP2,
@@ -375,7 +384,7 @@ func TestServeControlStream(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@@ -388,7 +397,8 @@ func TestServeControlStream(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		edgeHTTP2Conn.RoundTrip(req)
+		// nolint: bodyclose
+		_, _ = edgeHTTP2Conn.RoundTrip(req)
 	}()
 
 	<-rpcClientFactory.registered
@@ -412,10 +422,11 @@ func TestFailRegistration(t *testing.T) {
 	controlStream := NewControlStream(
 		obs,
 		mockConnectedFuse{},
-		&NamedTunnelProperties{},
+		&TunnelProperties{},
 		http2Conn.connIndex,
 		nil,
 		rpcClientFactory.newMockRPCClient,
+		1*time.Second,
 		nil,
 		1*time.Second,
 		HTTP2,
@@ -427,7 +438,7 @@ func TestFailRegistration(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@@ -438,9 +449,10 @@ func TestFailRegistration(t *testing.T) {
 	require.NoError(t, err)
 	resp, err := edgeHTTP2Conn.RoundTrip(req)
 	require.NoError(t, err)
+	defer resp.Body.Close()
 	require.Equal(t, http.StatusBadGateway, resp.StatusCode)
 
-	assert.NotNil(t, http2Conn.controlStreamErr)
+	require.Error(t, http2Conn.controlStreamErr)
 	cancel()
 	wg.Wait()
 }
@@ -460,10 +472,11 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	controlStream := NewControlStream(
 		obs,
 		mockConnectedFuse{},
-		&NamedTunnelProperties{},
+		&TunnelProperties{},
 		http2Conn.connIndex,
 		nil,
 		rpcClientFactory.newMockRPCClient,
+		1*time.Second,
 		shutdownC,
 		1*time.Second,
 		HTTP2,
@@ -476,7 +489,7 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080/", nil)
@@ -489,6 +502,7 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
+		// nolint: bodyclose
 		_, _ = edgeHTTP2Conn.RoundTrip(req)
 	}()
 
@@ -519,6 +533,36 @@ func TestGracefulShutdownHTTP2(t *testing.T) {
 	})
 }
 
+func TestServeTCP_RateLimited(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	http2Conn, edgeConn := newTestHTTP2Connection()
+
+	var wg sync.WaitGroup
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		_ = http2Conn.Serve(ctx)
+	}()
+
+	edgeHTTP2Conn, err := testTransport.NewClientConn(edgeConn)
+	require.NoError(t, err)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:8080", nil)
+	require.NoError(t, err)
+	req.Header.Set(InternalTCPProxySrcHeader, "tcp")
+	req.Header.Set(tracing.TracerContextName, "flow-rate-limited")
+
+	resp, err := edgeHTTP2Conn.RoundTrip(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusBadGateway, resp.StatusCode)
+	require.Equal(t, responseMetaHeaderCfdFlowRateLimited, resp.Header.Get(ResponseMetaHeader))
+
+	cancel()
+	wg.Wait()
+}
+
 func benchmarkServeHTTP(b *testing.B, test testRequest) {
 	http2Conn, edgeConn := newTestHTTP2Connection()
 
@@ -527,7 +571,7 @@ func benchmarkServeHTTP(b *testing.B, test testRequest) {
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
-		http2Conn.Serve(ctx)
+		_ = http2Conn.Serve(ctx)
 	}()
 
 	endpoint := fmt.Sprintf("http://localhost:8080/%s", test.endpoint)

connection/metrics.go

@@ -2,11 +2,8 @@ package connection
 
 import (
 	"sync"
-	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
-
-	"github.com/cloudflare/cloudflared/h2mux"
 )
 
 const (
@@ -16,34 +13,12 @@ const (
 	configSubsystem  = "config"
 )
 
-type muxerMetrics struct {
-	rtt              *prometheus.GaugeVec
-	rttMin           *prometheus.GaugeVec
-	rttMax           *prometheus.GaugeVec
-	receiveWindowAve *prometheus.GaugeVec
-	sendWindowAve    *prometheus.GaugeVec
-	receiveWindowMin *prometheus.GaugeVec
-	receiveWindowMax *prometheus.GaugeVec
-	sendWindowMin    *prometheus.GaugeVec
-	sendWindowMax    *prometheus.GaugeVec
-	inBoundRateCurr  *prometheus.GaugeVec
-	inBoundRateMin   *prometheus.GaugeVec
-	inBoundRateMax   *prometheus.GaugeVec
-	outBoundRateCurr *prometheus.GaugeVec
-	outBoundRateMin  *prometheus.GaugeVec
-	outBoundRateMax  *prometheus.GaugeVec
-	compBytesBefore  *prometheus.GaugeVec
-	compBytesAfter   *prometheus.GaugeVec
-	compRateAve      *prometheus.GaugeVec
-}
-
 type localConfigMetrics struct {
 	pushes       prometheus.Counter
 	pushesErrors prometheus.Counter
 }
 
 type tunnelMetrics struct {
-	timerRetries    prometheus.Gauge
 	serverLocations *prometheus.GaugeVec
 	// locationLock is a mutex for oldServerLocations
 	locationLock sync.Mutex
@@ -54,7 +29,6 @@ type tunnelMetrics struct {
 	regFail    *prometheus.CounterVec
 	rpcFail    *prometheus.CounterVec
 
-	muxerMetrics        *muxerMetrics
 	tunnelsHA           tunnelsForHA
 	userHostnamesCounts *prometheus.CounterVec
 
@@ -92,252 +66,6 @@ func newLocalConfigMetrics() *localConfigMetrics {
 	}
 }
 
-func newMuxerMetrics() *muxerMetrics {
-	rtt := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "rtt",
-			Help:      "Round-trip time in millisecond",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(rtt)
-
-	rttMin := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "rtt_min",
-			Help:      "Shortest round-trip time in millisecond",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(rttMin)
-
-	rttMax := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "rtt_max",
-			Help:      "Longest round-trip time in millisecond",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(rttMax)
-
-	receiveWindowAve := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "receive_window_ave",
-			Help:      "Average receive window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(receiveWindowAve)
-
-	sendWindowAve := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "send_window_ave",
-			Help:      "Average send window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(sendWindowAve)
-
-	receiveWindowMin := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "receive_window_min",
-			Help:      "Smallest receive window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(receiveWindowMin)
-
-	receiveWindowMax := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "receive_window_max",
-			Help:      "Largest receive window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(receiveWindowMax)
-
-	sendWindowMin := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "send_window_min",
-			Help:      "Smallest send window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(sendWindowMin)
-
-	sendWindowMax := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "send_window_max",
-			Help:      "Largest send window size in bytes",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(sendWindowMax)
-
-	inBoundRateCurr := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "inbound_bytes_per_sec_curr",
-			Help:      "Current inbounding bytes per second, 0 if there is no incoming connection",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(inBoundRateCurr)
-
-	inBoundRateMin := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "inbound_bytes_per_sec_min",
-			Help:      "Minimum non-zero inbounding bytes per second",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(inBoundRateMin)
-
-	inBoundRateMax := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "inbound_bytes_per_sec_max",
-			Help:      "Maximum inbounding bytes per second",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(inBoundRateMax)
-
-	outBoundRateCurr := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "outbound_bytes_per_sec_curr",
-			Help:      "Current outbounding bytes per second, 0 if there is no outgoing traffic",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(outBoundRateCurr)
-
-	outBoundRateMin := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "outbound_bytes_per_sec_min",
-			Help:      "Minimum non-zero outbounding bytes per second",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(outBoundRateMin)
-
-	outBoundRateMax := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "outbound_bytes_per_sec_max",
-			Help:      "Maximum outbounding bytes per second",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(outBoundRateMax)
-
-	compBytesBefore := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "comp_bytes_before",
-			Help:      "Bytes sent via cross-stream compression, pre compression",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(compBytesBefore)
-
-	compBytesAfter := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "comp_bytes_after",
-			Help:      "Bytes sent via cross-stream compression, post compression",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(compBytesAfter)
-
-	compRateAve := prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: muxerSubsystem,
-			Name:      "comp_rate_ave",
-			Help:      "Average outbound cross-stream compression ratio",
-		},
-		[]string{"connection_id"},
-	)
-	prometheus.MustRegister(compRateAve)
-
-	return &muxerMetrics{
-		rtt:              rtt,
-		rttMin:           rttMin,
-		rttMax:           rttMax,
-		receiveWindowAve: receiveWindowAve,
-		sendWindowAve:    sendWindowAve,
-		receiveWindowMin: receiveWindowMin,
-		receiveWindowMax: receiveWindowMax,
-		sendWindowMin:    sendWindowMin,
-		sendWindowMax:    sendWindowMax,
-		inBoundRateCurr:  inBoundRateCurr,
-		inBoundRateMin:   inBoundRateMin,
-		inBoundRateMax:   inBoundRateMax,
-		outBoundRateCurr: outBoundRateCurr,
-		outBoundRateMin:  outBoundRateMin,
-		outBoundRateMax:  outBoundRateMax,
-		compBytesBefore:  compBytesBefore,
-		compBytesAfter:   compBytesAfter,
-		compRateAve:      compRateAve,
-	}
-}
-
-func (m *muxerMetrics) update(connectionID string, metrics *h2mux.MuxerMetrics) {
-	m.rtt.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTT))
-	m.rttMin.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTTMin))
-	m.rttMax.WithLabelValues(connectionID).Set(convertRTTMilliSec(metrics.RTTMax))
-	m.receiveWindowAve.WithLabelValues(connectionID).Set(metrics.ReceiveWindowAve)
-	m.sendWindowAve.WithLabelValues(connectionID).Set(metrics.SendWindowAve)
-	m.receiveWindowMin.WithLabelValues(connectionID).Set(float64(metrics.ReceiveWindowMin))
-	m.receiveWindowMax.WithLabelValues(connectionID).Set(float64(metrics.ReceiveWindowMax))
-	m.sendWindowMin.WithLabelValues(connectionID).Set(float64(metrics.SendWindowMin))
-	m.sendWindowMax.WithLabelValues(connectionID).Set(float64(metrics.SendWindowMax))
-	m.inBoundRateCurr.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateCurr))
-	m.inBoundRateMin.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateMin))
-	m.inBoundRateMax.WithLabelValues(connectionID).Set(float64(metrics.InBoundRateMax))
-	m.outBoundRateCurr.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateCurr))
-	m.outBoundRateMin.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateMin))
-	m.outBoundRateMax.WithLabelValues(connectionID).Set(float64(metrics.OutBoundRateMax))
-	m.compBytesBefore.WithLabelValues(connectionID).Set(float64(metrics.CompBytesBefore.Value()))
-	m.compBytesAfter.WithLabelValues(connectionID).Set(float64(metrics.CompBytesAfter.Value()))
-	m.compRateAve.WithLabelValues(connectionID).Set(float64(metrics.CompRateAve()))
-}
-
-func convertRTTMilliSec(t time.Duration) float64 {
-	return float64(t / time.Millisecond)
-}
-
 // Metrics that can be collected without asking the edge
 func initTunnelMetrics() *tunnelMetrics {
 	maxConcurrentRequestsPerTunnel := prometheus.NewGaugeVec(
@@ -351,15 +79,6 @@ func initTunnelMetrics() *tunnelMetrics {
 	)
 	prometheus.MustRegister(maxConcurrentRequestsPerTunnel)
 
-	timerRetries := prometheus.NewGauge(
-		prometheus.GaugeOpts{
-			Namespace: MetricsNamespace,
-			Subsystem: TunnelSubsystem,
-			Name:      "timer_retries",
-			Help:      "Unacknowledged heart beats count",
-		})
-	prometheus.MustRegister(timerRetries)
-
 	serverLocations := prometheus.NewGaugeVec(
 		prometheus.GaugeOpts{
 			Namespace: MetricsNamespace,
@@ -416,10 +135,8 @@ func initTunnelMetrics() *tunnelMetrics {
 	prometheus.MustRegister(registerSuccess)
 
 	return &tunnelMetrics{
-		timerRetries:        timerRetries,
 		serverLocations:     serverLocations,
 		oldServerLocations:  make(map[string]string),
-		muxerMetrics:        newMuxerMetrics(),
 		tunnelsHA:           newTunnelsForHA(),
 		regSuccess:          registerSuccess,
 		regFail:             registerFail,
@@ -429,10 +146,6 @@ func initTunnelMetrics() *tunnelMetrics {
 	}
 }
 
-func (t *tunnelMetrics) updateMuxerMetrics(connectionID string, metrics *h2mux.MuxerMetrics) {
-	t.muxerMetrics.update(connectionID, metrics)
-}
-
 func (t *tunnelMetrics) registerServerLocation(connectionID, loc string) {
 	t.locationLock.Lock()
 	defer t.locationLock.Unlock()

connection/observer.go

@@ -47,7 +47,6 @@ func (o *Observer) RegisterSink(sink EventSink) {
 }
 
 func (o *Observer) logConnected(connectionID uuid.UUID, connIndex uint8, location string, address net.IP, protocol Protocol) {
-	o.sendEvent(Event{Index: connIndex, EventType: Connected, Location: location})
 	o.log.Info().
 		Int(management.EventTypeKey, int(management.Cloudflared)).
 		Str(LogFieldConnectionID, connectionID.String()).
@@ -63,8 +62,8 @@ func (o *Observer) sendRegisteringEvent(connIndex uint8) {
 	o.sendEvent(Event{Index: connIndex, EventType: RegisteringTunnel})
 }
 
-func (o *Observer) sendConnectedEvent(connIndex uint8, protocol Protocol, location string) {
-	o.sendEvent(Event{Index: connIndex, EventType: Connected, Protocol: protocol, Location: location})
+func (o *Observer) sendConnectedEvent(connIndex uint8, protocol Protocol, location string, edgeAddress net.IP) {
+	o.sendEvent(Event{Index: connIndex, EventType: Connected, Protocol: protocol, Location: location, EdgeAddress: edgeAddress})
 }
 
 func (o *Observer) SendURL(url string) {

connection/protocol.go

@@ -13,8 +13,8 @@ import (
 
 const (
 	AvailableProtocolFlagMessage = "Available protocols: 'auto' - automatically chooses the best protocol over time (the default; and also the recommended one); 'quic' - based on QUIC, relying on UDP egress to Cloudflare edge; 'http2' - using Go's HTTP2 library, relying on TCP egress to Cloudflare edge"
-	// edgeH2muxTLSServerName is the server name to establish h2mux connection with edge
-	edgeH2muxTLSServerName = "cftunnel.com"
+	// edgeH2muxTLSServerName is the server name to establish h2mux connection with edge (unused, but kept for legacy reference).
+	_ = "cftunnel.com"
 	// edgeH2TLSServerName is the server name to establish http2 connection with edge
 	edgeH2TLSServerName = "h2.cftunnel.com"
 	// edgeQUICServerName is the server name to establish quic connection with edge.
@@ -24,11 +24,9 @@ const (
 	ResolveTTL = time.Hour
 )
 
-var (
 // ProtocolList represents a list of supported protocols for communication with the edge
 // in order of precedence for remote percentage fetcher.
-	ProtocolList = []Protocol{QUIC, HTTP2}
-)
+var ProtocolList = []Protocol{QUIC, HTTP2}
 
 type Protocol int64
 
@@ -58,7 +56,7 @@ func (p Protocol) String() string {
 	case QUIC:
 		return "quic"
 	default:
-		return fmt.Sprintf("unknown protocol")
+		return "unknown protocol"
 	}
 }
 
@@ -246,11 +244,11 @@ func NewProtocolSelector(
 		return newRemoteProtocolSelector(fetchedProtocol, ProtocolList, threshold, protocolFetcher, resolveTTL, log), nil
 	}
 
-	return nil, fmt.Errorf("Unknown protocol %s, %s", protocolFlag, AvailableProtocolFlagMessage)
+	return nil, fmt.Errorf("unknown protocol %s, %s", protocolFlag, AvailableProtocolFlagMessage)
 }
 
 func switchThreshold(accountTag string) int32 {
 	h := fnv.New32a()
 	_, _ = h.Write([]byte(accountTag))
-	return int32(h.Sum32() % 100)
+	return int32(h.Sum32() % 100) // nolint: gosec
 }

connection/quic.go

@@ -1,49 +1,16 @@
 package connection
 
 import (
-	"bufio"
 	"context"
 	"crypto/tls"
 	"fmt"
-	"io"
 	"net"
-	"net/http"
 	"net/netip"
 	"runtime"
-	"strconv"
-	"strings"
 	"sync"
-	"sync/atomic"
-	"time"
 
-	"github.com/google/uuid"
-	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
-	"go.opentelemetry.io/otel/attribute"
-	"go.opentelemetry.io/otel/trace"
-	"golang.org/x/sync/errgroup"
-
-	"github.com/cloudflare/cloudflared/datagramsession"
-	"github.com/cloudflare/cloudflared/ingress"
-	"github.com/cloudflare/cloudflared/management"
-	"github.com/cloudflare/cloudflared/packet"
-	quicpogs "github.com/cloudflare/cloudflared/quic"
-	"github.com/cloudflare/cloudflared/tracing"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-)
-
-const (
-	// HTTPHeaderKey is used to get or set http headers in QUIC ALPN if the underlying proxy connection type is HTTP.
-	HTTPHeaderKey = "HttpHeader"
-	// HTTPMethodKey is used to get or set http method in QUIC ALPN if the underlying proxy connection type is HTTP.
-	HTTPMethodKey = "HttpMethod"
-	// HTTPHostKey is used to get or set http Method in QUIC ALPN if the underlying proxy connection type is HTTP.
-	HTTPHostKey = "HttpHost"
-
-	QUICMetadataFlowID = "FlowID"
-	// emperically this capacity has been working well
-	demuxChanCapacity = 16
 )
 
 var (
@@ -51,46 +18,21 @@ var (
 	portMapMutex     sync.Mutex
 )
 
-// QUICConnection represents the type that facilitates Proxying via QUIC streams.
-type QUICConnection struct {
-	session      quic.Connection
-	logger       *zerolog.Logger
-	orchestrator Orchestrator
-	// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer
-	sessionManager datagramsession.Manager
-	// datagramMuxer mux/demux datagrams from quic connection
-	datagramMuxer        *quicpogs.DatagramMuxerV2
-	packetRouter         *ingress.PacketRouter
-	controlStreamHandler ControlStreamHandler
-	connOptions          *tunnelpogs.ConnectionOptions
-	connIndex            uint8
-
-	udpUnregisterTimeout time.Duration
-	streamWriteTimeout   time.Duration
-}
-
-// NewQUICConnection returns a new instance of QUICConnection.
-func NewQUICConnection(
+func DialQuic(
 	ctx context.Context,
 	quicConfig *quic.Config,
-	edgeAddr net.Addr,
+	tlsConfig *tls.Config,
+	edgeAddr netip.AddrPort,
 	localAddr net.IP,
 	connIndex uint8,
-	tlsConfig *tls.Config,
-	orchestrator Orchestrator,
-	connOptions *tunnelpogs.ConnectionOptions,
-	controlStreamHandler ControlStreamHandler,
 	logger *zerolog.Logger,
-	packetRouterConfig *ingress.GlobalRouterConfig,
-	udpUnregisterTimeout time.Duration,
-	streamWriteTimeout time.Duration,
-) (*QUICConnection, error) {
-	udpConn, err := createUDPConnForConnIndex(connIndex, localAddr, logger)
+) (quic.Connection, error) {
+	udpConn, err := createUDPConnForConnIndex(connIndex, localAddr, edgeAddr, logger)
 	if err != nil {
 		return nil, err
 	}
 
-	session, err := quic.Dial(ctx, udpConn, edgeAddr, tlsConfig, quicConfig)
+	conn, err := quic.Dial(ctx, udpConn, net.UDPAddrFromAddrPort(edgeAddr), tlsConfig, quicConfig)
 	if err != nil {
 		// close the udp server socket in case of error connecting to the edge
 		udpConn.Close()
@@ -98,540 +40,22 @@ func NewQUICConnection(
 	}
 
