curben
/
cloudflared-mirror
mirror of https://github.com/cloudflare/cloudflared.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Compare commits

base: curben:master
Branches Tags
curben:master
curben:2026.3.0
curben:2026.2.0
curben:2026.1.2
curben:2026.1.1
curben:2026.1.0
curben:2025.11.1
curben:2025.11.0
curben:2025.10.1
curben:2025.10.0
curben:2025.9.1
curben:2025.9.0
curben:2025.8.1
curben:2025.8.0
curben:2025.7.0
curben:2025.6.1
curben:2025.6.0
curben:2025.5.0
curben:2025.4.2
curben:2025.4.1
curben:2025.4.0
curben:2025.2.1
curben:2025.2.0
curben:2025.1.1
curben:2025.1.0
curben:2024.12.2
curben:2024.12.1
curben:2024.12.0
curben:2024.11.1
curben:2024.11.0
curben:2024.10.1
curben:2024.10.0
curben:2024.9.1
curben:2024.9.0
curben:2024.8.3
curben:2024.8.2
curben:2024.8.1
curben:2024.8.0
curben:2024.7.3
curben:2024.7.2
curben:2024.7.1
curben:2024.7.0
curben:2024.6.1
curben:2024.6.0
curben:2024.5.0
curben:2024.4.1
curben:2024.4.0
curben:2024.3.0
curben:2024.2.1
curben:2024.2.0
curben:2024.1.5
curben:2024.1.4
curben:2024.1.3
curben:2024.1.2
curben:2024.1.1
curben:2024.1.0
curben:2023.10.0
curben:2023.8.2
curben:2023.8.1
curben:2023.8.0
curben:2023.7.3
curben:2023.7.2
curben:2023.7.1
curben:2023.7.0
curben:2023.6.1
curben:2023.6.0
curben:2023.5.1
curben:2023.5.0
curben:2023.4.2
curben:2023.4.1
curben:2023.4.0
curben:2023.3.1
curben:2023.3.0
curben:2023.2.2
curben:2023.2.1
curben:2023.2.0
curben:2023.1.0
curben:2022.12.1
curben:2022.12.0
curben:2022.11.1
curben:2022.11.0
curben:2022.10.3
curben:2022.10.2
curben:2022.10.1
curben:2022.10.0
curben:2022.9.1
curben:2022.9.0
curben:2022.8.4
curben:2022.8.3
curben:2022.8.2
curben:2022.8.1
curben:2022.8.0
curben:2022.7.1
curben:2022.7.0
curben:2022.6.3
curben:2022.6.2
curben:2022.6.1
curben:2022.6.0
curben:2022.5.3
curben:2022.5.2
curben:2022.5.1
curben:2022.5.0
curben:2022.4.1
curben:2022.4.0
curben:2022.3.4
curben:2022.3.3
curben:2022.3.2
curben:2022.3.1
curben:2022.3.0
curben:2022.2.2
curben:2022.2.1
curben:2022.2.0
curben:2022.1.3
curben:2022.1.2
curben:2022.1.1
curben:2022.1.0
curben:2021.12.4
curben:2021.12.3
curben:2021.12.2
curben:2021.12.1
curben:2021.12.0
curben:2021.11.0
curben:2021.10.5
curben:2021.10.4
curben:2021.10.3
curben:2021.10.2
curben:2021.10.1
curben:2021.10.0
curben:2021.9.2
curben:2021.9.1
curben:2021.9.0
curben:2021.8.7
curben:2021.8.6
curben:2021.8.5
curben:2021.8.4
curben:2021.8.3
curben:2021.8.2
curben:2021.8.1
curben:2021.8.0
curben:2021.7.4
curben:2021.7.3
curben:2021.7.2
curben:2021.7.1
curben:2021.7.0
curben:2021.6.0
curben:2021.5.10
curben:2021.5.9
curben:2021.5.8
curben:2021.5.7
curben:2021.5.6
curben:2021.5.5
curben:2021.5.4
curben:2021.5.3
curben:2021.5.2
curben:2021.5.1
curben:2021.5.0
curben:2021.4.0
curben:2021.3.6
curben:2021.3.5
curben:2021.3.4
curben:2021.3.3
curben:2021.3.2
curben:2021.3.1
curben:2021.3.0
curben:2021.2.5
curben:2021.2.4
curben:2021.2.3
curben:2021.2.2
curben:2021.2.1
curben:2021.2.0
curben:2021.1.5
curben:2021.1.4
curben:2021.1.3
curben:2021.1.2
curben:2021.1.1
curben:2021.1.0
curben:2020.12.0
curben:2020.11.11
curben:2020.11.10
curben:2020.11.9
curben:2020.11.8
curben:2020.11.7
curben:2020.11.6
curben:2020.11.5
curben:2020.11.4
curben:2020.11.3
curben:2020.11.2
curben:2020.11.1
curben:2020.11.0
curben:2020.10.2
curben:2020.10.1
curben:2020.10.0
curben:2020.9.3
curben:2020.9.2
curben:2020.9.1
curben:2020.9.0
curben:2020.8.2
curben:2020.8.1
curben:2020.8.0
curben:2020.7.4
curben:2020.7.3
curben:2020.7.2
curben:2020.7.1
curben:2020.7.0
curben:2020.6.6
curben:2020.6.5
curben:2020.6.4
curben:2020.6.3
curben:2020.6.2
curben:2020.6.1
curben:2020.6.0
curben:2020.5.1
curben:2020.5.0
curben:2020.4.0
curben:2020.3.2
curben:2020.3.1
curben:2020.3.0
curben:2020.2.1
curben:2020.2.0
curben:2019.12.0
curben:2019.11.3
curben:2019.11.2
curben:2019.11.1
curben:2019.11.0
curben:2019.10.4
curben:2019.10.3
curben:2019.10.2
curben:2019.10.1
curben:2019.10.0
curben:2019.9.2
curben:2019.9.1
curben:2019.9.0
curben:2019.8.4
curben:2019.8.3
curben:2019.8.1
curben:2019.8.0
curben:2019.7.0
curben:2019.6.0
curben:2019.5.0
curben:2019.4.1
curben:2019.4.0
curben:2019.3.2
curben:2019.3.1
curben:2019.3.0
curben:2019.2.1
curben:2019.2.0
curben:2019.1.0
curben:2018.12.1
curben:2018.12.0
curben:2018.11.0
curben:2018.10.5
curben:2018.10.4
curben:2018.10.3
curben:2018.10.2
curben:2018.10.1
curben:2018.10.0
curben:2018.9.0
curben:2018.8.0
..
compare: curben:2024.11.1
Branches Tags
curben:master
curben:2026.3.0
curben:2026.2.0
curben:2026.1.2
curben:2026.1.1
curben:2026.1.0
curben:2025.11.1
curben:2025.11.0
curben:2025.10.1
curben:2025.10.0
curben:2025.9.1
curben:2025.9.0
curben:2025.8.1
curben:2025.8.0
curben:2025.7.0
curben:2025.6.1
curben:2025.6.0
curben:2025.5.0
curben:2025.4.2
curben:2025.4.1
curben:2025.4.0
curben:2025.2.1
curben:2025.2.0
curben:2025.1.1
curben:2025.1.0
curben:2024.12.2
curben:2024.12.1
curben:2024.12.0
curben:2024.11.1
curben:2024.11.0
curben:2024.10.1
curben:2024.10.0
curben:2024.9.1
curben:2024.9.0
curben:2024.8.3
curben:2024.8.2
curben:2024.8.1
curben:2024.8.0
curben:2024.7.3
curben:2024.7.2
curben:2024.7.1
curben:2024.7.0
curben:2024.6.1
curben:2024.6.0
curben:2024.5.0
curben:2024.4.1
curben:2024.4.0
curben:2024.3.0
curben:2024.2.1
curben:2024.2.0
curben:2024.1.5
curben:2024.1.4
curben:2024.1.3
curben:2024.1.2
curben:2024.1.1
curben:2024.1.0
curben:2023.10.0
curben:2023.8.2
curben:2023.8.1
curben:2023.8.0
curben:2023.7.3
curben:2023.7.2
curben:2023.7.1
curben:2023.7.0
curben:2023.6.1
curben:2023.6.0
curben:2023.5.1
curben:2023.5.0
curben:2023.4.2
curben:2023.4.1
curben:2023.4.0
curben:2023.3.1
curben:2023.3.0
curben:2023.2.2
curben:2023.2.1
curben:2023.2.0
curben:2023.1.0
curben:2022.12.1
curben:2022.12.0
curben:2022.11.1
curben:2022.11.0
curben:2022.10.3
curben:2022.10.2
curben:2022.10.1
curben:2022.10.0
curben:2022.9.1
curben:2022.9.0
curben:2022.8.4
curben:2022.8.3
curben:2022.8.2
curben:2022.8.1
curben:2022.8.0
curben:2022.7.1
curben:2022.7.0
curben:2022.6.3
curben:2022.6.2
curben:2022.6.1
curben:2022.6.0
curben:2022.5.3
curben:2022.5.2
curben:2022.5.1
curben:2022.5.0
curben:2022.4.1
curben:2022.4.0
curben:2022.3.4
curben:2022.3.3
curben:2022.3.2
curben:2022.3.1
curben:2022.3.0
curben:2022.2.2
curben:2022.2.1
curben:2022.2.0
curben:2022.1.3
curben:2022.1.2
curben:2022.1.1
curben:2022.1.0
curben:2021.12.4
curben:2021.12.3
curben:2021.12.2
curben:2021.12.1
curben:2021.12.0
curben:2021.11.0
curben:2021.10.5
curben:2021.10.4
curben:2021.10.3
curben:2021.10.2
curben:2021.10.1
curben:2021.10.0
curben:2021.9.2
curben:2021.9.1
curben:2021.9.0
curben:2021.8.7
curben:2021.8.6
curben:2021.8.5
curben:2021.8.4
curben:2021.8.3
curben:2021.8.2
curben:2021.8.1
curben:2021.8.0
curben:2021.7.4
curben:2021.7.3
curben:2021.7.2
curben:2021.7.1
curben:2021.7.0
curben:2021.6.0
curben:2021.5.10
curben:2021.5.9
curben:2021.5.8
curben:2021.5.7
curben:2021.5.6
curben:2021.5.5
curben:2021.5.4
curben:2021.5.3
curben:2021.5.2
curben:2021.5.1
curben:2021.5.0
curben:2021.4.0
curben:2021.3.6
curben:2021.3.5
curben:2021.3.4
curben:2021.3.3
curben:2021.3.2
curben:2021.3.1
curben:2021.3.0
curben:2021.2.5
curben:2021.2.4
curben:2021.2.3
curben:2021.2.2
curben:2021.2.1
curben:2021.2.0
curben:2021.1.5
curben:2021.1.4
curben:2021.1.3
curben:2021.1.2
curben:2021.1.1
curben:2021.1.0
curben:2020.12.0
curben:2020.11.11
curben:2020.11.10
curben:2020.11.9
curben:2020.11.8
curben:2020.11.7
curben:2020.11.6
curben:2020.11.5
curben:2020.11.4
curben:2020.11.3
curben:2020.11.2
curben:2020.11.1
curben:2020.11.0
curben:2020.10.2
curben:2020.10.1
curben:2020.10.0
curben:2020.9.3
curben:2020.9.2
curben:2020.9.1
curben:2020.9.0
curben:2020.8.2
curben:2020.8.1
curben:2020.8.0
curben:2020.7.4
curben:2020.7.3
curben:2020.7.2
curben:2020.7.1
curben:2020.7.0
curben:2020.6.6
curben:2020.6.5
curben:2020.6.4
curben:2020.6.3
curben:2020.6.2
curben:2020.6.1
curben:2020.6.0
curben:2020.5.1
curben:2020.5.0
curben:2020.4.0
curben:2020.3.2
curben:2020.3.1
curben:2020.3.0
curben:2020.2.1
curben:2020.2.0
curben:2019.12.0
curben:2019.11.3
curben:2019.11.2
curben:2019.11.1
curben:2019.11.0
curben:2019.10.4
curben:2019.10.3
curben:2019.10.2
curben:2019.10.1
curben:2019.10.0
curben:2019.9.2
curben:2019.9.1
curben:2019.9.0
curben:2019.8.4
curben:2019.8.3
curben:2019.8.1
curben:2019.8.0
curben:2019.7.0
curben:2019.6.0
curben:2019.5.0
curben:2019.4.1
curben:2019.4.0
curben:2019.3.2
curben:2019.3.1
curben:2019.3.0
curben:2019.2.1
curben:2019.2.0
curben:2019.1.0
curben:2018.12.1
curben:2018.12.0
curben:2018.11.0
curben:2018.10.5
curben:2018.10.4
curben:2018.10.3
curben:2018.10.2
curben:2018.10.1
curben:2018.10.0
curben:2018.9.0
curben:2018.8.0

No commits in common. "master" and "2024.11.1" have entirely different histories.
master ... 2024.11.1

1643 changed files with 97379 additions and 123748 deletions
Show Stats Expand all files Collapse all files

151
.ci/apt-internal.gitlab-ci.yml
View File

@ -1,151 +0,0 @@
.register_inputs: &register_inputs
stage: release-internal
runOnBranches: "^master$"
COMPONENT: "common"
.register_inputs_stable_bookworm: &register_inputs_stable_bookworm
<<: *register_inputs
runOnChangesTo: ['RELEASE_NOTES']
FLAVOR: "bookworm"
SERIES: "stable"
.register_inputs_stable_trixie: &register_inputs_stable_trixie
<<: *register_inputs
runOnChangesTo: ['RELEASE_NOTES']
FLAVOR: "trixie"
SERIES: "stable"
.register_inputs_next_bookworm: &register_inputs_next_bookworm
<<: *register_inputs
FLAVOR: "bookworm"
SERIES: next
.register_inputs_next_trixie: &register_inputs_next_trixie
<<: *register_inputs
FLAVOR: "trixie"
SERIES: next
################################################
### Generate Debian Package for Internal APT ###
################################################
.cloudflared-apt-build: &cloudflared_apt_build
stage: package
needs:
- ci-image-get-image-ref
- linux-packaging # For consistency, we only run this job after we knew we could build the packages for external delivery
image: $BUILD_IMAGE
cache: {}
script:
- make cloudflared-deb
artifacts:
paths:
- cloudflared*.deb
##############
### Stable ###
##############
cloudflared-amd64-stable:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-release]
variables: &amd64-stable-vars
GOOS: linux
GOARCH: amd64
FIPS: true
ORIGINAL_NAME: true
CGO_ENABLED: 1
cloudflared-arm64-stable:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-release]
variables: &arm64-stable-vars
GOOS: linux
GOARCH: arm64
FIPS: false # TUN-7595
ORIGINAL_NAME: true
CGO_ENABLED: 1
############
### Next ###
############
cloudflared-amd64-next:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *amd64-stable-vars
NIGHTLY: true
cloudflared-arm64-next:
<<: *cloudflared_apt_build
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *arm64-stable-vars
NIGHTLY: true
include:
- local: .ci/commons.gitlab-ci.yml
##########################################
### Publish Packages to Internal Repos ###
##########################################
# Bookworm AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_bookworm
jobPrefix: cloudflared-bookworm-amd64
needs: &amd64-stable ["cloudflared-amd64-stable"]
# Bookworm ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_bookworm
jobPrefix: cloudflared-bookworm-arm64
needs: &arm64-stable ["cloudflared-arm64-stable"]
# Trixie AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_trixie
jobPrefix: cloudflared-trixie-amd64
needs: *amd64-stable
# Trixie ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_stable_trixie
jobPrefix: cloudflared-trixie-arm64
needs: *arm64-stable
##################################################
### Publish Nightly Packages to Internal Repos ###
##################################################
# Bookworm AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_bookworm
jobPrefix: cloudflared-nightly-bookworm-amd64
needs: &amd64-next ['cloudflared-amd64-next']
# Bookworm ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_bookworm
jobPrefix: cloudflared-nightly-bookworm-arm64
needs: &arm64-next ['cloudflared-arm64-next']
# Trixie AMD64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_trixie
jobPrefix: cloudflared-nightly-trixie-amd64
needs: *amd64-next
# Trixie ARM64
- component: $CI_SERVER_FQDN/cloudflare/ci/apt-register/register@~latest
inputs:
<<: *register_inputs_next_trixie
jobPrefix: cloudflared-nightly-trixie-arm64
needs: *arm64-next

31
.ci/ci-image.gitlab-ci.yml
View File

@ -1,31 +0,0 @@
# Builds a custom CI Image when necessary
include:
#####################################################
############## Build and Push CI Image ##############
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
inputs:
stage: pre-build
jobPrefix: ci-image
runOnChangesTo: [".ci/image/**"]
runOnMR: true
runOnBranches: '^master$'
commentImageRefs: false
runner: vm-linux-x86-4cpu-8gb
EXTRA_DIB_ARGS: "--manifest=.ci/image/.docker-images"
#####################################################
## Resolve the image reference for downstream jobs ##
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/get-image-ref@~latest
inputs:
stage: pre-build
jobPrefix: ci-image
runOnMR: true
runOnBranches: '^master$'
IMAGE_PATH: "$REGISTRY_HOST/stash/tun/cloudflared/ci-image/master"
VARIABLE_NAME: BUILD_IMAGE
needs:
- job: ci-image-build-push-image
optional: true

45
.ci/commons.gitlab-ci.yml
View File

@ -1,45 +0,0 @@
## A set of predefined rules to use on the different jobs
.default-rules:
# Rules to run the job only on the master branch
run-on-master:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: on_success
- when: never
# Rules to run the job only on merge requests
run-on-mr:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: on_success
- when: never
# Rules to run the job on merge_requests and master branch
run-always:
- if: $CI_COMMIT_TAG
when: never
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH != null && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: on_success
- when: never
# Rules to run the job only when a release happens
run-on-release:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
changes:
- 'RELEASE_NOTES'
when: on_success
- when: never
.component-tests:
image: $BUILD_IMAGE
rules:
- !reference [.default-rules, run-always]
variables:
COMPONENT_TESTS_CONFIG: component-test-config.yaml
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiBjbG91ZGZsYXJlZC5leGUKY3JlZGVudGlhbHNfZmlsZTogY3JlZC5qc29uCm9yaWdpbmNlcnQ6IGNlcnQucGVtCnpvbmVfZG9tYWluOiBhcmdvdHVubmVsdGVzdC5jb20Kem9uZV90YWc6IDQ4Nzk2ZjFlNzBiYjc2NjljMjliYjUxYmEyODJiZjY1
secrets:
DNS_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/component_tests_token/data@kv
file: false
COMPONENT_TESTS_ORIGINCERT:
vault: gitlab/cloudflare/tun/cloudflared/_dev/component_tests_cert_pem/data@kv
file: false
cache: {}

17
.ci/github.gitlab-ci.yml
View File

@ -1,17 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
######################################
### Sync master branch with Github ###
######################################
push-github:
stage: sync
rules:
- !reference [.default-rules, run-on-master]
script:
- ./.ci/scripts/github-push.sh
secrets:
CLOUDFLARED_DEPLOY_SSH_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cloudflared_github_ssh/data@kv
file: false
cache: {}

2
.ci/image/.docker-images
View File

@ -1,2 +0,0 @@
images:
- name: ci-image

39
.ci/image/Dockerfile
View File

@ -1,39 +0,0 @@
ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/trixie/main:2026.1.0@sha256:e32092fd01520f5ae7de1fa6bb5a721720900ebeaa48e98f36f6f86168833cd7
RUN apt-get update && \
apt-get upgrade -y && \
apt-get install --no-install-recommends --allow-downgrades -y \
build-essential \
git \
go-boring=1.24.13-1 \
libffi-dev \
procps \
python3-dev \
python3-pip \
python3-setuptools \
python3-venv \
# tool to create msi packages
wixl \
# install ruby and rpm which are required to install fpm package builder
rpm \
ruby \
ruby-dev \
rubygems \
# create deb and rpm repository files
reprepro \
createrepo-c \
# gcc for cross architecture compilation in arm
gcc-aarch64-linux-gnu \
libc6-dev-arm64-cross && \
rm -rf /var/lib/apt/lists/* && \
# Install fpm gem
gem install fpm --no-document && \
# Initialize rpm repository, SQL Lite DB
mkdir -p /var/lib/rpm && \
rpm --initdb && \
chmod -R 777 /var/lib/rpm && \
# Create work directory
mkdir -p opt
WORKDIR /opt

122
.ci/linux.gitlab-ci.yml
View File

@ -1,122 +0,0 @@
.golang-inputs: &golang_inputs
runOnMR: true
runOnBranches: "^master$"
outputDir: artifacts
runner: linux-x86-8cpu-16gb
stage: build
golangVersion: "boring-1.24"
imageVersion: "3462-0b23466e0715@sha256:42e8533370666a2463041572293a79e1449001ef803a993e6a860be00858c806"
CGO_ENABLED: 1
.default-packaging-job: &packaging-job-defaults
stage: package
needs:
- ci-image-get-image-ref
rules:
- !reference [.default-rules, run-on-master]
image: $BUILD_IMAGE
cache: {}
artifacts:
paths:
- artifacts/*
include:
###################
### Linux Build ###
###################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
jobPrefix: linux-build
GOLANG_MAKE_TARGET: ci-build
########################
### Linux FIPS Build ###
########################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
jobPrefix: linux-fips-build
GOLANG_MAKE_TARGET: ci-fips-build
#################
### Unit Tests ##
#################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
stage: test
jobPrefix: test
GOLANG_MAKE_TARGET: ci-test
######################
### Unit Tests FIPS ##
######################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
stage: test
jobPrefix: test-fips
GOLANG_MAKE_TARGET: ci-fips-test
#################
### Vuln Check ##
#################
- component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
inputs:
<<: *golang_inputs
runOnBranches: "^$"
stage: validate
jobPrefix: vulncheck
GOLANG_MAKE_TARGET: vulncheck
#################################
### Run Linux Component Tests ###
#################################
linux-component-tests: &linux-component-tests
stage: test
extends: .component-tests
needs:
- ci-image-get-image-ref
- linux-build-boring-make
script:
- ./.ci/scripts/component-tests.sh
variables: &component-tests-variables
CI: 1
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkCmNyZWRlbnRpYWxzX2ZpbGU6IGNyZWQuanNvbgpvcmlnaW5jZXJ0OiBjZXJ0LnBlbQp6b25lX2RvbWFpbjogYXJnb3R1bm5lbHRlc3QuY29tCnpvbmVfdGFnOiA0ODc5NmYxZTcwYmI3NjY5YzI5YmI1MWJhMjgyYmY2NQ==
tags:
- linux-x86-8cpu-16gb
artifacts:
reports:
junit: report.xml
######################################
### Run Linux FIPS Component Tests ###
######################################
linux-component-tests-fips:
<<: *linux-component-tests
needs:
- ci-image-get-image-ref
- linux-fips-build-boring-make
variables:
<<: *component-tests-variables
COMPONENT_TESTS_FIPS: 1
################################
####### Linux Packaging ########
################################
linux-packaging:
<<: *packaging-job-defaults
parallel:
matrix:
- ARCH: ["386", "amd64", "arm", "armhf", "arm64"]
script:
- ./.ci/scripts/linux/build-packages.sh ${ARCH}
################################
##### Linux FIPS Packaging #####
################################
linux-packaging-fips:
<<: *packaging-job-defaults
script:
- ./.ci/scripts/linux/build-packages-fips.sh