 	// wrap the session, so that the UDPConn is closed after session is closed.
-	session = &wrapCloseableConnQuicConnection{
-		session,
+	conn = &wrapCloseableConnQuicConnection{
+		conn,
 		udpConn,
 	}
-
-	sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)
-	datagramMuxer := quicpogs.NewDatagramMuxerV2(session, logger, sessionDemuxChan)
-	sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)
-	packetRouter := ingress.NewPacketRouter(packetRouterConfig, datagramMuxer, logger)
-
-	return &QUICConnection{
-		session:              session,
-		orchestrator:         orchestrator,
-		logger:               logger,
-		sessionManager:       sessionManager,
-		datagramMuxer:        datagramMuxer,
-		packetRouter:         packetRouter,
-		controlStreamHandler: controlStreamHandler,
-		connOptions:          connOptions,
-		connIndex:            connIndex,
-		udpUnregisterTimeout: udpUnregisterTimeout,
-		streamWriteTimeout:   streamWriteTimeout,
-	}, nil
-}
-
-// Serve starts a QUIC session that begins accepting streams.
-func (q *QUICConnection) Serve(ctx context.Context) error {
-	// origintunneld assumes the first stream is used for the control plane
-	controlStream, err := q.session.OpenStream()
-	if err != nil {
-		return fmt.Errorf("failed to open a registration control stream: %w", err)
-	}
-
-	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
-	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
-	// connection).
-	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
-	// other goroutine as fast as possible.
-	ctx, cancel := context.WithCancel(ctx)
-	errGroup, ctx := errgroup.WithContext(ctx)
-
-	// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
-	// stream is already fully registered before the other goroutines can proceed.
-	errGroup.Go(func() error {
-		defer cancel()
-		return q.serveControlStream(ctx, controlStream)
-	})
-	errGroup.Go(func() error {
-		defer cancel()
-		return q.acceptStream(ctx)
-	})
-	errGroup.Go(func() error {
-		defer cancel()
-		return q.sessionManager.Serve(ctx)
-	})
-	errGroup.Go(func() error {
-		defer cancel()
-		return q.datagramMuxer.ServeReceive(ctx)
-	})
-	errGroup.Go(func() error {
-		defer cancel()
-		return q.packetRouter.Serve(ctx)
-	})
-
-	return errGroup.Wait()
-}
-
-func (q *QUICConnection) serveControlStream(ctx context.Context, controlStream quic.Stream) error {
-	// This blocks until the control plane is done.
-	err := q.controlStreamHandler.ServeControlStream(ctx, controlStream, q.connOptions, q.orchestrator)
-	if err != nil {
-		// Not wrapping error here to be consistent with the http2 message.
-		return err
-	}
-
-	return nil
-}
-
-// Close closes the session with no errors specified.
-func (q *QUICConnection) Close() {
-	q.session.CloseWithError(0, "")
-}
-
-func (q *QUICConnection) acceptStream(ctx context.Context) error {
-	defer q.Close()
-	for {
-		quicStream, err := q.session.AcceptStream(ctx)
-		if err != nil {
-			// context.Canceled is usually a user ctrl+c. We don't want to log an error here as it's intentional.
-			if errors.Is(err, context.Canceled) || q.controlStreamHandler.IsStopped() {
-				return nil
-			}
-			return fmt.Errorf("failed to accept QUIC stream: %w", err)
-		}
-		go q.runStream(quicStream)
-	}
-}
-
-func (q *QUICConnection) runStream(quicStream quic.Stream) {
-	ctx := quicStream.Context()
-	stream := quicpogs.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)
-	defer stream.Close()
-
-	// we are going to fuse readers/writers from stream <- cloudflared -> origin, and we want to guarantee that
-	// code executed in the code path of handleStream don't trigger an earlier close to the downstream write stream.
-	// So, we wrap the stream with a no-op write closer and only this method can actually close write side of the stream.
-	// A call to close will simulate a close to the read-side, which will fail subsequent reads.
-	noCloseStream := &nopCloserReadWriter{ReadWriteCloser: stream}
-	if err := q.handleStream(ctx, noCloseStream); err != nil {
-		q.logger.Debug().Err(err).Msg("Failed to handle QUIC stream")
-
-		// if we received an error at this level, then close write side of stream with an error, which will result in
-		// RST_STREAM frame.
-		quicStream.CancelWrite(0)
-	}
-}
-
-func (q *QUICConnection) handleStream(ctx context.Context, stream io.ReadWriteCloser) error {
-	signature, err := quicpogs.DetermineProtocol(stream)
-	if err != nil {
-		return err
-	}
-	switch signature {
-	case quicpogs.DataStreamProtocolSignature:
-		reqServerStream, err := quicpogs.NewRequestServerStream(stream, signature)
-		if err != nil {
-			return err
-		}
-		return q.handleDataStream(ctx, reqServerStream)
-	case quicpogs.RPCStreamProtocolSignature:
-		rpcStream, err := quicpogs.NewRPCServerStream(stream, signature)
-		if err != nil {
-			return err
-		}
-		return q.handleRPCStream(rpcStream)
-	default:
-		return fmt.Errorf("unknown protocol %v", signature)
-	}
-}
-
-func (q *QUICConnection) handleDataStream(ctx context.Context, stream *quicpogs.RequestServerStream) error {
-	request, err := stream.ReadConnectRequestData()
-	if err != nil {
-		return err
-	}
-
-	if err, connectResponseSent := q.dispatchRequest(ctx, stream, err, request); err != nil {
-		q.logger.Err(err).Str("type", request.Type.String()).Str("dest", request.Dest).Msg("Request failed")
-
-		// if the connectResponse was already sent and we had an error, we need to propagate it up, so that the stream is
-		// closed with an RST_STREAM frame
-		if connectResponseSent {
-			return err
-		}
-
-		if writeRespErr := stream.WriteConnectResponseData(err); writeRespErr != nil {
-			return writeRespErr
-		}
-	}
-
-	return nil
-}
-
-// dispatchRequest will dispatch the request depending on the type and returns an error if it occurs.
-// More importantly, it also tells if the during processing of the request the ConnectResponse metadata was sent downstream.
-// This is important since it informs
-func (q *QUICConnection) dispatchRequest(ctx context.Context, stream *quicpogs.RequestServerStream, err error, request *quicpogs.ConnectRequest) (error, bool) {
-	originProxy, err := q.orchestrator.GetOriginProxy()
-	if err != nil {
-		return err, false
-	}
-
-	switch request.Type {
-	case quicpogs.ConnectionTypeHTTP, quicpogs.ConnectionTypeWebsocket:
-		tracedReq, err := buildHTTPRequest(ctx, request, stream, q.connIndex, q.logger)
-		if err != nil {
-			return err, false
-		}
-		w := newHTTPResponseAdapter(stream)
-		return originProxy.ProxyHTTP(&w, tracedReq, request.Type == quicpogs.ConnectionTypeWebsocket), w.connectResponseSent
-
-	case quicpogs.ConnectionTypeTCP:
-		rwa := &streamReadWriteAcker{RequestServerStream: stream}
-		metadata := request.MetadataMap()
-		return originProxy.ProxyTCP(ctx, rwa, &TCPRequest{
-			Dest:      request.Dest,
-			FlowID:    metadata[QUICMetadataFlowID],
-			CfTraceID: metadata[tracing.TracerContextName],
-			ConnIndex: q.connIndex,
-		}), rwa.connectResponseSent
-	default:
-		return errors.Errorf("unsupported error type: %s", request.Type), false
-	}
-}
-
-func (q *QUICConnection) handleRPCStream(rpcStream *quicpogs.RPCServerStream) error {
-	if err := rpcStream.Serve(q, q, q.logger); err != nil {
-		q.logger.Err(err).Msg("failed handling RPC stream")
-	}
-
-	return nil
-}
-
-// RegisterUdpSession is the RPC method invoked by edge to register and run a session
-func (q *QUICConnection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*tunnelpogs.RegisterUdpSessionResponse, error) {
-	traceCtx := tracing.NewTracedContext(ctx, traceContext, q.logger)
-	ctx, registerSpan := traceCtx.Tracer().Start(traceCtx, "register-session", trace.WithAttributes(
-		attribute.String("session-id", sessionID.String()),
-		attribute.String("dst", fmt.Sprintf("%s:%d", dstIP, dstPort)),
-	))
-	log := q.logger.With().Int(management.EventTypeKey, int(management.UDP)).Logger()
-	// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
-	// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
-	originProxy, err := ingress.DialUDP(dstIP, dstPort)
-	if err != nil {
-		log.Err(err).Msgf("Failed to create udp proxy to %s:%d", dstIP, dstPort)
-		tracing.EndWithErrorStatus(registerSpan, err)
-		return nil, err
-	}
-	registerSpan.SetAttributes(
-		attribute.Bool("socket-bind-success", true),
-		attribute.String("src", originProxy.LocalAddr().String()),
-	)
-
-	session, err := q.sessionManager.RegisterSession(ctx, sessionID, originProxy)
-	if err != nil {
-		originProxy.Close()
-		log.Err(err).Str("sessionID", sessionID.String()).Msgf("Failed to register udp session")
-		tracing.EndWithErrorStatus(registerSpan, err)
-		return nil, err
-	}
-
-	go q.serveUDPSession(session, closeAfterIdleHint)
-
-	log.Debug().
-		Str("sessionID", sessionID.String()).
-		Str("src", originProxy.LocalAddr().String()).
-		Str("dst", fmt.Sprintf("%s:%d", dstIP, dstPort)).
-		Msgf("Registered session")
-	tracing.End(registerSpan)
-
-	resp := tunnelpogs.RegisterUdpSessionResponse{
-		Spans: traceCtx.GetProtoSpans(),
-	}
-
-	return &resp, nil
-}
-
-func (q *QUICConnection) serveUDPSession(session *datagramsession.Session, closeAfterIdleHint time.Duration) {
-	ctx := q.session.Context()
-	closedByRemote, err := session.Serve(ctx, closeAfterIdleHint)
-	// If session is terminated by remote, then we know it has been unregistered from session manager and edge
-	if !closedByRemote {
-		if err != nil {
-			q.closeUDPSession(ctx, session.ID, err.Error())
-		} else {
-			q.closeUDPSession(ctx, session.ID, "terminated without error")
-		}
-	}
-	q.logger.Debug().Err(err).
-		Int(management.EventTypeKey, int(management.UDP)).
-		Str("sessionID", session.ID.String()).
-		Msg("Session terminated")
-}
-
-// closeUDPSession first unregisters the session from session manager, then it tries to unregister from edge
-func (q *QUICConnection) closeUDPSession(ctx context.Context, sessionID uuid.UUID, message string) {
-	q.sessionManager.UnregisterSession(ctx, sessionID, message, false)
-	quicStream, err := q.session.OpenStream()
-	if err != nil {
-		// Log this at debug because this is not an error if session was closed due to lost connection
-		// with edge
-		q.logger.Debug().Err(err).
-			Int(management.EventTypeKey, int(management.UDP)).
-			Str("sessionID", sessionID.String()).
-			Msgf("Failed to open quic stream to unregister udp session with edge")
-		return
-	}
-
-	stream := quicpogs.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)
-	defer stream.Close()
-	rpcClientStream, err := quicpogs.NewRPCClientStream(ctx, stream, q.udpUnregisterTimeout, q.logger)
-	if err != nil {
-		// Log this at debug because this is not an error if session was closed due to lost connection
-		// with edge
-		q.logger.Err(err).Str("sessionID", sessionID.String()).
-			Msgf("Failed to open rpc stream to unregister udp session with edge")
-		return
-	}
-	defer rpcClientStream.Close()
-
-	if err := rpcClientStream.UnregisterUdpSession(ctx, sessionID, message); err != nil {
-		q.logger.Err(err).Str("sessionID", sessionID.String()).
-			Msgf("Failed to unregister udp session with edge")
-	}
-}
-
-// UnregisterUdpSession is the RPC method invoked by edge to unregister and terminate a sesssion
-func (q *QUICConnection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {
-	return q.sessionManager.UnregisterSession(ctx, sessionID, message, true)
-}
-
-// UpdateConfiguration is the RPC method invoked by edge when there is a new configuration
-func (q *QUICConnection) UpdateConfiguration(ctx context.Context, version int32, config []byte) *tunnelpogs.UpdateConfigurationResponse {
-	return q.orchestrator.UpdateConfig(version, config)
-}
-
-// streamReadWriteAcker is a light wrapper over QUIC streams with a callback to send response back to
-// the client.
-type streamReadWriteAcker struct {
-	*quicpogs.RequestServerStream
-	connectResponseSent bool
-}
-
-// AckConnection acks response back to the proxy.
-func (s *streamReadWriteAcker) AckConnection(tracePropagation string) error {
-	metadata := []quicpogs.Metadata{}
-	// Only add tracing if provided by origintunneld
-	if tracePropagation != "" {
-		metadata = append(metadata, quicpogs.Metadata{
-			Key: tracing.CanonicalCloudflaredTracingHeader,
-			Val: tracePropagation,
-		})
-	}
-	s.connectResponseSent = true
-	return s.WriteConnectResponseData(nil, metadata...)
-}
-
-// httpResponseAdapter translates responses written by the HTTP Proxy into ones that can be used in QUIC.
-type httpResponseAdapter struct {
-	*quicpogs.RequestServerStream
-	headers             http.Header
-	connectResponseSent bool
-}
-
-func newHTTPResponseAdapter(s *quicpogs.RequestServerStream) httpResponseAdapter {
-	return httpResponseAdapter{RequestServerStream: s, headers: make(http.Header)}
-}
-
-func (hrw *httpResponseAdapter) AddTrailer(trailerName, trailerValue string) {
-	// we do not support trailers over QUIC
-}
-
-func (hrw *httpResponseAdapter) WriteRespHeaders(status int, header http.Header) error {
-	metadata := make([]quicpogs.Metadata, 0)
-	metadata = append(metadata, quicpogs.Metadata{Key: "HttpStatus", Val: strconv.Itoa(status)})
-	for k, vv := range header {
-		for _, v := range vv {
-			httpHeaderKey := fmt.Sprintf("%s:%s", HTTPHeaderKey, k)
-			metadata = append(metadata, quicpogs.Metadata{Key: httpHeaderKey, Val: v})
-		}
-	}
-
-	return hrw.WriteConnectResponseData(nil, metadata...)
-}
-
-func (hrw *httpResponseAdapter) Write(p []byte) (int, error) {
-	// Make sure to send WriteHeader response if not called yet
-	if !hrw.connectResponseSent {
-		hrw.WriteRespHeaders(http.StatusOK, hrw.headers)
-	}
-	return hrw.RequestServerStream.Write(p)
-}
-
-func (hrw *httpResponseAdapter) Header() http.Header {
-	return hrw.headers
-}
-
-// This is a no-op Flush because this adapter is over a quic.Stream and we don't need Flush here.
-func (hrw *httpResponseAdapter) Flush() {}
-
-func (hrw *httpResponseAdapter) WriteHeader(status int) {
-	hrw.WriteRespHeaders(status, hrw.headers)
-}
-
-func (hrw *httpResponseAdapter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	conn := &localProxyConnection{hrw.ReadWriteCloser}
-	readWriter := bufio.NewReadWriter(
-		bufio.NewReader(hrw.ReadWriteCloser),
-		bufio.NewWriter(hrw.ReadWriteCloser),
-	)
-	return conn, readWriter, nil
-}
-
-func (hrw *httpResponseAdapter) WriteErrorResponse(err error) {
-	hrw.WriteConnectResponseData(err, quicpogs.Metadata{Key: "HttpStatus", Val: strconv.Itoa(http.StatusBadGateway)})
-}
-
-func (hrw *httpResponseAdapter) WriteConnectResponseData(respErr error, metadata ...quicpogs.Metadata) error {
-	hrw.connectResponseSent = true
-	return hrw.RequestServerStream.WriteConnectResponseData(respErr, metadata...)
-}
-
-func buildHTTPRequest(
-	ctx context.Context,
-	connectRequest *quicpogs.ConnectRequest,
-	body io.ReadCloser,
-	connIndex uint8,
-	log *zerolog.Logger,
-) (*tracing.TracedHTTPRequest, error) {
-	metadata := connectRequest.MetadataMap()
-	dest := connectRequest.Dest
-	method := metadata[HTTPMethodKey]
-	host := metadata[HTTPHostKey]
-	isWebsocket := connectRequest.Type == quicpogs.ConnectionTypeWebsocket
-
-	req, err := http.NewRequestWithContext(ctx, method, dest, body)
-	if err != nil {
-		return nil, err
-	}
-
-	req.Host = host
-	for _, metadata := range connectRequest.Metadata {
-		if strings.Contains(metadata.Key, HTTPHeaderKey) {
-			// metadata.Key is off the format httpHeaderKey:<HTTPHeader>
-			httpHeaderKey := strings.Split(metadata.Key, ":")
-			if len(httpHeaderKey) != 2 {
-				return nil, fmt.Errorf("header Key: %s malformed", metadata.Key)
-			}
-			req.Header.Add(httpHeaderKey[1], metadata.Val)
-		}
-	}
-	// Go's http.Client automatically sends chunked request body if this value is not set on the
-	// *http.Request struct regardless of header:
-	// https://go.googlesource.com/go/+/go1.8rc2/src/net/http/transfer.go#154.
-	if err := setContentLength(req); err != nil {
-		return nil, fmt.Errorf("Error setting content-length: %w", err)
-	}
-
-	// Go's client defaults to chunked encoding after a 200ms delay if the following cases are true:
-	//   * the request body blocks
-	//   * the content length is not set (or set to -1)
-	//   * the method doesn't usually have a body (GET, HEAD, DELETE, ...)
-	//   * there is no transfer-encoding=chunked already set.
-	// So, if transfer cannot be chunked and content length is 0, we dont set a request body.
-	if !isWebsocket && !isTransferEncodingChunked(req) && req.ContentLength == 0 {
-		req.Body = http.NoBody
-	}
-	stripWebsocketUpgradeHeader(req)
-
-	// Check for tracing on request
-	tracedReq := tracing.NewTracedHTTPRequest(req, connIndex, log)
-	return tracedReq, err
-}
-
-func setContentLength(req *http.Request) error {
-	var err error
-	if contentLengthStr := req.Header.Get("Content-Length"); contentLengthStr != "" {
-		req.ContentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
-	}
-	return err
-}
-
-func isTransferEncodingChunked(req *http.Request) bool {
-	transferEncodingVal := req.Header.Get("Transfer-Encoding")
-	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding suggests that this can be a comma
-	// separated value as well.
-	return strings.Contains(strings.ToLower(transferEncodingVal), "chunked")
-}
-
-// A helper struct that guarantees a call to close only affects read side, but not write side.
-type nopCloserReadWriter struct {
-	io.ReadWriteCloser
-
-	// for use by Read only
-	// we don't need a memory barrier here because there is an implicit assumption that
-	// Read calls can't happen concurrently by different go-routines.
-	sawEOF bool
-	// should be updated and read using atomic primitives.
-	// value is read in Read method and written in Close method, which could be done by different
-	// go-routines.
-	closed uint32
-}
-
-func (np *nopCloserReadWriter) Read(p []byte) (n int, err error) {
-	if np.sawEOF {
-		return 0, io.EOF
-	}
-
-	if atomic.LoadUint32(&np.closed) > 0 {
-		return 0, fmt.Errorf("closed by handler")
-	}
-
-	n, err = np.ReadWriteCloser.Read(p)
-	if err == io.EOF {
-		np.sawEOF = true
-	}
-
-	return
-}
-
-func (np *nopCloserReadWriter) Close() error {
-	atomic.StoreUint32(&np.closed, 1)
-
-	return nil
-}
-
-// muxerWrapper wraps DatagramMuxerV2 to satisfy the packet.FunnelUniPipe interface
-type muxerWrapper struct {
-	muxer *quicpogs.DatagramMuxerV2
-}
-
-func (rp *muxerWrapper) SendPacket(dst netip.Addr, pk packet.RawPacket) error {
-	return rp.muxer.SendPacket(quicpogs.RawPacket(pk))
-}
-
-func (rp *muxerWrapper) ReceivePacket(ctx context.Context) (packet.RawPacket, error) {
-	pk, err := rp.muxer.ReceivePacket(ctx)
-	if err != nil {
-		return packet.RawPacket{}, err
-	}
-	rawPacket, ok := pk.(quicpogs.RawPacket)
-	if ok {
-		return packet.RawPacket(rawPacket), nil
-	}
-	return packet.RawPacket{}, fmt.Errorf("unexpected packet type %+v", pk)
-}
-
-func (rp *muxerWrapper) Close() error {
-	return nil
+	return conn, nil
 }
 
-func createUDPConnForConnIndex(connIndex uint8, localIP net.IP, logger *zerolog.Logger) (*net.UDPConn, error) {
+func createUDPConnForConnIndex(connIndex uint8, localIP net.IP, edgeIP netip.AddrPort, logger *zerolog.Logger) (*net.UDPConn, error) {
 	portMapMutex.Lock()
 	defer portMapMutex.Unlock()
 
-	if localIP == nil {
-		localIP = net.IPv4zero
-	}
-
 	listenNetwork := "udp"
-	// https://github.com/quic-go/quic-go/issues/3793 DF bit cannot be set for dual stack listener on OSX
+	// https://github.com/quic-go/quic-go/issues/3793 DF bit cannot be set for dual stack listener ("udp") on macOS,
+	// to set the DF bit properly, the network string needs to be specific to the IP family.
 	if runtime.GOOS == "darwin" {
-		if localIP.To4() != nil {
+		if edgeIP.Addr().Is4() {
 			listenNetwork = "udp4"
 		} else {
 			listenNetwork = "udp6"

connection/quic_connection.go

@@ -0,0 +1,429 @@
+package connection
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/quic-go/quic-go"
+	"github.com/rs/zerolog"
+	"golang.org/x/sync/errgroup"
+
+	cfdflow "github.com/cloudflare/cloudflared/flow"
+
+	cfdquic "github.com/cloudflare/cloudflared/quic"
+	"github.com/cloudflare/cloudflared/tracing"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	rpcquic "github.com/cloudflare/cloudflared/tunnelrpc/quic"
+)
+
+const (
+	// HTTPHeaderKey is used to get or set http headers in QUIC ALPN if the underlying proxy connection type is HTTP.
+	HTTPHeaderKey = "HttpHeader"
+	// HTTPMethodKey is used to get or set http method in QUIC ALPN if the underlying proxy connection type is HTTP.
+	HTTPMethodKey = "HttpMethod"
+	// HTTPHostKey is used to get or set http host in QUIC ALPN if the underlying proxy connection type is HTTP.
+	HTTPHostKey = "HttpHost"
+
+	QUICMetadataFlowID = "FlowID"
+)
+
+// quicConnection represents the type that facilitates Proxying via QUIC streams.
+type quicConnection struct {
+	conn                 quic.Connection
+	logger               *zerolog.Logger
+	orchestrator         Orchestrator
+	datagramHandler      DatagramSessionHandler
+	controlStreamHandler ControlStreamHandler
+	connOptions          *pogs.ConnectionOptions
+	connIndex            uint8
+
+	rpcTimeout         time.Duration
+	streamWriteTimeout time.Duration
+	gracePeriod        time.Duration
+}
+
+// NewTunnelConnection takes a [quic.Connection] to wrap it for use with cloudflared application logic.
+func NewTunnelConnection(
+	ctx context.Context,
+	conn quic.Connection,
+	connIndex uint8,
+	orchestrator Orchestrator,
+	datagramSessionHandler DatagramSessionHandler,
+	controlStreamHandler ControlStreamHandler,
+	connOptions *pogs.ConnectionOptions,
+	rpcTimeout time.Duration,
+	streamWriteTimeout time.Duration,
+	gracePeriod time.Duration,
+	logger *zerolog.Logger,
+) (TunnelConnection, error) {
+	return &quicConnection{
+		conn:                 conn,
+		logger:               logger,
+		orchestrator:         orchestrator,
+		datagramHandler:      datagramSessionHandler,
+		controlStreamHandler: controlStreamHandler,
+		connOptions:          connOptions,
+		connIndex:            connIndex,
+		rpcTimeout:           rpcTimeout,
+		streamWriteTimeout:   streamWriteTimeout,
+		gracePeriod:          gracePeriod,
+	}, nil
+}
+
+// Serve starts a QUIC connection that begins accepting streams.
+func (q *quicConnection) Serve(ctx context.Context) error {
+	// The edge assumes the first stream is used for the control plane
+	controlStream, err := q.conn.OpenStream()
+	if err != nil {
+		return fmt.Errorf("failed to open a registration control stream: %w", err)
+	}
+
+	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
+	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
+	// connection).
+	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
+	// other goroutine as fast as possible.
+	ctx, cancel := context.WithCancel(ctx)
+	errGroup, ctx := errgroup.WithContext(ctx)
+
+	// In the future, if cloudflared can autonomously push traffic to the edge, we have to make sure the control
+	// stream is already fully registered before the other goroutines can proceed.
+	errGroup.Go(func() error {
+		// err is equal to nil if we exit due to unregistration. If that happens we want to wait the full
+		// amount of the grace period, allowing requests to finish before we cancel the context, which will
+		// make cloudflared exit.
+		if err := q.serveControlStream(ctx, controlStream); err == nil {
+			if q.gracePeriod > 0 {
+				// In Go1.23 this can be removed and replaced with time.Ticker
+				// see https://pkg.go.dev/time#Tick
+				ticker := time.NewTicker(q.gracePeriod)
+				defer ticker.Stop()
+				select {
+				case <-ctx.Done():
+				case <-ticker.C:
+				}
+			}
+		}
+		cancel()
+		return err
+	})
+	errGroup.Go(func() error {
+		defer cancel()
+		return q.acceptStream(ctx)
+	})
+	errGroup.Go(func() error {
+		defer cancel()
+		return q.datagramHandler.Serve(ctx)
+	})
+
+	return errGroup.Wait()
+}
+
+// serveControlStream will serve the RPC; blocking until the control plane is done.
+func (q *quicConnection) serveControlStream(ctx context.Context, controlStream quic.Stream) error {
+	return q.controlStreamHandler.ServeControlStream(ctx, controlStream, q.connOptions, q.orchestrator)
+}
+
+// Close the connection with no errors specified.
+func (q *quicConnection) Close() {
+	_ = q.conn.CloseWithError(0, "")
+}
+
+func (q *quicConnection) acceptStream(ctx context.Context) error {
+	defer q.Close()
+	for {
+		quicStream, err := q.conn.AcceptStream(ctx)
+		if err != nil {
+			// context.Canceled is usually a user ctrl+c. We don't want to log an error here as it's intentional.
+			if errors.Is(err, context.Canceled) || q.controlStreamHandler.IsStopped() {
+				return nil
+			}
+			return fmt.Errorf("failed to accept QUIC stream: %w", err)
+		}
+		go q.runStream(quicStream)
+	}
+}
+
+func (q *quicConnection) runStream(quicStream quic.Stream) {
+	ctx := quicStream.Context()
+	stream := cfdquic.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)
+	defer stream.Close()
+
+	// we are going to fuse readers/writers from stream <- cloudflared -> origin, and we want to guarantee that
+	// code executed in the code path of handleStream don't trigger an earlier close to the downstream write stream.
+	// So, we wrap the stream with a no-op write closer and only this method can actually close write side of the stream.
+	// A call to close will simulate a close to the read-side, which will fail subsequent reads.
+	noCloseStream := &nopCloserReadWriter{ReadWriteCloser: stream}
+	ss := rpcquic.NewCloudflaredServer(q.handleDataStream, q.datagramHandler, q, q.rpcTimeout)
+	if err := ss.Serve(ctx, noCloseStream); err != nil {
+		q.logger.Debug().Err(err).Msg("Failed to handle QUIC stream")
+
+		// if we received an error at this level, then close write side of stream with an error, which will result in
+		// RST_STREAM frame.
+		quicStream.CancelWrite(0)
+	}
+}
+
+func (q *quicConnection) handleDataStream(ctx context.Context, stream *rpcquic.RequestServerStream) error {
+	request, err := stream.ReadConnectRequestData()
+	if err != nil {
+		return err
+	}
+
+	if err, connectResponseSent := q.dispatchRequest(ctx, stream, request); err != nil {
+		q.logger.Err(err).Str("type", request.Type.String()).Str("dest", request.Dest).Msg("Request failed")
+
+		// if the connectResponse was already sent and we had an error, we need to propagate it up, so that the stream is
+		// closed with an RST_STREAM frame
+		if connectResponseSent {
+			return err
+		}
+
+		var metadata []pogs.Metadata
+		// Check the type of error that was throw and add metadata that will help identify it on OTD.
+		if errors.Is(err, cfdflow.ErrTooManyActiveFlows) {
+			metadata = append(metadata, pogs.ErrorFlowConnectRateLimitedMetadata)
+		}
+
+		if writeRespErr := stream.WriteConnectResponseData(err, metadata...); writeRespErr != nil {
+			return writeRespErr
+		}
+	}
+
+	return nil
+}
+
+// dispatchRequest will dispatch the request to the origin depending on the type and returns an error if it occurs.
+// Also returns if the connect response was sent to the downstream during processing of the origin request.
+func (q *quicConnection) dispatchRequest(ctx context.Context, stream *rpcquic.RequestServerStream, request *pogs.ConnectRequest) (err error, connectResponseSent bool) {
+	originProxy, err := q.orchestrator.GetOriginProxy()
+	if err != nil {
+		return err, false
+	}
+
+	switch request.Type {
+	case pogs.ConnectionTypeHTTP, pogs.ConnectionTypeWebsocket:
+		tracedReq, err := buildHTTPRequest(ctx, request, stream, q.connIndex, q.logger)
+		if err != nil {
+			return err, false
+		}
+		w := newHTTPResponseAdapter(stream)
+		return originProxy.ProxyHTTP(&w, tracedReq, request.Type == pogs.ConnectionTypeWebsocket), w.connectResponseSent
+
+	case pogs.ConnectionTypeTCP:
+		rwa := &streamReadWriteAcker{RequestServerStream: stream}
+		metadata := request.MetadataMap()
+		return originProxy.ProxyTCP(ctx, rwa, &TCPRequest{
+			Dest:      request.Dest,
+			FlowID:    metadata[QUICMetadataFlowID],
+			CfTraceID: metadata[tracing.TracerContextName],
+			ConnIndex: q.connIndex,
+		}), rwa.connectResponseSent
+	default:
+		return errors.Errorf("unsupported error type: %s", request.Type), false
+	}
+}
+
+// UpdateConfiguration is the RPC method invoked by edge when there is a new configuration
+func (q *quicConnection) UpdateConfiguration(ctx context.Context, version int32, config []byte) *pogs.UpdateConfigurationResponse {
+	return q.orchestrator.UpdateConfig(version, config)
+}
+
+// streamReadWriteAcker is a light wrapper over QUIC streams with a callback to send response back to
+// the client.
+type streamReadWriteAcker struct {
+	*rpcquic.RequestServerStream
+	connectResponseSent bool
+}
+
+// AckConnection acks response back to the proxy.
+func (s *streamReadWriteAcker) AckConnection(tracePropagation string) error {
+	metadata := []pogs.Metadata{}
+	// Only add tracing if provided by the edge request
+	if tracePropagation != "" {
+		metadata = append(metadata, pogs.Metadata{
+			Key: tracing.CanonicalCloudflaredTracingHeader,
+			Val: tracePropagation,
+		})
+	}
+	s.connectResponseSent = true
+	return s.WriteConnectResponseData(nil, metadata...)
+}
+
+// httpResponseAdapter translates responses written by the HTTP Proxy into ones that can be used in QUIC.
+type httpResponseAdapter struct {
+	*rpcquic.RequestServerStream
+	headers             http.Header
+	connectResponseSent bool
+}
+
+func newHTTPResponseAdapter(s *rpcquic.RequestServerStream) httpResponseAdapter {
+	return httpResponseAdapter{RequestServerStream: s, headers: make(http.Header)}
+}
+
+func (hrw *httpResponseAdapter) AddTrailer(trailerName, trailerValue string) {
+	// we do not support trailers over QUIC
+}
+
+func (hrw *httpResponseAdapter) WriteRespHeaders(status int, header http.Header) error {
+	metadata := make([]pogs.Metadata, 0)
+	metadata = append(metadata, pogs.Metadata{Key: "HttpStatus", Val: strconv.Itoa(status)})
+	for k, vv := range header {
+		for _, v := range vv {
+			httpHeaderKey := fmt.Sprintf("%s:%s", HTTPHeaderKey, k)
+			metadata = append(metadata, pogs.Metadata{Key: httpHeaderKey, Val: v})
+		}
+	}
+
+	return hrw.WriteConnectResponseData(nil, metadata...)
+}
+
+func (hrw *httpResponseAdapter) Write(p []byte) (int, error) {
+	// Make sure to send WriteHeader response if not called yet
+	if !hrw.connectResponseSent {
+		_ = hrw.WriteRespHeaders(http.StatusOK, hrw.headers)
+	}
+	return hrw.RequestServerStream.Write(p)
+}
+
+func (hrw *httpResponseAdapter) Header() http.Header {
+	return hrw.headers
+}
+
+// This is a no-op Flush because this adapter is over a quic.Stream and we don't need Flush here.
+func (hrw *httpResponseAdapter) Flush() {}
+
+func (hrw *httpResponseAdapter) WriteHeader(status int) {
+	_ = hrw.WriteRespHeaders(status, hrw.headers)
+}
+
+func (hrw *httpResponseAdapter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	conn := &localProxyConnection{hrw.ReadWriteCloser}
+	readWriter := bufio.NewReadWriter(
+		bufio.NewReader(hrw.ReadWriteCloser),
+		bufio.NewWriter(hrw.ReadWriteCloser),
+	)
+	return conn, readWriter, nil
+}
+
+func (hrw *httpResponseAdapter) WriteErrorResponse(err error) {
+	_ = hrw.WriteConnectResponseData(err, pogs.Metadata{Key: "HttpStatus", Val: strconv.Itoa(http.StatusBadGateway)})
+}
+
+func (hrw *httpResponseAdapter) WriteConnectResponseData(respErr error, metadata ...pogs.Metadata) error {
+	hrw.connectResponseSent = true
+	return hrw.RequestServerStream.WriteConnectResponseData(respErr, metadata...)
+}
+
+func buildHTTPRequest(
+	ctx context.Context,
+	connectRequest *pogs.ConnectRequest,
+	body io.ReadCloser,
+	connIndex uint8,
+	log *zerolog.Logger,
+) (*tracing.TracedHTTPRequest, error) {
+	metadata := connectRequest.MetadataMap()
+	dest := connectRequest.Dest
+	method := metadata[HTTPMethodKey]
+	host := metadata[HTTPHostKey]
+	isWebsocket := connectRequest.Type == pogs.ConnectionTypeWebsocket
+
+	req, err := http.NewRequestWithContext(ctx, method, dest, body)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Host = host
+	for _, metadata := range connectRequest.Metadata {
+		if strings.Contains(metadata.Key, HTTPHeaderKey) {
+			// metadata.Key is off the format httpHeaderKey:<HTTPHeader>
+			httpHeaderKey := strings.Split(metadata.Key, ":")
+			if len(httpHeaderKey) != 2 {
+				return nil, fmt.Errorf("header Key: %s malformed", metadata.Key)
+			}
+			req.Header.Add(httpHeaderKey[1], metadata.Val)
+		}
+	}
+	// Go's http.Client automatically sends chunked request body if this value is not set on the
+	// *http.Request struct regardless of header:
+	// https://go.googlesource.com/go/+/go1.8rc2/src/net/http/transfer.go#154.
+	if err := setContentLength(req); err != nil {
+		return nil, fmt.Errorf("Error setting content-length: %w", err)
+	}
+
+	// Go's client defaults to chunked encoding after a 200ms delay if the following cases are true:
+	//   * the request body blocks
+	//   * the content length is not set (or set to -1)
+	//   * the method doesn't usually have a body (GET, HEAD, DELETE, ...)
+	//   * there is no transfer-encoding=chunked already set.
+	// So, if transfer cannot be chunked and content length is 0, we dont set a request body.
+	if !isWebsocket && !isTransferEncodingChunked(req) && req.ContentLength == 0 {
+		req.Body = http.NoBody
+	}
+	stripWebsocketUpgradeHeader(req)
+
+	// Check for tracing on request
+	tracedReq := tracing.NewTracedHTTPRequest(req, connIndex, log)
+	return tracedReq, err
+}
+
+func setContentLength(req *http.Request) error {
+	var err error
+	if contentLengthStr := req.Header.Get("Content-Length"); contentLengthStr != "" {
+		req.ContentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
+	}
+	return err
+}
+
+func isTransferEncodingChunked(req *http.Request) bool {
+	transferEncodingVal := req.Header.Get("Transfer-Encoding")
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Transfer-Encoding suggests that this can be a comma
+	// separated value as well.
+	return strings.Contains(strings.ToLower(transferEncodingVal), "chunked")
+}
+
+// A helper struct that guarantees a call to close only affects read side, but not write side.
+type nopCloserReadWriter struct {
+	io.ReadWriteCloser
+
+	// for use by Read only
+	// we don't need a memory barrier here because there is an implicit assumption that
+	// Read calls can't happen concurrently by different go-routines.
+	sawEOF bool
+	// should be updated and read using atomic primitives.
+	// value is read in Read method and written in Close method, which could be done by different
+	// go-routines.
+	closed uint32
+}
+
+func (np *nopCloserReadWriter) Read(p []byte) (n int, err error) {
+	if np.sawEOF {
+		return 0, io.EOF
+	}
+
+	if atomic.LoadUint32(&np.closed) > 0 {
+		return 0, fmt.Errorf("closed by handler")
+	}
+
+	n, err = np.ReadWriteCloser.Read(p)
+	if err == io.EOF {
+		np.sawEOF = true
+	}
+
+	return
+}
+
+func (np *nopCloserReadWriter) Close() error {
+	atomic.StoreUint32(&np.closed, 1)
+
+	return nil
+}

connection/quic_connection_test.go

@@ -3,34 +3,45 @@ package connection
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
+	"math/big"
 	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
-	"os"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/gobwas/ws/wsutil"
 	"github.com/google/uuid"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/net/nettest"
+
+	cfdflow "github.com/cloudflare/cloudflared/flow"
 
 	"github.com/cloudflare/cloudflared/datagramsession"
-	quicpogs "github.com/cloudflare/cloudflared/quic"
+	"github.com/cloudflare/cloudflared/ingress"
+	"github.com/cloudflare/cloudflared/packet"
+	cfdquic "github.com/cloudflare/cloudflared/quic"
 	"github.com/cloudflare/cloudflared/tracing"
 	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	rpcquic "github.com/cloudflare/cloudflared/tunnelrpc/quic"
 )
 
 var (
-	testTLSServerConfig = quicpogs.GenerateTLSConfig()
+	testTLSServerConfig = GenerateTLSConfig()
 	testQUICConfig      = &quic.Config{
 		KeepAlivePeriod: 5 * time.Second,
 		EnableDatagrams: true,
@@ -45,21 +56,22 @@ var _ ReadWriteAcker = (*streamReadWriteAcker)(nil)
 func TestQUICServer(t *testing.T) {
 	// This is simply a sample websocket frame message.
 	wsBuf := &bytes.Buffer{}
-	wsutil.WriteClientBinary(wsBuf, []byte("Hello"))
+	err := wsutil.WriteClientBinary(wsBuf, []byte("Hello"))
+	require.NoError(t, err)
 
 	var tests = []struct {
 		desc             string
 		dest             string
-		connectionType   quicpogs.ConnectionType
-		metadata         []quicpogs.Metadata
+		connectionType   pogs.ConnectionType
+		metadata         []pogs.Metadata
 		message          []byte
 		expectedResponse []byte
 	}{
 		{
 			desc:           "test http proxy",
 			dest:           "/ok",
-			connectionType: quicpogs.ConnectionTypeHTTP,
-			metadata: []quicpogs.Metadata{
+			connectionType: pogs.ConnectionTypeHTTP,
+			metadata: []pogs.Metadata{
 				{
 					Key: "HttpHeader:Cf-Ray",
 					Val: "123123123",
@@ -78,8 +90,8 @@ func TestQUICServer(t *testing.T) {
 		{
 			desc:           "test http body request streaming",
 			dest:           "/slow_echo_body",
-			connectionType: quicpogs.ConnectionTypeHTTP,
-			metadata: []quicpogs.Metadata{
+			connectionType: pogs.ConnectionTypeHTTP,
+			metadata: []pogs.Metadata{
 				{
 					Key: "HttpHeader:Cf-Ray",
 					Val: "123123123",
@@ -103,8 +115,8 @@ func TestQUICServer(t *testing.T) {
 		{
 			desc:           "test ws proxy",
 			dest:           "/ws/echo",
-			connectionType: quicpogs.ConnectionTypeWebsocket,
-			metadata: []quicpogs.Metadata{
+			connectionType: pogs.ConnectionTypeWebsocket,
+			metadata: []pogs.Metadata{
 				{
 					Key: "HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade",
 					Val: "Websocket",
@@ -127,8 +139,8 @@ func TestQUICServer(t *testing.T) {
 		},
 		{
 			desc:             "test tcp proxy",
-			connectionType:   quicpogs.ConnectionTypeTCP,
-			metadata:         []quicpogs.Metadata{},
+			connectionType:   pogs.ConnectionTypeTCP,
+			metadata:         []pogs.Metadata{},
 			message:          []byte("Here is some tcp data"),
 			expectedResponse: []byte("Here is some tcp data"),
 		},
@@ -150,17 +162,19 @@ func TestQUICServer(t *testing.T) {
 
 			serverDone := make(chan struct{})
 			go func() {
+				// nolint: testifylint
 				quicServer(
 					ctx, t, quicListener, test.dest, test.connectionType, test.metadata, test.message, test.expectedResponse,
 				)
 				close(serverDone)
 			}()
 
-			qc := testQUICConnection(udpListener.LocalAddr(), t, uint8(i))
+			// nolint: gosec
+			tunnelConn, _ := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), uint8(i))
 
 			connDone := make(chan struct{})
 			go func() {
-				qc.Serve(ctx)
+				_ = tunnelConn.Serve(ctx)
 				close(connDone)
 			}()
 
@@ -175,7 +189,7 @@ type fakeControlStream struct {
 	ControlStreamHandler
 }
 
-func (fakeControlStream) ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *tunnelpogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error {
+func (fakeControlStream) ServeControlStream(ctx context.Context, rw io.ReadWriteCloser, connOptions *pogs.ConnectionOptions, tunnelConfigGetter TunnelConfigJSONGetter) error {
 	<-ctx.Done()
 	return nil
 }
@@ -188,8 +202,8 @@ func quicServer(
 	t *testing.T,
 	listener *quic.Listener,
 	dest string,
-	connectionType quicpogs.ConnectionType,
-	metadata []quicpogs.Metadata,
+	connectionType pogs.ConnectionType,
+	metadata []pogs.Metadata,
 	message []byte,
 	expectedResponse []byte,
 ) {
@@ -198,9 +212,9 @@ func quicServer(
 
 	quicStream, err := session.OpenStreamSync(context.Background())
 	require.NoError(t, err)
-	stream := quicpogs.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)
+	stream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)
 
-	reqClientStream := quicpogs.RequestClientStream{ReadWriteCloser: stream}
+	reqClientStream := rpcquic.RequestClientStream{ReadWriteCloser: stream}
 	err = reqClientStream.WriteConnectRequestData(dest, connectionType, metadata...)
 	require.NoError(t, err)
 