66
.ci/mac.gitlab-ci.yml
View File

@ -1,66 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
###############################
### Defaults for Mac Builds ###
###############################
.mac-build-defaults: &mac-build-defaults
rules:
- !reference [.default-rules, run-on-mr]
tags:
- "macstadium-${RUNNER_ARCH}"
parallel:
matrix:
- RUNNER_ARCH: [arm, intel]
cache: {}
######################################
### Build Cloudflared Mac Binaries ###
######################################
macos-build-cloudflared: &mac-build
<<: *mac-build-defaults
stage: build
artifacts:
paths:
- artifacts/*
script:
- '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
- '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
- ARCH=$(uname -m)
- echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
- ./.ci/scripts/mac/install-go.sh "$MAC_GO_VERSION"
- BUILD_SCRIPT=.ci/scripts/mac/build.sh
- if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
- set -euo pipefail
- echo "Executing ${BUILD_SCRIPT}"
- exec ${BUILD_SCRIPT}
###############################################
### Build and Sign Cloudflared Mac Binaries ###
###############################################
macos-build-and-sign-cloudflared:
<<: *mac-build
rules:
- !reference [.default-rules, run-on-master]
secrets:
APPLE_DEV_CA_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert_v2/data@kv
file: false
CFD_CODE_SIGN_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data@kv
file: false
CFD_CODE_SIGN_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data@kv
file: false
CFD_CODE_SIGN_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data@kv
file: false
CFD_INSTALLER_CERT:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data@kv
file: false
CFD_INSTALLER_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data@kv
file: false
CFD_INSTALLER_PASS:
vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data@kv
file: false

133
.ci/release.gitlab-ci.yml
View File

@ -1,133 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
######################################
### Build and Push DockerHub Image ###
######################################
- component: $CI_SERVER_FQDN/cloudflare/ci/docker-image/build-push-image@~latest
inputs:
stage: release
jobPrefix: docker-hub
runOnMR: false
runOnBranches: '^master$'
runOnChangesTo: ['RELEASE_NOTES']
needs:
- generate-version-file
- release-cloudflared-to-r2
commentImageRefs: false
runner: vm-linux-x86-4cpu-8gb
# Based on if the CI reference is protected or not the CI component will
# either use _BRANCH or _PROD, therefore, to prevent the pipelines from failing
# we simply set both to the same value.
DOCKER_USER_BRANCH: &docker-hub-user svcgithubdockerhubcloudflar045
DOCKER_PASSWORD_BRANCH: &docker-hub-password gitlab/cloudflare/tun/cloudflared/_dev/dockerhub/svc_password/data
DOCKER_USER_PROD: *docker-hub-user
DOCKER_PASSWORD_PROD: *docker-hub-password
EXTRA_DIB_ARGS: --overwrite
.default-release-job: &release-job-defaults
stage: release
image: $BUILD_IMAGE
cache:
paths:
- .cache/pip
variables: &release-job-variables
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
# KV Vars
KV_NAMESPACE: 380e19aa04314648949b6ad841417ebe
KV_ACCOUNT: &cf-account 5ab4e9dfbd435d24068829fda0077963
# R2 Vars
R2_BUCKET: cloudflared-pkgs
R2_ACCOUNT_ID: *cf-account
# APT and RPM Repository Vars
GPG_PUBLIC_KEY_URL: "https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://pkg.cloudflare.com/cloudflared"
BINARY_NAME: cloudflared
secrets:
KV_API_TOKEN:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
file: false
API_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
file: false
R2_CLIENT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_id@kv
file: false
R2_CLIENT_SECRET:
vault: gitlab/cloudflare/tun/cloudflared/_dev/_terraform_atlantis/r2_api_token/client_secret@kv
file: false
LINUX_SIGNING_PUBLIC_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v1/private_key@kv
file: false
LINUX_SIGNING_PUBLIC_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/public_key@kv
file: false
LINUX_SIGNING_PRIVATE_KEY_2:
vault: gitlab/cloudflare/tun/cloudflared/_dev/gpg_v2/private_key@kv
file: false
###########################################
### Push Cloudflared Binaries to Github ###
###########################################
release-cloudflared-to-github:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
- linux-packaging
- linux-packaging-fips
- macos-build-and-sign-cloudflared
- windows-package-sign
script:
- ./.ci/scripts/release-target.sh github-release
#########################################
### Upload Cloudflared Binaries to R2 ###
#########################################
release-cloudflared-to-r2:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
- release-cloudflared-to-github
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#################################################
### Upload Cloudflared Nightly Binaries to R2 ###
#################################################
release-cloudflared-nightly-to-r2:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-master]
variables:
<<: *release-job-variables
R2_BUCKET: cloudflared-pkgs-next
GPG_PUBLIC_KEY_URL: "https://next.pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg"
PKG_URL: "https://next.pkg.cloudflare.com/cloudflared"
needs:
- ci-image-get-image-ref
- linux-packaging # We only release non-FIPS binaries to R2
script:
- ./.ci/scripts/release-target.sh r2-linux-release
#############################
### Generate Version File ###
#############################
generate-version-file:
<<: *release-job-defaults
rules:
- !reference [.default-rules, run-on-release]
needs:
- ci-image-get-image-ref
script:
- make generate-docker-version
artifacts:
paths:
- versions

25
.ci/scripts/component-tests.sh
View File

@ -1,25 +0,0 @@
#!/bin/bash
set -e -u -o pipefail
# Fetch cloudflared from the artifacts folder
mv ./artifacts/cloudflared ./cloudflared
python3 -m venv env
. env/bin/activate
pip install --upgrade -r component-tests/requirements.txt
# Creates and routes a Named Tunnel for this build. Also constructs
# config file from env vars.
python3 component-tests/setup.py --type create
# Define the cleanup function
cleanup() {
# The Named Tunnel is deleted and its route unprovisioned here.
python3 component-tests/setup.py --type cleanup
}
# The trap will call the cleanup function on script exit
trap cleanup EXIT
pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml

13
.ci/scripts/fmt-check.sh
View File

@ -1,13 +0,0 @@
#!/bin/bash
set -e -u -o pipefail
OUTPUT=$(go run -mod=readonly golang.org/x/tools/cmd/goimports@v0.30.0 -l -d -local github.com/cloudflare/cloudflared $(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc))
if [ -n "$OUTPUT" ] ; then
PAGER=$(which colordiff || echo cat)
echo
echo "Code formatting issues found, use 'make fmt' to correct them"
echo
echo "$OUTPUT" | $PAGER
exit 1
fi

31
.ci/scripts/github-push.sh
View File

@ -1,31 +0,0 @@
#!/bin/bash
set -e -u -o pipefail
BRANCH="master"
TMP_PATH="$PWD/tmp"
PRIVATE_KEY_PATH="$TMP_PATH/github-deploy-key"
PUBLIC_KEY_GITHUB_PATH="$TMP_PATH/github.pub"
mkdir -p $TMP_PATH
# Setup Private Key
echo "$CLOUDFLARED_DEPLOY_SSH_KEY" > $PRIVATE_KEY_PATH
chmod 400 $PRIVATE_KEY_PATH
# Download GitHub Public Key for KnownHostsFile
ssh-keyscan -t ed25519 github.com > $PUBLIC_KEY_GITHUB_PATH
# Setup git ssh command with the right configurations
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=$PUBLIC_KEY_GITHUB_PATH -o IdentitiesOnly=yes -i $PRIVATE_KEY_PATH"
# Add GitHub as a new remote
git remote add github git@github.com:cloudflare/cloudflared.git || true
# GitLab doesn't pull branch references, instead it creates a new one on each pipeline.
# Therefore, we need to manually fetch the reference to then push it to GitHub.
git fetch origin $BRANCH:$BRANCH
git push -u github $BRANCH
if TAG="$(git describe --tags --exact-match 2>/dev/null)"; then
git push -u github "$TAG"
fi

60
.ci/scripts/linux/build-packages.sh
View File

@ -1,60 +0,0 @@
#!/bin/bash
set -e -u -o pipefail
# Check if architecture argument is provided
if [ $# -eq 0 ]; then
echo "Error: Architecture argument is required"
echo "Usage: $0 <architecture>"
exit 1
fi
# Parameters
arch=$1
# Get Version
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# Disable FIPS module in go-boring
export GOEXPERIMENT=noboringcrypto
export CGO_ENABLED=0
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
export TARGET_OS=linux
unset TARGET_ARM
export TARGET_ARCH=$arch
## Support for arm platforms without hardware FPU enabled
if [[ $arch == arm ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=5
fi
## Support for armhf builds
if [[ $arch == armhf ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=7
fi
make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch
if [ $arch == "amd64" ];then
RPMARCH="x86_64"
fi
if [ $arch == "arm64" ]; then
RPMARCH="aarch64"
fi
make cloudflared-rpm
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch

228
.ci/scripts/mac/build.sh
View File

@ -1,228 +0,0 @@
#!/bin/bash
set -exo pipefail
if [[ "$(uname)" != "Darwin" ]] ; then
echo "This should be run on macOS"
exit 1
fi
if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
then
echo "TARGET_ARCH must be amd64 or arm64"
exit 1
fi
go version
export GO111MODULE=on
# build 'cloudflared-darwin-amd64.tgz'
mkdir -p artifacts
TARGET_DIRECTORY=".build"
BINARY_NAME="cloudflared"
VERSION=$(git describe --tags --always --dirty="-dev")
PRODUCT="cloudflared"
APPLE_CA_CERT="apple_dev_ca.cert"
CODE_SIGN_PRIV="code_sign.p12"
CODE_SIGN_CERT="code_sign.cer"
INSTALLER_PRIV="installer.p12"
INSTALLER_CERT="installer.cer"
BUNDLE_ID="com.cloudflare.cloudflared"
SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
export PATH="$PATH:/usr/local/bin"
FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
mkdir -p ../src/github.com/cloudflare/
cp -r . ../src/github.com/cloudflare/cloudflared
cd ../src/github.com/cloudflare/cloudflared
# Imports certificates to the Apple KeyChain
import_certificate() {
local CERTIFICATE_NAME=$1
local CERTIFICATE_ENV_VAR=$2
local CERTIFICATE_FILE_NAME=$3
echo "Importing $CERTIFICATE_NAME"
if [[ ! -z "$CERTIFICATE_ENV_VAR" ]]; then
# write certificate to disk and then import it keychain
echo -n -e ${CERTIFICATE_ENV_VAR} | base64 -D > ${CERTIFICATE_FILE_NAME}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
local out=$(security import ${CERTIFICATE_FILE_NAME} -T /usr/bin/pkgbuild -A 2>&1) || true
local exitcode=$?
# delete the certificate from disk
rm -rf ${CERTIFICATE_FILE_NAME}
if [ -n "$out" ]; then
if [ $exitcode -eq 0 ]; then
echo "$out"
else
if [ "$out" != "${SEC_DUP_MSG}" ]; then
echo "$out" >&2
exit $exitcode
else
echo "already imported code signing certificate"
fi
fi
fi
fi
}
create_cloudflared_build_keychain() {
# Reusing the private key password as the keychain key
local PRIVATE_KEY_PASS=$1
# Create keychain only if it doesn't already exist
if [ ! -f "$HOME/Library/Keychains/cloudflared_build_keychain.keychain-db" ]; then
security create-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
else
echo "Keychain already exists: cloudflared_build_keychain"
fi
# Append temp keychain to the user domain
security list-keychains -d user -s cloudflared_build_keychain $(security list-keychains -d user | sed s/\"//g)
# Remove relock timeout
security set-keychain-settings cloudflared_build_keychain
# Unlock keychain so it doesn't require password
security unlock-keychain -p "$PRIVATE_KEY_PASS" cloudflared_build_keychain
}
# Imports private keys to the Apple KeyChain
import_private_keys() {
local PRIVATE_KEY_NAME=$1
local PRIVATE_KEY_ENV_VAR=$2
local PRIVATE_KEY_FILE_NAME=$3
local PRIVATE_KEY_PASS=$4
echo "Importing $PRIVATE_KEY_NAME"
if [[ ! -z "$PRIVATE_KEY_ENV_VAR" ]]; then
if [[ ! -z "$PRIVATE_KEY_PASS" ]]; then
# write private key to disk and then import it keychain
echo -n -e ${PRIVATE_KEY_ENV_VAR} | base64 -D > ${PRIVATE_KEY_FILE_NAME}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
local out=$(security import ${PRIVATE_KEY_FILE_NAME} -k cloudflared_build_keychain -P "$PRIVATE_KEY_PASS" -T /usr/bin/pkgbuild -A -P "${PRIVATE_KEY_PASS}" 2>&1) || true
local exitcode=$?
rm -rf ${PRIVATE_KEY_FILE_NAME}
if [ -n "$out" ]; then
if [ $exitcode -eq 0 ]; then
echo "$out"
else
if [ "$out" != "${SEC_DUP_MSG}" ]; then
echo "$out" >&2
exit $exitcode
fi
fi
fi
fi
fi
}
# Create temp keychain only for this build
create_cloudflared_build_keychain "${CFD_CODE_SIGN_PASS}"
# Add Apple Root Developer certificate to the key chain
import_certificate "Apple Developer CA" "${APPLE_DEV_CA_CERT}" "${APPLE_CA_CERT}"
# Add code signing private key to the key chain
import_private_keys "Developer ID Application" "${CFD_CODE_SIGN_KEY}" "${CODE_SIGN_PRIV}" "${CFD_CODE_SIGN_PASS}"
# Add code signing certificate to the key chain
import_certificate "Developer ID Application" "${CFD_CODE_SIGN_CERT}" "${CODE_SIGN_CERT}"
# Add package signing private key to the key chain
import_private_keys "Developer ID Installer" "${CFD_INSTALLER_KEY}" "${INSTALLER_PRIV}" "${CFD_INSTALLER_PASS}"
# Add package signing certificate to the key chain
import_certificate "Developer ID Installer" "${CFD_INSTALLER_CERT}" "${INSTALLER_CERT}"
# get the code signing certificate name
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
else
if [[ -n "$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
else
CODE_SIGN_NAME=""
fi
fi
# get the package signing certificate name
if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
else
if [[ -n "$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" cloudflared_build_keychain | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
else
PKG_SIGN_NAME=""
fi
fi
# cleanup the build directory because the previous execution might have failed without cleaning up.
rm -rf "${TARGET_DIRECTORY}"
export TARGET_OS="darwin"
GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
# This allows apple tools to use the certificates in the keychain without requiring password input.
# This command always needs to run after the certificates have been loaded into the keychain
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
security set-key-partition-list -S apple-tool:,apple: -s -k "${CFD_CODE_SIGN_PASS}" cloudflared_build_keychain
fi
# sign the cloudflared binary
if [[ ! -z "$CODE_SIGN_NAME" ]]; then
codesign --keychain $HOME/Library/Keychains/cloudflared_build_keychain.keychain-db -s "${CODE_SIGN_NAME}" -fv --options runtime --timestamp ${BINARY_NAME}
# notarize the binary
# TODO: TUN-5789
fi
ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
# creating build directory
rm -rf $ARCH_TARGET_DIRECTORY
mkdir -p "${ARCH_TARGET_DIRECTORY}"
mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
# copy cloudflared into the build directory
cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
# compress cloudflared into a tar and gzipped file
tar czf "$FILENAME" "${BINARY_NAME}"
# build the installer package
if [[ ! -z "$PKG_SIGN_NAME" ]]; then
pkgbuild --identifier com.cloudflare.${PRODUCT} \
--version ${VERSION} \
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
--root ${ARCH_TARGET_DIRECTORY}/contents \
--install-location /usr/local/bin \
--keychain cloudflared_build_keychain \
--sign "${PKG_SIGN_NAME}" \
${PKGNAME}
# notarize the package
# TODO: TUN-5789
else
pkgbuild --identifier com.cloudflare.${PRODUCT} \
--version ${VERSION} \
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
--root ${ARCH_TARGET_DIRECTORY}/contents \
--install-location /usr/local/bin \
${PKGNAME}
fi
# cleanup build directory because this script is not ran within containers,
# which might lead to future issues in subsequent runs.
rm -rf "${TARGET_DIRECTORY}"
# cleanup the keychain
security default-keychain -d user -s login.keychain-db
security list-keychains -d user -s login.keychain-db
security delete-keychain cloudflared_build_keychain

14
.ci/scripts/mac/install-go.sh
View File

@ -1,14 +0,0 @@
rm -rf /tmp/go
export GOCACHE=/tmp/gocache
rm -rf $GOCACHE
if [ -z "$1" ]
then
echo "No go version supplied"
fi
brew install "$1"
go version
which go
go env

18
.ci/scripts/release-target.sh
View File

@ -1,18 +0,0 @@
#!/bin/bash
set -e -u -o pipefail
# Check if a make target is provided as an argument
if [ $# -eq 0 ]; then
echo "Error: Make target argument is required"
echo "Usage: $0 <make-target>"
exit 1
fi
MAKE_TARGET=$1
python3 -m venv venv
source venv/bin/activate
# Our release scripts are written in python, so we should install their dependecies here.
pip install pynacl==1.4.0 pygithub==1.55 boto3==1.42.30 python-gnupg==0.4.9
make $MAKE_TARGET

53
.ci/scripts/vuln-check.sh
View File

@ -1,53 +0,0 @@
#!/bin/bash
set -e -u
# Define the file to store the list of vulnerabilities to ignore.
IGNORE_FILE=".vulnignore"
go version
# Check if the ignored vulnerabilities file exists. If not, create an empty one.
if [ ! -f "$IGNORE_FILE" ]; then
touch "$IGNORE_FILE"
echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >>"$IGNORE_FILE"
echo "# You can also add comments on the same line after the ID." >>"$IGNORE_FILE"
echo "" >>"$IGNORE_FILE"
fi
# Run govulncheck and capture its output.
VULN_OUTPUT=$(go run -mod=readonly golang.org/x/vuln/cmd/govulncheck@latest ./... || true)
# Print the govuln output
echo "====================================="
echo "Full Output of govulncheck:"
echo "====================================="
echo "$VULN_OUTPUT"
echo "====================================="
echo "End of govulncheck Output"
echo "====================================="
# Process the ignore file to remove comments and empty lines.
# The 'cut' command gets the vulnerability ID and removes anything after the '#'.
# The 'grep' command filters out empty lines and lines starting with '#'.
CLEAN_IGNORES=$(grep -v '^\s*#' "$IGNORE_FILE" | cut -d'#' -f1 | sed 's/ //g' | sort -u || true)
# Filter out the ignored vulnerabilities.
UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability' || true)
# If the list of ignored vulnerabilities is not empty, filter them out.
if [ -n "$CLEAN_IGNORES" ]; then
UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
fi
# If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
if [ -n "$UNIGNORED_VULNS" ]; then
echo "🚨 Found new, unignored vulnerabilities:"
echo "-------------------------------------"
echo "$UNIGNORED_VULNS"
echo "-------------------------------------"
echo "Exiting with an error. ❌"
exit 1
else
echo "🎉 No new vulnerabilities found. All clear! ✨"
exit 0
fi

29
.ci/scripts/windows/builds.ps1
View File

@ -1,29 +0,0 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$env:TARGET_OS = "windows"
$env:LOCAL_OS = "windows"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
New-Item -Path ".\artifacts" -ItemType Directory
Write-Output "Building for amd64"
$env:TARGET_ARCH = "amd64"
$env:LOCAL_ARCH = "amd64"
$env:CGO_ENABLED = 1
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
# Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-amd64.exe
Write-Output "Building for 386"
$env:TARGET_ARCH = "386"
$env:LOCAL_ARCH = "386"
$env:CGO_ENABLED = 0
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
## Sign build
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\cloudflared.exe
copy .\cloudflared.exe .\artifacts\cloudflared-windows-386.exe

40
.ci/scripts/windows/component-test.ps1
View File

@ -1,40 +0,0 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$env:TARGET_OS = "windows"
$env:LOCAL_OS = "windows"
$env:TARGET_ARCH = "amd64"
$env:LOCAL_ARCH = "amd64"
$env:CGO_ENABLED = 1
python --version
python -m pip --version
Write-Host "Building cloudflared"
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
Write-Host "Running unit tests"
# Not testing with race detector because of https://github.com/golang/go/issues/61058
# We already test it on other platforms
go test -failfast -v -mod=vendor ./...
if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
# On Gitlab runners we need to add all of this addresses to the NO_PROXY list in order for the tests to run.
$env:NO_PROXY = "pypi.org,files.pythonhosted.org,api.cloudflare.com,argotunneltest.com,argotunnel.com,trycloudflare.com,${env:NO_PROXY}"
Write-Host "No Proxy: ${env:NO_PROXY}"
Write-Host "Running component tests"
try {
python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
python component-tests/setup.py --type create
python -m pytest component-tests -o log_cli=true --log-cli-level=INFO --junit-xml=report.xml
if ($LASTEXITCODE -ne 0) {
throw "Failed component tests"
}
} finally {
python component-tests/setup.py --type cleanup
}

69
.ci/scripts/windows/go-wrapper.ps1
View File

@ -1,69 +0,0 @@
Param(
[string]$GoVersion,
[string]$ScriptToExecute
)
# The script is a wrapper that downloads a specific version
# of go, adds it to the PATH and executes a script with that go
# version in the path.
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
# Get the path to the system's temporary directory.
$tempPath = [System.IO.Path]::GetTempPath()
# Create a unique name for the new temporary folder.
$folderName = "go_" + (Get-Random)
# Join the temp path and the new folder name to create the full path.
$fullPath = Join-Path -Path $tempPath -ChildPath $folderName
# Store the current value of PATH environment variable.
$oldPath = $env:Path
# Use a try...finally block to ensure the temporrary folder and PATH are cleaned up.
try {
# Create the temporary folder.
Write-Host "Creating temporary folder at: $fullPath"
$newTempFolder = New-Item -ItemType Directory -Path $fullPath -Force
# Download go
$url = "https://go.dev/dl/$GoVersion.windows-amd64.zip"
$destinationFile = Join-Path -Path $newTempFolder.FullName -ChildPath "go$GoVersion.windows-amd64.zip"
Write-Host "Downloading go from: $url"
Invoke-WebRequest -Uri $url -OutFile $destinationFile
Write-Host "File downloaded to: $destinationFile"
# Unzip the downloaded file.
Write-Host "Unzipping the file..."
Expand-Archive -Path $destinationFile -DestinationPath $newTempFolder.FullName -Force
Write-Host "File unzipped successfully."
# Define the go/bin path wich is inside the temporary folder
$goBinPath = Join-Path -Path $fullPath -ChildPath "go\bin"
# Add the go/bin path to the PATH environment variable.
$env:Path = "$goBinPath;$($env:Path)"
Write-Host "Added $goBinPath to the environment PATH."
go env
go version
& $ScriptToExecute
} finally {
# Cleanup: Remove the path from the environment variable and then the temporary folder.
Write-Host "Starting cleanup..."
$env:Path = $oldPath
Write-Host "Reverted changes in the environment PATH."
# Remove the temporary folder and its contents.
if (Test-Path -Path $fullPath) {
Remove-Item -Path $fullPath -Recurse -Force
Write-Host "Temporary folder and its contents have been removed."
} else {
Write-Host "Temporary folder does not exist, no cleanup needed."
}
}