@@ -246,14 +260,14 @@ func (moc *mockOriginProxyWithRequest) ProxyHTTP(w ResponseWriter, tr *tracing.T
 	case "/ok":
 		originRespEndpoint(w, http.StatusOK, []byte(http.StatusText(http.StatusOK)))
 	case "/slow_echo_body":
-		time.Sleep(5)
+		time.Sleep(5 * time.Nanosecond)
 		fallthrough
 	case "/echo_body":
 		resp := &http.Response{
 			StatusCode: http.StatusOK,
 		}
 		_ = w.WriteRespHeaders(resp.StatusCode, resp.Header)
-		io.Copy(w, r.Body)
+		_, _ = io.Copy(w, r.Body)
 	case "/error":
 		return fmt.Errorf("Failed to proxy to origin")
 	default:
@@ -265,15 +279,15 @@ func (moc *mockOriginProxyWithRequest) ProxyHTTP(w ResponseWriter, tr *tracing.T
 func TestBuildHTTPRequest(t *testing.T) {
 	var tests = []struct {
 		name           string
-		connectRequest *quicpogs.ConnectRequest
+		connectRequest *pogs.ConnectRequest
 		body           io.ReadCloser
 		req            *http.Request
 	}{
 		{
 			name: "check if http.Request is built correctly with content length",
-			connectRequest: &quicpogs.ConnectRequest{
+			connectRequest: &pogs.ConnectRequest{
 				Dest: "http://test.com",
-				Metadata: []quicpogs.Metadata{
+				Metadata: []pogs.Metadata{
 					{
 						Key: "HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade",
 						Val: "Websocket",
@@ -317,9 +331,9 @@ func TestBuildHTTPRequest(t *testing.T) {
 		},
 		{
 			name: "if content length isn't part of request headers, then it's not set",
-			connectRequest: &quicpogs.ConnectRequest{
+			connectRequest: &pogs.ConnectRequest{
 				Dest: "http://test.com",
-				Metadata: []quicpogs.Metadata{
+				Metadata: []pogs.Metadata{
 					{
 						Key: "HttpHeader:Cf-Cloudflared-Proxy-Connection-Upgrade",
 						Val: "Websocket",
@@ -358,9 +372,9 @@ func TestBuildHTTPRequest(t *testing.T) {
 		},
 		{
 			name: "if content length is 0, but transfer-encoding is chunked, body is not nil",
-			connectRequest: &quicpogs.ConnectRequest{
+			connectRequest: &pogs.ConnectRequest{
 				Dest: "http://test.com",
-				Metadata: []quicpogs.Metadata{
+				Metadata: []pogs.Metadata{
 					{
 						Key: "HttpHeader:Another-Header",
 						Val: "Misc",
@@ -400,9 +414,9 @@ func TestBuildHTTPRequest(t *testing.T) {
 		},
 		{
 			name: "if content length is 0, but transfer-encoding is gzip,chunked, body is not nil",
-			connectRequest: &quicpogs.ConnectRequest{
+			connectRequest: &pogs.ConnectRequest{
 				Dest: "http://test.com",
-				Metadata: []quicpogs.Metadata{
+				Metadata: []pogs.Metadata{
 					{
 						Key: "HttpHeader:Another-Header",
 						Val: "Misc",
@@ -442,10 +456,10 @@ func TestBuildHTTPRequest(t *testing.T) {
 		},
 		{
 			name: "if content length is 0, and connect request is a websocket, body is not nil",
-			connectRequest: &quicpogs.ConnectRequest{
-				Type: quicpogs.ConnectionTypeWebsocket,
+			connectRequest: &pogs.ConnectRequest{
+				Type: pogs.ConnectionTypeWebsocket,
 				Dest: "http://test.com",
-				Metadata: []quicpogs.Metadata{
+				Metadata: []pogs.Metadata{
 					{
 						Key: "HttpHeader:Another-Header",
 						Val: "Misc",
@@ -485,16 +499,20 @@ func TestBuildHTTPRequest(t *testing.T) {
 		test := test // capture range variable
 		t.Run(test.name, func(t *testing.T) {
 			req, err := buildHTTPRequest(context.Background(), test.connectRequest, test.body, 0, &log)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			test.req = test.req.WithContext(req.Context())
-			assert.Equal(t, test.req, req.Request)
+			require.Equal(t, test.req, req.Request)
 		})
 	}
 }
 
 func (moc *mockOriginProxyWithRequest) ProxyTCP(ctx context.Context, rwa ReadWriteAcker, tcpRequest *TCPRequest) error {
-	rwa.AckConnection("")
-	io.Copy(rwa, rwa)
+	if tcpRequest.Dest == "rate-limit-me" {
+		return pkgerrors.Wrap(cfdflow.ErrTooManyActiveFlows, "failed tcp stream")
+	}
+
+	_ = rwa.AckConnection("")
+	_, _ = io.Copy(rwa, rwa)
 	return nil
 }
 
@@ -507,27 +525,30 @@ func TestServeUDPSession(t *testing.T) {
 	defer udpListener.Close()
 
 	ctx, cancel := context.WithCancel(context.Background())
-	val := udpListener.LocalAddr()
 
 	// Establish QUIC connection with edge
 	edgeQUICSessionChan := make(chan quic.Connection)
 	go func() {
 		earlyListener, err := quic.Listen(udpListener, testTLSServerConfig, testQUICConfig)
-		require.NoError(t, err)
+		assert.NoError(t, err)
 
 		edgeQUICSession, err := earlyListener.Accept(ctx)
-		require.NoError(t, err)
+		assert.NoError(t, err)
+
 		edgeQUICSessionChan <- edgeQUICSession
 	}()
 
 	// Random index to avoid reusing port
-	qc := testQUICConnection(val, t, 28)
-	go qc.Serve(ctx)
+	tunnelConn, datagramConn := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), 28)
+	go func() {
+		_ = tunnelConn.Serve(ctx)
+	}()
 
 	edgeQUICSession := <-edgeQUICSessionChan
-	serveSession(ctx, qc, edgeQUICSession, closedByOrigin, io.EOF.Error(), t)
-	serveSession(ctx, qc, edgeQUICSession, closedByTimeout, datagramsession.SessionIdleErr(time.Millisecond*50).Error(), t)
-	serveSession(ctx, qc, edgeQUICSession, closedByRemote, "eyeball closed connection", t)
+
+	serveSession(ctx, datagramConn, edgeQUICSession, closedByOrigin, io.EOF.Error(), t)
+	serveSession(ctx, datagramConn, edgeQUICSession, closedByTimeout, datagramsession.SessionIdleErr(time.Millisecond*50).Error(), t)
+	serveSession(ctx, datagramConn, edgeQUICSession, closedByRemote, "eyeball closed connection", t)
 	cancel()
 }
 
@@ -537,14 +558,14 @@ func TestNopCloserReadWriterCloseBeforeEOF(t *testing.T) {
 
 	n, err := readerWriter.Read(buffer)
 	require.NoError(t, err)
-	require.Equal(t, n, 5)
+	require.Equal(t, 5, n)
 
 	// close
 	require.NoError(t, readerWriter.Close())
 
 	// read should get error
 	n, err = readerWriter.Read(buffer)
-	require.Equal(t, n, 0)
+	require.Equal(t, 0, n)
 	require.Equal(t, err, fmt.Errorf("closed by handler"))
 }
 
@@ -554,7 +575,7 @@ func TestNopCloserReadWriterCloseAfterEOF(t *testing.T) {
 
 	n, err := readerWriter.Read(buffer)
 	require.NoError(t, err)
-	require.Equal(t, n, 9)
+	require.Equal(t, 9, n)
 
 	// force another read to read eof
 	_, err = readerWriter.Read(buffer)
@@ -565,13 +586,78 @@ func TestNopCloserReadWriterCloseAfterEOF(t *testing.T) {
 
 	// read should get EOF still
 	n, err = readerWriter.Read(buffer)
-	require.Equal(t, n, 0)
+	require.Equal(t, 0, n)
 	require.Equal(t, err, io.EOF)
 }
 
 func TestCreateUDPConnReuseSourcePort(t *testing.T) {
+	edgeIPv4 := netip.MustParseAddrPort("0.0.0.0:0")
+	edgeIPv6 := netip.MustParseAddrPort("[::]:0")
+
+	// We assume the test environment has access to an IPv4 interface
+	testCreateUDPConnReuseSourcePortForEdgeIP(t, edgeIPv4)
+
+	if nettest.SupportsIPv6() {
+		testCreateUDPConnReuseSourcePortForEdgeIP(t, edgeIPv6)
+	}
+}
+
+// TestTCPProxy_FlowRateLimited tests if the pogs.ConnectResponse returns the expected error and metadata, when a
+// new flow is rate limited.
+func TestTCPProxy_FlowRateLimited(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Start a UDP Listener for QUIC.
+	udpAddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	udpListener, err := net.ListenUDP(udpAddr.Network(), udpAddr)
+	require.NoError(t, err)
+	defer udpListener.Close()
+
+	quicTransport := &quic.Transport{Conn: udpListener, ConnectionIDLength: 16}
+	quicListener, err := quicTransport.Listen(testTLSServerConfig, testQUICConfig)
+	require.NoError(t, err)
+
+	serverDone := make(chan struct{})
+	go func() {
+		defer close(serverDone)
+
+		session, err := quicListener.Accept(ctx)
+		assert.NoError(t, err)
+
+		quicStream, err := session.OpenStreamSync(context.Background())
+		assert.NoError(t, err)
+		stream := cfdquic.NewSafeStreamCloser(quicStream, defaultQUICTimeout, &log)
+
+		reqClientStream := rpcquic.RequestClientStream{ReadWriteCloser: stream}
+		err = reqClientStream.WriteConnectRequestData("rate-limit-me", pogs.ConnectionTypeTCP)
+		assert.NoError(t, err)
+
+		response, err := reqClientStream.ReadConnectResponseData()
+		assert.NoError(t, err)
+
+		// Got Rate Limited
+		assert.NotEmpty(t, response.Error)
+		assert.Contains(t, response.Metadata, pogs.ErrorFlowConnectRateLimitedMetadata)
+	}()
+
+	tunnelConn, _ := testTunnelConnection(t, netip.MustParseAddrPort(udpListener.LocalAddr().String()), uint8(0))
+
+	connDone := make(chan struct{})
+	go func() {
+		defer close(connDone)
+		_ = tunnelConn.Serve(ctx)
+	}()
+
+	<-serverDone
+	cancel()
+	<-connDone
+}
+
+func testCreateUDPConnReuseSourcePortForEdgeIP(t *testing.T, edgeIP netip.AddrPort) {
 	logger := zerolog.Nop()
-	conn, err := createUDPConnForConnIndex(0, nil, &logger)
+	conn, err := createUDPConnForConnIndex(0, nil, edgeIP, &logger)
 	require.NoError(t, err)
 
 	getPortFunc := func(conn *net.UDPConn) int {
@@ -585,41 +671,41 @@ func TestCreateUDPConnReuseSourcePort(t *testing.T) {
 	conn.Close()
 
 	// should get the same port as before.
-	conn, err = createUDPConnForConnIndex(0, nil, &logger)
+	conn, err = createUDPConnForConnIndex(0, nil, edgeIP, &logger)
 	require.NoError(t, err)
 	require.Equal(t, initialPort, getPortFunc(conn))
 
 	// new index, should get a different port
-	conn1, err := createUDPConnForConnIndex(1, nil, &logger)
+	conn1, err := createUDPConnForConnIndex(1, nil, edgeIP, &logger)
 	require.NoError(t, err)
 	require.NotEqual(t, initialPort, getPortFunc(conn1))
 
 	// not closing the conn and trying to obtain a new conn for same index should give a different random port
-	conn, err = createUDPConnForConnIndex(0, nil, &logger)
+	conn, err = createUDPConnForConnIndex(0, nil, edgeIP, &logger)
 	require.NoError(t, err)
 	require.NotEqual(t, initialPort, getPortFunc(conn))
 }
 
-func serveSession(ctx context.Context, qc *QUICConnection, edgeQUICSession quic.Connection, closeType closeReason, expectedReason string, t *testing.T) {
+func serveSession(ctx context.Context, datagramConn *datagramV2Connection, edgeQUICSession quic.Connection, closeType closeReason, expectedReason string, t *testing.T) {
 	var (
 		payload = []byte(t.Name())
 	)
 	sessionID := uuid.New()
 	cfdConn, originConn := net.Pipe()
 	// Registers and run a new session
-	session, err := qc.sessionManager.RegisterSession(ctx, sessionID, cfdConn)
+	session, err := datagramConn.sessionManager.RegisterSession(ctx, sessionID, cfdConn)
 	require.NoError(t, err)
 
 	sessionDone := make(chan struct{})
 	go func() {
-		qc.serveUDPSession(session, time.Millisecond*50)
+		datagramConn.serveUDPSession(session, time.Millisecond*50)
 		close(sessionDone)
 	}()
 
 	// Send a message to the quic session on edge side, it should be deumx to this datagram v2 session
-	muxedPayload, err := quicpogs.SuffixSessionID(sessionID, payload)
+	muxedPayload, err := cfdquic.SuffixSessionID(sessionID, payload)
 	require.NoError(t, err)
-	muxedPayload, err = quicpogs.SuffixType(muxedPayload, quicpogs.DatagramTypeUDP)
+	muxedPayload, err = cfdquic.SuffixType(muxedPayload, cfdquic.DatagramTypeUDP)
 	require.NoError(t, err)
 
 	err = edgeQUICSession.SendDatagram(muxedPayload)
@@ -636,7 +722,7 @@ func serveSession(ctx context.Context, qc *QUICConnection, edgeQUICSession quic.
 	case closedByOrigin:
 		originConn.Close()
 	case closedByRemote:
-		err = qc.UnregisterUdpSession(ctx, sessionID, expectedReason)
+		err = datagramConn.UnregisterUdpSession(ctx, sessionID, expectedReason)
 		require.NoError(t, err)
 	case closedByTimeout:
 	}
@@ -649,6 +735,7 @@ func serveSession(ctx context.Context, qc *QUICConnection, edgeQUICSession quic.
 			unregisterReason:     expectedReason,
 			calledUnregisterChan: unregisterFromEdgeChan,
 		}
+		// nolint: testifylint
 		go runRPCServer(ctx, edgeQUICSession, sessionRPCServer, nil, t)
 
 		<-unregisterFromEdgeChan
@@ -665,7 +752,7 @@ const (
 	closedByTimeout
 )
 
-func runRPCServer(ctx context.Context, session quic.Connection, sessionRPCServer tunnelpogs.SessionManager, configRPCServer tunnelpogs.ConfigurationManager, t *testing.T) {
+func runRPCServer(ctx context.Context, session quic.Connection, sessionRPCServer pogs.SessionManager, configRPCServer pogs.ConfigurationManager, t *testing.T) {
 	stream, err := session.AcceptStream(ctx)
 	require.NoError(t, err)
 
@@ -674,13 +761,15 @@ func runRPCServer(ctx context.Context, session quic.Connection, sessionRPCServer
 		stream, err = session.AcceptStream(ctx)
 		require.NoError(t, err)
 	}
-	protocol, err := quicpogs.DetermineProtocol(stream)
-	assert.NoError(t, err)
-	rpcServerStream, err := quicpogs.NewRPCServerStream(stream, protocol)
-	assert.NoError(t, err)
-
-	log := zerolog.New(os.Stdout)
-	err = rpcServerStream.Serve(sessionRPCServer, configRPCServer, &log)
+	ss := rpcquic.NewCloudflaredServer(
+		func(_ context.Context, _ *rpcquic.RequestServerStream) error {
+			return nil
+		},
+		sessionRPCServer,
+		configRPCServer,
+		10*time.Second,
+	)
+	err = ss.Serve(ctx, stream)
 	assert.NoError(t, err)
 }
 
@@ -705,32 +794,63 @@ func (s mockSessionRPCServer) UnregisterUdpSession(ctx context.Context, sessionI
 	return nil
 }
 
-func testQUICConnection(udpListenerAddr net.Addr, t *testing.T, index uint8) *QUICConnection {
+func testTunnelConnection(t *testing.T, serverAddr netip.AddrPort, index uint8) (TunnelConnection, *datagramV2Connection) {
 	tlsClientConfig := &tls.Config{
+		// nolint: gosec
 		InsecureSkipVerify: true,
 		NextProtos:         []string{"argotunnel"},
 	}
 	// Start a mock httpProxy
-	log := zerolog.New(os.Stdout)
+	log := zerolog.New(io.Discard)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	qc, err := NewQUICConnection(
+
+	// Dial the QUIC connection to the edge
+	conn, err := DialQuic(
 		ctx,
 		testQUICConfig,
-		udpListenerAddr,
-		nil,
-		index,
 		tlsClientConfig,
-		&mockOrchestrator{originProxy: &mockOriginProxyWithRequest{}},
-		&tunnelpogs.ConnectionOptions{},
-		fakeControlStream{},
+		serverAddr,
+		nil, // connect on a random port
+		index,
 		&log,
-		nil,
-		5*time.Second,
-		0*time.Second,
 	)
 	require.NoError(t, err)
-	return qc
+
+	// Start a session manager for the connection
+	sessionDemuxChan := make(chan *packet.Session, 4)
+	datagramMuxer := cfdquic.NewDatagramMuxerV2(conn, &log, sessionDemuxChan)
+	sessionManager := datagramsession.NewManager(&log, datagramMuxer.SendToSession, sessionDemuxChan)
+	var connIndex uint8 = 0
+	packetRouter := ingress.NewPacketRouter(nil, datagramMuxer, connIndex, &log)
+
+	datagramConn := &datagramV2Connection{
+		conn,
+		index,
+		sessionManager,
+		cfdflow.NewLimiter(0),
+		datagramMuxer,
+		packetRouter,
+		15 * time.Second,
+		0 * time.Second,
+		&log,
+	}
+
+	tunnelConn, err := NewTunnelConnection(
+		ctx,
+		conn,
+		index,
+		&mockOrchestrator{originProxy: &mockOriginProxyWithRequest{}},
+		datagramConn,
+		fakeControlStream{},
+		&pogs.ConnectionOptions{},
+		15*time.Second,
+		0*time.Second,
+		0*time.Second,
+		&log,
+	)
+	require.NoError(t, err)
+	return tunnelConn, datagramConn
 }
 
 type mockReaderNoopWriter struct {
@@ -744,3 +864,29 @@ func (m *mockReaderNoopWriter) Write(p []byte) (n int, err error) {
 func (m *mockReaderNoopWriter) Close() error {
 	return nil
 }
+
+// GenerateTLSConfig sets up a bare-bones TLS config for a QUIC server
+func GenerateTLSConfig() *tls.Config {
+	// nolint: gosec
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	if err != nil {
+		panic(err)
+	}
+	template := x509.Certificate{SerialNumber: big.NewInt(1)}
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+	if err != nil {
+		panic(err)
+	}
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		panic(err)
+	}
+	// nolint: gosec
+	return &tls.Config{
+		Certificates: []tls.Certificate{tlsCert},
+		NextProtos:   []string{"argotunnel"},
+	}
+}

connection/quic_datagram_v2.go

@@ -0,0 +1,226 @@
+package connection
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"time"
+
+	"github.com/google/uuid"
+	pkgerrors "github.com/pkg/errors"
+	"github.com/quic-go/quic-go"
+	"github.com/rs/zerolog"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/sync/errgroup"
+
+	cfdflow "github.com/cloudflare/cloudflared/flow"
+
+	"github.com/cloudflare/cloudflared/datagramsession"
+	"github.com/cloudflare/cloudflared/ingress"
+	"github.com/cloudflare/cloudflared/management"
+	"github.com/cloudflare/cloudflared/packet"
+	cfdquic "github.com/cloudflare/cloudflared/quic"
+	"github.com/cloudflare/cloudflared/tracing"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+	rpcquic "github.com/cloudflare/cloudflared/tunnelrpc/quic"
+)
+
+const (
+	// emperically this capacity has been working well
+	demuxChanCapacity = 16
+)
+
+// DatagramSessionHandler is a service that can serve datagrams for a connection and handle sessions from incoming
+// connection streams.
+type DatagramSessionHandler interface {
+	Serve(context.Context) error
+
+	pogs.SessionManager
+}
+
+type datagramV2Connection struct {
+	conn  quic.Connection
+	index uint8
+
+	// sessionManager tracks active sessions. It receives datagrams from quic connection via datagramMuxer
+	sessionManager datagramsession.Manager
+	// flowLimiter tracks active sessions across the tunnel and limits new sessions if they are above the limit.
+	flowLimiter cfdflow.Limiter
+
+	// datagramMuxer mux/demux datagrams from quic connection
+	datagramMuxer *cfdquic.DatagramMuxerV2
+	packetRouter  *ingress.PacketRouter
+
+	rpcTimeout         time.Duration
+	streamWriteTimeout time.Duration
+
+	logger *zerolog.Logger
+}
+
+func NewDatagramV2Connection(ctx context.Context,
+	conn quic.Connection,
+	icmpRouter ingress.ICMPRouter,
+	index uint8,
+	rpcTimeout time.Duration,
+	streamWriteTimeout time.Duration,
+	flowLimiter cfdflow.Limiter,
+	logger *zerolog.Logger,
+) DatagramSessionHandler {
+	sessionDemuxChan := make(chan *packet.Session, demuxChanCapacity)
+	datagramMuxer := cfdquic.NewDatagramMuxerV2(conn, logger, sessionDemuxChan)
+	sessionManager := datagramsession.NewManager(logger, datagramMuxer.SendToSession, sessionDemuxChan)
+	packetRouter := ingress.NewPacketRouter(icmpRouter, datagramMuxer, index, logger)
+
+	return &datagramV2Connection{
+		conn:               conn,
+		index:              index,
+		sessionManager:     sessionManager,
+		flowLimiter:        flowLimiter,
+		datagramMuxer:      datagramMuxer,
+		packetRouter:       packetRouter,
+		rpcTimeout:         rpcTimeout,
+		streamWriteTimeout: streamWriteTimeout,
+		logger:             logger,
+	}
+}
+
+func (d *datagramV2Connection) Serve(ctx context.Context) error {
+	// If either goroutine returns nil error, we rely on this cancellation to make sure the other goroutine exits
+	// as fast as possible as well. Nil error means we want to exit for good (caller code won't retry serving this
+	// connection).
+	// If either goroutine returns a non nil error, then the error group cancels the context, thus also canceling the
+	// other goroutine as fast as possible.
+	ctx, cancel := context.WithCancel(ctx)
+	errGroup, ctx := errgroup.WithContext(ctx)
+
+	errGroup.Go(func() error {
+		defer cancel()
+		return d.sessionManager.Serve(ctx)
+	})
+	errGroup.Go(func() error {
+		defer cancel()
+		return d.datagramMuxer.ServeReceive(ctx)
+	})
+	errGroup.Go(func() error {
+		defer cancel()
+		return d.packetRouter.Serve(ctx)
+	})
+
+	return errGroup.Wait()
+}
+
+// RegisterUdpSession is the RPC method invoked by edge to register and run a session
+func (q *datagramV2Connection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*tunnelpogs.RegisterUdpSessionResponse, error) {
+	traceCtx := tracing.NewTracedContext(ctx, traceContext, q.logger)
+	ctx, registerSpan := traceCtx.Tracer().Start(traceCtx, "register-session", trace.WithAttributes(
+		attribute.String("session-id", sessionID.String()),
+		attribute.String("dst", fmt.Sprintf("%s:%d", dstIP, dstPort)),
+	))
+	log := q.logger.With().Int(management.EventTypeKey, int(management.UDP)).Logger()
+
+	// Try to start a new session
+	if err := q.flowLimiter.Acquire(management.UDP.String()); err != nil {
+		log.Warn().Msgf("Too many concurrent sessions being handled, rejecting udp proxy to %s:%d", dstIP, dstPort)
+
+		err := pkgerrors.Wrap(err, "failed to start udp session due to rate limiting")
+		tracing.EndWithErrorStatus(registerSpan, err)
+		return nil, err
+	}
+
+	// Each session is a series of datagram from an eyeball to a dstIP:dstPort.
+	// (src port, dst IP, dst port) uniquely identifies a session, so it needs a dedicated connected socket.
+	originProxy, err := ingress.DialUDP(dstIP, dstPort)
+	if err != nil {
+		log.Err(err).Msgf("Failed to create udp proxy to %s:%d", dstIP, dstPort)
+		tracing.EndWithErrorStatus(registerSpan, err)
+		q.flowLimiter.Release()
+		return nil, err
+	}
+	registerSpan.SetAttributes(
+		attribute.Bool("socket-bind-success", true),
+		attribute.String("src", originProxy.LocalAddr().String()),
+	)
+
+	session, err := q.sessionManager.RegisterSession(ctx, sessionID, originProxy)
+	if err != nil {
+		originProxy.Close()
+		log.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).Msgf("Failed to register udp session")
+		tracing.EndWithErrorStatus(registerSpan, err)
+		q.flowLimiter.Release()
+		return nil, err
+	}
+
+	go func() {
+		defer q.flowLimiter.Release() // we do the release here, instead of inside the `serveUDPSession` just to keep all acquire/release calls in the same method.
+		q.serveUDPSession(session, closeAfterIdleHint)
+	}()
+
+	log.Debug().
+		Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).
+		Str("src", originProxy.LocalAddr().String()).
+		Str("dst", fmt.Sprintf("%s:%d", dstIP, dstPort)).
+		Msgf("Registered session")
+	tracing.End(registerSpan)
+
+	resp := tunnelpogs.RegisterUdpSessionResponse{
+		Spans: traceCtx.GetProtoSpans(),
+	}
+
+	return &resp, nil
+}
+
+// UnregisterUdpSession is the RPC method invoked by edge to unregister and terminate a sesssion
+func (q *datagramV2Connection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {
+	return q.sessionManager.UnregisterSession(ctx, sessionID, message, true)
+}
+
+func (q *datagramV2Connection) serveUDPSession(session *datagramsession.Session, closeAfterIdleHint time.Duration) {
+	ctx := q.conn.Context()
+	closedByRemote, err := session.Serve(ctx, closeAfterIdleHint)
+	// If session is terminated by remote, then we know it has been unregistered from session manager and edge
+	if !closedByRemote {
+		if err != nil {
+			q.closeUDPSession(ctx, session.ID, err.Error())
+		} else {
+			q.closeUDPSession(ctx, session.ID, "terminated without error")
+		}
+	}
+	q.logger.Debug().Err(err).
+		Int(management.EventTypeKey, int(management.UDP)).
+		Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(session.ID)).
+		Msg("Session terminated")
+}
+
+// closeUDPSession first unregisters the session from session manager, then it tries to unregister from edge
+func (q *datagramV2Connection) closeUDPSession(ctx context.Context, sessionID uuid.UUID, message string) {
+	_ = q.sessionManager.UnregisterSession(ctx, sessionID, message, false)
+	quicStream, err := q.conn.OpenStream()
+	if err != nil {
+		// Log this at debug because this is not an error if session was closed due to lost connection
+		// with edge
+		q.logger.Debug().Err(err).
+			Int(management.EventTypeKey, int(management.UDP)).
+			Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).
+			Msgf("Failed to open quic stream to unregister udp session with edge")
+		return
+	}
+
+	stream := cfdquic.NewSafeStreamCloser(quicStream, q.streamWriteTimeout, q.logger)
+	defer stream.Close()
+	rpcClientStream, err := rpcquic.NewSessionClient(ctx, stream, q.rpcTimeout)
+	if err != nil {
+		// Log this at debug because this is not an error if session was closed due to lost connection
+		// with edge
+		q.logger.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).
+			Msgf("Failed to open rpc stream to unregister udp session with edge")
+		return
+	}
+	defer rpcClientStream.Close()
+
+	if err := rpcClientStream.UnregisterUdpSession(ctx, sessionID, message); err != nil {
+		q.logger.Err(err).Str(datagramsession.LogFieldSessionID, datagramsession.FormatSessionID(sessionID)).
+			Msgf("Failed to unregister udp session with edge")
+	}
+}