26
.ci/scripts/windows/sign-msi.ps1
View File

@ -1,26 +0,0 @@
# Sign Windows artifacts using azuretool
# This script processes MSI files from the artifacts directory
$ErrorActionPreference = "Stop"
# Define paths
$ARTIFACT_DIR = "artifacts"
$TIMESTAMP_RFC3161 = "http://timestamp.digicert.com"
Write-Host "Looking for Windows artifacts to sign in $ARTIFACT_DIR..."
# Find all Windows MSI files
$msiFiles = Get-ChildItem -Path $ARTIFACT_DIR -Filter "cloudflared-windows-*.msi" -ErrorAction SilentlyContinue
if ($msiFiles.Count -eq 0) {
Write-Host "No Windows MSI files found in $ARTIFACT_DIR"
exit 1
}
Write-Host "Found $($msiFiles.Count) file(s) to sign:"
foreach ($file in $msiFiles) {
Write-Host "Running azuretool sign for $($file.Name)"
azuresigntool.exe sign -kvu $env:KEY_VAULT_URL -kvi "$env:KEY_VAULT_CLIENT_ID" -kvs "$env:KEY_VAULT_SECRET" -kvc "$env:KEY_VAULT_CERTIFICATE" -kvt "$env:KEY_VAULT_TENANT_ID" -tr "$TIMESTAMP_RFC3161" -d "Cloudflare Tunnel Daemon" .\\$ARTIFACT_DIR\\$($file.Name)
}
Write-Host "Signing process completed"

114
.ci/windows.gitlab-ci.yml
View File

@ -1,114 +0,0 @@
include:
- local: .ci/commons.gitlab-ci.yml
###################################
### Defaults for Windows Builds ###
###################################
.windows-build-defaults: &windows-build-defaults
rules:
- !reference [.default-rules, run-always]
tags:
- windows-x86
cache: {}
##########################################
### Build Cloudflared Windows Binaries ###
##########################################
windows-build-cloudflared:
<<: *windows-build-defaults
stage: build
script:
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
artifacts:
paths:
- artifacts/*
######################################################
### Load Environment Variables for Component Tests ###
######################################################
windows-load-env-variables:
stage: pre-build
extends: .component-tests
script:
- echo "COMPONENT_TESTS_CONFIG=$COMPONENT_TESTS_CONFIG" >> windows.env
- echo "COMPONENT_TESTS_CONFIG_CONTENT=$COMPONENT_TESTS_CONFIG_CONTENT" >> windows.env
- echo "DNS_API_TOKEN=$DNS_API_TOKEN" >> windows.env
# We have to encode the `COMPONENT_TESTS_ORIGINCERT` secret, because it content is a file, otherwise we can't export it using gitlab
- echo "COMPONENT_TESTS_ORIGINCERT=$(echo "$COMPONENT_TESTS_ORIGINCERT" | base64 -w0)" >> windows.env
- echo "KEY_VAULT_URL=$KEY_VAULT_URL" >> windows.env
- echo "KEY_VAULT_CLIENT_ID=$KEY_VAULT_CLIENT_ID" >> windows.env
- echo "KEY_VAULT_TENANT_ID=$KEY_VAULT_TENANT_ID" >> windows.env
- echo "KEY_VAULT_SECRET=$KEY_VAULT_SECRET" >> windows.env
- echo "KEY_VAULT_CERTIFICATE=$KEY_VAULT_CERTIFICATE" >> windows.env
variables:
COMPONENT_TESTS_CONFIG_CONTENT: Y2xvdWRmbGFyZWRfYmluYXJ5OiAuL2Nsb3VkZmxhcmVkLmV4ZQpjcmVkZW50aWFsc19maWxlOiBjcmVkLmpzb24Kb3JpZ2luY2VydDogY2VydC5wZW0Kem9uZV9kb21haW46IGFyZ290dW5uZWx0ZXN0LmNvbQp6b25lX3RhZzogNDg3OTZmMWU3MGJiNzY2OWMyOWJiNTFiYTI4MmJmNjU=
secrets:
KEY_VAULT_URL:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_url@kv
file: false
KEY_VAULT_CLIENT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_client_id@kv
file: false
KEY_VAULT_TENANT_ID:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/app_info/key_vault_tenant_id@kv
file: false
KEY_VAULT_SECRET:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/secret/key_vault_secret@kv
file: false
KEY_VAULT_CERTIFICATE:
vault: gitlab/cloudflare/tun/cloudflared/_dev/azure_vault/certificate/key_vault_certificate@kv
file: false
artifacts:
access: 'none'
reports:
dotenv: windows.env
###################################
### Run Windows Component Tests ###
###################################
windows-component-tests-cloudflared:
<<: *windows-build-defaults
stage: test
needs: ["windows-load-env-variables"]
script:
# We have to decode the secret we encoded on the `windows-load-env-variables` job
- $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
artifacts:
reports:
junit: report.xml
################################
### Package Windows Binaries ###
################################
windows-package:
rules:
- !reference [.default-rules, run-on-master]
stage: package
needs:
- ci-image-get-image-ref
- windows-build-cloudflared
image: $BUILD_IMAGE
script:
- .ci/scripts/package-windows.sh
cache: {}
artifacts:
paths:
- artifacts/*
#############################
### Sign Windows Binaries ###
#############################
windows-package-sign:
<<: *windows-build-defaults
rules:
- !reference [.default-rules, run-on-master]
stage: package
needs:
- windows-package
- windows-load-env-variables
script:
- powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\sign-msi.ps1"
artifacts:
paths:
- artifacts/*

1
.gitignore vendored
View File

@ -18,4 +18,3 @@ ssh_server_tests/.env
/.cover /.cover
built_artifacts/ built_artifacts/
component-tests/.venv component-tests/.venv
/artifacts

69
.gitlab-ci.yml
View File

@ -1,69 +0,0 @@
variables:
GO_VERSION: "1.24.13"
MAC_GO_VERSION: "go@$GO_VERSION"
WIN_GO_VERSION: "go$GO_VERSION"
GIT_DEPTH: "0"
default:
id_tokens:
VAULT_ID_TOKEN:
aud: https://vault.cfdata.org
stages:
[
sync,
pre-build,
build,
validate,
test,
package,
release,
release-internal,
review,
]
include:
#####################################################
########## Import Commons Configurations ############
#####################################################
- local: .ci/commons.gitlab-ci.yml
#####################################################
########### Sync Repository with Github #############
#####################################################
- local: .ci/github.gitlab-ci.yml
#####################################################
############# Build or Fetch CI Image ###############
#####################################################
- local: .ci/ci-image.gitlab-ci.yml
#####################################################
################## Linux Builds ###################
#####################################################
- local: .ci/linux.gitlab-ci.yml
#####################################################
################## Windows Builds ###################
#####################################################
- local: .ci/windows.gitlab-ci.yml
#####################################################
################### macOS Builds ####################
#####################################################
- local: .ci/mac.gitlab-ci.yml
#####################################################
################# Release Packages ##################
#####################################################
- local: .ci/release.gitlab-ci.yml
#####################################################
########## Release Packages Internally ##############
#####################################################
- local: .ci/apt-internal.gitlab-ci.yml
#####################################################
############## Manual Claude Review #################
#####################################################
- component: $CI_SERVER_FQDN/cloudflare/ci/ai/review@~latest

89
.golangci.yaml
View File

@ -1,89 +0,0 @@
linters:
enable:
# Some of the linters below are commented out. We should uncomment and start running them, but they return
# too many problems to fix in one commit. Something for later.
- asasalint # Check for pass []any as any in variadic func(...any).
- asciicheck # Checks that all code identifiers does not have non-ASCII symbols in the name.
- bidichk # Checks for dangerous unicode character sequences.
- bodyclose # Checks whether HTTP response body is closed successfully.
- decorder # Check declaration order and count of types, constants, variables and functions.
- dogsled # Checks assignments with too many blank identifiers (e.g. x, , , _, := f()).
- dupl # Tool for code clone detection.
- dupword # Checks for duplicate words in the source code.
- durationcheck # Check for two durations multiplied together.
- errcheck # Errcheck is a program for checking for unchecked errors in Go code. These unchecked errors can be critical bugs in some cases.
- errname # Checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error.
- exhaustive # Check exhaustiveness of enum switch statements.
- gofmt # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification.
- goimports # Check import statements are formatted according to the 'goimport' command. Reformat imports in autofix mode.
- gosec # Inspects source code for security problems.
- gosimple # Linter for Go source code that specializes in simplifying code.
- govet # Vet examines Go source code and reports suspicious constructs. It is roughly the same as 'go vet' and uses its passes.
- ineffassign # Detects when assignments to existing variables are not used.
- importas # Enforces consistent import aliases.
- misspell # Finds commonly misspelled English words.
- prealloc # Finds slice declarations that could potentially be pre-allocated.
- promlinter # Check Prometheus metrics naming via promlint.
- sloglint # Ensure consistent code style when using log/slog.
- sqlclosecheck # Checks that sql.Rows, sql.Stmt, sqlx.NamedStmt, pgx.Query are closed.
- staticcheck # It's a set of rules from staticcheck. It's not the same thing as the staticcheck binary.
- usetesting # Reports uses of functions with replacement inside the testing package.
- testableexamples # Linter checks if examples are testable (have an expected output).
- testifylint # Checks usage of github.com/stretchr/testify.
- tparallel # Tparallel detects inappropriate usage of t.Parallel() method in your Go test codes.
- unconvert # Remove unnecessary type conversions.
- unused # Checks Go code for unused constants, variables, functions and types.
- wastedassign # Finds wasted assignment statements.
- whitespace # Whitespace is a linter that checks for unnecessary newlines at the start and end of functions, if, for, etc.
- zerologlint # Detects the wrong usage of zerolog that a user forgets to dispatch with Send or Msg.
# Other linters are disabled, list of all is here: https://golangci-lint.run/usage/linters/
run:
timeout: 5m
modules-download-mode: vendor
# output configuration options
output:
formats:
- format: 'colored-line-number'
print-issued-lines: true
print-linter-name: true
issues:
# Maximum issues count per one linter.
# Set to 0 to disable.
# Default: 50
max-issues-per-linter: 50
# Maximum count of issues with the same text.
# Set to 0 to disable.
# Default: 3
max-same-issues: 15
# Show only new issues: if there are unstaged changes or untracked files,
# only those changes are analyzed, else only changes in HEAD~ are analyzed.
# It's a super-useful option for integration of golangci-lint into existing large codebase.
# It's not practical to fix all existing issues at the moment of integration:
# much better don't allow issues in new code.
#
# Default: false
new: true
# Show only new issues created after git revision `REV`.
# Default: ""
new-from-rev: ac34f94d423273c8fa8fdbb5f2ac60e55f2c77d5
# Show issues in any part of update files (requires new-from-rev or new-from-patch).
# Default: false
whole-files: true
# Which dirs to exclude: issues from them won't be reported.
# Can use regexp here: `generated.*`, regexp is applied on full path,
# including the path prefix if one is set.
# Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
# "/" will be replaced by current OS file path separator to properly work on Windows.
# Default: []
exclude-dirs:
- vendor
linters-settings:
# Check exhaustiveness of enum switch statements.
exhaustive:
# Presence of "default" case in switch statements satisfies exhaustiveness,
# even if all enum members are not listed.
# Default: false
default-signifies-exhaustive: true

8
.teamcity/install-cloudflare-go.sh vendored Executable file
View File

@ -0,0 +1,8 @@
# !/usr/bin/env bash
cd /tmp
git clone -q https://github.com/cloudflare/go
cd go/src
# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
./make.bash

195
.teamcity/mac/build.sh vendored Executable file
View File

@ -0,0 +1,195 @@
#!/bin/bash
set -exo pipefail
if [[ "$(uname)" != "Darwin" ]] ; then
echo "This should be run on macOS"
exit 1
fi
if [[ "amd64" != "${TARGET_ARCH}" && "arm64" != "${TARGET_ARCH}" ]]
then
echo "TARGET_ARCH must be amd64 or arm64"
exit 1
fi
go version
export GO111MODULE=on
# build 'cloudflared-darwin-amd64.tgz'
mkdir -p artifacts
TARGET_DIRECTORY=".build"
BINARY_NAME="cloudflared"
VERSION=$(git describe --tags --always --dirty="-dev")
PRODUCT="cloudflared"
CODE_SIGN_PRIV="code_sign.p12"
CODE_SIGN_CERT="code_sign.cer"
INSTALLER_PRIV="installer.p12"
INSTALLER_CERT="installer.cer"
BUNDLE_ID="com.cloudflare.cloudflared"
SEC_DUP_MSG="security: SecKeychainItemImport: The specified item already exists in the keychain."
export PATH="$PATH:/usr/local/bin"
FILENAME="$(pwd)/artifacts/cloudflared-darwin-$TARGET_ARCH.tgz"
PKGNAME="$(pwd)/artifacts/cloudflared-$TARGET_ARCH.pkg"
mkdir -p ../src/github.com/cloudflare/
cp -r . ../src/github.com/cloudflare/cloudflared
cd ../src/github.com/cloudflare/cloudflared
# Add code signing private key to the key chain
if [[ ! -z "$CFD_CODE_SIGN_KEY" ]]; then
if [[ ! -z "$CFD_CODE_SIGN_PASS" ]]; then
# write private key to disk and then import it keychain
echo -n -e ${CFD_CODE_SIGN_KEY} | base64 -D > ${CODE_SIGN_PRIV}
# we set || true here and for every `security import invoke` because the "duplicate SecKeychainItemImport" error
# will cause set -e to exit 1. It is okay we do this because we deliberately handle this error in the lines below.
out=$(security import ${CODE_SIGN_PRIV} -A -P "${CFD_CODE_SIGN_PASS}" 2>&1) || true
exitcode=$?
if [ -n "$out" ]; then
if [ $exitcode -eq 0 ]; then
echo "$out"
else
if [ "$out" != "${SEC_DUP_MSG}" ]; then
echo "$out" >&2
exit $exitcode
fi
fi
fi
rm ${CODE_SIGN_PRIV}
fi
fi
# Add code signing certificate to the key chain
if [[ ! -z "$CFD_CODE_SIGN_CERT" ]]; then
# write certificate to disk and then import it keychain
echo -n -e ${CFD_CODE_SIGN_CERT} | base64 -D > ${CODE_SIGN_CERT}
out1=$(security import ${CODE_SIGN_CERT} -A 2>&1) || true
exitcode1=$?
if [ -n "$out1" ]; then
if [ $exitcode1 -eq 0 ]; then
echo "$out1"
else
if [ "$out1" != "${SEC_DUP_MSG}" ]; then
echo "$out1" >&2
exit $exitcode1
else
echo "already imported code signing certificate"
fi
fi
fi
rm ${CODE_SIGN_CERT}
fi
# Add package signing private key to the key chain
if [[ ! -z "$CFD_INSTALLER_KEY" ]]; then
if [[ ! -z "$CFD_INSTALLER_PASS" ]]; then
# write private key to disk and then import it into the keychain
echo -n -e ${CFD_INSTALLER_KEY} | base64 -D > ${INSTALLER_PRIV}
out2=$(security import ${INSTALLER_PRIV} -A -P "${CFD_INSTALLER_PASS}" 2>&1) || true
exitcode2=$?
if [ -n "$out2" ]; then
if [ $exitcode2 -eq 0 ]; then
echo "$out2"
else
if [ "$out2" != "${SEC_DUP_MSG}" ]; then
echo "$out2" >&2
exit $exitcode2
fi
fi
fi
rm ${INSTALLER_PRIV}
fi
fi
# Add package signing certificate to the key chain
if [[ ! -z "$CFD_INSTALLER_CERT" ]]; then
# write certificate to disk and then import it keychain
echo -n -e ${CFD_INSTALLER_CERT} | base64 -D > ${INSTALLER_CERT}
out3=$(security import ${INSTALLER_CERT} -A 2>&1) || true
exitcode3=$?
if [ -n "$out3" ]; then
if [ $exitcode3 -eq 0 ]; then
echo "$out3"
else
if [ "$out3" != "${SEC_DUP_MSG}" ]; then
echo "$out3" >&2
exit $exitcode3
else
echo "already imported installer certificate"
fi
fi
fi
rm ${INSTALLER_CERT}
fi
# get the code signing certificate name
if [[ ! -z "$CFD_CODE_SIGN_NAME" ]]; then
CODE_SIGN_NAME="${CFD_CODE_SIGN_NAME}"
else
if [[ -n "$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)" ]]; then
CODE_SIGN_NAME=$(security find-certificate -c "Developer ID Application" | cut -d'"' -f 4 -s | grep "Developer ID Application:" | head -1)
else
CODE_SIGN_NAME=""
fi
fi
# get the package signing certificate name
if [[ ! -z "$CFD_INSTALLER_NAME" ]]; then
PKG_SIGN_NAME="${CFD_INSTALLER_NAME}"
else
if [[ -n "$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)" ]]; then
PKG_SIGN_NAME=$(security find-certificate -c "Developer ID Installer" | cut -d'"' -f 4 -s | grep "Developer ID Installer:" | head -1)
else
PKG_SIGN_NAME=""
fi
fi
# cleanup the build directory because the previous execution might have failed without cleaning up.
rm -rf "${TARGET_DIRECTORY}"
export TARGET_OS="darwin"
GOCACHE="$PWD/../../../../" GOPATH="$PWD/../../../../" CGO_ENABLED=1 make cloudflared
# sign the cloudflared binary
if [[ ! -z "$CODE_SIGN_NAME" ]]; then
codesign -s "${CODE_SIGN_NAME}" -f -v --timestamp --options runtime ${BINARY_NAME}
# notarize the binary
# TODO: TUN-5789
fi
ARCH_TARGET_DIRECTORY="${TARGET_DIRECTORY}/${TARGET_ARCH}-build"
# creating build directory
rm -rf $ARCH_TARGET_DIRECTORY
mkdir -p "${ARCH_TARGET_DIRECTORY}"
mkdir -p "${ARCH_TARGET_DIRECTORY}/contents"
cp -r ".mac_resources/scripts" "${ARCH_TARGET_DIRECTORY}/scripts"
# copy cloudflared into the build directory
cp ${BINARY_NAME} "${ARCH_TARGET_DIRECTORY}/contents/${PRODUCT}"
# compress cloudflared into a tar and gzipped file
tar czf "$FILENAME" "${BINARY_NAME}"
# build the installer package
if [[ ! -z "$PKG_SIGN_NAME" ]]; then
pkgbuild --identifier com.cloudflare.${PRODUCT} \
--version ${VERSION} \
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
--root ${ARCH_TARGET_DIRECTORY}/contents \
--install-location /usr/local/bin \
--sign "${PKG_SIGN_NAME}" \
${PKGNAME}
# notarize the package
# TODO: TUN-5789
else
pkgbuild --identifier com.cloudflare.${PRODUCT} \
--version ${VERSION} \
--scripts ${ARCH_TARGET_DIRECTORY}/scripts \
--root ${ARCH_TARGET_DIRECTORY}/contents \
--install-location /usr/local/bin \
${PKGNAME}
fi
# cleanup build directory because this script is not ran within containers,
# which might lead to future issues in subsequent runs.
rm -rf "${TARGET_DIRECTORY}"

10
.teamcity/mac/install-cloudflare-go.sh vendored Executable file
View File

@ -0,0 +1,10 @@
rm -rf /tmp/go
export GOCACHE=/tmp/gocache
rm -rf $GOCACHE
./.teamcity/install-cloudflare-go.sh
export PATH="/tmp/go/bin:$PATH"
go version
which go
go env

12
.ci/scripts/package-windows.sh → .teamcity/package-windows.sh vendored
View File

@ -1,25 +1,19 @@
#!/bin/bash
set -e -u -o pipefail
python3 -m venv env
. env/bin/activate
pip install pynacl==1.4.0 pygithub==1.55
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*") VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION echo $VERSION
export TARGET_OS=windows export TARGET_OS=windows
# This controls the directory the built artifacts go into # This controls the directory the built artifacts go into
export BUILT_ARTIFACT_DIR=artifacts/ export BUILT_ARTIFACT_DIR=built_artifacts/
export FINAL_ARTIFACT_DIR=artifacts/ export FINAL_ARTIFACT_DIR=artifacts/
mkdir -p $BUILT_ARTIFACT_DIR mkdir -p $BUILT_ARTIFACT_DIR
mkdir -p $FINAL_ARTIFACT_DIR mkdir -p $FINAL_ARTIFACT_DIR
windowsArchs=("amd64" "386") windowsArchs=("amd64" "386")
for arch in ${windowsArchs[@]}; do for arch in ${windowsArchs[@]}; do
export TARGET_ARCH=$arch export TARGET_ARCH=$arch
# Copy .exe from artifacts directory # Copy exe into final directory
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe ./cloudflared.exe
make cloudflared-msi make cloudflared-msi
# Copy msi into final directory # Copy msi into final directory
mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi mv cloudflared-$VERSION-$arch.msi $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.msi
cp $BUILT_ARTIFACT_DIR/cloudflared-windows-$arch.exe $FINAL_ARTIFACT_DIR/cloudflared-windows-$arch.exe
done done

28
.teamcity/windows/builds.ps1 vendored Normal file
View File

@ -0,0 +1,28 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
# Relative path to working directory
$CloudflaredDirectory = "go\src\github.com\cloudflare\cloudflared"
cd $CloudflaredDirectory
Write-Output "Building for amd64"
$env:TARGET_OS = "windows"
$env:CGO_ENABLED = 1
$env:TARGET_ARCH = "amd64"
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
go env
go version
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for amd64" }
copy .\cloudflared.exe .\cloudflared-windows-amd64.exe
Write-Output "Building for 386"
$env:CGO_ENABLED = 0
$env:TARGET_ARCH = "386"
make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared for 386" }
copy .\cloudflared.exe .\cloudflared-windows-386.exe

47
.teamcity/windows/component-test.ps1 vendored Normal file
View File

@ -0,0 +1,47 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$WorkingDirectory = Get-Location
$CloudflaredDirectory = "$WorkingDirectory\go\src\github.com\cloudflare\cloudflared"
go env
go version
$env:TARGET_OS = "windows"
$env:CGO_ENABLED = 1
$env:TARGET_ARCH = "amd64"
$env:Path = "$Env:Temp\go\bin;$($env:Path)"
python --version
python -m pip --version
cd $CloudflaredDirectory
go env
go version
Write-Output "Building cloudflared"
& make cloudflared
if ($LASTEXITCODE -ne 0) { throw "Failed to build cloudflared" }
echo $LASTEXITCODE
Write-Output "Running unit tests"
# Not testing with race detector because of https://github.com/golang/go/issues/61058
# We already test it on other platforms
& go test -failfast -mod=vendor ./...
if ($LASTEXITCODE -ne 0) { throw "Failed unit tests" }
Write-Output "Running component tests"
python -m pip --disable-pip-version-check install --upgrade -r component-tests/requirements.txt --use-pep517
python component-tests/setup.py --type create
python -m pytest component-tests -o log_cli=true --log-cli-level=INFO
if ($LASTEXITCODE -ne 0) {
python component-tests/setup.py --type cleanup
throw "Failed component tests"
}
python component-tests/setup.py --type cleanup

16
.teamcity/windows/install-cloudflare-go.ps1 vendored Normal file
View File

@ -0,0 +1,16 @@
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
Write-Output "Downloading cloudflare go..."
Set-Location "$Env:Temp"
git clone -q https://github.com/cloudflare/go
Write-Output "Building go..."
cd go/src
# https://github.com/cloudflare/go/tree/f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38 is version go1.22.5-devel-cf
git checkout -q f4334cdc0c3f22a3bfdd7e66f387e3ffc65a5c38
& ./make.bat
Write-Output "Installed"

20
.teamcity/windows/install-go-msi.ps1 vendored Normal file
View File

@ -0,0 +1,20 @@
$ErrorActionPreference = "Stop"
$ProgressPreference = "SilentlyContinue"
$GoMsiVersion = "go1.22.5.windows-amd64.msi"
Write-Output "Downloading go installer..."
Set-Location "$Env:Temp"
(New-Object System.Net.WebClient).DownloadFile(
"https://go.dev/dl/$GoMsiVersion",
"$Env:Temp\$GoMsiVersion"
)
Write-Output "Installing go..."
Install-Package "$Env:Temp\$GoMsiVersion" -Force
# Go installer updates global $PATH
go env
Write-Output "Installed"

2
.vulnignore
View File

@ -1,2 +0,0 @@
# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line.
# You can also add comments on the same line after the ID.

251
AGENTS.md
View File

@ -1,251 +0,0 @@
# Cloudflared
Cloudflare's command-line tool and networking daemon written in Go.
Production-grade tunneling and network connectivity services used by millions of
developers and organizations worldwide.
## Essential Commands
### Build & Test (Always run before commits)
```bash
# Full development check (run before any commit)
make test lint
# Build for current platform
make cloudflared
# Run all unit tests with coverage
make test
make cover
# Run specific test
go test -run TestFunctionName ./path/to/package
# Run tests with race detection
go test -race ./...
```
### Platform-Specific Builds
```bash
# Linux
TARGET_OS=linux TARGET_ARCH=amd64 make cloudflared
# Windows
TARGET_OS=windows TARGET_ARCH=amd64 make cloudflared
# macOS ARM64
TARGET_OS=darwin TARGET_ARCH=arm64 make cloudflared
# FIPS compliant build
FIPS=true make cloudflared
```
### Code Quality & Formatting
```bash
# Run linter (38+ enabled linters)
make lint
# Auto-fix formatting
make fmt
gofmt -w .
goimports -w .
# Security scanning
make vet
# Component tests (Python integration tests)
cd component-tests && python -m pytest test_file.py::test_function_name
```
## Project Knowledge
### Package Structure
- Use meaningful package names that reflect functionality
- Package names should be lowercase, single words when possible
- Avoid generic names like `util`, `common`, `helper`
### Function and Method Guidelines
```go
// Good: Clear purpose, proper error handling
func (c *Connection) HandleRequest(ctx context.Context, req *http.Request) error {
if req == nil {
return errors.New("request cannot be nil")
}
// Implementation...
return nil
}
```
### Error Handling
- Always handle errors explicitly, never ignore them
- Use `fmt.Errorf` for error wrapping
- Create meaningful error messages with context
- Use error variables for common errors
```go
// Good error handling patterns
if err != nil {
return fmt.Errorf("failed to process connection: %w", err)
}
```
### Logging Standards
- Use `github.com/rs/zerolog` for structured logging
- Include relevant context fields
- Use appropriate log levels (Debug, Info, Warn, Error)
```go
logger.Info().
Str("tunnelID", tunnel.ID).
Int("connIndex", connIndex).
Msg("Connection established")
```
### Testing Patterns
- Use `github.com/stretchr/testify` for assertions
- Test files end with `_test.go`
- Use table-driven tests for multiple scenarios
- Always use `t.Parallel()` for parallel-safe tests
- Use meaningful test names that describe behavior
```go
func TestMetricsListenerCreation(t *testing.T) {
t.Parallel()
// Test implementation
assert.Equal(t, expected, actual)
require.NoError(t, err)
}
```
### Constants and Variables
```go
const (
MaxGracePeriod = time.Minute * 3
MaxConcurrentStreams = math.MaxUint32
LogFieldConnIndex = "connIndex"
)
var (
// Group related variables
switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType}
)
```
### Type Definitions
- Define interfaces close to their usage
- Keep interfaces small and focused
- Use descriptive names for complex types
```go
type TunnelConnection interface {
Serve(ctx context.Context) error
}
type TunnelProperties struct {
Credentials Credentials
QuickTunnelUrl string
}
```
## Key Architectural Patterns
### Context Usage
- Always accept `context.Context` as first parameter for long-running operations
- Respect context cancellation in loops and blocking operations
- Pass context through call chains
### Concurrency
- Use channels for goroutine communication
- Protect shared state with mutexes
- Prefer `sync.RWMutex` for read-heavy workloads
### Configuration
- Use structured configuration with validation
- Support both file-based and CLI flag configuration
- Provide sensible defaults
### Metrics and Observability
- Instrument code with Prometheus metrics
- Use OpenTelemetry for distributed tracing
- Include structured logging with relevant context
## Boundaries
### ✅ Always Do
- Run `make test lint` before any commit
- Handle all errors explicitly with proper context
- Use `github.com/rs/zerolog` for all logging
- Add `t.Parallel()` to all parallel-safe tests
- Follow the import grouping conventions
- Use meaningful variable and function names
- Include context.Context for long-running operations
- Close resources in defer statements
### ⚠️ Ask First Before
- Adding new dependencies to go.mod
- Modifying CI/CD configuration files
- Changing build system or Makefile
- Modifying component test infrastructure
- Adding new linter rules or changing golangci-lint config
- Making breaking changes to public APIs
- Changing logging levels or structured logging fields
### 🚫 Never Do
- Ignore errors without explicit handling (`_ = err`)
- Use generic package names (`util`, `helper`, `common`)
- Commit code that fails `make test lint`
- Use `fmt.Print*` instead of structured logging
- Modify vendor dependencies directly
- Commit secrets, credentials, or sensitive data
- Use deprecated or unsafe Go patterns
- Skip testing for new functionality
- Remove existing tests unless they're genuinely invalid
## Dependencies Management
- Use Go modules (`go.mod`) exclusively
- Vendor dependencies for reproducible builds
- Keep dependencies up-to-date and secure
- Prefer standard library when possible
- Cloudflared uses a fork of quic-go always check release notes before bumping
this dependency.
## Security Considerations
- FIPS compliance support available
- Vulnerability scanning integrated in CI
- Credential handling follows security best practices
- Network security with TLS/QUIC protocols
- Regular security audits and updates
- Post quantum encryption
## Common Patterns to Follow
1. **Graceful shutdown**: Always implement proper cleanup
2. **Resource management**: Close resources in defer statements
3. **Error propagation**: Wrap errors with meaningful context
4. **Configuration validation**: Validate inputs early
5. **Logging consistency**: Use structured logging throughout
6. **Testing coverage**: Aim for comprehensive test coverage
7. **Documentation**: Comment exported functions and types
Remember: This is a mission-critical networking tool used in production by many
organizations. Code quality, security, and reliability are paramount.

29
CHANGES.md
View File

@ -1,30 +1,3 @@
## 2026.2.0
### Breaking Change
- Removes the `proxy-dns` feature from cloudflared. This feature allowed running a local DNS over HTTPS (DoH) proxy.
Users who relied on this functionality should migrate to alternative solutions.
Removed commands and flags:
- `cloudflared proxy-dns`
- `cloudflared tunnel proxy-dns`
- `--proxy-dns`, `--proxy-dns-port`, `--proxy-dns-address`, `--proxy-dns-upstream`, `--proxy-dns-max-upstream-conns`, `--proxy-dns-bootstrap`
- `resolver` section in configuration file
## 2025.7.1
### Notices
- `cloudflared` will no longer officially support Debian and Ubuntu distros that reached end-of-life: `buster`, `bullseye`, `impish`, `trusty`.
## 2025.1.1
### New Features
- This release introduces the use of new Post Quantum curves and the ability to use Post Quantum curves when running tunnels with the QUIC protocol this applies to non-FIPS and FIPS builds.
## 2024.12.2
### New Features
- This release introduces the ability to collect troubleshooting information from one instance of cloudflared running on the local machine. The command can be executed as `cloudflared tunnel diag`.
## 2024.12.1
### Notices
- The use of the `--metrics` is still honoured meaning that if this flag is set the metrics server will try to bind it, however, this version includes a change that makes the metrics server bind to a port with a semi-deterministic approach. If the metrics flag is not present the server will bind to the first available port of the range 20241 to 20245. In case of all ports being unavailable then the fallback is to bind to a random port.
## 2024.10.0 ## 2024.10.0
### Bug Fixes ### Bug Fixes
- We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received. - We fixed a bug related to `--grace-period`. Tunnels that use QUIC as transport weren't abiding by this waiting period before forcefully closing the connections to the edge. From now on, both QUIC and HTTP2 tunnels will wait for either the grace period to end (defaults to 30 seconds) or until the last in-flight request is handled. Users that wish to maintain the previous behavior should set `--grace-period` to 0 if `--protocol` is set to `quic`. This will force `cloudflared` to shutdown as soon as either SIGTERM or SIGINT is received.
@ -292,7 +265,7 @@ of uptime. Previous cloudflared versions will soon be unable to run legacy tempo
### Bug Fixes ### Bug Fixes
- Tunnel create and delete commands no longer use path to credentials from the configuration file. - Tunnel create and delete commands no longer use path to credentials from the configuration file.
If you need to place tunnel credentials file at a specific location, you must use `--credentials-file` flag. If you need ot place tunnel credentials file at a specific location, you must use `--credentials-file` flag.
- Access ssh-gen creates properly named keys for SSH short lived certs. - Access ssh-gen creates properly named keys for SSH short lived certs.

25
Dockerfile
View File

@ -1,37 +1,32 @@
# use a builder image for building cloudflare # use a builder image for building cloudflare
ARG TARGET_GOOS ARG TARGET_GOOS
ARG TARGET_GOARCH ARG TARGET_GOARCH
FROM golang:1.24.13 AS builder FROM golang:1.22.5 as builder
ENV GO111MODULE=on \ ENV GO111MODULE=on \
CGO_ENABLED=0 \ CGO_ENABLED=0 \
TARGET_GOOS=${TARGET_GOOS} \ TARGET_GOOS=${TARGET_GOOS} \
TARGET_GOARCH=${TARGET_GOARCH} \ TARGET_GOARCH=${TARGET_GOARCH}
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
# which changes how cloudflared binds the metrics server
CONTAINER_BUILD=1
WORKDIR /go/src/github.com/cloudflare/cloudflared/ WORKDIR /go/src/github.com/cloudflare/cloudflared/
# copy our sources into the builder image # copy our sources into the builder image
COPY . . COPY . .
RUN .teamcity/install-cloudflare-go.sh
# compile cloudflared # compile cloudflared
RUN make cloudflared RUN PATH="/tmp/go/bin:$PATH" make cloudflared
# use a distroless base image with glibc # use a distroless base image with glibc
FROM gcr.io/distroless/base-debian13:nonroot FROM gcr.io/distroless/base-debian11:nonroot
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared" LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
# copy our compiled binary # copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user # run as non-privileged user
# We need to use numeric user id's because Kubernetes doesn't support strings: USER nonroot
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container # command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"] ENTRYPOINT ["cloudflared", "--no-autoupdate"]

20
Dockerfile.amd64
View File

@ -1,32 +1,28 @@
# use a builder image for building cloudflare # use a builder image for building cloudflare
FROM golang:1.24.13 AS builder FROM golang:1.22.5 as builder
ENV GO111MODULE=on \ ENV GO111MODULE=on \
CGO_ENABLED=0 \ CGO_ENABLED=0
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
# which changes how cloudflared binds the metrics server
CONTAINER_BUILD=1
WORKDIR /go/src/github.com/cloudflare/cloudflared/ WORKDIR /go/src/github.com/cloudflare/cloudflared/
# copy our sources into the builder image # copy our sources into the builder image
COPY . . COPY . .
RUN .teamcity/install-cloudflare-go.sh
# compile cloudflared # compile cloudflared
RUN GOOS=linux GOARCH=amd64 make cloudflared RUN GOOS=linux GOARCH=amd64 PATH="/tmp/go/bin:$PATH" make cloudflared
# use a distroless base image with glibc # use a distroless base image with glibc
FROM gcr.io/distroless/base-debian13:nonroot FROM gcr.io/distroless/base-debian11:nonroot
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared" LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
# copy our compiled binary # copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user # run as non-privileged user
# We need to use numeric user id's because Kubernetes doesn't support strings: USER nonroot
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container # command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"] ENTRYPOINT ["cloudflared", "--no-autoupdate"]

20
Dockerfile.arm64
View File

@ -1,32 +1,28 @@
# use a builder image for building cloudflare # use a builder image for building cloudflare
FROM golang:1.24.13 AS builder FROM golang:1.22.5 as builder
ENV GO111MODULE=on \ ENV GO111MODULE=on \
CGO_ENABLED=0 \ CGO_ENABLED=0
# the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
# which changes how cloudflared binds the metrics server
CONTAINER_BUILD=1
WORKDIR /go/src/github.com/cloudflare/cloudflared/ WORKDIR /go/src/github.com/cloudflare/cloudflared/
# copy our sources into the builder image # copy our sources into the builder image
COPY . . COPY . .
RUN .teamcity/install-cloudflare-go.sh
# compile cloudflared # compile cloudflared
RUN GOOS=linux GOARCH=arm64 make cloudflared RUN GOOS=linux GOARCH=arm64 PATH="/tmp/go/bin:$PATH" make cloudflared
# use a distroless base image with glibc # use a distroless base image with glibc
FROM gcr.io/distroless/base-debian13:nonroot-arm64 FROM gcr.io/distroless/base-debian11:nonroot-arm64
LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared" LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
# copy our compiled binary # copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as nonroot user # run as non-privileged user
# We need to use numeric user id's because Kubernetes doesn't support strings: USER nonroot
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container # command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"] ENTRYPOINT ["cloudflared", "--no-autoupdate"]

95
Makefile
View File

@ -24,22 +24,12 @@ else
DEB_PACKAGE_NAME := $(BINARY_NAME) DEB_PACKAGE_NAME := $(BINARY_NAME)
endif endif
# Use git in windows since we don't have access to the `date` tool DATE := $(shell date -u '+%Y-%m-%d-%H%M UTC')
ifeq ($(TARGET_OS), windows)
DATE := $(shell git log -1 --format="%ad" --date=format-local:'%Y-%m-%dT%H:%M UTC' -- RELEASE_NOTES)
else
DATE := $(shell date -u -r RELEASE_NOTES '+%Y-%m-%d-%H:%M UTC')
endif
VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)" VERSION_FLAGS := -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"
ifdef PACKAGE_MANAGER ifdef PACKAGE_MANAGER
VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)" VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/cmd/cloudflared/updater.BuiltForPackageManager=$(PACKAGE_MANAGER)"
endif endif
ifdef CONTAINER_BUILD
VERSION_FLAGS := $(VERSION_FLAGS) -X "github.com/cloudflare/cloudflared/metrics.Runtime=virtual"
endif
LINK_FLAGS := LINK_FLAGS :=
ifeq ($(FIPS), true) ifeq ($(FIPS), true)
LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS) LINK_FLAGS := -linkmode=external -extldflags=-static $(LINK_FLAGS)
@ -62,6 +52,8 @@ PACKAGE_DIR := $(CURDIR)/packaging
PREFIX := /usr PREFIX := /usr
INSTALL_BINDIR := $(PREFIX)/bin/ INSTALL_BINDIR := $(PREFIX)/bin/
INSTALL_MANDIR := $(PREFIX)/share/man/man1/ INSTALL_MANDIR := $(PREFIX)/share/man/man1/
CF_GO_PATH := /tmp/go
PATH := $(CF_GO_PATH)/bin:$(PATH)
LOCAL_ARCH ?= $(shell uname -m) LOCAL_ARCH ?= $(shell uname -m)
ifneq ($(GOARCH),) ifneq ($(GOARCH),)
@ -70,8 +62,6 @@ else ifeq ($(LOCAL_ARCH),x86_64)
TARGET_ARCH ?= amd64 TARGET_ARCH ?= amd64
else ifeq ($(LOCAL_ARCH),amd64) else ifeq ($(LOCAL_ARCH),amd64)
TARGET_ARCH ?= amd64 TARGET_ARCH ?= amd64
else ifeq ($(LOCAL_ARCH),386)
TARGET_ARCH ?= 386
else ifeq ($(LOCAL_ARCH),i686) else ifeq ($(LOCAL_ARCH),i686)
TARGET_ARCH ?= amd64 TARGET_ARCH ?= amd64
else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8) else ifeq ($(shell echo $(LOCAL_ARCH) | head -c 5),armv8)
@ -119,7 +109,7 @@ ifneq ($(TARGET_ARM), )
ARM_COMMAND := GOARM=$(TARGET_ARM) ARM_COMMAND := GOARM=$(TARGET_ARM)
endif endif
ifeq ($(TARGET_ARM), 7) ifeq ($(TARGET_ARM), 7)
PACKAGE_ARCH := armhf PACKAGE_ARCH := armhf
else else
PACKAGE_ARCH := $(TARGET_ARCH) PACKAGE_ARCH := $(TARGET_ARCH)
@ -128,8 +118,6 @@ endif
#for FIPS compliance, FPM defaults to MD5. #for FIPS compliance, FPM defaults to MD5.
RPM_DIGEST := --rpm-digest sha256 RPM_DIGEST := --rpm-digest sha256
GO_TEST_LOG_OUTPUT = /tmp/gotest.log
.PHONY: all .PHONY: all
all: cloudflared test all: cloudflared test
@ -137,17 +125,15 @@ all: cloudflared test
clean: clean:
go clean go clean
.PHONY: vulncheck
vulncheck:
@./.ci/scripts/vuln-check.sh
.PHONY: cloudflared .PHONY: cloudflared
cloudflared: cloudflared:
ifeq ($(FIPS), true) ifeq ($(FIPS), true)
$(info Building cloudflared with go-fips) $(info Building cloudflared with go-fips)
cp -f fips/fips.go.linux-amd64 cmd/cloudflared/fips.go
endif endif
GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared GOOS=$(TARGET_OS) GOARCH=$(TARGET_ARCH) $(ARM_COMMAND) go build -mod=vendor $(GO_BUILD_TAGS) $(LDFLAGS) $(IMPORT_PATH)/cmd/cloudflared
ifeq ($(FIPS), true) ifeq ($(FIPS), true)
rm -f cmd/cloudflared/fips.go
./check-fips.sh cloudflared ./check-fips.sh cloudflared
endif endif
@ -162,9 +148,11 @@ generate-docker-version:
.PHONY: test .PHONY: test
test: vet test: vet
$Q go test -json -v -mod=vendor -race $(LDFLAGS) ./... 2>&1 | tee $(GO_TEST_LOG_OUTPUT) ifndef CI
ifneq ($(FIPS), true) go test -v -mod=vendor -race $(LDFLAGS) ./...
@go run -mod=readonly github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest -input $(GO_TEST_LOG_OUTPUT) else
@mkdir -p .cover
go test -v -mod=vendor -race $(LDFLAGS) -coverprofile=".cover/c.out" ./...
endif endif
.PHONY: cover .PHONY: cover
@ -182,17 +170,26 @@ fuzz:
@go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet @go test -fuzz=FuzzIPDecoder -fuzztime=600s ./packet
@go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet @go test -fuzz=FuzzICMPDecoder -fuzztime=600s ./packet
@go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3 @go test -fuzz=FuzzSessionWrite -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzSessionRead -fuzztime=600s ./quic/v3 @go test -fuzz=FuzzSessionServe -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3 @go test -fuzz=FuzzRegistrationDatagram -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3 @go test -fuzz=FuzzPayloadDatagram -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3 @go test -fuzz=FuzzRegistrationResponseDatagram -fuzztime=600s ./quic/v3
@go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing @go test -fuzz=FuzzNewIdentity -fuzztime=600s ./tracing
@go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation @go test -fuzz=FuzzNewAccessValidator -fuzztime=600s ./validation
.PHONY: install-go
install-go:
rm -rf ${CF_GO_PATH}
./.teamcity/install-cloudflare-go.sh
.PHONY: cleanup-go
cleanup-go:
rm -rf ${CF_GO_PATH}
cloudflared.1: cloudflared_man_template cloudflared.1: cloudflared_man_template
sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1 sed -e 's/\$${VERSION}/$(VERSION)/; s/\$${DATE}/$(DATE)/' cloudflared_man_template > cloudflared.1
install: cloudflared cloudflared.1 install: install-go cloudflared cloudflared.1 cleanup-go
mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR) mkdir -p $(DESTDIR)$(INSTALL_BINDIR) $(DESTDIR)$(INSTALL_MANDIR)
install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared install -m755 cloudflared $(DESTDIR)$(INSTALL_BINDIR)/cloudflared
install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1 install -m644 cloudflared.1 $(DESTDIR)$(INSTALL_MANDIR)/cloudflared.1
@ -221,6 +218,10 @@ cloudflared-deb: cloudflared cloudflared.1
cloudflared-rpm: cloudflared cloudflared.1 cloudflared-rpm: cloudflared cloudflared.1
$(call build_package,rpm) $(call build_package,rpm)
.PHONY: cloudflared-pkg
cloudflared-pkg: cloudflared cloudflared.1
$(call build_package,osxpkg)
.PHONY: cloudflared-msi .PHONY: cloudflared-msi
cloudflared-msi: cloudflared-msi:
wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs wixl --define Version=$(VERSION) --define Path=$(EXECUTABLE_PATH) --output cloudflared-$(VERSION)-$(TARGET_ARCH).msi cloudflared.wxs
@ -231,18 +232,13 @@ github-release-dryrun:
.PHONY: github-release .PHONY: github-release
github-release: github-release:
python3 github_release.py --path $(PWD)/artifacts/ --release-version $(VERSION) python3 github_release.py --path $(PWD)/built_artifacts --release-version $(VERSION)
python3 github_message.py --release-version $(VERSION) python3 github_message.py --release-version $(VERSION)
.PHONY: r2-linux-release .PHONY: r2-linux-release
r2-linux-release: r2-linux-release:
python3 ./release_pkgs.py python3 ./release_pkgs.py
.PHONY: r2-next-linux-release
# Publishes to a separate R2 repository during GPG key rollover, using dual-key signing.
r2-next-linux-release:
python3 ./release_pkgs.py --upload-repo-file
.PHONY: capnp .PHONY: capnp
capnp: capnp:
which capnp # https://capnproto.org/install.html which capnp # https://capnproto.org/install.html
@ -251,41 +247,8 @@ capnp:
.PHONY: vet .PHONY: vet
vet: vet:
$Q go vet -mod=vendor github.com/cloudflare/cloudflared/... go vet -mod=vendor github.com/cloudflare/cloudflared/...
.PHONY: fmt .PHONY: fmt
fmt: fmt:
@goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto) goimports -l -w -local github.com/cloudflare/cloudflared $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
@go fmt $$(go list -mod=vendor -f '{{.Dir}}' -a ./... | fgrep -v tunnelrpc/proto)
.PHONY: fmt-check
fmt-check:
@./.ci/scripts/fmt-check.sh
.PHONY: lint
lint:
@golangci-lint run
.PHONY: mocks
mocks:
go generate mocks/mockgen.go
.PHONY: ci-build
ci-build:
@GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
@mkdir -p artifacts
@mv cloudflared artifacts/cloudflared
.PHONY: ci-fips-build
ci-fips-build:
@FIPS=true GOOS=linux GOARCH=amd64 $(MAKE) cloudflared
@mkdir -p artifacts
@mv cloudflared artifacts/cloudflared
.PHONY: ci-test
ci-test: fmt-check lint test
@go run -mod=readonly github.com/jstemmer/go-junit-report/v2@latest -in $(GO_TEST_LOG_OUTPUT) -parser gojson -out report.xml -set-exit-code
.PHONY: ci-fips-test
ci-fips-test:
@FIPS=true $(MAKE) ci-test