connection/quic_datagram_v2_test.go

@@ -0,0 +1,96 @@
+package connection
+
+import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/quic-go/quic-go"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
+
+	cfdflow "github.com/cloudflare/cloudflared/flow"
+	"github.com/cloudflare/cloudflared/mocks"
+)
+
+type mockQuicConnection struct {
+}
+
+func (m *mockQuicConnection) AcceptStream(_ context.Context) (quic.Stream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) AcceptUniStream(_ context.Context) (quic.ReceiveStream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) OpenStream() (quic.Stream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) OpenStreamSync(_ context.Context) (quic.Stream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) OpenUniStream() (quic.SendStream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) OpenUniStreamSync(_ context.Context) (quic.SendStream, error) {
+	return nil, nil
+}
+
+func (m *mockQuicConnection) LocalAddr() net.Addr {
+	return nil
+}
+
+func (m *mockQuicConnection) RemoteAddr() net.Addr {
+	return nil
+}
+
+func (m *mockQuicConnection) CloseWithError(_ quic.ApplicationErrorCode, s string) error {
+	return nil
+}
+
+func (m *mockQuicConnection) Context() context.Context {
+	return nil
+}
+
+func (m *mockQuicConnection) ConnectionState() quic.ConnectionState {
+	panic("not meant to be called")
+}
+
+func (m *mockQuicConnection) SendDatagram(_ []byte) error {
+	return nil
+}
+
+func (m *mockQuicConnection) ReceiveDatagram(_ context.Context) ([]byte, error) {
+	return nil, nil
+}
+
+func TestRateLimitOnNewDatagramV2UDPSession(t *testing.T) {
+	log := zerolog.Nop()
+	conn := &mockQuicConnection{}
+	ctrl := gomock.NewController(t)
+	flowLimiterMock := mocks.NewMockLimiter(ctrl)
+
+	datagramConn := NewDatagramV2Connection(
+		context.Background(),
+		conn,
+		nil,
+		0,
+		0*time.Second,
+		0*time.Second,
+		flowLimiterMock,
+		&log,
+	)
+
+	flowLimiterMock.EXPECT().Acquire("udp").Return(cfdflow.ErrTooManyActiveFlows)
+	flowLimiterMock.EXPECT().Release().Times(0)
+
+	_, err := datagramConn.RegisterUdpSession(context.Background(), uuid.New(), net.IPv4(0, 0, 0, 0), 1000, 1*time.Second, "")
+	require.ErrorIs(t, err, cfdflow.ErrTooManyActiveFlows)
+}

connection/quic_datagram_v3.go

@@ -0,0 +1,69 @@
+package connection
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"github.com/quic-go/quic-go"
+	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/ingress"
+	"github.com/cloudflare/cloudflared/management"
+	cfdquic "github.com/cloudflare/cloudflared/quic/v3"
+	"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
+)
+
+var (
+	ErrUnsupportedRPCUDPRegistration   = errors.New("datagram v3 does not support RegisterUdpSession RPC")
+	ErrUnsupportedRPCUDPUnregistration = errors.New("datagram v3 does not support UnregisterUdpSession RPC")
+)
+
+type datagramV3Connection struct {
+	conn  quic.Connection
+	index uint8
+	// datagramMuxer mux/demux datagrams from quic connection
+	datagramMuxer cfdquic.DatagramConn
+	metrics       cfdquic.Metrics
+	logger        *zerolog.Logger
+}
+
+func NewDatagramV3Connection(ctx context.Context,
+	conn quic.Connection,
+	sessionManager cfdquic.SessionManager,
+	icmpRouter ingress.ICMPRouter,
+	index uint8,
+	metrics cfdquic.Metrics,
+	logger *zerolog.Logger,
+) DatagramSessionHandler {
+	log := logger.
+		With().
+		Int(management.EventTypeKey, int(management.UDP)).
+		Uint8(LogFieldConnIndex, index).
+		Logger()
+	datagramMuxer := cfdquic.NewDatagramConn(conn, sessionManager, icmpRouter, index, metrics, &log)
+
+	return &datagramV3Connection{
+		conn,
+		index,
+		datagramMuxer,
+		metrics,
+		logger,
+	}
+}
+
+func (d *datagramV3Connection) Serve(ctx context.Context) error {
+	return d.datagramMuxer.Serve(ctx)
+}
+
+func (d *datagramV3Connection) RegisterUdpSession(ctx context.Context, sessionID uuid.UUID, dstIP net.IP, dstPort uint16, closeAfterIdleHint time.Duration, traceContext string) (*pogs.RegisterUdpSessionResponse, error) {
+	d.metrics.UnsupportedRemoteCommand(d.index, "register_udp_session")
+	return nil, ErrUnsupportedRPCUDPRegistration
+}
+
+func (d *datagramV3Connection) UnregisterUdpSession(ctx context.Context, sessionID uuid.UUID, message string) error {
+	d.metrics.UnsupportedRemoteCommand(d.index, "unregister_udp_session")
+	return ErrUnsupportedRPCUDPUnregistration
+}

connection/rpc.go

@@ -1,153 +0,0 @@
-package connection
-
-import (
-	"context"
-	"io"
-	"net"
-	"time"
-
-	"github.com/rs/zerolog"
-	"zombiezen.com/go/capnproto2/rpc"
-
-	"github.com/cloudflare/cloudflared/tunnelrpc"
-	tunnelpogs "github.com/cloudflare/cloudflared/tunnelrpc/pogs"
-)
-
-type tunnelServerClient struct {
-	client    tunnelpogs.TunnelServer_PogsClient
-	transport rpc.Transport
-}
-
-// NewTunnelRPCClient creates and returns a new RPC client, which will communicate using a stream on the given muxer.
-// This method is exported for supervisor to call Authenticate RPC
-func NewTunnelServerClient(
-	ctx context.Context,
-	stream io.ReadWriteCloser,
-	log *zerolog.Logger,
-) *tunnelServerClient {
-	transport := tunnelrpc.NewTransportLogger(log, rpc.StreamTransport(stream))
-	conn := rpc.NewConn(
-		transport,
-		tunnelrpc.ConnLog(log),
-	)
-	registrationClient := tunnelpogs.RegistrationServer_PogsClient{Client: conn.Bootstrap(ctx), Conn: conn}
-	return &tunnelServerClient{
-		client:    tunnelpogs.TunnelServer_PogsClient{RegistrationServer_PogsClient: registrationClient, Client: conn.Bootstrap(ctx), Conn: conn},
-		transport: transport,
-	}
-}
-
-func (tsc *tunnelServerClient) Authenticate(ctx context.Context, classicTunnel *ClassicTunnelProperties, registrationOptions *tunnelpogs.RegistrationOptions) (tunnelpogs.AuthOutcome, error) {
-	authResp, err := tsc.client.Authenticate(ctx, classicTunnel.OriginCert, classicTunnel.Hostname, registrationOptions)
-	if err != nil {
-		return nil, err
-	}
-	return authResp.Outcome(), nil
-}
-
-func (tsc *tunnelServerClient) Close() {
-	// Closing the client will also close the connection
-	_ = tsc.client.Close()
-	_ = tsc.transport.Close()
-}
-
-type NamedTunnelRPCClient interface {
-	RegisterConnection(
-		c context.Context,
-		config *NamedTunnelProperties,
-		options *tunnelpogs.ConnectionOptions,
-		connIndex uint8,
-		edgeAddress net.IP,
-		observer *Observer,
-	) (*tunnelpogs.ConnectionDetails, error)
-	SendLocalConfiguration(
-		c context.Context,
-		config []byte,
-		observer *Observer,
-	) error
-	GracefulShutdown(ctx context.Context, gracePeriod time.Duration)
-	Close()
-}
-
-type registrationServerClient struct {
-	client    tunnelpogs.RegistrationServer_PogsClient
-	transport rpc.Transport
-}
-
-func newRegistrationRPCClient(
-	ctx context.Context,
-	stream io.ReadWriteCloser,
-	log *zerolog.Logger,
-) NamedTunnelRPCClient {
-	transport := tunnelrpc.NewTransportLogger(log, rpc.StreamTransport(stream))
-	conn := rpc.NewConn(
-		transport,
-		tunnelrpc.ConnLog(log),
-	)
-	return &registrationServerClient{
-		client:    tunnelpogs.RegistrationServer_PogsClient{Client: conn.Bootstrap(ctx), Conn: conn},
-		transport: transport,
-	}
-}
-
-func (rsc *registrationServerClient) RegisterConnection(
-	ctx context.Context,
-	properties *NamedTunnelProperties,
-	options *tunnelpogs.ConnectionOptions,
-	connIndex uint8,
-	edgeAddress net.IP,
-	observer *Observer,
-) (*tunnelpogs.ConnectionDetails, error) {
-	conn, err := rsc.client.RegisterConnection(
-		ctx,
-		properties.Credentials.Auth(),
-		properties.Credentials.TunnelID,
-		connIndex,
-		options,
-	)
-	if err != nil {
-		if err.Error() == DuplicateConnectionError {
-			observer.metrics.regFail.WithLabelValues("dup_edge_conn", "registerConnection").Inc()
-			return nil, errDuplicationConnection
-		}
-		observer.metrics.regFail.WithLabelValues("server_error", "registerConnection").Inc()
-		return nil, serverRegistrationErrorFromRPC(err)
-	}
-
-	observer.metrics.regSuccess.WithLabelValues("registerConnection").Inc()
-
-	return conn, nil
-}
-
-func (rsc *registrationServerClient) SendLocalConfiguration(ctx context.Context, config []byte, observer *Observer) (err error) {
-	observer.metrics.localConfigMetrics.pushes.Inc()
-	defer func() {
-		if err != nil {
-			observer.metrics.localConfigMetrics.pushesErrors.Inc()
-		}
-	}()
-
-	return rsc.client.SendLocalConfiguration(ctx, config)
-}
-
-func (rsc *registrationServerClient) GracefulShutdown(ctx context.Context, gracePeriod time.Duration) {
-	ctx, cancel := context.WithTimeout(ctx, gracePeriod)
-	defer cancel()
-	_ = rsc.client.UnregisterConnection(ctx)
-}
-
-func (rsc *registrationServerClient) Close() {
-	// Closing the client will also close the connection
-	_ = rsc.client.Close()
-	// Closing the transport also closes the stream
-	_ = rsc.transport.Close()
-}
-
-type rpcName string
-
-const (
-	register     rpcName = "register"
-	reconnect    rpcName = "reconnect"
-	unregister   rpcName = "unregister"
-	authenticate rpcName = " authenticate"
-)

credentials/credentials.go

@@ -9,6 +9,7 @@ import (
 
 const (
 	logFieldOriginCertPath = "originCertPath"
+	FedEndpoint            = "fed"
 )
 
 type User struct {
@@ -32,6 +33,10 @@ func (c User) CertPath() string {
 	return c.certPath
 }
 
+func (c User) IsFEDEndpoint() bool {
+	return c.cert.Endpoint == FedEndpoint
+}
+
 // Client uses the user credentials to create a Cloudflare API client
 func (c *User) Client(apiURL string, userAgent string, log *zerolog.Logger) (cfapi.Client, error) {
 	if apiURL == "" {
@@ -45,7 +50,6 @@ func (c *User) Client(apiURL string, userAgent string, log *zerolog.Logger) (cfa
 		userAgent,
 		log,
 	)
-
 	if err != nil {
 		return nil, err
 	}

credentials/credentials_test.go

@@ -3,7 +3,7 @@ package credentials
 import (
 	"io/fs"
 	"os"
-	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -13,8 +13,8 @@ func TestCredentialsRead(t *testing.T) {
 	file, err := os.ReadFile("test-cloudflare-tunnel-cert-json.pem")
 	require.NoError(t, err)
 	dir := t.TempDir()
-	certPath := path.Join(dir, originCertFile)
-	os.WriteFile(certPath, file, fs.ModePerm)
+	certPath := filepath.Join(dir, originCertFile)
+	_ = os.WriteFile(certPath, file, fs.ModePerm)
 	user, err := Read(certPath, &nopLog)
 	require.NoError(t, err)
 	require.Equal(t, certPath, user.CertPath())

credentials/origin_cert.go

@@ -1,11 +1,13 @@
 package credentials
 
 import (
+	"bytes"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/mitchellh/go-homedir"
 	"github.com/rs/zerolog"
@@ -15,19 +17,30 @@ import (
 
 const (
 	DefaultCredentialFile = "cert.pem"
-	OriginCertFlag        = "origincert"
 )
 
-type namedTunnelToken struct {
+type OriginCert struct {
 	ZoneID    string `json:"zoneID"`
 	AccountID string `json:"accountID"`
 	APIToken  string `json:"apiToken"`
+	Endpoint  string `json:"endpoint,omitempty"`
 }
 
-type OriginCert struct {
-	ZoneID    string
-	APIToken  string
-	AccountID string
+func (oc *OriginCert) UnmarshalJSON(data []byte) error {
+	var aux struct {
+		ZoneID    string `json:"zoneID"`
+		AccountID string `json:"accountID"`
+		APIToken  string `json:"apiToken"`
+		Endpoint  string `json:"endpoint,omitempty"`
+	}
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return fmt.Errorf("error parsing OriginCert: %v", err)
+	}
+	oc.ZoneID = aux.ZoneID
+	oc.AccountID = aux.AccountID
+	oc.APIToken = aux.APIToken
+	oc.Endpoint = strings.ToLower(aux.Endpoint)
+	return nil
 }
 
 // FindDefaultOriginCertPath returns the first path that contains a cert.pem file. If none of the
@@ -42,40 +55,56 @@ func FindDefaultOriginCertPath() string {
 	return ""
 }
 
+func DecodeOriginCert(blocks []byte) (*OriginCert, error) {
+	return decodeOriginCert(blocks)
+}
+
+func (cert *OriginCert) EncodeOriginCert() ([]byte, error) {
+	if cert == nil {
+		return nil, fmt.Errorf("originCert cannot be nil")
+	}
+	buffer, err := json.Marshal(cert)
+	if err != nil {
+		return nil, fmt.Errorf("originCert marshal failed: %v", err)
+	}
+	block := pem.Block{
+		Type:    "ARGO TUNNEL TOKEN",
+		Headers: map[string]string{},
+		Bytes:   buffer,
+	}
+	var out bytes.Buffer
+	err = pem.Encode(&out, &block)
+	if err != nil {
+		return nil, fmt.Errorf("pem encoding failed: %v", err)
+	}
+	return out.Bytes(), nil
+}
+
 func decodeOriginCert(blocks []byte) (*OriginCert, error) {
 	if len(blocks) == 0 {
-		return nil, fmt.Errorf("Cannot decode empty certificate")
+		return nil, fmt.Errorf("cannot decode empty certificate")
 	}
 	originCert := OriginCert{}
 	block, rest := pem.Decode(blocks)
-	for {
-		if block == nil {
-			break
-		}
+	for block != nil {
 		switch block.Type {
 		case "PRIVATE KEY", "CERTIFICATE":
 			// this is for legacy purposes.
-			break
 		case "ARGO TUNNEL TOKEN":
 			if originCert.ZoneID != "" || originCert.APIToken != "" {
-				return nil, fmt.Errorf("Found multiple tokens in the certificate")
+				return nil, fmt.Errorf("found multiple tokens in the certificate")
 			}
 			// The token is a string,
 			// Try the newer JSON format
-			ntt := namedTunnelToken{}
-			if err := json.Unmarshal(block.Bytes, &ntt); err == nil {
-				originCert.ZoneID = ntt.ZoneID
-				originCert.APIToken = ntt.APIToken
-				originCert.AccountID = ntt.AccountID
-			}
+			_ = json.Unmarshal(block.Bytes, &originCert)
 		default:
-			return nil, fmt.Errorf("Unknown block %s in the certificate", block.Type)
+			return nil, fmt.Errorf("unknown block %s in the certificate", block.Type)
 		}
 		block, rest = pem.Decode(rest)
 	}
 
 	if originCert.ZoneID == "" || originCert.APIToken == "" {
-		return nil, fmt.Errorf("Missing token in the certificate")
+		return nil, fmt.Errorf("missing token in the certificate")
 	}
 
 	return &originCert, nil

credentials/origin_cert_test.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
-	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/rs/zerolog"
@@ -16,27 +16,25 @@ const (
 	originCertFile = "cert.pem"
 )
 
-var (
-	nopLog = zerolog.Nop().With().Logger()
-)
+var nopLog = zerolog.Nop().With().Logger()
 
 func TestLoadOriginCert(t *testing.T) {
 	cert, err := decodeOriginCert([]byte{})
-	assert.Equal(t, fmt.Errorf("Cannot decode empty certificate"), err)
+	assert.Equal(t, fmt.Errorf("cannot decode empty certificate"), err)
 	assert.Nil(t, cert)
 
 	blocks, err := os.ReadFile("test-cert-unknown-block.pem")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	cert, err = decodeOriginCert(blocks)
-	assert.Equal(t, fmt.Errorf("Unknown block RSA PRIVATE KEY in the certificate"), err)
+	assert.Equal(t, fmt.Errorf("unknown block RSA PRIVATE KEY in the certificate"), err)
 	assert.Nil(t, cert)
 }
 
 func TestJSONArgoTunnelTokenEmpty(t *testing.T) {
 	blocks, err := os.ReadFile("test-cert-no-token.pem")
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	cert, err := decodeOriginCert(blocks)
-	assert.Equal(t, fmt.Errorf("Missing token in the certificate"), err)
+	assert.Equal(t, fmt.Errorf("missing token in the certificate"), err)
 	assert.Nil(t, cert)
 }
 
@@ -52,51 +50,21 @@ func TestJSONArgoTunnelToken(t *testing.T) {
 
 func CloudflareTunnelTokenTest(t *testing.T, path string) {
 	blocks, err := os.ReadFile(path)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	cert, err := decodeOriginCert(blocks)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.NotNil(t, cert)
 	assert.Equal(t, "7b0a4d77dfb881c1a3b7d61ea9443e19", cert.ZoneID)
 	key := "test-service-key"
 	assert.Equal(t, key, cert.APIToken)
 }
 
-type mockFile struct {
-	path string
-	data []byte
-	err  error
-}
-
-type mockFileSystem struct {
-	files map[string]mockFile
-}
-
-func newMockFileSystem(files ...mockFile) *mockFileSystem {
-	fs := mockFileSystem{map[string]mockFile{}}
-	for _, f := range files {
-		fs.files[f.path] = f
-	}
-	return &fs
-}
-
-func (fs *mockFileSystem) ReadFile(path string) ([]byte, error) {
-	if f, ok := fs.files[path]; ok {
-		return f.data, f.err
-	}
-	return nil, os.ErrNotExist
-}
-
-func (fs *mockFileSystem) ValidFilePath(path string) bool {
-	_, exists := fs.files[path]
-	return exists
-}
-
 func TestFindOriginCert_Valid(t *testing.T) {
 	file, err := os.ReadFile("test-cloudflare-tunnel-cert-json.pem")
 	require.NoError(t, err)
 	dir := t.TempDir()
-	certPath := path.Join(dir, originCertFile)
-	os.WriteFile(certPath, file, fs.ModePerm)
+	certPath := filepath.Join(dir, originCertFile)
+	_ = os.WriteFile(certPath, file, fs.ModePerm)
 	path, err := FindOriginCert(certPath, &nopLog)
 	require.NoError(t, err)
 	require.Equal(t, certPath, path)
@@ -104,7 +72,32 @@ func TestFindOriginCert_Valid(t *testing.T) {
 
 func TestFindOriginCert_Missing(t *testing.T) {
 	dir := t.TempDir()
-	certPath := path.Join(dir, originCertFile)
+	certPath := filepath.Join(dir, originCertFile)
 	_, err := FindOriginCert(certPath, &nopLog)
 	require.Error(t, err)
 }
+
+func TestEncodeDecodeOriginCert(t *testing.T) {
+	cert := OriginCert{
+		ZoneID:    "zone",
+		AccountID: "account",
+		APIToken:  "token",
+		Endpoint:  "FED",
+	}
+	blocks, err := cert.EncodeOriginCert()
+	require.NoError(t, err)
+	decodedCert, err := DecodeOriginCert(blocks)
+	require.NoError(t, err)
+	assert.NotNil(t, cert)
+	assert.Equal(t, "zone", decodedCert.ZoneID)
+	assert.Equal(t, "account", decodedCert.AccountID)
+	assert.Equal(t, "token", decodedCert.APIToken)
+	assert.Equal(t, FedEndpoint, decodedCert.Endpoint)
+}
+
+func TestEncodeDecodeNilOriginCert(t *testing.T) {
+	var cert *OriginCert
+	blocks, err := cert.EncodeOriginCert()
+	assert.Equal(t, fmt.Errorf("originCert cannot be nil"), err)
+	require.Nil(t, blocks)
+}

credentials/test-cert-unknown-block.pem

@@ -87,3 +87,4 @@ M2i4QoOFcSKIG+v4SuvgEJHgG8vGvxh2qlSxnMWuPV+7/1P5ATLqDj1PlKms+BNR
 y7sc5AT9PclkL3Y9MNzOu0LXyBkGYcl8M0EQfLv9VPbWT+NXiMg/O2CHiT02pAAz
 uQicoQq3yzeQh20wtrtaXzTNmA==
 -----END RSA PRIVATE KEY-----
+

datagramsession/manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -20,8 +21,15 @@ const (
 
 var (
 	errSessionManagerClosed = fmt.Errorf("session manager closed")
+	LogFieldSessionID       = "sessionID"
 )
 
+func FormatSessionID(sessionID uuid.UUID) string {
+	sessionIDStr := sessionID.String()
+	sessionIDStr = strings.ReplaceAll(sessionIDStr, "-", "")
+	return sessionIDStr
+}
+
 // Manager defines the APIs to manage sessions from the same transport.
 type Manager interface {
 	// Serve starts the event loop
@@ -127,7 +135,7 @@ func (m *manager) registerSession(ctx context.Context, registration *registerSes
 func (m *manager) newSession(id uuid.UUID, dstConn io.ReadWriteCloser) *Session {
 	logger := m.log.With().
 		Int(management.EventTypeKey, int(management.UDP)).
-		Str("sessionID", id.String()).Logger()
+		Str(LogFieldSessionID, FormatSessionID(id)).Logger()
 	return &Session{
 		ID:       id,
 		sendFunc: m.sendFunc,
@@ -174,7 +182,7 @@ func (m *manager) unregisterSession(unregistration *unregisterSessionEvent) {
 func (m *manager) sendToSession(datagram *packet.Session) {
 	session, ok := m.sessions[datagram.ID]
 	if !ok {
-		m.log.Error().Str("sessionID", datagram.ID.String()).Msg("session not found")
+		m.log.Error().Str(LogFieldSessionID, FormatSessionID(datagram.ID)).Msg("session not found")
 		return
 	}
 	// session writes to destination over a connected UDP socket, which should not be blocking, so this call doesn't

datagramsession/metrics.go

@@ -15,7 +15,7 @@ var (
 		Name:      "active_sessions",
 		Help:      "Concurrent count of UDP sessions that are being proxied to any origin",
 	})
-	totalUDPSessions = prometheus.NewGauge(prometheus.GaugeOpts{
+	totalUDPSessions = prometheus.NewCounter(prometheus.CounterOpts{
 		Namespace: namespace,
 		Subsystem: "udp",
 		Name:      "total_sessions",

datagramsession/session.go

@@ -57,7 +57,7 @@ func (s *Session) Serve(ctx context.Context, closeAfterIdle time.Duration) (clos
 		readBuffer := make([]byte, maxPacketSize)
 		for {
 			if closeSession, err := s.dstToTransport(readBuffer); err != nil {
-				if errors.Is(err, net.ErrClosed) {
+				if errors.Is(err, net.ErrClosed) || errors.Is(err, io.EOF) {
 					s.log.Debug().Msg("Destination connection closed")
 				} else {
 					level := zerolog.ErrorLevel
@@ -84,7 +84,7 @@ func (s *Session) waitForCloseCondition(ctx context.Context, closeAfterIdle time
 	// Closing dstConn cancels read so dstToTransport routine in Serve() can return
 	defer s.dstConn.Close()
 	if closeAfterIdle == 0 {
-		// provide deafult is caller doesn't specify one
+		// provide default is caller doesn't specify one
 		closeAfterIdle = defaultCloseIdleAfter
 	}
 

datagramsession/session_test.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 
@@ -54,22 +55,22 @@ func testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.D
 		closedByRemote, err := session.Serve(ctx, closeAfterIdle)
 		switch closeBy {
 		case closeByContext:
-			require.Equal(t, context.Canceled, err)
-			require.False(t, closedByRemote)
+			assert.Equal(t, context.Canceled, err)
+			assert.False(t, closedByRemote)
 		case closeByCallingClose:
-			require.Equal(t, localCloseReason, err)
-			require.Equal(t, localCloseReason.byRemote, closedByRemote)
+			assert.Equal(t, localCloseReason, err)
+			assert.Equal(t, localCloseReason.byRemote, closedByRemote)
 		case closeByTimeout:
-			require.Equal(t, SessionIdleErr(closeAfterIdle), err)
-			require.False(t, closedByRemote)
+			assert.Equal(t, SessionIdleErr(closeAfterIdle), err)
+			assert.False(t, closedByRemote)
 		}
 		close(sessionDone)
 	}()
 
 	go func() {
 		n, err := session.transportToDst(payload)
-		require.NoError(t, err)
-		require.Equal(t, len(payload), n)
+		assert.NoError(t, err)
+		assert.Equal(t, len(payload), n)
 	}()
 
 	readBuffer := make([]byte, len(payload)+1)
@@ -84,6 +85,8 @@ func testSessionReturns(t *testing.T, closeBy closeMethod, closeAfterIdle time.D
 		cancel()
 	case closeByCallingClose:
 		session.close(localCloseReason)
+	default:
+		// ignore
 	}
 
 	<-sessionDone
@@ -128,7 +131,7 @@ func testActiveSessionNotClosed(t *testing.T, readFromDst bool, writeToDst bool)
 	ctx, cancel := context.WithCancel(context.Background())
 	errGroup, ctx := errgroup.WithContext(ctx)
 	errGroup.Go(func() error {
-		session.Serve(ctx, closeAfterIdle)
+		_, _ = session.Serve(ctx, closeAfterIdle)
 		if time.Now().Before(startTime.Add(activeTime)) {
 			return fmt.Errorf("session closed while it's still active")
 		}

dev.Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21.5 as builder
+FROM golang:1.22.10 as builder
 ENV GO111MODULE=on \
   CGO_ENABLED=0
 WORKDIR /go/src/github.com/cloudflare/cloudflared/

diagnostic/client.go

@@ -0,0 +1,216 @@
+package diagnostic
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strconv"
+
+	cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
+)
+
+type httpClient struct {
+	http.Client
+	baseURL *url.URL
+}
+
+func NewHTTPClient() *httpClient {
+	httpTransport := http.Transport{
+		TLSHandshakeTimeout:   defaultTimeout,
+		ResponseHeaderTimeout: defaultTimeout,
+	}
+
+	return &httpClient{
+		http.Client{
+			Transport: &httpTransport,
+			Timeout:   defaultTimeout,
+		},
+		nil,
+	}
+}
+
+func (client *httpClient) SetBaseURL(baseURL *url.URL) {
+	client.baseURL = baseURL
+}
+
+func (client *httpClient) GET(ctx context.Context, endpoint string) (*http.Response, error) {
+	if client.baseURL == nil {
+		return nil, ErrNoBaseURL
+	}
+	url := client.baseURL.JoinPath(endpoint)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating GET request: %w", err)
+	}
+
+	req.Header.Add("Accept", "application/json;version=1")
+
+	response, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("error GET request: %w", err)
+	}
+
+	return response, nil
+}
+
+type LogConfiguration struct {
+	logFile      string
+	logDirectory string
+	uid          int // the uid of the user that started cloudflared
+}
+
+func (client *httpClient) GetLogConfiguration(ctx context.Context) (*LogConfiguration, error) {
+	response, err := client.GET(ctx, cliConfigurationEndpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	defer response.Body.Close()
+
+	var data map[string]string
+	if err := json.NewDecoder(response.Body).Decode(&data); err != nil {
+		return nil, fmt.Errorf("failed to decode body: %w", err)
+	}
+
+	uidStr, exists := data[configurationKeyUID]
+	if !exists {
+		return nil, ErrKeyNotFound
+	}
+
+	uid, err := strconv.Atoi(uidStr)
+	if err != nil {
+		return nil, fmt.Errorf("error convertin pid to int: %w", err)
+	}
+
+	logFile, exists := data[cfdflags.LogFile]
+	if exists {
+		return &LogConfiguration{logFile, "", uid}, nil
+	}
+
+	logDirectory, exists := data[cfdflags.LogDirectory]
+	if exists {
+		return &LogConfiguration{"", logDirectory, uid}, nil
+	}
+
+	// No log configured may happen when cloudflared is executed as a managed service or
+	// when containerized
+	return &LogConfiguration{"", "", uid}, nil
+}
+
+func (client *httpClient) GetMemoryDump(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, memoryDumpEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyToWriter(response, writer)
+}
+
+func (client *httpClient) GetGoroutineDump(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, goroutineDumpEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyToWriter(response, writer)
+}
+
+func (client *httpClient) GetTunnelState(ctx context.Context) (*TunnelState, error) {
+	response, err := client.GET(ctx, tunnelStateEndpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	defer response.Body.Close()
+
+	var state TunnelState
+	if err := json.NewDecoder(response.Body).Decode(&state); err != nil {
+		return nil, fmt.Errorf("failed to decode body: %w", err)
+	}
+
+	return &state, nil
+}
+
+func (client *httpClient) GetSystemInformation(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, systemInformationEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyJSONToWriter(response, writer)
+}
+
+func (client *httpClient) GetMetrics(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, metricsEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyToWriter(response, writer)
+}
+
+func (client *httpClient) GetTunnelConfiguration(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, tunnelConfigurationEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyJSONToWriter(response, writer)
+}
+
+func (client *httpClient) GetCliConfiguration(ctx context.Context, writer io.Writer) error {
+	response, err := client.GET(ctx, cliConfigurationEndpoint)
+	if err != nil {
+		return err
+	}
+
+	return copyJSONToWriter(response, writer)
+}
+
+func copyToWriter(response *http.Response, writer io.Writer) error {
+	defer response.Body.Close()
+
+	_, err := io.Copy(writer, response.Body)
+	if err != nil {
+		return fmt.Errorf("error writing response: %w", err)
+	}
+
+	return nil
+}
+
+func copyJSONToWriter(response *http.Response, writer io.Writer) error {
+	defer response.Body.Close()
+
+	var data interface{}
+
+	decoder := json.NewDecoder(response.Body)
+
+	err := decoder.Decode(&data)
+	if err != nil {
+		return fmt.Errorf("diagnostic client error whilst reading response: %w", err)
+	}
+
+	encoder := newFormattedEncoder(writer)
+
+	err = encoder.Encode(data)
+	if err != nil {
+		return fmt.Errorf("diagnostic client error whilst writing json: %w", err)
+	}
+
+	return nil
+}
+
+type HTTPClient interface {
+	GetLogConfiguration(ctx context.Context) (*LogConfiguration, error)
+	GetMemoryDump(ctx context.Context, writer io.Writer) error
+	GetGoroutineDump(ctx context.Context, writer io.Writer) error
+	GetTunnelState(ctx context.Context) (*TunnelState, error)
+	GetSystemInformation(ctx context.Context, writer io.Writer) error
+	GetMetrics(ctx context.Context, writer io.Writer) error
+	GetCliConfiguration(ctx context.Context, writer io.Writer) error
+	GetTunnelConfiguration(ctx context.Context, writer io.Writer) error
+}

diagnostic/consts.go

@@ -0,0 +1,37 @@
+package diagnostic
+
+import "time"
+
+const (
+	defaultCollectorTimeout    = time.Second * 10       // This const define the timeout value of a collector operation.
+	collectorField             = "collector"            // used for logging purposes
+	systemCollectorName        = "system"               // used for logging purposes
+	tunnelStateCollectorName   = "tunnelState"          // used for logging purposes
+	configurationCollectorName = "configuration"        // used for logging purposes
+	defaultTimeout             = 15 * time.Second       // timeout for the collectors
+	twoWeeksOffset             = -14 * 24 * time.Hour   // maximum offset for the logs
+	logFilename                = "cloudflared_logs.txt" // name of the output log file
+	configurationKeyUID        = "uid"                  // Key used to set and get the UID value from the configuration map
+	tailMaxNumberOfLines       = "10000"                // maximum number of log lines from a virtual runtime (docker or kubernetes)
+
+	// Endpoints used by the diagnostic HTTP Client.
+	cliConfigurationEndpoint    = "/diag/configuration"
+	tunnelStateEndpoint         = "/diag/tunnel"
+	systemInformationEndpoint   = "/diag/system"
+	memoryDumpEndpoint          = "debug/pprof/heap"
+	goroutineDumpEndpoint       = "debug/pprof/goroutine"
+	metricsEndpoint             = "metrics"
+	tunnelConfigurationEndpoint = "/config"
+	// Base for filenames of the diagnostic procedure
+	systemInformationBaseName = "systeminformation.json"
+	metricsBaseName           = "metrics.txt"
+	zipName                   = "cloudflared-diag"
+	heapPprofBaseName         = "heap.pprof"
+	goroutinePprofBaseName    = "goroutine.pprof"
+	networkBaseName           = "network.json"
+	rawNetworkBaseName        = "raw-network.txt"
+	tunnelStateBaseName       = "tunnelstate.json"
+	cliConfigurationBaseName  = "cli-configuration.json"
+	configurationBaseName     = "configuration.json"
+	taskResultBaseName        = "task-result.json"
+)