54
README.md
View File

@ -3,14 +3,14 @@
Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins. Contains the command-line client for Cloudflare Tunnel, a tunneling daemon that proxies traffic from the Cloudflare network to your origins.
This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you This daemon sits between Cloudflare network and your origin (e.g. a webserver). Cloudflare attracts client requests and sends them to you
via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible. via this daemon, without requiring you to poke holes on your firewall --- your origin can remain as closed as possible.
Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel) of the Cloudflare Docs. Extensive documentation can be found in the [Cloudflare Tunnel section](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) of the Cloudflare Docs.
All usages related with proxying to your origins are available under `cloudflared tunnel help`. All usages related with proxying to your origins are available under `cloudflared tunnel help`.
You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic You can also use `cloudflared` to access Tunnel origins (that are protected with `cloudflared tunnel`) for TCP traffic
at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc. at Layer 4 (i.e., not HTTP/websocket), which is relevant for use cases such as SSH, RDP, etc.
Such usages are available under `cloudflared access help`. Such usages are available under `cloudflared access help`.
You can instead use [WARP client](https://developers.cloudflare.com/warp-client/) You can instead use [WARP client](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/private-networks)
to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side. to access private origins behind Tunnels for Layer 4 traffic without requiring `cloudflared access` commands on the client side.
@ -19,64 +19,40 @@ to access private origins behind Tunnels for Layer 4 traffic without requiring `
Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a Before you use Cloudflare Tunnel, you'll need to complete a few steps in the Cloudflare dashboard: you need to add a
website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private website to your Cloudflare account. Note that today it is possible to use Tunnel without a website (e.g. for private
routing), but for legacy reasons this requirement is still necessary: routing), but for legacy reasons this requirement is still necessary:
1. [Add a website to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) 1. [Add a website to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/201720164-Creating-a-Cloudflare-account-and-adding-a-website)
2. [Change your domain nameservers to Cloudflare](https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/) 2. [Change your domain nameservers to Cloudflare](https://support.cloudflare.com/hc/en-us/articles/205195708)
## Installing `cloudflared` ## Installing `cloudflared`
Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository. Downloads are available as standalone binaries, a Docker image, and Debian, RPM, and Homebrew packages. You can also find releases [here](https://github.com/cloudflare/cloudflared/releases) on the `cloudflared` GitHub repository.
* You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases) * You can [install on macOS](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#macos) via Homebrew or by downloading the [latest Darwin amd64 release](https://github.com/cloudflare/cloudflared/releases)
* Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#linux) * Binaries, Debian, and RPM packages for Linux [can be found here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#linux)
* A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared) * A Docker image of `cloudflared` is [available on DockerHub](https://hub.docker.com/r/cloudflare/cloudflared)
* You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#windows) * You can install on Windows machines with the [steps here](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation#windows)
* To build from source, install the required version of go, mentioned in the [Development](#development) section below. Then you can run `make cloudflared`. * To build from source, first you need to download the go toolchain by running `./.teamcity/install-cloudflare-go.sh` and follow the output. Then you can run `make cloudflared`
User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/ User documentation for Cloudflare Tunnel can be found at https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
## Creating Tunnels and routing traffic ## Creating Tunnels and routing traffic
Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins. Once installed, you can authenticate `cloudflared` into your Cloudflare account and begin creating Tunnels to serve traffic to your origins.
* Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) * Create a Tunnel with [these instructions](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/create-tunnel)
* Route traffic to that Tunnel: * Route traffic to that Tunnel:
* Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) * Via public [DNS records in Cloudflare](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/dns)
* Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/public-load-balancers/) * Or via a public hostname guided by a [Cloudflare Load Balancer](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/routing-to-tunnel/lb)
* Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/) * Or from [WARP client private traffic](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/)
## TryCloudflare ## TryCloudflare
Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/trycloudflare/). Want to test Cloudflare Tunnel before adding a website to Cloudflare? You can do so with TryCloudflare using the documentation [available here](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/).
## Deprecated versions ## Deprecated versions
Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/update-cloudflared/). Cloudflare currently supports versions of cloudflared that are **within one year** of the most recent release. Breaking changes unrelated to feature availability may be introduced that will impact versions released more than one year ago. You can read more about upgrading cloudflared in our [developer documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/#updating-cloudflared).
For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1. For example, as of January 2023 Cloudflare will support cloudflared version 2023.1.1 to cloudflared 2022.1.1.
## Development
### Requirements
- [GNU Make](https://www.gnu.org/software/make/)
- [capnp](https://capnproto.org/install.html)
- [go >= 1.24](https://go.dev/doc/install)
- Optional tools:
- [capnpc-go](https://pkg.go.dev/zombiezen.com/go/capnproto2/capnpc-go)
- [goimports](https://pkg.go.dev/golang.org/x/tools/cmd/goimports)
- [golangci-lint](https://github.com/golangci/golangci-lint)
- [gomocks](https://pkg.go.dev/go.uber.org/mock)
### Build
To build cloudflared locally run `make cloudflared`
### Test
To locally run the tests run `make test`
### Linting
To format the code and keep a good code quality use `make fmt` and `make lint`
### Mocks
After changes on interfaces you might need to regenerate the mocks, so run `make mock`

207
RELEASE_NOTES
View File

@ -1,210 +1,3 @@
2026.3.0
- 2026-03-05 TUN-10292: Add cloudflared management token command
- 2026-03-03 chore: Addressing small fixes and typos
- 2026-03-03 fix: Update go-sentry and go-oidc to address CVE's
- 2026-02-24 TUN-10258: add agents.md
- 2026-02-23 TUN-10267: Update mods to fix CVE GO-2026-4394
- 2026-02-20 TUN-10247: Update tail command to use /management/logs endpoint
- 2026-02-11 TUN-9858: Add more information to proxy-dns removal message
2026.2.0
- 2026-02-06 TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341
- 2026-02-02 TUN-9858: Remove proxy-dns feature from cloudflared
2026.1.2
- 2026-01-23 Revert "TUN-9863: Update pipelines to use cloudflared EV Certificate"
- 2026-01-21 Revert "TUN-9886 notarize cloudflared"
- 2025-12-12 TUN-9886 notarize cloudflared
2026.1.1
- 2026-01-19 fix: Update boto3 to run on trixie
- 2026-01-19 fix: Fix wixl bundling tool for windows msi packages
- 2026-01-19 fix: rpm bundling and rpm key import
2026.1.0
- 2026-01-13 TUN-10162: Update go to 1.24.11 and Debian distroless to debian13
- 2025-11-21 Replace jira.cfops.it with jira.cfdata.org in connection/http2_test.go
- 2025-11-19 TUN-9863: Update pipelines to use cloudflared EV Certificate
- 2025-11-07 TUN-9800: Migrate apt internal builds to Gitlab
- 2025-11-04 TUN-9998: Don't need to read origin cert to determine if the endpoint is fedramp
- 2025-10-13 TUN-9910: Make the metadata key to carry HTTP status over QUIC transport a constant
2025.11.1
- 2025-11-07 TUN-9800: Fix docker hub push step
2025.11.0
- 2025-11-06 TUN-9863: Introduce Code Signing for Windows Builds
- 2025-11-06 TUN-9800: Prefix gitlab steps with operating system
- 2025-11-04 chore: Update cloudflared signing key name in index.html
- 2025-10-31 chore: add claude review
- 2025-10-31 Chore: Update documentation links in README
- 2025-10-31 TUN-9800: Add pipelines for linux packaging
2025.10.1
- 2025-10-30 chore: Update ci image to use goboring 1.24.9
- 2025-10-28 TUN-9849: Add cf-proxy-* to control response headers
- 2025-10-24 TUN-9961: Add pkg.cloudflared.com index.html to git repo
- 2025-10-23 TUN-9954: Update from go1.24.6 to go1.24.9
- 2025-10-23 Fix systemd service installation hanging
- 2025-10-21 TUN-9941: Use new GPG key for RPM builds
- 2025-10-21 TUN-9941: Fix typo causing r2-release-next deployment to fail
- 2025-10-21 TUN-9941: Lookup correct key for RPM signature
- 2025-10-15 TUN-9919: Make RPM postinstall scriplet idempotent
- 2025-10-14 TUN-9916: Fix the cloudflared binary path used in the component test
2025.10.0
- 2025-10-14 chore: Fix upload of RPM repo file during double signing
- 2025-10-13 TUN-9882: Bump datagram v3 write channel capacity
- 2025-10-10 chore: Fix import of GPG keys when two keys are provided
- 2025-10-10 chore: Fix parameter order when uploading RPM .repo file to R2
- 2025-10-10 TUN-9883: Add new datagram v3 feature flag
- 2025-10-09 chore: Force usage of go-boring 1.24
- 2025-10-08 TUN-9882: Improve metrics for datagram v3
- 2025-10-07 GRC-16749: Add fedramp tags to catalog
- 2025-10-07 TUN-9882: Add buffers for UDP and ICMP datagrams in datagram v3
- 2025-10-07 TUN-9882: Add write deadline for UDP origin writes
- 2025-09-29 TUN-9776: Support signing Debian packages with two keys for rollover
- 2025-09-22 TUN-9800: Add pipeline to sync between gitlab and github repos
2025.9.1
- 2025-09-22 TUN-9855: Create script to ignore vulnerabilities from govuln check
- 2025-09-19 TUN-9852: Remove fmt.Println from cloudflared access command
2025.9.0
- 2025-09-15 TUN-9820: Add support for FedRAMP in originRequest Access config
- 2025-09-11 TUN-9800: Migrate cloudflared-ci pipelines to Gitlab CI
- 2025-09-04 TUN-9803: Add windows builds to gitlab-ci
- 2025-08-27 TUN-9755: Set endpoint in tunnel credentials when generating locally managed tunnel with a Fed token
2025.8.1
- 2025-08-19 AUTH-7480 update fed callback url for login helper
- 2025-08-19 CUSTESC-53681: Correct QUIC connection management for datagram handlers
- 2025-08-12 AUTH-7260: Add support for login interstitial auto closure
2025.8.0
- 2025-08-07 vuln: Fix GO-2025-3770 vulnerability
- 2025-07-23 TUN-9583: set proper url and hostname for cloudflared tail command
- 2025-07-07 TUN-9542: Remove unsupported Debian-based releases
2025.7.0
- 2025-07-03 TUN-9540: Use numeric user id for Dockerfiles
- 2025-07-01 TUN-9161: Remove P256Kyber768Draft00PQKex curve from nonFips curve preferences
- 2025-07-01 TUN-9531: Bump go-boring from 1.24.2 to 1.24.4
- 2025-07-01 TUN-9511: Add metrics for virtual DNS origin
- 2025-06-30 TUN-9470: Add OriginDialerService to include TCP
- 2025-06-30 TUN-9473: Add --dns-resolver-addrs flag
- 2025-06-27 TUN-9472: Add virtual DNS service
- 2025-06-23 TUN-9469: Centralize UDP origin proxy dialing as ingress service
2025.6.1
- 2025-06-16 TUN-9467: add vulncheck to cloudflared
- 2025-06-16 TUN-9495: Remove references to cloudflare-go
- 2025-06-16 TUN-9371: Add logging format as JSON
- 2025-06-12 TUN-9467: bump coredns to solve CVE
2025.6.0
- 2025-06-06 TUN-9016: update go to 1.24
- 2025-06-05 TUN-9171: Use `is_default_network` instead of `is_default` to create vnet's
2025.5.0
- 2025-05-14 TUN-9319: Add dynamic loading of features to connections via ConnectionOptionsSnapshot
- 2025-05-13 TUN-9322: Add metric for unsupported RPC commands for datagram v3
- 2025-05-07 TUN-9291: Remove dynamic reloading of features for datagram v3
2025.4.2
- 2025-04-30 chore: Do not use gitlab merge request pipelines
- 2025-04-30 DEVTOOLS-16383: Create GitlabCI pipeline to release Mac builds
- 2025-04-24 TUN-9255: Improve flush on write conditions in http2 tunnel type to match what is done on the edge
- 2025-04-10 SDLC-3727 - Adding FIPS status to backstage
2025.4.0
- 2025-04-02 Fix broken links in `cmd/cloudflared/*.go` related to running tunnel as a service
- 2025-04-02 chore: remove repetitive words
- 2025-04-01 Fix messages to point to one.dash.cloudflare.com
- 2025-04-01 feat: emit explicit errors for the `service` command on unsupported OSes
- 2025-04-01 Use RELEASE_NOTES date instead of build date
- 2025-04-01 chore: Update tunnel configuration link in the readme
- 2025-04-01 fix: expand home directory for credentials file
- 2025-04-01 fix: Use path and filepath operation appropriately
- 2025-04-01 feat: Adds a new command line for tunnel run for token file
- 2025-04-01 chore: fix linter rules
- 2025-03-17 TUN-9101: Don't ignore errors on `cloudflared access ssh`
- 2025-03-06 TUN-9089: Pin go import to v0.30.0, v0.31.0 requires go 1.23
2025.2.1
- 2025-02-26 TUN-9016: update base-debian to v12
- 2025-02-25 TUN-8960: Connect to FED API GW based on the OriginCert's endpoint
- 2025-02-25 TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field
- 2025-02-13 SDLC-3762: Remove backstage.io/source-location from catalog-info.yaml
- 2025-02-06 TUN-8914: Create a flags module to group all cloudflared cli flags
2025.2.0
- 2025-02-03 TUN-8914: Add a new configuration to locally override the max-active-flows
- 2025-02-03 Bump x/crypto to 0.31.0
2025.1.1
- 2025-01-30 TUN-8858: update go to 1.22.10 and include quic-go FIPS changes
- 2025-01-30 TUN-8855: fix lint issues
- 2025-01-30 TUN-8855: Update PQ curve preferences
- 2025-01-30 TUN-8857: remove restriction for using FIPS and PQ
- 2025-01-30 TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge
- 2025-01-22 TUN-8904: Rename Connect Response Flow Rate Limited metadata
- 2025-01-21 AUTH-6633 Fix cloudflared access login + warp as auth
- 2025-01-20 TUN-8861: Add session limiter to UDP session manager
- 2025-01-20 TUN-8861: Rename Session Limiter to Flow Limiter
- 2025-01-17 TUN-8900: Add import of Apple Developer Certificate Authority to macOS Pipeline
- 2025-01-17 TUN-8871: Accept login flag to authenticate with Fedramp environment
- 2025-01-16 TUN-8866: Add linter to cloudflared repository
- 2025-01-14 TUN-8861: Add session limiter to TCP session manager
- 2025-01-13 TUN-8861: Add configuration for active sessions limiter
- 2025-01-09 TUN-8848: Don't treat connection shutdown as an error condition when RPC server is done
2025.1.0
- 2025-01-06 TUN-8842: Add Ubuntu Noble and 'any' debian distributions to release script
- 2025-01-06 TUN-8807: Add support_datagram_v3 to remote feature rollout
- 2024-12-20 TUN-8829: add CONTAINER_BUILD to dockerfiles
2024.12.2
- 2024-12-19 TUN-8822: Prevent concurrent usage of ICMPDecoder
- 2024-12-18 TUN-8818: update changes document to reflect newly added diag subcommand
- 2024-12-17 TUN-8817: Increase close session channel by one since there are two writers
- 2024-12-13 TUN-8797: update CHANGES.md with note about semi-deterministic approach used to bind metrics server
- 2024-12-13 TUN-8724: Add CLI command for diagnostic procedure
- 2024-12-11 TUN-8786: calculate cli flags once for the diagnostic procedure
- 2024-12-11 TUN-8792: Make diag/system endpoint always return a JSON
- 2024-12-10 TUN-8783: fix log collectors for the diagnostic procedure
- 2024-12-10 TUN-8785: include the icmp sources in the diag's tunnel state
- 2024-12-10 TUN-8784: Set JSON encoder options to print formatted JSON when writing diag files
2024.12.1
- 2024-12-10 TUN-8795: update createrepo to createrepo_c to fix the release_pkgs.py script
2024.12.0
- 2024-12-09 TUN-8640: Add ICMP support for datagram V3
- 2024-12-09 TUN-8789: make python package installation consistent
- 2024-12-06 TUN-8781: Add Trixie, drop Buster. Default to Bookworm
- 2024-12-05 TUN-8775: Make sure the session Close can only be called once
- 2024-12-04 TUN-8725: implement diagnostic procedure
- 2024-12-04 TUN-8767: include raw output from network collector in diagnostic zipfile
- 2024-12-04 TUN-8770: add cli configuration and tunnel configuration to diagnostic zipfile
- 2024-12-04 TUN-8768: add job report to diagnostic zipfile
- 2024-12-03 TUN-8726: implement compression routine to be used in diagnostic procedure
- 2024-12-03 TUN-8732: implement port selection algorithm
- 2024-12-03 TUN-8762: fix argument order when invoking tracert and modify network info output parsing.
- 2024-12-03 TUN-8769: fix k8s log collector arguments
- 2024-12-03 TUN-8727: extend client to include function to get cli configuration and tunnel configuration
- 2024-11-29 TUN-8729: implement network collection for diagnostic procedure
- 2024-11-29 TUN-8727: implement metrics, runtime, system, and tunnelstate in diagnostic http client
- 2024-11-27 TUN-8733: add log collection for docker
- 2024-11-27 TUN-8734: add log collection for kubernetes
- 2024-11-27 TUN-8640: Refactor ICMPRouter to support new ICMPResponders
- 2024-11-26 TUN-8735: add managed/local log collection
- 2024-11-25 TUN-8728: implement diag/tunnel endpoint
- 2024-11-25 TUN-8730: implement diag/configuration
- 2024-11-22 TUN-8737: update metrics server port selection
- 2024-11-22 TUN-8731: Implement diag/system endpoint
- 2024-11-21 TUN-8748: Migrated datagram V3 flows to use migrated context
2024.11.1 2024.11.1
- 2024-11-18 Add cloudflared tunnel ready command - 2024-11-18 Add cloudflared tunnel ready command
- 2024-11-14 Make metrics a requirement for tunnel ready command - 2024-11-14 Make metrics a requirement for tunnel ready command

3
.ci/scripts/linux/build-packages-fips.sh → build-packages-fips.sh
View File

@ -1,5 +1,4 @@
#!/bin/bash #!/bin/bash
set -e -u -o pipefail
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*") VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION echo $VERSION
@ -18,7 +17,7 @@ make cloudflared-deb
mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb mv cloudflared-fips\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-fips-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64. # rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION | sed -r 's/-/_/g') RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH="x86_64" RPMARCH="x86_64"
make cloudflared-rpm make cloudflared-rpm
mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm mv cloudflared-fips-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-fips-linux-$RPMARCH.rpm

48
build-packages.sh Executable file
View File

@ -0,0 +1,48 @@
#!/bin/bash
VERSION=$(git describe --tags --always --match "[0-9][0-9][0-9][0-9].*.*")
echo $VERSION
# Disable FIPS module in go-boring
export GOEXPERIMENT=noboringcrypto
export CGO_ENABLED=0
# This controls the directory the built artifacts go into
export ARTIFACT_DIR=artifacts/
mkdir -p $ARTIFACT_DIR
linuxArchs=("386" "amd64" "arm" "armhf" "arm64")
export TARGET_OS=linux
for arch in ${linuxArchs[@]}; do
unset TARGET_ARM
export TARGET_ARCH=$arch
## Support for arm platforms without hardware FPU enabled
if [[ $arch == arm ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=5
fi
## Support for armhf builds
if [[ $arch == armhf ]] ; then
export TARGET_ARCH=arm
export TARGET_ARM=7
fi
make cloudflared-deb
mv cloudflared\_$VERSION\_$arch.deb $ARTIFACT_DIR/cloudflared-linux-$arch.deb
# rpm packages invert the - and _ and use x86_64 instead of amd64.
RPMVERSION=$(echo $VERSION|sed -r 's/-/_/g')
RPMARCH=$arch
if [ $arch == "amd64" ];then
RPMARCH="x86_64"
fi
if [ $arch == "arm64" ]; then
RPMARCH="aarch64"
fi
make cloudflared-rpm
mv cloudflared-$RPMVERSION-1.$RPMARCH.rpm $ARTIFACT_DIR/cloudflared-linux-$RPMARCH.rpm
# finally move the linux binary as well.
mv ./cloudflared $ARTIFACT_DIR/cloudflared-linux-$arch
done

15
carrier/carrier.go
View File

@ -26,13 +26,11 @@ const (
) )
type StartOptions struct { type StartOptions struct {
AppInfo *token.AppInfo AppInfo *token.AppInfo
OriginURL string OriginURL string
Headers http.Header Headers http.Header
Host string Host string
TLSClientConfig *tls.Config TLSClientConfig *tls.Config
AutoCloseInterstitial bool
IsFedramp bool
} }
// Connection wraps up all the needed functions to forward over the tunnel // Connection wraps up all the needed functions to forward over the tunnel
@ -48,6 +46,7 @@ type StdinoutStream struct{}
// Read will read from Stdin // Read will read from Stdin
func (c *StdinoutStream) Read(p []byte) (int, error) { func (c *StdinoutStream) Read(p []byte) (int, error) {
return os.Stdin.Read(p) return os.Stdin.Read(p)
} }
// Write will write to Stdout // Write will write to Stdout
@ -140,7 +139,7 @@ func BuildAccessRequest(options *StartOptions, log *zerolog.Logger) (*http.Reque
return nil, err return nil, err
} }
token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, options.AutoCloseInterstitial, options.IsFedramp, log) token, err := token.FetchTokenWithRedirect(req.URL, options.AppInfo, log)
if err != nil { if err != nil {
return nil, err return nil, err
} }

6
catalog-info.yaml
View File

@ -4,6 +4,7 @@ metadata:
name: cloudflared name: cloudflared
description: Client for Cloudflare Tunnels description: Client for Cloudflare Tunnels
annotations: annotations:
backstage.io/source-location: url:https://bitbucket.cfdata.org/projects/TUN/repos/cloudflared/browse
cloudflare.com/software-excellence-opt-in: "true" cloudflare.com/software-excellence-opt-in: "true"
cloudflare.com/jira-project-key: "TUN" cloudflare.com/jira-project-key: "TUN"
cloudflare.com/jira-project-component: "Cloudflare Tunnel" cloudflare.com/jira-project-component: "Cloudflare Tunnel"
@ -13,8 +14,3 @@ spec:
type: "service" type: "service"
lifecycle: "Active" lifecycle: "Active"
owner: "teams/tunnel-teams-routing" owner: "teams/tunnel-teams-routing"
cf:
compliance:
fedramp-high: "pending"
fedramp-moderate: "yes"
FIPS: "required"