diagnostic/diagnostic.go

@@ -0,0 +1,561 @@
+package diagnostic
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/rs/zerolog"
+
+	network "github.com/cloudflare/cloudflared/diagnostic/network"
+)
+
+const (
+	taskSuccess                  = "success"
+	taskFailure                  = "failure"
+	jobReportName                = "job report"
+	tunnelStateJobName           = "tunnel state"
+	systemInformationJobName     = "system information"
+	goroutineJobName             = "goroutine profile"
+	heapJobName                  = "heap profile"
+	metricsJobName               = "metrics"
+	logInformationJobName        = "log information"
+	rawNetworkInformationJobName = "raw network information"
+	networkInformationJobName    = "network information"
+	cliConfigurationJobName      = "cli configuration"
+	configurationJobName         = "configuration"
+)
+
+// Struct used to hold the results of different routines executing the network collection.
+type taskResult struct {
+	Result string `json:"result,omitempty"`
+	Err    error  `json:"error,omitempty"`
+	path   string
+}
+
+func (result taskResult) MarshalJSON() ([]byte, error) {
+	s := map[string]string{
+		"result": result.Result,
+	}
+	if result.Err != nil {
+		s["error"] = result.Err.Error()
+	}
+
+	return json.Marshal(s)
+}
+
+// Struct used to hold the results of different routines executing the network collection.
+type networkCollectionResult struct {
+	name string
+	info []*network.Hop
+	raw  string
+	err  error
+}
+
+// This type represents the most common functions from the diagnostic http client
+// functions.
+type collectToWriterFunc func(ctx context.Context, writer io.Writer) error
+
+// This type represents the common denominator among all the collection procedures.
+type collectFunc func(ctx context.Context) (string, error)
+
+// collectJob is an internal struct that denotes holds the information necessary
+// to run a collection job.
+type collectJob struct {
+	jobName string
+	fn      collectFunc
+	bypass  bool
+}
+
+// The Toggles structure denotes the available toggles for the diagnostic procedure.
+// Each toggle enables/disables tasks from the diagnostic.
+type Toggles struct {
+	NoDiagLogs    bool
+	NoDiagMetrics bool
+	NoDiagSystem  bool
+	NoDiagRuntime bool
+	NoDiagNetwork bool
+}
+
+// The Options structure holds every option necessary for
+// the diagnostic procedure to work.
+type Options struct {
+	KnownAddresses []string
+	Address        string
+	ContainerID    string
+	PodID          string
+	Toggles        Toggles
+}
+
+func collectLogs(
+	ctx context.Context,
+	client HTTPClient,
+	diagContainer, diagPod string,
+) (string, error) {
+	var collector LogCollector
+	if diagPod != "" {
+		collector = NewKubernetesLogCollector(diagContainer, diagPod)
+	} else if diagContainer != "" {
+		collector = NewDockerLogCollector(diagContainer)
+	} else {
+		collector = NewHostLogCollector(client)
+	}
+
+	logInformation, err := collector.Collect(ctx)
+	if err != nil {
+		return "", fmt.Errorf("error collecting logs: %w", err)
+	}
+
+	if logInformation.isDirectory {
+		return CopyFilesFromDirectory(logInformation.path)
+	}
+
+	if logInformation.wasCreated {
+		return logInformation.path, nil
+	}
+
+	logHandle, err := os.Open(logInformation.path)
+	if err != nil {
+		return "", fmt.Errorf("error opening log file while collecting logs: %w", err)
+	}
+	defer logHandle.Close()
+
+	outputLogHandle, err := os.Create(filepath.Join(os.TempDir(), logFilename))
+	if err != nil {
+		return "", ErrCreatingTemporaryFile
+	}
+	defer outputLogHandle.Close()
+
+	_, err = io.Copy(outputLogHandle, logHandle)
+	if err != nil {
+		return "", fmt.Errorf("error copying logs while collecting logs: %w", err)
+	}
+
+	return outputLogHandle.Name(), err
+}
+
+func collectNetworkResultRoutine(
+	ctx context.Context,
+	collector network.NetworkCollector,
+	hostname string,
+	useIPv4 bool,
+	results chan networkCollectionResult,
+) {
+	const (
+		hopsNo  = 5
+		timeout = time.Second * 5
+	)
+
+	name := hostname
+
+	if useIPv4 {
+		name += "-v4"
+	} else {
+		name += "-v6"
+	}
+
+	hops, raw, err := collector.Collect(ctx, network.NewTraceOptions(hopsNo, timeout, hostname, useIPv4))
+	results <- networkCollectionResult{name, hops, raw, err}
+}
+
+func gatherNetworkInformation(ctx context.Context) map[string]networkCollectionResult {
+	networkCollector := network.NetworkCollectorImpl{}
+
+	hostAndIPversionPairs := []struct {
+		host  string
+		useV4 bool
+	}{
+		{"region1.v2.argotunnel.com", true},
+		{"region1.v2.argotunnel.com", false},
+		{"region2.v2.argotunnel.com", true},
+		{"region2.v2.argotunnel.com", false},
+	}
+
+	// the number of results is known thus use len to avoid footguns
+	results := make(chan networkCollectionResult, len(hostAndIPversionPairs))
+
+	var wgroup sync.WaitGroup
+
+	for _, item := range hostAndIPversionPairs {
+		wgroup.Add(1)
+
+		go func() {
+			defer wgroup.Done()
+			collectNetworkResultRoutine(ctx, &networkCollector, item.host, item.useV4, results)
+		}()
+	}
+
+	// Wait for routines to end.
+	wgroup.Wait()
+
+	resultMap := make(map[string]networkCollectionResult)
+
+	for range len(hostAndIPversionPairs) {
+		result := <-results
+		resultMap[result.name] = result
+	}
+
+	return resultMap
+}
+
+func networkInformationCollectors() (rawNetworkCollector, jsonNetworkCollector collectFunc) {
+	// The network collector is an operation that takes most of the diagnostic time, thus,
+	// the sync.Once is used to memoize the result of the collector and then create different
+	// outputs.
+	var once sync.Once
+
+	var resultMap map[string]networkCollectionResult
+
+	rawNetworkCollector = func(ctx context.Context) (string, error) {
+		once.Do(func() { resultMap = gatherNetworkInformation(ctx) })
+
+		return rawNetworkInformationWriter(resultMap)
+	}
+	jsonNetworkCollector = func(ctx context.Context) (string, error) {
+		once.Do(func() { resultMap = gatherNetworkInformation(ctx) })
+
+		return jsonNetworkInformationWriter(resultMap)
+	}
+
+	return rawNetworkCollector, jsonNetworkCollector
+}
+
+func rawNetworkInformationWriter(resultMap map[string]networkCollectionResult) (string, error) {
+	networkDumpHandle, err := os.Create(filepath.Join(os.TempDir(), rawNetworkBaseName))
+	if err != nil {
+		return "", ErrCreatingTemporaryFile
+	}
+
+	defer networkDumpHandle.Close()
+
+	var exitErr error
+
+	for k, v := range resultMap {
+		if v.err != nil {
+			if exitErr == nil {
+				exitErr = v.err
+			}
+
+			_, err := networkDumpHandle.WriteString(k + "\nno content\n")
+			if err != nil {
+				return networkDumpHandle.Name(), fmt.Errorf("error writing 'no content' to raw network file: %w", err)
+			}
+		} else {
+			_, err := networkDumpHandle.WriteString(k + "\n" + v.raw + "\n")
+			if err != nil {
+				return networkDumpHandle.Name(), fmt.Errorf("error writing raw network information: %w", err)
+			}
+		}
+	}
+
+	return networkDumpHandle.Name(), exitErr
+}
+
+func jsonNetworkInformationWriter(resultMap map[string]networkCollectionResult) (string, error) {
+	networkDumpHandle, err := os.Create(filepath.Join(os.TempDir(), networkBaseName))
+	if err != nil {
+		return "", ErrCreatingTemporaryFile
+	}
+
+	defer networkDumpHandle.Close()
+
+	encoder := newFormattedEncoder(networkDumpHandle)
+
+	var exitErr error
+
+	jsonMap := make(map[string][]*network.Hop, len(resultMap))
+	for k, v := range resultMap {
+		jsonMap[k] = v.info
+
+		if exitErr == nil && v.err != nil {
+			exitErr = v.err
+		}
+	}
+
+	err = encoder.Encode(jsonMap)
+	if err != nil {
+		return networkDumpHandle.Name(), fmt.Errorf("error encoding network information results: %w", err)
+	}
+
+	return networkDumpHandle.Name(), exitErr
+}
+
+func collectFromEndpointAdapter(collect collectToWriterFunc, fileName string) collectFunc {
+	return func(ctx context.Context) (string, error) {
+		dumpHandle, err := os.Create(filepath.Join(os.TempDir(), fileName))
+		if err != nil {
+			return "", ErrCreatingTemporaryFile
+		}
+		defer dumpHandle.Close()
+
+		err = collect(ctx, dumpHandle)
+		if err != nil {
+			return dumpHandle.Name(), fmt.Errorf("error running collector: %w", err)
+		}
+
+		return dumpHandle.Name(), nil
+	}
+}
+
+func tunnelStateCollectEndpointAdapter(client HTTPClient, tunnel *TunnelState, fileName string) collectFunc {
+	endpointFunc := func(ctx context.Context, writer io.Writer) error {
+		if tunnel == nil {
+			// When the metrics server is not passed the diagnostic will query all known hosts
+			// and get the tunnel state, however, when the metrics server is passed that won't
+			// happen hence the check for nil in this function.
+			tunnelResponse, err := client.GetTunnelState(ctx)
+			if err != nil {
+				return fmt.Errorf("error retrieving tunnel state: %w", err)
+			}
+
+			tunnel = tunnelResponse
+		}
+
+		encoder := newFormattedEncoder(writer)
+
+		err := encoder.Encode(tunnel)
+		if err != nil {
+			return fmt.Errorf("error encoding tunnel state: %w", err)
+		}
+
+		return nil
+	}
+
+	return collectFromEndpointAdapter(endpointFunc, fileName)
+}
+
+// resolveInstanceBaseURL is responsible to
+// resolve the base URL of the instance that should be diagnosed.
+// To resolve the instance it may be necessary to query the
+// /diag/tunnel endpoint of the known instances, thus, if a single
+// instance is found its state is also returned; if multiple instances
+// are found then their states are returned in an array along with an
+// error.
+func resolveInstanceBaseURL(
+	metricsServerAddress string,
+	log *zerolog.Logger,
+	client *httpClient,
+	addresses []string,
+) (*url.URL, *TunnelState, []*AddressableTunnelState, error) {
+	if metricsServerAddress != "" {
+		if !strings.HasPrefix(metricsServerAddress, "http://") {
+			metricsServerAddress = "http://" + metricsServerAddress
+		}
+		url, err := url.Parse(metricsServerAddress)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("provided address is not valid: %w", err)
+		}
+
+		return url, nil, nil, nil
+	}
+
+	tunnelState, foundTunnelStates, err := FindMetricsServer(log, client, addresses)
+	if err != nil {
+		return nil, nil, foundTunnelStates, err
+	}
+
+	return tunnelState.URL, tunnelState.TunnelState, nil, nil
+}
+
+func createJobs(
+	client *httpClient,
+	tunnel *TunnelState,
+	diagContainer string,
+	diagPod string,
+	noDiagSystem bool,
+	noDiagRuntime bool,
+	noDiagMetrics bool,
+	noDiagLogs bool,
+	noDiagNetwork bool,
+) []collectJob {
+	rawNetworkCollectorFunc, jsonNetworkCollectorFunc := networkInformationCollectors()
+	jobs := []collectJob{
+		{
+			jobName: tunnelStateJobName,
+			fn:      tunnelStateCollectEndpointAdapter(client, tunnel, tunnelStateBaseName),
+			bypass:  false,
+		},
+		{
+			jobName: systemInformationJobName,
+			fn:      collectFromEndpointAdapter(client.GetSystemInformation, systemInformationBaseName),
+			bypass:  noDiagSystem,
+		},
+		{
+			jobName: goroutineJobName,
+			fn:      collectFromEndpointAdapter(client.GetGoroutineDump, goroutinePprofBaseName),
+			bypass:  noDiagRuntime,
+		},
+		{
+			jobName: heapJobName,
+			fn:      collectFromEndpointAdapter(client.GetMemoryDump, heapPprofBaseName),
+			bypass:  noDiagRuntime,
+		},
+		{
+			jobName: metricsJobName,
+			fn:      collectFromEndpointAdapter(client.GetMetrics, metricsBaseName),
+			bypass:  noDiagMetrics,
+		},
+		{
+			jobName: logInformationJobName,
+			fn: func(ctx context.Context) (string, error) {
+				return collectLogs(ctx, client, diagContainer, diagPod)
+			},
+			bypass: noDiagLogs,
+		},
+		{
+			jobName: rawNetworkInformationJobName,
+			fn:      rawNetworkCollectorFunc,
+			bypass:  noDiagNetwork,
+		},
+		{
+			jobName: networkInformationJobName,
+			fn:      jsonNetworkCollectorFunc,
+			bypass:  noDiagNetwork,
+		},
+		{
+			jobName: cliConfigurationJobName,
+			fn:      collectFromEndpointAdapter(client.GetCliConfiguration, cliConfigurationBaseName),
+			bypass:  false,
+		},
+		{
+			jobName: configurationJobName,
+			fn:      collectFromEndpointAdapter(client.GetTunnelConfiguration, configurationBaseName),
+			bypass:  false,
+		},
+	}
+
+	return jobs
+}
+
+func createTaskReport(taskReport map[string]taskResult) (string, error) {
+	dumpHandle, err := os.Create(filepath.Join(os.TempDir(), taskResultBaseName))
+	if err != nil {
+		return "", ErrCreatingTemporaryFile
+	}
+	defer dumpHandle.Close()
+
+	encoder := newFormattedEncoder(dumpHandle)
+
+	err = encoder.Encode(taskReport)
+	if err != nil {
+		return "", fmt.Errorf("error encoding task results: %w", err)
+	}
+
+	return dumpHandle.Name(), nil
+}
+
+func runJobs(ctx context.Context, jobs []collectJob, log *zerolog.Logger) map[string]taskResult {
+	jobReport := make(map[string]taskResult, len(jobs))
+
+	for _, job := range jobs {
+		if job.bypass {
+			continue
+		}
+
+		log.Info().Msgf("Collecting %s...", job.jobName)
+		path, err := job.fn(ctx)
+
+		var result taskResult
+		if err != nil {
+			result = taskResult{Result: taskFailure, Err: err, path: path}
+
+			log.Error().Err(err).Msgf("Job: %s finished with error.", job.jobName)
+		} else {
+			result = taskResult{Result: taskSuccess, Err: nil, path: path}
+
+			log.Info().Msgf("Collected %s.", job.jobName)
+		}
+
+		jobReport[job.jobName] = result
+	}
+
+	taskReportName, err := createTaskReport(jobReport)
+
+	var result taskResult
+
+	if err != nil {
+		result = taskResult{
+			Result: taskFailure,
+			path:   taskReportName,
+			Err:    err,
+		}
+	} else {
+		result = taskResult{
+			Result: taskSuccess,
+			path:   taskReportName,
+			Err:    nil,
+		}
+	}
+
+	jobReport[jobReportName] = result
+
+	return jobReport
+}
+
+func RunDiagnostic(
+	log *zerolog.Logger,
+	options Options,
+) ([]*AddressableTunnelState, error) {
+	client := NewHTTPClient()
+
+	baseURL, tunnel, foundTunnels, err := resolveInstanceBaseURL(options.Address, log, client, options.KnownAddresses)
+	if err != nil {
+		return foundTunnels, err
+	}
+
+	log.Info().Msgf("Selected server %s starting diagnostic...", baseURL.String())
+	client.SetBaseURL(baseURL)
+
+	const timeout = 45 * time.Second
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+
+	defer cancel()
+
+	jobs := createJobs(
+		client,
+		tunnel,
+		options.ContainerID,
+		options.PodID,
+		options.Toggles.NoDiagSystem,
+		options.Toggles.NoDiagRuntime,
+		options.Toggles.NoDiagMetrics,
+		options.Toggles.NoDiagLogs,
+		options.Toggles.NoDiagNetwork,
+	)
+
+	jobsReport := runJobs(ctx, jobs, log)
+	paths := make([]string, 0)
+
+	var gerr error
+
+	for _, v := range jobsReport {
+		paths = append(paths, v.path)
+
+		if gerr == nil && v.Err != nil {
+			gerr = v.Err
+		}
+
+		defer func() {
+			if !errors.Is(v.Err, ErrCreatingTemporaryFile) {
+				os.Remove(v.path)
+			}
+		}()
+	}
+
+	zipfile, err := CreateDiagnosticZipFile(zipName, paths)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Info().Msgf("Diagnostic file written: %v", zipfile)
+
+	return nil, gerr
+}

diagnostic/diagnostic_utils.go

@@ -0,0 +1,148 @@
+package diagnostic
+
+import (
+	"archive/zip"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
+)
+
+// CreateDiagnosticZipFile create a zip file with the contents from the all
+// files paths. The files will be written in the root of the zip file.
+// In case of an error occurs after whilst writing to the zip file
+// this will be removed.
+func CreateDiagnosticZipFile(base string, paths []string) (zipFileName string, err error) {
+	// Create a zip file with all files from paths added to the root
+	suffix := time.Now().Format(time.RFC3339)
+	zipFileName = base + "-" + suffix + ".zip"
+	zipFileName = strings.ReplaceAll(zipFileName, ":", "-")
+
+	archive, cerr := os.Create(zipFileName)
+	if cerr != nil {
+		return "", fmt.Errorf("error creating file %s: %w", zipFileName, cerr)
+	}
+
+	archiveWriter := zip.NewWriter(archive)
+
+	defer func() {
+		archiveWriter.Close()
+		archive.Close()
+
+		if err != nil {
+			os.Remove(zipFileName)
+		}
+	}()
+
+	for _, file := range paths {
+		if file == "" {
+			continue
+		}
+
+		var handle *os.File
+
+		handle, err = os.Open(file)
+		if err != nil {
+			return "", fmt.Errorf("error opening file %s: %w", zipFileName, err)
+		}
+
+		defer handle.Close()
+
+		// Keep the base only to not create sub directories in the
+		// zip file.
+		var writer io.Writer
+
+		writer, err = archiveWriter.Create(filepath.Base(file))
+		if err != nil {
+			return "", fmt.Errorf("error creating archive writer from %s: %w", file, err)
+		}
+
+		if _, err = io.Copy(writer, handle); err != nil {
+			return "", fmt.Errorf("error copying file %s: %w", file, err)
+		}
+	}
+
+	zipFileName = archive.Name()
+	return zipFileName, nil
+}
+
+type AddressableTunnelState struct {
+	*TunnelState
+	URL *url.URL
+}
+
+func findMetricsServerPredicate(tunnelID, connectorID uuid.UUID) func(state *TunnelState) bool {
+	if tunnelID != uuid.Nil && connectorID != uuid.Nil {
+		return func(state *TunnelState) bool {
+			return state.ConnectorID == connectorID && state.TunnelID == tunnelID
+		}
+	} else if tunnelID == uuid.Nil && connectorID != uuid.Nil {
+		return func(state *TunnelState) bool {
+			return state.ConnectorID == connectorID
+		}
+	} else if tunnelID != uuid.Nil && connectorID == uuid.Nil {
+		return func(state *TunnelState) bool {
+			return state.TunnelID == tunnelID
+		}
+	}
+
+	return func(*TunnelState) bool {
+		return true
+	}
+}
+
+// The FindMetricsServer will try to find the metrics server url.
+// There are two possible error scenarios:
+// 1. No instance is found which will only return ErrMetricsServerNotFound
+// 2. Multiple instances are found which will return an array of state and ErrMultipleMetricsServerFound
+// In case of success, only the state for the instance is returned.
+func FindMetricsServer(
+	log *zerolog.Logger,
+	client *httpClient,
+	addresses []string,
+) (*AddressableTunnelState, []*AddressableTunnelState, error) {
+	instances := make([]*AddressableTunnelState, 0)
+
+	for _, address := range addresses {
+		url, err := url.Parse("http://" + address)
+		if err != nil {
+			log.Debug().Err(err).Msgf("error parsing address %s", address)
+
+			continue
+		}
+
+		client.SetBaseURL(url)
+
+		state, err := client.GetTunnelState(context.Background())
+		if err == nil {
+			instances = append(instances, &AddressableTunnelState{state, url})
+		} else {
+			log.Debug().Err(err).Msgf("error getting tunnel state from address %s", address)
+		}
+	}
+
+	if len(instances) == 0 {
+		return nil, nil, ErrMetricsServerNotFound
+	}
+
+	if len(instances) == 1 {
+		return instances[0], nil, nil
+	}
+
+	return nil, instances, ErrMultipleMetricsServerFound
+}
+
+// newFormattedEncoder return a JSON encoder with identation
+func newFormattedEncoder(w io.Writer) *json.Encoder {
+	encoder := json.NewEncoder(w)
+	encoder.SetIndent("", "  ")
+	return encoder
+}

diagnostic/diagnostic_utils_test.go

@@ -0,0 +1,147 @@
+package diagnostic_test
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/facebookgo/grace/gracenet"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/cloudflare/cloudflared/diagnostic"
+	"github.com/cloudflare/cloudflared/metrics"
+	"github.com/cloudflare/cloudflared/tunnelstate"
+)
+
+func helperCreateServer(t *testing.T, listeners *gracenet.Net, tunnelID uuid.UUID, connectorID uuid.UUID) func() {
+	t.Helper()
+	listener, err := metrics.CreateMetricsListener(listeners, "localhost:0")
+	require.NoError(t, err)
+	log := zerolog.Nop()
+	tracker := tunnelstate.NewConnTracker(&log)
+	handler := diagnostic.NewDiagnosticHandler(&log, 0, nil, tunnelID, connectorID, tracker, map[string]string{}, []string{})
+	router := http.NewServeMux()
+	router.HandleFunc("/diag/tunnel", handler.TunnelStateHandler)
+	server := &http.Server{
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+		Handler:      router,
+	}
+
+	var wgroup sync.WaitGroup
+
+	wgroup.Add(1)
+
+	go func() {
+		defer wgroup.Done()
+
+		_ = server.Serve(listener)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+
+	cleanUp := func() {
+		_ = server.Shutdown(ctx)
+
+		cancel()
+		wgroup.Wait()
+	}
+
+	return cleanUp
+}
+
+func TestFindMetricsServer_WhenSingleServerIsRunning_ReturnState(t *testing.T) {
+	listeners := gracenet.Net{}
+	tid1 := uuid.New()
+	cid1 := uuid.New()
+
+	cleanUp := helperCreateServer(t, &listeners, tid1, cid1)
+	defer cleanUp()
+
+	log := zerolog.Nop()
+	client := diagnostic.NewHTTPClient()
+	addresses := metrics.GetMetricsKnownAddresses("host")
+	url1, err := url.Parse("http://localhost:20241")
+	require.NoError(t, err)
+
+	tunnel1 := &diagnostic.AddressableTunnelState{
+		TunnelState: &diagnostic.TunnelState{
+			TunnelID:    tid1,
+			ConnectorID: cid1,
+			Connections: nil,
+		},
+		URL: url1,
+	}
+
+	state, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])
+	if err != nil {
+		require.ErrorIs(t, err, diagnostic.ErrMultipleMetricsServerFound)
+	}
+
+	assert.Equal(t, tunnel1, state)
+	assert.Nil(t, tunnels)
+}
+
+func TestFindMetricsServer_WhenMultipleServerAreRunning_ReturnError(t *testing.T) {
+	listeners := gracenet.Net{}
+	tid1 := uuid.New()
+	cid1 := uuid.New()
+	cid2 := uuid.New()
+
+	cleanUp := helperCreateServer(t, &listeners, tid1, cid1)
+	defer cleanUp()
+
+	cleanUp = helperCreateServer(t, &listeners, tid1, cid2)
+	defer cleanUp()
+
+	log := zerolog.Nop()
+	client := diagnostic.NewHTTPClient()
+	addresses := metrics.GetMetricsKnownAddresses("host")
+	url1, err := url.Parse("http://localhost:20241")
+	require.NoError(t, err)
+	url2, err := url.Parse("http://localhost:20242")
+	require.NoError(t, err)
+
+	tunnel1 := &diagnostic.AddressableTunnelState{
+		TunnelState: &diagnostic.TunnelState{
+			TunnelID:    tid1,
+			ConnectorID: cid1,
+			Connections: nil,
+		},
+		URL: url1,
+	}
+	tunnel2 := &diagnostic.AddressableTunnelState{
+		TunnelState: &diagnostic.TunnelState{
+			TunnelID:    tid1,
+			ConnectorID: cid2,
+			Connections: nil,
+		},
+		URL: url2,
+	}
+
+	state, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])
+	if err != nil {
+		require.ErrorIs(t, err, diagnostic.ErrMultipleMetricsServerFound)
+	}
+
+	assert.Nil(t, state)
+	assert.Equal(t, []*diagnostic.AddressableTunnelState{tunnel1, tunnel2}, tunnels)
+}
+
+func TestFindMetricsServer_WhenNoInstanceIsRuning_ReturnError(t *testing.T) {
+	log := zerolog.Nop()
+	client := diagnostic.NewHTTPClient()
+	addresses := metrics.GetMetricsKnownAddresses("host")
+
+	state, tunnels, err := diagnostic.FindMetricsServer(&log, client, addresses[:])
+	require.ErrorIs(t, err, diagnostic.ErrMetricsServerNotFound)
+
+	assert.Nil(t, state)
+	assert.Nil(t, tunnels)
+}

diagnostic/error.go

@@ -0,0 +1,28 @@
+package diagnostic
+
+import (
+	"errors"
+)
+
+var (
+	// Error used when there is no log directory available.
+	ErrManagedLogNotFound = errors.New("managed log directory not found")
+	// Error used when it is not possible to collect logs using the log configuration.
+	ErrLogConfigurationIsInvalid = errors.New("provided log configuration is invalid")
+	// Error used when parsing the fields of the output of collector.
+	ErrInsufficientLines = errors.New("insufficient lines")
+	// Error used when parsing the lines of the output of collector.
+	ErrInsuficientFields = errors.New("insufficient fields")
+	// Error used when given key is not found while parsing KV.
+	ErrKeyNotFound = errors.New("key not found")
+	// Error used when there is no disk volume information available.
+	ErrNoVolumeFound = errors.New("no disk volume information found")
+	// Error user when the base url of the diagnostic client is not provided.
+	ErrNoBaseURL = errors.New("no base url")
+	// Error used when no metrics server is found listening to the known addresses list (check [metrics.GetMetricsKnownAddresses]).
+	ErrMetricsServerNotFound = errors.New("metrics server not found")
+	// Error used when multiple metrics server are found listening to the known addresses list (check [metrics.GetMetricsKnownAddresses]).
+	ErrMultipleMetricsServerFound = errors.New("multiple metrics server found")
+	// Error used when a temporary file creation fails within the diagnostic procedure
+	ErrCreatingTemporaryFile = errors.New("temporary file creation failed")
+)

diagnostic/handlers.go

@@ -0,0 +1,144 @@
+package diagnostic
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
+
+	"github.com/cloudflare/cloudflared/tunnelstate"
+)
+
+type Handler struct {
+	log             *zerolog.Logger
+	timeout         time.Duration
+	systemCollector SystemCollector
+	tunnelID        uuid.UUID
+	connectorID     uuid.UUID
+	tracker         *tunnelstate.ConnTracker
+	cliFlags        map[string]string
+	icmpSources     []string
+}
+
+func NewDiagnosticHandler(
+	log *zerolog.Logger,
+	timeout time.Duration,
+	systemCollector SystemCollector,
+	tunnelID uuid.UUID,
+	connectorID uuid.UUID,
+	tracker *tunnelstate.ConnTracker,
+	cliFlags map[string]string,
+	icmpSources []string,
+) *Handler {
+	logger := log.With().Logger()
+	if timeout == 0 {
+		timeout = defaultCollectorTimeout
+	}
+
+	cliFlags[configurationKeyUID] = strconv.Itoa(os.Getuid())
+	return &Handler{
+		log:             &logger,
+		timeout:         timeout,
+		systemCollector: systemCollector,
+		tunnelID:        tunnelID,
+		connectorID:     connectorID,
+		tracker:         tracker,
+		cliFlags:        cliFlags,
+		icmpSources:     icmpSources,
+	}
+}
+
+func (handler *Handler) InstallEndpoints(router *http.ServeMux) {
+	router.HandleFunc(cliConfigurationEndpoint, handler.ConfigurationHandler)
+	router.HandleFunc(tunnelStateEndpoint, handler.TunnelStateHandler)
+	router.HandleFunc(systemInformationEndpoint, handler.SystemHandler)
+}
+
+type SystemInformationResponse struct {
+	Info *SystemInformation `json:"info"`
+	Err  error              `json:"errors"`
+}
+
+func (handler *Handler) SystemHandler(writer http.ResponseWriter, request *http.Request) {
+	logger := handler.log.With().Str(collectorField, systemCollectorName).Logger()
+	logger.Info().Msg("Collection started")
+
+	defer logger.Info().Msg("Collection finished")
+
+	ctx, cancel := context.WithTimeout(request.Context(), handler.timeout)
+
+	defer cancel()
+
+	info, err := handler.systemCollector.Collect(ctx)
+
+	response := SystemInformationResponse{
+		Info: info,
+		Err:  err,
+	}
+
+	encoder := json.NewEncoder(writer)
+	err = encoder.Encode(response)
+	if err != nil {
+		logger.Error().Err(err).Msgf("error occurred whilst serializing information")
+		writer.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+type TunnelState struct {
+	TunnelID    uuid.UUID                           `json:"tunnelID,omitempty"`
+	ConnectorID uuid.UUID                           `json:"connectorID,omitempty"`
+	Connections []tunnelstate.IndexedConnectionInfo `json:"connections,omitempty"`
+	ICMPSources []string                            `json:"icmp_sources,omitempty"`
+}
+
+func (handler *Handler) TunnelStateHandler(writer http.ResponseWriter, _ *http.Request) {
+	log := handler.log.With().Str(collectorField, tunnelStateCollectorName).Logger()
+	log.Info().Msg("Collection started")
+
+	defer log.Info().Msg("Collection finished")
+
+	body := TunnelState{
+		handler.tunnelID,
+		handler.connectorID,
+		handler.tracker.GetActiveConnections(),
+		handler.icmpSources,
+	}
+	encoder := json.NewEncoder(writer)
+
+	err := encoder.Encode(body)
+	if err != nil {
+		handler.log.Error().Err(err).Msgf("error occurred whilst serializing information")
+		writer.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+func (handler *Handler) ConfigurationHandler(writer http.ResponseWriter, _ *http.Request) {
+	log := handler.log.With().Str(collectorField, configurationCollectorName).Logger()
+	log.Info().Msg("Collection started")
+
+	defer func() {
+		log.Info().Msg("Collection finished")
+	}()
+
+	encoder := json.NewEncoder(writer)
+
+	err := encoder.Encode(handler.cliFlags)
+	if err != nil {
+		handler.log.Error().Err(err).Msgf("error occurred whilst serializing response")
+		writer.WriteHeader(http.StatusInternalServerError)
+	}
+}
+
+func writeResponse(w http.ResponseWriter, bytes []byte, logger *zerolog.Logger) {
+	bytesWritten, err := w.Write(bytes)
+	if err != nil {
+		logger.Error().Err(err).Msg("error occurred writing response")
+	} else if bytesWritten != len(bytes) {
+		logger.Error().Msgf("error incomplete write response %d/%d", bytesWritten, len(bytes))
+	}
+}

diagnostic/handlers_test.go

@@ -0,0 +1,224 @@
+package diagnostic_test
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"runtime"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/cloudflare/cloudflared/connection"
+	"github.com/cloudflare/cloudflared/diagnostic"
+	"github.com/cloudflare/cloudflared/tunnelstate"
+)
+
+type SystemCollectorMock struct {
+	systemInfo *diagnostic.SystemInformation
+	err        error
+}
+
+const (
+	systemInformationKey = "sikey"
+	errorKey             = "errkey"
+)
+
+func newTrackerFromConns(t *testing.T, connections []tunnelstate.IndexedConnectionInfo) *tunnelstate.ConnTracker {
+	t.Helper()
+
+	log := zerolog.Nop()
+	tracker := tunnelstate.NewConnTracker(&log)
+
+	for _, conn := range connections {
+		tracker.OnTunnelEvent(connection.Event{
+			Index:       conn.Index,
+			EventType:   connection.Connected,
+			Protocol:    conn.Protocol,
+			EdgeAddress: conn.EdgeAddress,
+		})
+	}
+
+	return tracker
+}
+
+func (collector *SystemCollectorMock) Collect(context.Context) (*diagnostic.SystemInformation, error) {
+	return collector.systemInfo, collector.err
+}
+
+func TestSystemHandler(t *testing.T) {
+	t.Parallel()
+
+	log := zerolog.Nop()
+	tests := []struct {
+		name       string
+		systemInfo *diagnostic.SystemInformation
+		err        error
+		statusCode int
+	}{
+		{
+			name: "happy path",
+			systemInfo: diagnostic.NewSystemInformation(
+				0, 0, 0, 0,
+				"string", "string", "string", "string",
+				"string", "string",
+				runtime.Version(), runtime.GOARCH, nil,
+			),
+
+			err:        nil,
+			statusCode: http.StatusOK,
+		},
+		{
+			name: "on error and no raw info", systemInfo: nil,
+			err: errors.New("an error"), statusCode: http.StatusOK,
+		},
+	}
+
+	for _, tCase := range tests {
+		t.Run(tCase.name, func(t *testing.T) {
+			t.Parallel()
+			handler := diagnostic.NewDiagnosticHandler(&log, 0, &SystemCollectorMock{
+				systemInfo: tCase.systemInfo,
+				err:        tCase.err,
+			}, uuid.New(), uuid.New(), nil, map[string]string{}, nil)
+			recorder := httptest.NewRecorder()
+			ctx := context.Background()
+			request, err := http.NewRequestWithContext(ctx, http.MethodGet, "/diag/system", nil)
+			require.NoError(t, err)
+			handler.SystemHandler(recorder, request)
+
+			assert.Equal(t, tCase.statusCode, recorder.Code)
+			if tCase.statusCode == http.StatusOK && tCase.systemInfo != nil {
+				var response diagnostic.SystemInformationResponse
+				decoder := json.NewDecoder(recorder.Body)
+				err := decoder.Decode(&response)
+				require.NoError(t, err)
+				assert.Equal(t, tCase.systemInfo, response.Info)
+			}
+		})
+	}
+}
+
+func TestTunnelStateHandler(t *testing.T) {
+	t.Parallel()
+
+	log := zerolog.Nop()
+	tests := []struct {
+		name        string
+		tunnelID    uuid.UUID
+		clientID    uuid.UUID
+		connections []tunnelstate.IndexedConnectionInfo
+		icmpSources []string
+	}{
+		{
+			name:     "case1",
+			tunnelID: uuid.New(),
+			clientID: uuid.New(),
+		},
+		{
+			name:        "case2",
+			tunnelID:    uuid.New(),
+			clientID:    uuid.New(),
+			icmpSources: []string{"172.17.0.3", "::1"},
+			connections: []tunnelstate.IndexedConnectionInfo{{
+				ConnectionInfo: tunnelstate.ConnectionInfo{
+					IsConnected: true,
+					Protocol:    connection.QUIC,
+					EdgeAddress: net.IPv4(100, 100, 100, 100),
+				},
+				Index: 0,
+			}},
+		},
+	}
+
+	for _, tCase := range tests {
+		t.Run(tCase.name, func(t *testing.T) {
+			t.Parallel()
+			tracker := newTrackerFromConns(t, tCase.connections)
+			handler := diagnostic.NewDiagnosticHandler(
+				&log,
+				0,
+				nil,
+				tCase.tunnelID,
+				tCase.clientID,
+				tracker,
+				map[string]string{},
+				tCase.icmpSources,
+			)
+			recorder := httptest.NewRecorder()
+			handler.TunnelStateHandler(recorder, nil)
+			decoder := json.NewDecoder(recorder.Body)
+
+			var response diagnostic.TunnelState
+			err := decoder.Decode(&response)
+			require.NoError(t, err)
+			assert.Equal(t, http.StatusOK, recorder.Code)
+			assert.Equal(t, tCase.tunnelID, response.TunnelID)
+			assert.Equal(t, tCase.clientID, response.ConnectorID)
+			assert.Equal(t, tCase.connections, response.Connections)
+			assert.Equal(t, tCase.icmpSources, response.ICMPSources)
+		})
+	}
+}
+
+func TestConfigurationHandler(t *testing.T) {
+	t.Parallel()
+
+	log := zerolog.Nop()
+
+	tests := []struct {
+		name     string
+		flags    map[string]string
+		expected map[string]string
+	}{
+		{
+			name:  "empty cli",
+			flags: make(map[string]string),
+			expected: map[string]string{
+				"uid": "0",
+			},
+		},
+		{
+			name: "cli with flags",
+			flags: map[string]string{
+				"b":   "a",
+				"c":   "a",
+				"d":   "a",
+				"uid": "0",
+			},
+			expected: map[string]string{
+				"b":   "a",
+				"c":   "a",
+				"d":   "a",
+				"uid": "0",
+			},
+		},
+	}
+
+	for _, tCase := range tests {
+		t.Run(tCase.name, func(t *testing.T) {
+			t.Parallel()
+
+			var response map[string]string
+
+			handler := diagnostic.NewDiagnosticHandler(&log, 0, nil, uuid.New(), uuid.New(), nil, tCase.flags, nil)
+			recorder := httptest.NewRecorder()
+			handler.ConfigurationHandler(recorder, nil)
+			decoder := json.NewDecoder(recorder.Body)
+			err := decoder.Decode(&response)
+			require.NoError(t, err)
+			_, ok := response["uid"]
+			assert.True(t, ok)
+			delete(tCase.expected, "uid")
+			delete(response, "uid")
+			assert.Equal(t, http.StatusOK, recorder.Code)
+			assert.Equal(t, tCase.expected, response)
+		})
+	}
+}

diagnostic/log_collector.go

@@ -0,0 +1,34 @@
+package diagnostic
+
+import (
+	"context"
+)
+
+// Represents the path of the log file or log directory.
+// This struct is meant to give some ergonimics regarding
+// the logging information.
+type LogInformation struct {
+	path        string // path to a file or directory
+	wasCreated  bool   // denotes if `path` was created
+	isDirectory bool   // denotes if `path` is a directory
+}
+
+func NewLogInformation(
+	path string,
+	wasCreated bool,
+	isDirectory bool,
+) *LogInformation {
+	return &LogInformation{
+		path,
+		wasCreated,
+		isDirectory,
+	}
+}
+
+type LogCollector interface {
+	// This function is responsible for returning a path to a single file
+	// whose contents are the logs of a cloudflared instance.
+	// A new file may be create by a LogCollector, thus, its the caller
+	// responsibility to remove the newly create file.
+	Collect(ctx context.Context) (*LogInformation, error)
+}

diagnostic/log_collector_docker.go

@@ -0,0 +1,47 @@
+package diagnostic
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+)
+
+type DockerLogCollector struct {
+	containerID string // This member identifies the container by identifier or name
+}
+
+func NewDockerLogCollector(containerID string) *DockerLogCollector {
+	return &DockerLogCollector{
+		containerID,
+	}
+}
+
+func (collector *DockerLogCollector) Collect(ctx context.Context) (*LogInformation, error) {
+	tmp := os.TempDir()
+
+	outputHandle, err := os.Create(filepath.Join(tmp, logFilename))
+	if err != nil {
+		return nil, fmt.Errorf("error opening output file: %w", err)
+	}
+
+	defer outputHandle.Close()
+
+	// Calculate 2 weeks ago
+	since := time.Now().Add(twoWeeksOffset).Format(time.RFC3339)
+
+	command := exec.CommandContext(
+		ctx,
+		"docker",
+		"logs",
+		"--tail",
+		tailMaxNumberOfLines,
+		"--since",
+		since,
+		collector.containerID,
+	)
+
+	return PipeCommandOutputToFile(command, outputHandle)
+}

diagnostic/log_collector_host.go

@@ -0,0 +1,105 @@
+package diagnostic
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+)
+
+const (
+	linuxManagedLogsPath          = "/var/log/cloudflared.err"
+	darwinManagedLogsPath         = "/Library/Logs/com.cloudflare.cloudflared.err.log"
+	linuxServiceConfigurationPath = "/etc/systemd/system/cloudflared.service"
+	linuxSystemdPath              = "/run/systemd/system"
+)
+
+type HostLogCollector struct {
+	client HTTPClient
+}
+
+func NewHostLogCollector(client HTTPClient) *HostLogCollector {
+	return &HostLogCollector{
+		client,
+	}
+}
+
+func extractLogsFromJournalCtl(ctx context.Context) (*LogInformation, error) {
+	tmp := os.TempDir()
+
+	outputHandle, err := os.Create(filepath.Join(tmp, logFilename))
+	if err != nil {
+		return nil, fmt.Errorf("error opening output file: %w", err)
+	}
+
+	defer outputHandle.Close()
+
+	command := exec.CommandContext(
+		ctx,
+		"journalctl",
+		"--since",
+		"2 weeks ago",
+		"-u",
+		"cloudflared.service",
+	)
+
+	return PipeCommandOutputToFile(command, outputHandle)
+}
+
+func getServiceLogPath() (string, error) {
+	switch runtime.GOOS {
+	case "darwin":
+		{
+			path := darwinManagedLogsPath
+			if _, err := os.Stat(path); err == nil {
+				return path, nil
+			}
+
+			userHomeDir, err := os.UserHomeDir()
+			if err != nil {
+				return "", fmt.Errorf("error getting user home: %w", err)
+			}
+
+			return filepath.Join(userHomeDir, darwinManagedLogsPath), nil
+		}
+	case "linux":
+		{
+			return linuxManagedLogsPath, nil
+		}
+	default:
+		return "", ErrManagedLogNotFound
+	}
+}
+
+func (collector *HostLogCollector) Collect(ctx context.Context) (*LogInformation, error) {
+	logConfiguration, err := collector.client.GetLogConfiguration(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("error getting log configuration: %w", err)
+	}
+
+	if logConfiguration.uid == 0 {
+		_, statSystemdErr := os.Stat(linuxServiceConfigurationPath)
+
+		_, statServiceConfigurationErr := os.Stat(linuxServiceConfigurationPath)
+		if statSystemdErr == nil && statServiceConfigurationErr == nil && runtime.GOOS == "linux" {
+			return extractLogsFromJournalCtl(ctx)
+		}
+
+		path, err := getServiceLogPath()
+		if err != nil {
+			return nil, err
+		}
+
+		return NewLogInformation(path, false, false), nil
+	}
+
+	if logConfiguration.logFile != "" {
+		return NewLogInformation(logConfiguration.logFile, false, false), nil
+	} else if logConfiguration.logDirectory != "" {
+		return NewLogInformation(logConfiguration.logDirectory, false, true), nil
+	}
+
+	return nil, ErrLogConfigurationIsInvalid
+}

diagnostic/log_collector_kubernetes.go

@@ -0,0 +1,63 @@
+package diagnostic
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"time"
+)
+
+type KubernetesLogCollector struct {
+	containerID string // This member identifies the container by identifier or name
+	pod         string // This member identifies the pod where the container is deployed
+}
+
+func NewKubernetesLogCollector(containerID, pod string) *KubernetesLogCollector {
+	return &KubernetesLogCollector{
+		containerID,
+		pod,
+	}
+}
+
+func (collector *KubernetesLogCollector) Collect(ctx context.Context) (*LogInformation, error) {
+	tmp := os.TempDir()
+	outputHandle, err := os.Create(filepath.Join(tmp, logFilename))
+	if err != nil {
+		return nil, fmt.Errorf("error opening output file: %w", err)
+	}
+
+	defer outputHandle.Close()
+
+	var command *exec.Cmd
+	// Calculate 2 weeks ago
+	since := time.Now().Add(twoWeeksOffset).Format(time.RFC3339)
+	if collector.containerID != "" {
+		command = exec.CommandContext(
+			ctx,
+			"kubectl",
+			"logs",
+			collector.pod,
+			"--since-time",
+			since,
+			"--tail",
+			tailMaxNumberOfLines,
+			"-c",
+			collector.containerID,
+		)
+	} else {
+		command = exec.CommandContext(
+			ctx,
+			"kubectl",
+			"logs",
+			collector.pod,
+			"--since-time",
+			since,
+			"--tail",
+			tailMaxNumberOfLines,
+		)
+	}
+
+	return PipeCommandOutputToFile(command, outputHandle)
+}

diagnostic/log_collector_utils.go

@@ -0,0 +1,109 @@
+package diagnostic
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+func PipeCommandOutputToFile(command *exec.Cmd, outputHandle *os.File) (*LogInformation, error) {
+	stdoutReader, err := command.StdoutPipe()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"error retrieving stdout from command '%s': %w",
+			command.String(),
+			err,
+		)
+	}
+
+	stderrReader, err := command.StderrPipe()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"error retrieving stderr from command '%s': %w",
+			command.String(),
+			err,
+		)
+	}
+
+	if err := command.Start(); err != nil {
+		return nil, fmt.Errorf(
+			"error running command '%s': %w",
+			command.String(),
+			err,
+		)
+	}
+
+	_, err = io.Copy(outputHandle, stdoutReader)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"error copying stdout from %s to file %s: %w",
+			command.String(),
+			outputHandle.Name(),
+			err,
+		)
+	}
+
+	_, err = io.Copy(outputHandle, stderrReader)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"error copying stderr from %s to file %s: %w",
+			command.String(),
+			outputHandle.Name(),
+			err,
+		)
+	}
+
+	if err := command.Wait(); err != nil {
+		return nil, fmt.Errorf(
+			"error waiting from command '%s': %w",
+			command.String(),
+			err,
+		)
+	}
+
+	return NewLogInformation(outputHandle.Name(), true, false), nil
+}
+
+func CopyFilesFromDirectory(path string) (string, error) {
+	// rolling logs have as suffix the current date thus
+	// when iterating the path files they are already in
+	// chronological order
+	files, err := os.ReadDir(path)
+	if err != nil {
+		return "", fmt.Errorf("error reading directory %s: %w", path, err)
+	}
+
+	outputHandle, err := os.Create(filepath.Join(os.TempDir(), logFilename))
+	if err != nil {
+		return "", fmt.Errorf("creating file %s: %w", outputHandle.Name(), err)
+	}
+	defer outputHandle.Close()
+
+	for _, file := range files {
+		logHandle, err := os.Open(filepath.Join(path, file.Name()))
+		if err != nil {
+			return "", fmt.Errorf("error opening file %s:%w", file.Name(), err)
+		}
+		defer logHandle.Close()
+
+		_, err = io.Copy(outputHandle, logHandle)
+		if err != nil {
+			return "", fmt.Errorf("error copying file %s:%w", logHandle.Name(), err)
+		}
+	}
+
+	logHandle, err := os.Open(filepath.Join(path, "cloudflared.log"))
+	if err != nil {
+		return "", fmt.Errorf("error opening file %s:%w", logHandle.Name(), err)
+	}
+	defer logHandle.Close()
+
+	_, err = io.Copy(outputHandle, logHandle)
+	if err != nil {
+		return "", fmt.Errorf("error copying file %s:%w", logHandle.Name(), err)
+	}
+
+	return outputHandle.Name(), nil
+}

diagnostic/network/collector.go

@@ -0,0 +1,77 @@
+package diagnostic
+
+import (
+	"context"
+	"errors"
+	"time"
+)
+
+const MicrosecondsFactor = 1000.0
+
+var ErrEmptyDomain = errors.New("domain must not be empty")
+
+// For now only support ICMP is provided.
+type IPVersion int
+
+const (
+	V4 IPVersion = iota
+	V6 IPVersion = iota
+)
+
+type Hop struct {
+	Hop    uint8           `json:"hop,omitempty"`    // hop number along the route
+	Domain string          `json:"domain,omitempty"` // domain and/or ip of the hop, this field will be '*' if the hop is a timeout
+	Rtts   []time.Duration `json:"rtts,omitempty"`   // RTT measurements in microseconds
+}
+
+type TraceOptions struct {
+	ttl     uint64        // number of hops to perform
+	timeout time.Duration // wait timeout for each response
+	address string        // address to trace
+	useV4   bool
+}
+
+func NewTimeoutHop(
+	hop uint8,
+) *Hop {
+	// Whenever there is a hop in the format of 'N * * *'
+	// it means that the hop in the path didn't answer to
+	// any probe.
+	return NewHop(
+		hop,
+		"*",
+		nil,
+	)
+}
+
+func NewHop(hop uint8, domain string, rtts []time.Duration) *Hop {
+	return &Hop{
+		hop,
+		domain,
+		rtts,
+	}
+}
+
+func NewTraceOptions(
+	ttl uint64,
+	timeout time.Duration,
+	address string,
+	useV4 bool,
+) TraceOptions {
+	return TraceOptions{
+		ttl,
+		timeout,
+		address,
+		useV4,
+	}
+}
+
+type NetworkCollector interface {
+	// Performs a trace route operation with the specified options.
+	// In case the trace fails, it will return a non-nil error and
+	// it may return a string which represents the raw information
+	// obtained.
+	// In case it is successful it will only return an array of Hops
+	// an empty string and a nil error.
+	Collect(ctx context.Context, options TraceOptions) ([]*Hop, string, error)
+}