20
cfapi/base_client.go
View File

@ -45,7 +45,9 @@ type baseEndpoints struct {
var _ Client = (*RESTClient)(nil) var _ Client = (*RESTClient)(nil)
func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) { func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, log *zerolog.Logger) (*RESTClient, error) {
baseURL = strings.TrimSuffix(baseURL, "/") if strings.HasSuffix(baseURL, "/") {
baseURL = baseURL[:len(baseURL)-1]
}
accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag)) accountLevelEndpoint, err := url.Parse(fmt.Sprintf("%s/accounts/%s/cfd_tunnel", baseURL, accountTag))
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to create account level endpoint") return nil, errors.Wrap(err, "failed to create account level endpoint")
@ -66,7 +68,7 @@ func NewRESTClient(baseURL, accountTag, zoneTag, authToken, userAgent string, lo
TLSHandshakeTimeout: defaultTimeout, TLSHandshakeTimeout: defaultTimeout,
ResponseHeaderTimeout: defaultTimeout, ResponseHeaderTimeout: defaultTimeout,
} }
_ = http2.ConfigureTransport(&httpTransport) http2.ConfigureTransport(&httpTransport)
return &RESTClient{ return &RESTClient{
baseEndpoints: &baseEndpoints{ baseEndpoints: &baseEndpoints{
accountLevel: *accountLevelEndpoint, accountLevel: *accountLevelEndpoint,
@ -159,6 +161,7 @@ func fetchExhaustively[T any](requestFn func(int) (*http.Response, error)) ([]*T
if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount { if envelope.Pagination.Count < envelope.Pagination.PerPage || len(fullResponse) >= envelope.Pagination.TotalCount {
break break
} }
} }
return fullResponse, nil return fullResponse, nil
} }
@ -176,13 +179,14 @@ func fetchPage[T any](requestFn func(int) (*http.Response, error), page int) (*r
} }
var parsedRspBody []*T var parsedRspBody []*T
return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody) return envelope, parsedRspBody, parseResponseBody(envelope, &parsedRspBody)
} }
return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode)) return nil, nil, errors.New(fmt.Sprintf("Failed to fetch page. Server returned: %d", pageResp.StatusCode))
} }
type response struct { type response struct {
Success bool `json:"success,omitempty"` Success bool `json:"success,omitempty"`
Errors []apiError `json:"errors,omitempty"` Errors []apiErr `json:"errors,omitempty"`
Messages []string `json:"messages,omitempty"` Messages []string `json:"messages,omitempty"`
Result json.RawMessage `json:"result,omitempty"` Result json.RawMessage `json:"result,omitempty"`
Pagination Pagination `json:"result_info,omitempty"` Pagination Pagination `json:"result_info,omitempty"`
@ -202,19 +206,19 @@ func (r *response) checkErrors() error {
if len(r.Errors) == 1 { if len(r.Errors) == 1 {
return r.Errors[0] return r.Errors[0]
} }
var messagesBuilder strings.Builder var messages string
for _, e := range r.Errors { for _, e := range r.Errors {
messagesBuilder.WriteString(fmt.Sprintf("%s; ", e)) messages += fmt.Sprintf("%s; ", e)
} }
return fmt.Errorf("API errors: %s", messagesBuilder.String()) return fmt.Errorf("API errors: %s", messages)
} }
type apiError struct { type apiErr struct {
Code json.Number `json:"code,omitempty"` Code json.Number `json:"code,omitempty"`
Message string `json:"message,omitempty"` Message string `json:"message,omitempty"`
} }
func (e apiError) Error() string { func (e apiErr) Error() string {
return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message) return fmt.Sprintf("code: %v, reason: %s", e.Code, e.Message)
} }

2
cfapi/client.go
View File

@ -8,7 +8,7 @@ type TunnelClient interface {
CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error) CreateTunnel(name string, tunnelSecret []byte) (*TunnelWithToken, error)
GetTunnel(tunnelID uuid.UUID) (*Tunnel, error) GetTunnel(tunnelID uuid.UUID) (*Tunnel, error)
GetTunnelToken(tunnelID uuid.UUID) (string, error) GetTunnelToken(tunnelID uuid.UUID) (string, error)
GetManagementToken(tunnelID uuid.UUID, resource ManagementResource) (string, error) GetManagementToken(tunnelID uuid.UUID) (string, error)
DeleteTunnel(tunnelID uuid.UUID, cascade bool) error DeleteTunnel(tunnelID uuid.UUID, cascade bool) error
ListTunnels(filter *TunnelFilter) ([]*Tunnel, error) ListTunnels(filter *TunnelFilter) ([]*Tunnel, error)
ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error) ListActiveClients(tunnelID uuid.UUID) ([]*ActiveClient, error)

40
cfapi/tunnel.go
View File

@ -15,27 +15,6 @@ import (
var ErrTunnelNameConflict = errors.New("tunnel with name already exists") var ErrTunnelNameConflict = errors.New("tunnel with name already exists")
type ManagementResource int
const (
Logs ManagementResource = iota
Admin
HostDetails
)
func (r ManagementResource) String() string {
switch r {
case Logs:
return "logs"
case Admin:
return "admin"
case HostDetails:
return "host_details"
default:
return ""
}
}
type Tunnel struct { type Tunnel struct {
ID uuid.UUID `json:"id"` ID uuid.UUID `json:"id"`
Name string `json:"name"` Name string `json:"name"`
@ -71,6 +50,10 @@ type newTunnel struct {
TunnelSecret []byte `json:"tunnel_secret"` TunnelSecret []byte `json:"tunnel_secret"`
} }
type managementRequest struct {
Resources []string `json:"resources"`
}
type CleanupParams struct { type CleanupParams struct {
queryParams url.Values queryParams url.Values
} }
@ -154,16 +137,15 @@ func (r *RESTClient) GetTunnelToken(tunnelID uuid.UUID) (token string, err error
return "", r.statusCodeToError("get tunnel token", resp) return "", r.statusCodeToError("get tunnel token", resp)
} }
// managementEndpointPath returns the path segment for a management resource endpoint func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID) (token string, err error) {
func managementEndpointPath(tunnelID uuid.UUID, res ManagementResource) string {
return fmt.Sprintf("%v/management/%s", tunnelID, res.String())
}
func (r *RESTClient) GetManagementToken(tunnelID uuid.UUID, res ManagementResource) (token string, err error) {
endpoint := r.baseEndpoints.accountLevel endpoint := r.baseEndpoints.accountLevel
endpoint.Path = path.Join(endpoint.Path, managementEndpointPath(tunnelID, res)) endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/management", tunnelID))
resp, err := r.sendRequest("POST", endpoint, nil) body := &managementRequest{
Resources: []string{"logs"},
}
resp, err := r.sendRequest("POST", endpoint, body)
if err != nil { if err != nil {
return "", errors.Wrap(err, "REST request failed") return "", errors.Wrap(err, "REST request failed")
} }

78
cfapi/tunnel_test.go
View File

@ -2,6 +2,7 @@ package cfapi
import ( import (
"bytes" "bytes"
"fmt"
"net" "net"
"reflect" "reflect"
"strings" "strings"
@ -10,7 +11,6 @@ import (
"github.com/google/uuid" "github.com/google/uuid"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
) )
var loc, _ = time.LoadLocation("UTC") var loc, _ = time.LoadLocation("UTC")
@ -52,6 +52,7 @@ func Test_unmarshalTunnel(t *testing.T) {
} }
func TestUnmarshalTunnelOk(t *testing.T) { func TestUnmarshalTunnelOk(t *testing.T) {
jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}` jsonBody := `{"success": true, "result": {"id": "00000000-0000-0000-0000-000000000000","name":"test","created_at":"0001-01-01T00:00:00Z","connections":[]}}`
expected := Tunnel{ expected := Tunnel{
ID: uuid.Nil, ID: uuid.Nil,
@ -60,11 +61,12 @@ func TestUnmarshalTunnelOk(t *testing.T) {
Connections: []Connection{}, Connections: []Connection{},
} }
actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody))) actual, err := unmarshalTunnel(bytes.NewReader([]byte(jsonBody)))
require.NoError(t, err) assert.NoError(t, err)
require.Equal(t, &expected, actual) assert.Equal(t, &expected, actual)
} }
func TestUnmarshalTunnelErr(t *testing.T) { func TestUnmarshalTunnelErr(t *testing.T) {
tests := []string{ tests := []string{
`abc`, `abc`,
`{"success": true, "result": abc}`, `{"success": true, "result": abc}`,
@ -74,73 +76,7 @@ func TestUnmarshalTunnelErr(t *testing.T) {
for i, test := range tests { for i, test := range tests {
_, err := unmarshalTunnel(bytes.NewReader([]byte(test))) _, err := unmarshalTunnel(bytes.NewReader([]byte(test)))
assert.Error(t, err, "Test #%v failed", i) assert.Error(t, err, fmt.Sprintf("Test #%v failed", i))
}
}
func TestManagementResource_String(t *testing.T) {
tests := []struct {
name string
resource ManagementResource
want string
}{
{
name: "Logs",
resource: Logs,
want: "logs",
},
{
name: "Admin",
resource: Admin,
want: "admin",
},
{
name: "HostDetails",
resource: HostDetails,
want: "host_details",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assert.Equal(t, tt.want, tt.resource.String())
})
}
}
func TestManagementResource_String_Unknown(t *testing.T) {
unknown := ManagementResource(999)
assert.Equal(t, "", unknown.String())
}
func TestManagementEndpointPath(t *testing.T) {
tunnelID := uuid.MustParse("b34cc7ce-925b-46ee-bc23-4cb5c18d8292")
tests := []struct {
name string
resource ManagementResource
want string
}{
{
name: "Logs resource",
resource: Logs,
want: "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/logs",
},
{
name: "Admin resource",
resource: Admin,
want: "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/admin",
},
{
name: "HostDetails resource",
resource: HostDetails,
want: "b34cc7ce-925b-46ee-bc23-4cb5c18d8292/management/host_details",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := managementEndpointPath(tunnelID, tt.resource)
assert.Equal(t, tt.want, got)
})
} }
} }
@ -161,6 +97,6 @@ func TestUnmarshalConnections(t *testing.T) {
}}, }},
} }
actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody))) actual, err := parseConnectionsDetails(bytes.NewReader([]byte(jsonBody)))
require.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, []*ActiveClient{&expected}, actual) assert.Equal(t, []*ActiveClient{&expected}, actual)
} }

2
cfapi/virtual_network.go
View File

@ -16,7 +16,7 @@ import (
type NewVirtualNetwork struct { type NewVirtualNetwork struct {
Name string `json:"name"` Name string `json:"name"`
Comment string `json:"comment"` Comment string `json:"comment"`
IsDefault bool `json:"is_default_network"` IsDefault bool `json:"is_default"`
} }
type VirtualNetwork struct { type VirtualNetwork struct {

252
cfsetup.yaml
View File

@ -1,2 +1,250 @@
# A valid cfsetup.yaml is required but we dont have any real config to specify pinned_go: &pinned_go go-boring=1.22.5-1
dummy_key: true
build_dir: &build_dir /cfsetup_build
default-flavor: bullseye
buster: &buster
build-linux:
build_dir: *build_dir
builddeps: &build_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
pre-cache: &build_pre_cache
- export GOCACHE=/cfsetup_build/.cache/go-build
- go install golang.org/x/tools/cmd/goimports@latest
post-cache:
# Build binary for component test
- GOOS=linux GOARCH=amd64 make cloudflared
build-linux-fips:
build_dir: *build_dir
builddeps: *build_deps
pre-cache: *build_pre_cache
post-cache:
- export FIPS=true
# Build binary for component test
- GOOS=linux GOARCH=amd64 make cloudflared
cover:
build_dir: *build_dir
builddeps: *build_deps
pre-cache: *build_pre_cache
post-cache:
- make cover
# except FIPS and macos
build-linux-release:
build_dir: *build_dir
builddeps: &build_deps_release
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
- python3-dev
- python3-pip
- python3-setuptools
- wget
pre-cache: &build_release_pre_cache
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
- pip3 install boto3==1.22.9
- pip3 install python-gnupg==0.4.9
post-cache:
# build all packages (except macos and FIPS) and move them to /cfsetup/built_artifacts
- ./build-packages.sh
# handle FIPS separately so that we built with gofips compiler
build-linux-fips-release:
build_dir: *build_dir
builddeps: *build_deps_release
pre-cache: *build_release_pre_cache
post-cache:
# same logic as above, but for FIPS packages only
- ./build-packages-fips.sh
generate-versions-file:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
post-cache:
- make generate-docker-version
build-deb:
build_dir: *build_dir
builddeps: &build_deb_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- make cloudflared-deb
build-fips-internal-deb:
build_dir: *build_dir
builddeps: &build_fips_deb_deps
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export FIPS=true
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-internal-deb-nightly-amd64:
build_dir: *build_dir
builddeps: *build_fips_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export NIGHTLY=true
- export FIPS=true
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-internal-deb-nightly-arm64:
build_dir: *build_dir
builddeps: *build_fips_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=arm64
- export NIGHTLY=true
#- export FIPS=true # TUN-7595
- export ORIGINAL_NAME=true
- make cloudflared-deb
build-deb-arm64:
build_dir: *build_dir
builddeps: *build_deb_deps
post-cache:
- export GOOS=linux
- export GOARCH=arm64
- make cloudflared-deb
package-windows:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- wget
# libmsi and libgcab are libraries the wixl binary depends on.
- libmsi-dev
- libgcab-dev
pre-cache:
- wget https://github.com/sudarshan-reddy/msitools/releases/download/v0.101b/wixl -P /usr/local/bin
- chmod a+x /usr/local/bin/wixl
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
post-cache:
- .teamcity/package-windows.sh
test:
build_dir: *build_dir
builddeps: &build_deps_tests
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- libffi-dev
- gotest-to-teamcity
pre-cache: *build_pre_cache
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export PATH="$HOME/go/bin:$PATH"
- ./fmt-check.sh
- make test | gotest-to-teamcity
test-fips:
build_dir: *build_dir
builddeps: *build_deps_tests
pre-cache: *build_pre_cache
post-cache:
- export GOOS=linux
- export GOARCH=amd64
- export FIPS=true
- export PATH="$HOME/go/bin:$PATH"
- ./fmt-check.sh
- make test | gotest-to-teamcity
component-test:
build_dir: *build_dir
builddeps: &build_deps_component_test
- *pinned_go
- python3.7
- python3-pip
- python3-setuptools
# procps installs the ps command which is needed in test_sysv_service because the init script
# uses ps pid to determine if the agent is running
- procps
pre-cache-copy-paths:
- component-tests/requirements.txt
pre-cache: &component_test_pre_cache
- sudo pip3 install --upgrade -r component-tests/requirements.txt
post-cache: &component_test_post_cache
# Creates and routes a Named Tunnel for this build. Also constructs config file from env vars.
- python3 component-tests/setup.py --type create
- pytest component-tests -o log_cli=true --log-cli-level=INFO
# The Named Tunnel is deleted and its route unprovisioned here.
- python3 component-tests/setup.py --type cleanup
component-test-fips:
build_dir: *build_dir
builddeps: *build_deps_component_test
pre-cache-copy-paths:
- component-tests/requirements.txt
pre-cache: *component_test_pre_cache
post-cache: *component_test_post_cache
github-release-dryrun:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
pre-cache:
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
post-cache:
- make github-release-dryrun
github-release:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
pre-cache:
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
post-cache:
- make github-release
r2-linux-release:
build_dir: *build_dir
builddeps:
- *pinned_go
- build-essential
- fakeroot
- rubygem-fpm
- rpm
- wget
- python3-dev
- libffi-dev
- python3-setuptools
- python3-pip
- reprepro
- createrepo
pre-cache:
- pip3 install pynacl==1.4.0
- pip3 install pygithub==1.55
- pip3 install boto3==1.22.9
- pip3 install python-gnupg==0.4.9
post-cache:
- make r2-linux-release
bullseye: *buster
bookworm: *buster

74
client/config.go
View File

@ -1,74 +0,0 @@
package client
import (
"fmt"
"net"
"github.com/google/uuid"
"github.com/rs/zerolog"
"github.com/cloudflare/cloudflared/features"
"github.com/cloudflare/cloudflared/tunnelrpc/pogs"
)
// Config captures the local client runtime configuration.
type Config struct {
ConnectorID uuid.UUID
Version string
Arch string
featureSelector features.FeatureSelector
}
func NewConfig(version string, arch string, featureSelector features.FeatureSelector) (*Config, error) {
connectorID, err := uuid.NewRandom()
if err != nil {
return nil, fmt.Errorf("unable to generate a connector UUID: %w", err)
}
return &Config{
ConnectorID: connectorID,
Version: version,
Arch: arch,
featureSelector: featureSelector,
}, nil
}
// ConnectionOptionsSnapshot is a snapshot of the current client information used to initialize a connection.
//
// The FeatureSnapshot is the features that are available for this connection. At the client level they may
// change, but they will not change within the scope of this struct.
type ConnectionOptionsSnapshot struct {
client pogs.ClientInfo
originLocalIP net.IP
numPreviousAttempts uint8
FeatureSnapshot features.FeatureSnapshot
}
func (c *Config) ConnectionOptionsSnapshot(originIP net.IP, previousAttempts uint8) *ConnectionOptionsSnapshot {
snapshot := c.featureSelector.Snapshot()
return &ConnectionOptionsSnapshot{
client: pogs.ClientInfo{
ClientID: c.ConnectorID[:],
Version: c.Version,
Arch: c.Arch,
Features: snapshot.FeaturesList,
},
originLocalIP: originIP,
numPreviousAttempts: previousAttempts,
FeatureSnapshot: snapshot,
}
}
func (c ConnectionOptionsSnapshot) ConnectionOptions() *pogs.ConnectionOptions {
return &pogs.ConnectionOptions{
Client: c.client,
OriginLocalIP: c.originLocalIP,
ReplaceExisting: false,
CompressionQuality: 0,
NumPreviousAttempts: c.numPreviousAttempts,
}
}
func (c ConnectionOptionsSnapshot) LogFields(event *zerolog.Event) *zerolog.Event {
return event.Strs("features", c.client.Features)
}

50
client/config_test.go
View File

@ -1,50 +0,0 @@
package client
import (
"net"
"testing"
"github.com/stretchr/testify/require"
"github.com/cloudflare/cloudflared/features"
)
func TestGenerateConnectionOptions(t *testing.T) {
version := "1234"
arch := "linux_amd64"
originIP := net.ParseIP("192.168.1.1")
var previousAttempts uint8 = 4
config, err := NewConfig(version, arch, &mockFeatureSelector{})
require.NoError(t, err)
require.Equal(t, version, config.Version)
require.Equal(t, arch, config.Arch)
// Validate ConnectionOptionsSnapshot fields
connOptions := config.ConnectionOptionsSnapshot(originIP, previousAttempts)
require.Equal(t, version, connOptions.client.Version)
require.Equal(t, arch, connOptions.client.Arch)
require.Equal(t, config.ConnectorID[:], connOptions.client.ClientID)
// Vaidate snapshot feature fields against the connOptions generated
snapshot := config.featureSelector.Snapshot()
require.Equal(t, features.DatagramV3, snapshot.DatagramVersion)
require.Equal(t, features.DatagramV3, connOptions.FeatureSnapshot.DatagramVersion)
pogsConnOptions := connOptions.ConnectionOptions()
require.Equal(t, connOptions.client, pogsConnOptions.Client)
require.Equal(t, originIP, pogsConnOptions.OriginLocalIP)
require.False(t, pogsConnOptions.ReplaceExisting)
require.Equal(t, uint8(0), pogsConnOptions.CompressionQuality)
require.Equal(t, previousAttempts, pogsConnOptions.NumPreviousAttempts)
}
type mockFeatureSelector struct{}
func (m *mockFeatureSelector) Snapshot() features.FeatureSnapshot {
return features.FeatureSnapshot{
PostQuantum: features.PostQuantumPrefer,
DatagramVersion: features.DatagramV3,
FeaturesList: []string{features.FeaturePostQuantum, features.FeatureDatagramV3_2},
}
}

7
cmd/cloudflared/access/carrier.go
View File

@ -47,7 +47,6 @@ func StartForwarder(forwarder config.Forwarder, shutdown <-chan struct{}, log *z
options := &carrier.StartOptions{ options := &carrier.StartOptions{
OriginURL: forwarder.URL, OriginURL: forwarder.URL,
Headers: headers, //TODO: TUN-2688 support custom headers from config file Headers: headers, //TODO: TUN-2688 support custom headers from config file
IsFedramp: forwarder.IsFedramp,
} }
// we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side // we could add a cmd line variable for this bool if we want the SOCK5 server to be on the client side
@ -93,7 +92,6 @@ func ssh(c *cli.Context) error {
OriginURL: url.String(), OriginURL: url.String(),
Headers: headers, Headers: headers,
Host: url.Host, Host: url.Host,
IsFedramp: c.Bool(fedrampFlag),
} }
if connectTo := c.String(sshConnectTo); connectTo != "" { if connectTo := c.String(sshConnectTo); connectTo != "" {
@ -106,7 +104,7 @@ func ssh(c *cli.Context) error {
case 3: case 3:
options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1]) options.OriginURL = fmt.Sprintf("https://%s:%s", parts[2], parts[1])
options.TLSClientConfig = &tls.Config{ options.TLSClientConfig = &tls.Config{
InsecureSkipVerify: true, // #nosec G402 InsecureSkipVerify: true,
ServerName: parts[0], ServerName: parts[0],
} }
log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0]) log.Warn().Msgf("Using insecure SSL connection because SNI overridden to %s", parts[0])
@ -143,5 +141,6 @@ func ssh(c *cli.Context) error {
logger := log.With().Str("host", url.Host).Logger() logger := log.With().Str("host", url.Host).Logger()
s = stream.NewDebugStream(s, &logger, maxMessages) s = stream.NewDebugStream(s, &logger, maxMessages)
} }
return carrier.StartClient(wsConn, s, options) carrier.StartClient(wsConn, s, options)
return nil
} }

28
cmd/cloudflared/access/cmd.go
View File

@ -19,7 +19,6 @@ import (
"github.com/cloudflare/cloudflared/carrier" "github.com/cloudflare/cloudflared/carrier"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
"github.com/cloudflare/cloudflared/sshgen" "github.com/cloudflare/cloudflared/sshgen"
"github.com/cloudflare/cloudflared/token" "github.com/cloudflare/cloudflared/token"
@ -51,7 +50,6 @@ Host {{.Hostname}}
ProxyCommand {{.Cloudflared}} access ssh --hostname %h ProxyCommand {{.Cloudflared}} access ssh --hostname %h
{{end}} {{end}}
` `
fedrampFlag = "fedramp"
) )
const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878" const sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b@sentry.io/189878"
@ -80,10 +78,6 @@ func Commands() []*cli.Command {
Aliases: []string{"forward"}, Aliases: []string{"forward"},
Category: "Access", Category: "Access",
Usage: "access <subcommand>", Usage: "access <subcommand>",
Flags: []cli.Flag{&cli.BoolFlag{
Name: fedrampFlag,
Usage: "use when performing operations in fedramp account",
}},
Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access Description: `Cloudflare Access protects internal resources by securing, authenticating and monitoring access
per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are per-user and by application. With Cloudflare Access, only authenticated users with the required permissions are
able to reach sensitive resources. The commands provided here allow you to interact with Access protected able to reach sensitive resources. The commands provided here allow you to interact with Access protected
@ -109,10 +103,6 @@ func Commands() []*cli.Command {
Name: "no-verbose", Name: "no-verbose",
Usage: "print only the jwt to stdout", Usage: "print only the jwt to stdout",
}, },
&cli.BoolFlag{
Name: "auto-close",
Usage: "automatically close the auth interstitial after action",
},
&cli.StringFlag{ &cli.StringFlag{
Name: appURLFlag, Name: appURLFlag,
}, },
@ -182,15 +172,15 @@ func Commands() []*cli.Command {
EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"}, EnvVars: []string{"TUNNEL_SERVICE_TOKEN_SECRET"},
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.LogFile, Name: logger.LogFileFlag,
Usage: "Save application log to this file for reporting issues.", Usage: "Save application log to this file for reporting issues.",
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.LogDirectory, Name: logger.LogSSHDirectoryFlag,
Usage: "Save application log to this directory for reporting issues.", Usage: "Save application log to this directory for reporting issues.",
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.LogLevelSSH, Name: logger.LogSSHLevelFlag,
Aliases: []string{"loglevel"}, //added to match the tunnel side Aliases: []string{"loglevel"}, //added to match the tunnel side
Usage: "Application logging level {debug, info, warn, error, fatal}. ", Usage: "Application logging level {debug, info, warn, error, fatal}. ",
}, },
@ -331,7 +321,7 @@ func curl(c *cli.Context) error {
log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.") log.Info().Msg("You don't have an Access token set. Please run access token <access application> to fetch one.")
return run("curl", cmdArgs...) return run("curl", cmdArgs...)
} }
tok, err = token.FetchToken(appURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log) tok, err = token.FetchToken(appURL, appInfo, log)
if err != nil { if err != nil {
log.Err(err).Msg("Failed to refresh token") log.Err(err).Msg("Failed to refresh token")
return err return err
@ -352,7 +342,7 @@ func run(cmd string, args ...string) error {
return err return err
} }
go func() { go func() {
_, _ = io.Copy(os.Stderr, stderr) io.Copy(os.Stderr, stderr)
}() }()
stdout, err := c.StdoutPipe() stdout, err := c.StdoutPipe()
@ -360,7 +350,7 @@ func run(cmd string, args ...string) error {
return err return err
} }
go func() { go func() {
_, _ = io.Copy(os.Stdout, stdout) io.Copy(os.Stdout, stdout)
}() }()
return c.Run() return c.Run()
} }
@ -451,7 +441,7 @@ func sshGen(c *cli.Context) error {
if err != nil { if err != nil {
return err return err
} }
cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, c.Bool(cfdflags.AutoCloseInterstitial), c.Bool(fedrampFlag), log) cfdToken, err := token.FetchTokenWithRedirect(fetchTokenURL, appInfo, log)
if err != nil { if err != nil {
return err return err
} }
@ -541,7 +531,7 @@ func isFileThere(candidate string) bool {
} }
// verifyTokenAtEdge checks for a token on disk, or generates a new one. // verifyTokenAtEdge checks for a token on disk, or generates a new one.
// Then makes a request to the origin with the token to ensure it is valid. // Then makes a request to to the origin with the token to ensure it is valid.
// Returns nil if token is valid. // Returns nil if token is valid.
func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error { func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context, log *zerolog.Logger) error {
headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag)) headers := parseRequestHeaders(c.StringSlice(sshHeaderFlag))
@ -551,7 +541,7 @@ func verifyTokenAtEdge(appUrl *url.URL, appInfo *token.AppInfo, c *cli.Context,
if c.IsSet(sshTokenSecretFlag) { if c.IsSet(sshTokenSecretFlag) {
headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag)) headers.Add(cfAccessClientSecretHeader, c.String(sshTokenSecretFlag))
} }
options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers, AutoCloseInterstitial: c.Bool(cfdflags.AutoCloseInterstitial), IsFedramp: c.Bool(fedrampFlag)} options := &carrier.StartOptions{AppInfo: appInfo, OriginURL: appUrl.String(), Headers: headers}
if valid, err := isTokenValid(options, log); err != nil { if valid, err := isTokenValid(options, log); err != nil {
return err return err

87
cmd/cloudflared/app_resolver_service.go Normal file
View File

@ -0,0 +1,87 @@
package main
import (
"github.com/rs/zerolog"
"github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/tunneldns"
)
const (
// ResolverServiceType is used to identify what kind of overwatch service this is
ResolverServiceType = "resolver"
LogFieldResolverAddress = "resolverAddress"
LogFieldResolverPort = "resolverPort"
LogFieldResolverMaxUpstreamConns = "resolverMaxUpstreamConns"
)
// ResolverService is used to wrap the tunneldns package's DNS over HTTP
// into a service model for the overwatch package.
// it also holds a reference to the config object that represents its state
type ResolverService struct {
resolver config.DNSResolver
shutdown chan struct{}
log *zerolog.Logger
}
// NewResolverService creates a new resolver service
func NewResolverService(r config.DNSResolver, log *zerolog.Logger) *ResolverService {
return &ResolverService{resolver: r,
shutdown: make(chan struct{}),
log: log,
}
}
// Name is used to figure out this service is related to the others (normally the addr it binds to)
// this is just "resolver" since there can only be one DNS resolver running
func (s *ResolverService) Name() string {
return ResolverServiceType
}
// Type is used to identify what kind of overwatch service this is
func (s *ResolverService) Type() string {
return ResolverServiceType
}
// Hash is used to figure out if this forwarder is the unchanged or not from the config file updates
func (s *ResolverService) Hash() string {
return s.resolver.Hash()
}
// Shutdown stops the tunneldns listener
func (s *ResolverService) Shutdown() {
s.shutdown <- struct{}{}
}
// Run is the run loop that is started by the overwatch service
func (s *ResolverService) Run() error {
// create a listener
l, err := tunneldns.CreateListener(s.resolver.AddressOrDefault(), s.resolver.PortOrDefault(),
s.resolver.UpstreamsOrDefault(), s.resolver.BootstrapsOrDefault(), s.resolver.MaxUpstreamConnectionsOrDefault(), s.log)
if err != nil {
return err
}
// start the listener.
readySignal := make(chan struct{})
err = l.Start(readySignal)
if err != nil {
_ = l.Stop()
return err
}
<-readySignal
resolverLog := s.log.With().
Str(LogFieldResolverAddress, s.resolver.AddressOrDefault()).
Uint16(LogFieldResolverPort, s.resolver.PortOrDefault()).
Int(LogFieldResolverMaxUpstreamConns, s.resolver.MaxUpstreamConnectionsOrDefault()).
Logger()
resolverLog.Info().Msg("Starting resolver")
// wait for shutdown signal
<-s.shutdown
resolverLog.Info().Msg("Shutting down resolver")
return l.Stop()
}

10
cmd/cloudflared/app_service.go
View File

@ -8,7 +8,7 @@ import (
) )
// AppService is the main service that runs when no command lines flags are passed to cloudflared // AppService is the main service that runs when no command lines flags are passed to cloudflared
// it manages all the running services such as tunnels, forwarders, etc // it manages all the running services such as tunnels, forwarders, DNS resolver, etc
type AppService struct { type AppService struct {
configManager config.Manager configManager config.Manager
serviceManager overwatch.Manager serviceManager overwatch.Manager
@ -73,6 +73,14 @@ func (s *AppService) handleConfigUpdate(c config.Root) {
activeServices[service.Name()] = struct{}{} activeServices[service.Name()] = struct{}{}
} }
// handle resolver changes
if c.Resolver.Enabled {
service := NewResolverService(c.Resolver, s.log)
s.serviceManager.Add(service)
activeServices[service.Name()] = struct{}{}
}
// TODO: TUN-1451 - tunnels // TODO: TUN-1451 - tunnels
// remove any services that are no longer active // remove any services that are no longer active

20
cmd/cloudflared/cliutil/logger.go
View File

@ -4,32 +4,25 @@ import (
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc" "github.com/urfave/cli/v2/altsrc"
"github.com/cloudflare/cloudflared/cmd/cloudflared/flags" "github.com/cloudflare/cloudflared/logger"
) )
var ( var (
debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " + debugLevelWarning = "At debug level cloudflared will log request URL, method, protocol, content length, as well as, all request and response headers. " +
"This can expose sensitive information in your logs." "This can expose sensitive information in your logs."
FlagLogOutput = &cli.StringFlag{
Name: flags.LogFormatOutput,
Usage: "Output format for the logs (default, json)",
Value: flags.LogFormatOutputValueDefault,
EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT", "TUNNEL_LOG_OUTPUT"},
}
) )
func ConfigureLoggingFlags(shouldHide bool) []cli.Flag { func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
return []cli.Flag{ return []cli.Flag{
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.LogLevel, Name: logger.LogLevelFlag,
Value: "info", Value: "info",
Usage: "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning, Usage: "Application logging level {debug, info, warn, error, fatal}. " + debugLevelWarning,
EnvVars: []string{"TUNNEL_LOGLEVEL"}, EnvVars: []string{"TUNNEL_LOGLEVEL"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.TransportLogLevel, Name: logger.LogTransportLevelFlag,
Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel Aliases: []string{"proto-loglevel"}, // This flag used to be called proto-loglevel
Value: "info", Value: "info",
Usage: "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}", Usage: "Transport logging level(previously called protocol logging level) {debug, info, warn, error, fatal}",
@ -37,23 +30,22 @@ func ConfigureLoggingFlags(shouldHide bool) []cli.Flag {
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.LogFile, Name: logger.LogFileFlag,
Usage: "Save application log to this file for reporting issues.", Usage: "Save application log to this file for reporting issues.",
EnvVars: []string{"TUNNEL_LOGFILE"}, EnvVars: []string{"TUNNEL_LOGFILE"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.LogDirectory, Name: logger.LogDirectoryFlag,
Usage: "Save application log to this directory for reporting issues.", Usage: "Save application log to this directory for reporting issues.",
EnvVars: []string{"TUNNEL_LOGDIRECTORY"}, EnvVars: []string{"TUNNEL_LOGDIRECTORY"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.TraceOutput, Name: "trace-output",
Usage: "Name of trace output file, generated when cloudflared stops.", Usage: "Name of trace output file, generated when cloudflared stops.",
EnvVars: []string{"TUNNEL_TRACE_OUTPUT"}, EnvVars: []string{"TUNNEL_TRACE_OUTPUT"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
FlagLogOutput,
} }
} }

84
cmd/cloudflared/cliutil/management.go
View File

@ -1,84 +0,0 @@
package cliutil
import (
"errors"
"fmt"
"io"
"os"
"time"
"github.com/google/uuid"
"github.com/mattn/go-colorable"
"github.com/rs/zerolog"
"github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cfapi"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/credentials"
)
// Error definitions for management token operations
var (
ErrNoTunnelID = errors.New("no tunnel ID provided")
ErrInvalidTunnelID = errors.New("unable to parse provided tunnel id as a valid UUID")
)
// GetManagementToken acquires a management token from Cloudflare API for the specified resource
func GetManagementToken(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource, buildInfo *BuildInfo) (string, error) {
userCreds, err := credentials.Read(c.String(cfdflags.OriginCert), log)
if err != nil {
return "", err
}
var apiURL string
if userCreds.IsFEDEndpoint() {
apiURL = credentials.FedRampBaseApiURL
} else {
apiURL = c.String(cfdflags.ApiURL)
}
client, err := userCreds.Client(apiURL, buildInfo.UserAgent(), log)
if err != nil {
return "", err
}
tunnelIDString := c.Args().First()
if tunnelIDString == "" {
return "", ErrNoTunnelID
}
tunnelID, err := uuid.Parse(tunnelIDString)
if err != nil {
return "", fmt.Errorf("%w: %v", ErrInvalidTunnelID, err)
}
token, err := client.GetManagementToken(tunnelID, res)
if err != nil {
return "", err
}
return token, nil
}
// CreateStderrLogger creates a logger that outputs to stderr to avoid interfering with stdout
func CreateStderrLogger(c *cli.Context) *zerolog.Logger {
level, levelErr := zerolog.ParseLevel(c.String(cfdflags.LogLevel))
if levelErr != nil {
level = zerolog.InfoLevel
}
var writer io.Writer
switch c.String(cfdflags.LogFormatOutput) {
case cfdflags.LogFormatOutputValueJSON:
// zerolog by default outputs as JSON
writer = os.Stderr
case cfdflags.LogFormatOutputValueDefault:
// "default" and unset use the same logger output format
fallthrough
default:
writer = zerolog.ConsoleWriter{
Out: colorable.NewColorable(os.Stderr),
TimeFormat: time.RFC3339,
}
}
log := zerolog.New(writer).With().Timestamp().Logger().Level(level)
return &log
}

166
cmd/cloudflared/flags/flags.go
View File

@ -1,166 +0,0 @@
package flags
const (
// HaConnections specifies how many connections to make to the edge
HaConnections = "ha-connections"
// SshPort is the port on localhost the cloudflared ssh server will run on
SshPort = "local-ssh-port"
// SshIdleTimeout defines the duration a SSH session can remain idle before being closed
SshIdleTimeout = "ssh-idle-timeout"
// SshMaxTimeout defines the max duration a SSH session can remain open for
SshMaxTimeout = "ssh-max-timeout"
// SshLogUploaderBucketName is the bucket name to use for the SSH log uploader
SshLogUploaderBucketName = "bucket-name"
// SshLogUploaderRegionName is the AWS region name to use for the SSH log uploader
SshLogUploaderRegionName = "region-name"
// SshLogUploaderSecretID is the Secret id of SSH log uploader
SshLogUploaderSecretID = "secret-id"
// SshLogUploaderAccessKeyID is the Access key id of SSH log uploader
SshLogUploaderAccessKeyID = "access-key-id"
// SshLogUploaderSessionTokenID is the Session token of SSH log uploader
SshLogUploaderSessionTokenID = "session-token"
// SshLogUploaderS3URL is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
SshLogUploaderS3URL = "s3-url-host"
// HostKeyPath is the path of the dir to save SSH host keys too
HostKeyPath = "host-key-path"
// RpcTimeout is how long to wait for a Capnp RPC request to the edge
RpcTimeout = "rpc-timeout"
// WriteStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
WriteStreamTimeout = "write-stream-timeout"
// QuicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
QuicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
// QuicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
// but it's blocked by flow control
QuicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
// QuicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
// it will send a STREAM_DATA_BLOCKED frame
QuicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
// Ui is to enable launching cloudflared in interactive UI mode
Ui = "ui"
// ConnectorLabel is the command line flag to give a meaningful label to a specific connector
ConnectorLabel = "label"
// MaxActiveFlows is the command line flag to set the maximum number of flows that cloudflared can be processing at the same time
MaxActiveFlows = "max-active-flows"
// Tag is the command line flag to set custom tags used to identify this tunnel via added HTTP request headers to the origin
Tag = "tag"
// Protocol is the command line flag to set the protocol to use to connect to the Cloudflare Edge
Protocol = "protocol"
// PostQuantum is the command line flag to force the connection to Cloudflare Edge to use Post Quantum cryptography
PostQuantum = "post-quantum"
// Features is the command line flag to opt into various features that are still being developed or tested
Features = "features"
// EdgeIpVersion is the command line flag to set the Cloudflare Edge IP address version to connect with
EdgeIpVersion = "edge-ip-version"
// EdgeBindAddress is the command line flag to bind to IP address for outgoing connections to Cloudflare Edge
EdgeBindAddress = "edge-bind-address"
// Force is the command line flag to specify if you wish to force an action
Force = "force"
// Edge is the command line flag to set the address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment
Edge = "edge"
// Region is the command line flag to set the Cloudflare Edge region to connect to
Region = "region"
// IsAutoUpdated is the command line flag to signal the new process that cloudflared has been autoupdated
IsAutoUpdated = "is-autoupdated"
// LBPool is the command line flag to set the name of the load balancing pool to add this origin to
LBPool = "lb-pool"
// Retries is the command line flag to set the maximum number of retries for connection/protocol errors
Retries = "retries"
// MaxEdgeAddrRetries is the command line flag to set the maximum number of times to retry on edge addrs before falling back to a lower protocol
MaxEdgeAddrRetries = "max-edge-addr-retries"
// GracePeriod is the command line flag to set the maximum amount of time that cloudflared waits to shut down if it is still serving requests
GracePeriod = "grace-period"
// ICMPV4Src is the command line flag to set the source address and the interface name to send/receive ICMPv4 messages
ICMPV4Src = "icmpv4-src"
// ICMPV6Src is the command line flag to set the source address and the interface name to send/receive ICMPv6 messages
ICMPV6Src = "icmpv6-src"
// Name is the command line to set the name of the tunnel
Name = "name"
// AutoUpdateFreq is the command line for setting the frequency that cloudflared checks for updates
AutoUpdateFreq = "autoupdate-freq"
// NoAutoUpdate is the command line flag to disable cloudflared from checking for updates
NoAutoUpdate = "no-autoupdate"
// LogLevel is the command line flag for the cloudflared logging level
LogLevel = "loglevel"
// LogLevelSSH is the command line flag for the cloudflared ssh logging level
LogLevelSSH = "log-level"
// TransportLogLevel is the command line flag for the transport logging level
TransportLogLevel = "transport-loglevel"
// LogFile is the command line flag to define the file where application logs will be stored
LogFile = "logfile"
// LogDirectory is the command line flag to define the directory where application logs will be stored.
LogDirectory = "log-directory"
// LogFormatOutput allows the command line logs to be output as JSON.
LogFormatOutput = "output"
LogFormatOutputValueDefault = "default"
LogFormatOutputValueJSON = "json"
// TraceOutput is the command line flag to set the name of trace output file
TraceOutput = "trace-output"
// OriginCert is the command line flag to define the path for the origin certificate used by cloudflared
OriginCert = "origincert"
// Metrics is the command line flag to define the address of the metrics server
Metrics = "metrics"
// MetricsUpdateFreq is the command line flag to define how frequently tunnel metrics are updated
MetricsUpdateFreq = "metrics-update-freq"
// ApiURL is the command line flag used to define the base URL of the API
ApiURL = "api-url"
// Virtual DNS resolver service resolver addresses to use instead of dynamically fetching them from the OS.
VirtualDNSServiceResolverAddresses = "dns-resolver-addrs"
// Management hostname to signify incoming management requests
ManagementHostname = "management-hostname"
// Automatically close the login interstitial browser window after the user makes a decision.
AutoCloseInterstitial = "auto-close"
)

27
cmd/cloudflared/generic_service.go
View File

@ -3,38 +3,11 @@
package main package main
import ( import (
"fmt"
"os" "os"
cli "github.com/urfave/cli/v2" cli "github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
) )
func runApp(app *cli.App, graceShutdownC chan struct{}) { func runApp(app *cli.App, graceShutdownC chan struct{}) {
app.Commands = append(app.Commands, &cli.Command{
Name: "service",
Usage: "Manages the cloudflared system service (not supported on this operating system)",
Subcommands: []*cli.Command{
{
Name: "install",
Usage: "Install cloudflared as a system service (not supported on this operating system)",
Action: cliutil.ConfiguredAction(installGenericService),
},
{
Name: "uninstall",
Usage: "Uninstall the cloudflared service (not supported on this operating system)",
Action: cliutil.ConfiguredAction(uninstallGenericService),
},
},
})
app.Run(os.Args) app.Run(os.Args)
} }
func installGenericService(c *cli.Context) error {
return fmt.Errorf("service installation is not supported on this operating system")
}
func uninstallGenericService(c *cli.Context) error {
return fmt.Errorf("service uninstallation is not supported on this operating system")
}

55
cmd/cloudflared/linux_service.go
View File

@ -4,7 +4,6 @@ package main
import ( import (
"fmt" "fmt"
"io"
"os" "os"
"github.com/rs/zerolog" "github.com/rs/zerolog"
@ -16,7 +15,7 @@ import (
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
) )
func runApp(app *cli.App, _ chan struct{}) { func runApp(app *cli.App, graceShutdownC chan struct{}) {
app.Commands = append(app.Commands, &cli.Command{ app.Commands = append(app.Commands, &cli.Command{
Name: "service", Name: "service",
Usage: "Manages the cloudflared system service", Usage: "Manages the cloudflared system service",
@ -36,7 +35,7 @@ func runApp(app *cli.App, _ chan struct{}) {
}, },
}, },
}) })
_ = app.Run(os.Args) app.Run(os.Args)
} }
// The directory and files that are used by the service. // The directory and files that are used by the service.
@ -60,7 +59,7 @@ After=network-online.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
TimeoutStartSec=15 TimeoutStartSec=0
Type=notify Type=notify
ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }} ExecStart={{ .Path }} --no-autoupdate{{ range .ExtraArgs }} {{ . }}{{ end }}
Restart=on-failure Restart=on-failure
@ -98,7 +97,6 @@ WantedBy=timers.target
var sysvTemplate = ServiceTemplate{ var sysvTemplate = ServiceTemplate{
Path: "/etc/init.d/cloudflared", Path: "/etc/init.d/cloudflared",
FileMode: 0755, FileMode: 0755,
// nolint: dupword
Content: `#!/bin/sh Content: `#!/bin/sh
# For RedHat and cousins: # For RedHat and cousins:
# chkconfig: 2345 99 01 # chkconfig: 2345 99 01
@ -186,11 +184,13 @@ exit 0
`, `,
} }
var noUpdateServiceFlag = &cli.BoolFlag{ var (
Name: "no-update-service", noUpdateServiceFlag = &cli.BoolFlag{
Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.", Name: "no-update-service",
Value: false, Usage: "Disable auto-update of the cloudflared linux service, which restarts the server to upgrade for new versions.",
} Value: false,
}
)
func isSystemd() bool { func isSystemd() bool {
if _, err := os.Stat("/run/systemd/system"); err == nil { if _, err := os.Stat("/run/systemd/system"); err == nil {
@ -430,38 +430,3 @@ func uninstallSysv(log *zerolog.Logger) error {
} }
return nil return nil
} }
func ensureConfigDirExists(configDir string) error {
ok, err := config.FileExists(configDir)
if !ok && err == nil {
err = os.Mkdir(configDir, 0755)
}
return err
}
func copyFile(src, dest string) error {
srcFile, err := os.Open(src)
if err != nil {
return err
}
defer srcFile.Close()
destFile, err := os.Create(dest)
if err != nil {
return err
}
ok := false
defer func() {
destFile.Close()
if !ok {
_ = os.Remove(dest)
}
}()
if _, err := io.Copy(destFile, srcFile); err != nil {
return err
}
ok = true
return nil
}

17
cmd/cloudflared/macos_service.go
View File

@ -6,7 +6,6 @@ import (
"fmt" "fmt"
"os" "os"
homedir "github.com/mitchellh/go-homedir"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
@ -18,7 +17,7 @@ const (
launchdIdentifier = "com.cloudflare.cloudflared" launchdIdentifier = "com.cloudflare.cloudflared"
) )
func runApp(app *cli.App, _ chan struct{}) { func runApp(app *cli.App, graceShutdownC chan struct{}) {
app.Commands = append(app.Commands, &cli.Command{ app.Commands = append(app.Commands, &cli.Command{
Name: "service", Name: "service",
Usage: "Manages the cloudflared launch agent", Usage: "Manages the cloudflared launch agent",
@ -120,7 +119,7 @@ func installLaunchd(c *cli.Context) error {
log.Info().Msg("Installing cloudflared client as an user launch agent. " + log.Info().Msg("Installing cloudflared client as an user launch agent. " +
"Note that cloudflared client will only run when the user is logged in. " + "Note that cloudflared client will only run when the user is logged in. " +
"If you want to run cloudflared client at boot, install with root permission. " + "If you want to run cloudflared client at boot, install with root permission. " +
"For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/macos/") "For more information, visit https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/run-as-service")
} }
etPath, err := os.Executable() etPath, err := os.Executable()
if err != nil { if err != nil {
@ -208,15 +207,3 @@ func uninstallLaunchd(c *cli.Context) error {
} }
return err return err
} }
func userHomeDir() (string, error) {
// This returns the home dir of the executing user using OS-specific method
// for discovering the home dir. It's not recommended to call this function
// when the user has root permission as $HOME depends on what options the user
// use with sudo.
homeDir, err := homedir.Dir()
if err != nil {
return "", errors.Wrap(err, "Cannot determine home directory for the user")
}
return homeDir, nil
}

27
cmd/cloudflared/main.go
View File

@ -2,18 +2,19 @@ package main
import ( import (
"fmt" "fmt"
"math/rand"
"os" "os"
"strings" "strings"
"time" "time"
"github.com/getsentry/sentry-go" "github.com/getsentry/sentry-go"
homedir "github.com/mitchellh/go-homedir"
"github.com/pkg/errors"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"go.uber.org/automaxprocs/maxprocs" "go.uber.org/automaxprocs/maxprocs"
"github.com/cloudflare/cloudflared/cmd/cloudflared/access" "github.com/cloudflare/cloudflared/cmd/cloudflared/access"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/cmd/cloudflared/management"
"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns" "github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
"github.com/cloudflare/cloudflared/cmd/cloudflared/tail" "github.com/cloudflare/cloudflared/cmd/cloudflared/tail"
"github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel" "github.com/cloudflare/cloudflared/cmd/cloudflared/tunnel"
@ -51,8 +52,10 @@ var (
func main() { func main() {
// FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported // FIXME: TUN-8148: Disable QUIC_GO ECN due to bugs in proper detection if supported
os.Setenv("QUIC_GO_DISABLE_ECN", "1") os.Setenv("QUIC_GO_DISABLE_ECN", "1")
rand.Seed(time.Now().UnixNano())
metrics.RegisterBuildInfo(BuildType, BuildTime, Version) metrics.RegisterBuildInfo(BuildType, BuildTime, Version)
_, _ = maxprocs.Set() maxprocs.Set()
bInfo := cliutil.GetBuildInfo(BuildType, Version) bInfo := cliutil.GetBuildInfo(BuildType, Version)
// Graceful shutdown channel used by the app. When closed, app must terminate gracefully. // Graceful shutdown channel used by the app. When closed, app must terminate gracefully.
@ -92,7 +95,6 @@ func main() {
tracing.Init(Version) tracing.Init(Version)
token.Init(Version) token.Init(Version)
tail.Init(bInfo) tail.Init(bInfo)
management.Init(bInfo)
runApp(app, graceShutdownC) runApp(app, graceShutdownC)
} }
@ -108,7 +110,7 @@ func commands(version func(c *cli.Context)) []*cli.Command {
Usage: "specify if you wish to update to the latest beta version", Usage: "specify if you wish to update to the latest beta version",
}, },
&cli.BoolFlag{ &cli.BoolFlag{
Name: cfdflags.Force, Name: "force",
Usage: "specify if you wish to force an upgrade to the latest version regardless of the current version", Usage: "specify if you wish to force an upgrade to the latest version regardless of the current version",
Hidden: true, Hidden: true,
}, },
@ -151,10 +153,9 @@ To determine if an update happened in a script, check for error code 11.`,
}, },
} }
cmds = append(cmds, tunnel.Commands()...) cmds = append(cmds, tunnel.Commands()...)
cmds = append(cmds, proxydns.Command()) // removed feature, only here for error message cmds = append(cmds, proxydns.Command(false))
cmds = append(cmds, access.Commands()...) cmds = append(cmds, access.Commands()...)
cmds = append(cmds, tail.Command()) cmds = append(cmds, tail.Command())
cmds = append(cmds, management.Command())
return cmds return cmds
} }
@ -183,6 +184,18 @@ func action(graceShutdownC chan struct{}) cli.ActionFunc {
}) })
} }
func userHomeDir() (string, error) {
// This returns the home dir of the executing user using OS-specific method
// for discovering the home dir. It's not recommended to call this function
// when the user has root permission as $HOME depends on what options the user
// use with sudo.
homeDir, err := homedir.Dir()
if err != nil {
return "", errors.Wrap(err, "Cannot determine home directory for the user")
}
return homeDir, nil
}
// In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match. // In order to keep the amount of noise sent to Sentry low, typical network errors can be filtered out here by a substring match.
func captureError(err error) { func captureError(err error) {
errorMessage := err.Error() errorMessage := err.Error()

105
cmd/cloudflared/management/cmd.go
View File

@ -1,105 +0,0 @@
package management
import (
"encoding/json"
"fmt"
"os"
"github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cfapi"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/credentials"
)
var buildInfo *cliutil.BuildInfo
// Init initializes the management package with build info
func Init(bi *cliutil.BuildInfo) {
buildInfo = bi
}
// Command returns the management command with its subcommands
func Command() *cli.Command {
return &cli.Command{
Name: "management",
Usage: "Monitor cloudflared tunnels via management API",
Category: "Management",
Hidden: true,
Subcommands: []*cli.Command{
buildTokenSubcommand(),
},
}
}
// buildTokenSubcommand creates the token subcommand
func buildTokenSubcommand() *cli.Command {
return &cli.Command{
Name: "token",
Action: cliutil.ConfiguredAction(tokenCommand),
Usage: "Get management access jwt for a specific resource",
UsageText: "cloudflared management token --resource <resource> TUNNEL_ID",
Description: "Get management access jwt for a tunnel with specified resource permissions (logs, admin, host_details)",
Hidden: true,
Flags: []cli.Flag{
&cli.StringFlag{
Name: "resource",
Usage: "Resource type for token permissions: logs, admin, or host_details",
Required: true,
},
&cli.StringFlag{
Name: cfdflags.OriginCert,
Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
Value: credentials.FindDefaultOriginCertPath(),
},
&cli.StringFlag{
Name: cfdflags.LogLevel,
Value: "info",
Usage: "Application logging level {debug, info, warn, error, fatal}",
EnvVars: []string{"TUNNEL_LOGLEVEL"},
},
cliutil.FlagLogOutput,
},
}
}
// tokenCommand handles the token subcommand execution
func tokenCommand(c *cli.Context) error {
log := cliutil.CreateStderrLogger(c)
// Parse and validate resource flag
resourceStr := c.String("resource")
resource, err := parseResource(resourceStr)
if err != nil {
return fmt.Errorf("invalid resource '%s': %w", resourceStr, err)
}
// Get management token
token, err := cliutil.GetManagementToken(c, log, resource, buildInfo)
if err != nil {
return err
}
// Output JSON to stdout
tokenResponse := struct {
Token string `json:"token"`
}{Token: token}
return json.NewEncoder(os.Stdout).Encode(tokenResponse)
}
// parseResource converts resource string to ManagementResource enum
func parseResource(resource string) (cfapi.ManagementResource, error) {
switch resource {
case "logs":
return cfapi.Logs, nil
case "admin":
return cfapi.Admin, nil
case "host_details":
return cfapi.HostDetails, nil
default:
return 0, fmt.Errorf("must be one of: logs, admin, host_details")
}
}

71
cmd/cloudflared/management/cmd_test.go
View File

@ -1,71 +0,0 @@
package management
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/cloudflare/cloudflared/cfapi"
)
func TestParseResource_ValidResources(t *testing.T) {
t.Parallel()
tests := []struct {
input string
expected cfapi.ManagementResource
}{
{"logs", cfapi.Logs},
{"admin", cfapi.Admin},
{"host_details", cfapi.HostDetails},
}
for _, tt := range tests {
t.Run(tt.input, func(t *testing.T) {
t.Parallel()
result, err := parseResource(tt.input)
require.NoError(t, err)
assert.Equal(t, tt.expected, result)
})
}
}
func TestParseResource_InvalidResource(t *testing.T) {
t.Parallel()
invalid := []string{"invalid", "LOGS", "Admin", "", "metrics", "host-details"}
for _, input := range invalid {
t.Run(input, func(t *testing.T) {
t.Parallel()
_, err := parseResource(input)
require.Error(t, err)
assert.Contains(t, err.Error(), "must be one of")
})
}
}
func TestCommandStructure(t *testing.T) {
t.Parallel()
cmd := Command()
assert.Equal(t, "management", cmd.Name)
assert.True(t, cmd.Hidden)
assert.Len(t, cmd.Subcommands, 1)
tokenCmd := cmd.Subcommands[0]
assert.Equal(t, "token", tokenCmd.Name)
assert.True(t, tokenCmd.Hidden)
// Verify required flags exist
var hasResourceFlag bool
for _, flag := range tokenCmd.Flags {
if flag.Names()[0] == "resource" {
hasResourceFlag = true
break
}
}
assert.True(t, hasResourceFlag, "token command should have --resource flag")
}

131
cmd/cloudflared/proxydns/cmd.go
View File

@ -1,54 +1,115 @@
package proxydns package proxydns
import ( import (
"errors" "context"
"net"
"os"
"os/signal"
"syscall"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
"github.com/cloudflare/cloudflared/metrics"
"github.com/cloudflare/cloudflared/tunneldns"
) )
const removedMessage = "dns-proxy feature is no longer supported" func Command(hidden bool) *cli.Command {
func Command() *cli.Command {
return &cli.Command{ return &cli.Command{
Name: "proxy-dns", Name: "proxy-dns",
Action: cliutil.ConfiguredAction(Run), Action: cliutil.ConfiguredAction(Run),
Usage: removedMessage,
SkipFlagParsing: true, Usage: "Run a DNS over HTTPS proxy server.",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "metrics",
Value: "localhost:",
Usage: "Listen address for metrics reporting.",
EnvVars: []string{"TUNNEL_METRICS"},
},
&cli.StringFlag{
Name: "address",
Usage: "Listen address for the DNS over HTTPS proxy server.",
Value: "localhost",
EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
},
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
&cli.IntFlag{
Name: "port",
Usage: "Listen on given port for the DNS over HTTPS proxy server.",
Value: 53,
EnvVars: []string{"TUNNEL_DNS_PORT"},
},
&cli.StringSliceFlag{
Name: "upstream",
Usage: "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
Value: cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
},
&cli.StringSliceFlag{
Name: "bootstrap",
Usage: "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
Value: cli.NewStringSlice("https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"),
EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
},
&cli.IntFlag{
Name: "max-upstream-conns",
Usage: "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
Value: tunneldns.MaxUpstreamConnsDefault,
EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
},
},
ArgsUsage: " ", // can't be the empty string or we get the default output
Hidden: hidden,
} }
} }
// Run implements a foreground runner
func Run(c *cli.Context) error { func Run(c *cli.Context) error {
log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog) log := logger.CreateLoggerFromContext(c, logger.EnableTerminalLog)
err := errors.New(removedMessage)
log.Error().Msg("DNS Proxy is no longer supported since version 2026.2.0 (https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/). As an alternative consider using https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/dns-over-https-client/")
metricsListener, err := net.Listen("tcp", c.String("metrics"))
if err != nil {
log.Fatal().Err(err).Msg("Failed to open the metrics listener")
}
go metrics.ServeMetrics(metricsListener, context.Background(), metrics.Config{}, log)
listener, err := tunneldns.CreateListener(
c.String("address"),
// Note TUN-3758 , we use Int because UInt is not supported with altsrc
uint16(c.Int("port")),
c.StringSlice("upstream"),
c.StringSlice("bootstrap"),
c.Int("max-upstream-conns"),
log,
)
if err != nil {
log.Err(err).Msg("Failed to create the listeners")
return err
}
// Try to start the server
readySignal := make(chan struct{})
err = listener.Start(readySignal)
if err != nil {
log.Err(err).Msg("Failed to start the listeners")
return listener.Stop()
}
<-readySignal
// Wait for signal
signals := make(chan os.Signal, 10)
signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
defer signal.Stop(signals)
<-signals
// Shut down server
err = listener.Stop()
if err != nil {
log.Err(err).Msg("failed to stop")
}
return err return err
} }
// Old flags used by the proxy-dns command, only kept to not break any script that might be setting these flags
func ConfigureProxyDNSFlags(shouldHide bool) []cli.Flag {
return []cli.Flag{
altsrc.NewBoolFlag(&cli.BoolFlag{
Name: "proxy-dns",
}),
altsrc.NewIntFlag(&cli.IntFlag{
Name: "proxy-dns-port",
}),
altsrc.NewStringFlag(&cli.StringFlag{
Name: "proxy-dns-address",
}),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: "proxy-dns-upstream",
}),
altsrc.NewIntFlag(&cli.IntFlag{
Name: "proxy-dns-max-upstream-conns",
}),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: "proxy-dns-bootstrap",
}),
}
}

121
cmd/cloudflared/service_template.go
View File

@ -1,16 +1,18 @@
package main package main
import ( import (
"bufio"
"bytes" "bytes"
"errors"
"fmt" "fmt"
"io" "io"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path"
"text/template" "text/template"
homedir "github.com/mitchellh/go-homedir" homedir "github.com/mitchellh/go-homedir"
"github.com/cloudflare/cloudflared/config"
) )
type ServiceTemplate struct { type ServiceTemplate struct {
@ -42,7 +44,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
return err return err
} }
if _, err = os.Stat(resolvedPath); err == nil { if _, err = os.Stat(resolvedPath); err == nil {
return errors.New(serviceAlreadyExistsWarn(resolvedPath)) return fmt.Errorf(serviceAlreadyExistsWarn(resolvedPath))
} }
var buffer bytes.Buffer var buffer bytes.Buffer
@ -55,7 +57,7 @@ func (st *ServiceTemplate) Generate(args *ServiceTemplateArgs) error {
fileMode = st.FileMode fileMode = st.FileMode
} }
plistFolder := filepath.Dir(resolvedPath) plistFolder := path.Dir(resolvedPath)
err = os.MkdirAll(plistFolder, 0o755) err = os.MkdirAll(plistFolder, 0o755)
if err != nil { if err != nil {
return fmt.Errorf("error creating %s: %v", plistFolder, err) return fmt.Errorf("error creating %s: %v", plistFolder, err)
@ -107,3 +109,114 @@ func runCommand(command string, args ...string) error {
} }
return nil return nil
} }
func ensureConfigDirExists(configDir string) error {
ok, err := config.FileExists(configDir)
if !ok && err == nil {
err = os.Mkdir(configDir, 0755)
}
return err
}
// openFile opens the file at path. If create is set and the file exists, returns nil, true, nil
func openFile(path string, create bool) (file *os.File, exists bool, err error) {
expandedPath, err := homedir.Expand(path)
if err != nil {
return nil, false, err
}
if create {
fileInfo, err := os.Stat(expandedPath)
if err == nil && fileInfo.Size() > 0 {
return nil, true, nil
}
file, err = os.OpenFile(expandedPath, os.O_RDWR|os.O_CREATE, 0600)
} else {
file, err = os.Open(expandedPath)
}
return file, false, err
}
func copyCredential(srcCredentialPath, destCredentialPath string) error {
destFile, exists, err := openFile(destCredentialPath, true)
if err != nil {
return err
} else if exists {
// credentials already exist, do nothing
return nil
}
defer destFile.Close()
srcFile, _, err := openFile(srcCredentialPath, false)
if err != nil {
return err
}
defer srcFile.Close()
// Copy certificate
_, err = io.Copy(destFile, srcFile)
if err != nil {
return fmt.Errorf("unable to copy %s to %s: %v", srcCredentialPath, destCredentialPath, err)
}
return nil
}
func copyFile(src, dest string) error {
srcFile, err := os.Open(src)
if err != nil {
return err
}
defer srcFile.Close()
destFile, err := os.Create(dest)
if err != nil {
return err
}
ok := false
defer func() {
destFile.Close()
if !ok {
_ = os.Remove(dest)
}
}()
if _, err := io.Copy(destFile, srcFile); err != nil {
return err
}
ok = true
return nil
}
func copyConfig(srcConfigPath, destConfigPath string) error {
// Copy or create config
destFile, exists, err := openFile(destConfigPath, true)
if err != nil {
return fmt.Errorf("cannot open %s with error: %s", destConfigPath, err)
} else if exists {
// config already exists, do nothing
return nil
}
defer destFile.Close()
srcFile, _, err := openFile(srcConfigPath, false)
if err != nil {
fmt.Println("Your service needs a config file that at least specifies the hostname option.")
fmt.Println("Type in a hostname now, or leave it blank and create the config file later.")
fmt.Print("Hostname: ")
reader := bufio.NewReader(os.Stdin)
input, _ := reader.ReadString('\n')
if input == "" {
return err
}
fmt.Fprintf(destFile, "hostname: %s\n", input)
} else {
defer srcFile.Close()
_, err = io.Copy(destFile, srcFile)
if err != nil {
return fmt.Errorf("unable to copy %s to %s: %v", srcConfigPath, destConfigPath, err)
}
}
return nil
}

100
cmd/cloudflared/tail/cmd.go
View File

@ -12,18 +12,20 @@ import (
"time" "time"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/mattn/go-colorable"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"nhooyr.io/websocket" "nhooyr.io/websocket"
"github.com/cloudflare/cloudflared/cfapi"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/credentials" "github.com/cloudflare/cloudflared/credentials"
"github.com/cloudflare/cloudflared/logger"
"github.com/cloudflare/cloudflared/management" "github.com/cloudflare/cloudflared/management"
) )
var buildInfo *cliutil.BuildInfo var (
buildInfo *cliutil.BuildInfo
)
func Init(bi *cliutil.BuildInfo) { func Init(bi *cliutil.BuildInfo) {
buildInfo = bi buildInfo = bi
@ -49,13 +51,12 @@ func buildTailManagementTokenSubcommand() *cli.Command {
} }
func managementTokenCommand(c *cli.Context) error { func managementTokenCommand(c *cli.Context) error {
log := cliutil.CreateStderrLogger(c) log := createLogger(c)
token, err := getManagementToken(c, log)
token, err := cliutil.GetManagementToken(c, log, cfapi.Logs, buildInfo)
if err != nil { if err != nil {
return err return err
} }
tokenResponse := struct { var tokenResponse = struct {
Token string `json:"token"` Token string `json:"token"`
}{Token: token} }{Token: token}
@ -99,7 +100,13 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"}, EnvVars: []string{"TUNNEL_MANAGEMENT_TOKEN"},
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.ManagementHostname, Name: "output",
Usage: "Output format for the logs (default, json)",
Value: "default",
EnvVars: []string{"TUNNEL_MANAGEMENT_OUTPUT"},
},
&cli.StringFlag{
Name: "management-hostname",
Usage: "Management hostname to signify incoming management requests", Usage: "Management hostname to signify incoming management requests",
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"}, EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
Hidden: true, Hidden: true,
@ -112,18 +119,17 @@ func buildTailCommand(subcommands []*cli.Command) *cli.Command {
Value: "", Value: "",
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.LogLevel, Name: logger.LogLevelFlag,
Value: "info", Value: "info",
Usage: "Application logging level {debug, info, warn, error, fatal}", Usage: "Application logging level {debug, info, warn, error, fatal}",
EnvVars: []string{"TUNNEL_LOGLEVEL"}, EnvVars: []string{"TUNNEL_LOGLEVEL"},
}, },
&cli.StringFlag{ &cli.StringFlag{
Name: cfdflags.OriginCert, Name: credentials.OriginCertFlag,
Usage: "Path to the certificate generated for your origin when you run cloudflared login.", Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
EnvVars: []string{"TUNNEL_ORIGIN_CERT"}, EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
Value: credentials.FindDefaultOriginCertPath(), Value: credentials.FindDefaultOriginCertPath(),
}, },
cliutil.FlagLogOutput,
}, },
Subcommands: subcommands, Subcommands: subcommands,
} }
@ -160,13 +166,26 @@ func handleValidationError(resp *http.Response, log *zerolog.Logger) {
} }
} }
// logger will be created to emit only against the os.Stderr as to not obstruct with normal output from
// management requests
func createLogger(c *cli.Context) *zerolog.Logger {
level, levelErr := zerolog.ParseLevel(c.String(logger.LogLevelFlag))
if levelErr != nil {
level = zerolog.InfoLevel
}
log := zerolog.New(zerolog.ConsoleWriter{
Out: colorable.NewColorable(os.Stderr),
TimeFormat: time.RFC3339,
}).With().Timestamp().Logger().Level(level)
return &log
}
// parseFilters will attempt to parse provided filters to send to with the EventStartStreaming // parseFilters will attempt to parse provided filters to send to with the EventStartStreaming
func parseFilters(c *cli.Context) (*management.StreamingFilters, error) { func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
var level *management.LogLevel var level *management.LogLevel
var events []management.LogEventType
var sample float64 var sample float64
events := make([]management.LogEventType, 0)
argLevel := c.String("level") argLevel := c.String("level")
argEvents := c.StringSlice("event") argEvents := c.StringSlice("event")
argSample := c.Float64("sample") argSample := c.Float64("sample")
@ -204,30 +223,46 @@ func parseFilters(c *cli.Context) (*management.StreamingFilters, error) {
}, nil }, nil
} }
// buildURL will build the management url to contain the required query parameters to authenticate the request. // getManagementToken will make a call to the Cloudflare API to acquire a management token for the requested tunnel.
func buildURL(c *cli.Context, log *zerolog.Logger, res cfapi.ManagementResource) (url.URL, error) { func getManagementToken(c *cli.Context, log *zerolog.Logger) (string, error) {
var err error userCreds, err := credentials.Read(c.String(credentials.OriginCertFlag), log)
if err != nil {
return "", err
}
client, err := userCreds.Client(c.String("api-url"), buildInfo.UserAgent(), log)
if err != nil {
return "", err
}
tunnelIDString := c.Args().First()
if tunnelIDString == "" {
return "", errors.New("no tunnel ID provided")
}
tunnelID, err := uuid.Parse(tunnelIDString)
if err != nil {
return "", errors.New("unable to parse provided tunnel id as a valid UUID")
}
token, err := client.GetManagementToken(tunnelID)
if err != nil {
return "", err
}
return token, nil
}
// buildURL will build the management url to contain the required query parameters to authenticate the request.
func buildURL(c *cli.Context, log *zerolog.Logger) (url.URL, error) {
var err error
managementHostname := c.String("management-hostname")
token := c.String("token") token := c.String("token")
if token == "" { if token == "" {
token, err = cliutil.GetManagementToken(c, log, res, buildInfo) token, err = getManagementToken(c, log)
if err != nil { if err != nil {
return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err) return url.URL{}, fmt.Errorf("unable to acquire management token for requested tunnel id: %w", err)
} }
} }
claims, err := management.ParseToken(token)
if err != nil {
return url.URL{}, fmt.Errorf("failed to determine if token is FED: %w", err)
}
var managementHostname string
if claims.IsFed() {
managementHostname = credentials.FedRampHostname
} else {
managementHostname = c.String(cfdflags.ManagementHostname)
}
query := url.Values{} query := url.Values{}
query.Add("access_token", token) query.Add("access_token", token)
connector := c.String("connector-id") connector := c.String("connector-id")
@ -261,7 +296,7 @@ func printJSON(log *management.Log, logger *zerolog.Logger) {
// Run implements a foreground runner // Run implements a foreground runner
func Run(c *cli.Context) error { func Run(c *cli.Context) error {
log := cliutil.CreateStderrLogger(c) log := createLogger(c)
signals := make(chan os.Signal, 10) signals := make(chan os.Signal, 10)
signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT) signal.Notify(signals, syscall.SIGTERM, syscall.SIGINT)
@ -283,7 +318,7 @@ func Run(c *cli.Context) error {
return nil return nil
} }
u, err := buildURL(c, log, cfapi.Logs) u, err := buildURL(c, log)
if err != nil { if err != nil {
log.Err(err).Msg("unable to construct management request URL") log.Err(err).Msg("unable to construct management request URL")
return nil return nil
@ -296,7 +331,6 @@ func Run(c *cli.Context) error {
header["cf-trace-id"] = []string{trace} header["cf-trace-id"] = []string{trace}
} }
ctx := c.Context ctx := c.Context
// nolint: bodyclose
conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{ conn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
HTTPHeader: header, HTTPHeader: header,
}) })

479
cmd/cloudflared/tunnel/cmd.go
View File

@ -6,7 +6,6 @@ import (
"fmt" "fmt"
"net/url" "net/url"
"os" "os"
"path/filepath"
"runtime/trace" "runtime/trace"
"strings" "strings"
"sync" "sync"
@ -15,7 +14,8 @@ import (
"github.com/coreos/go-systemd/v22/daemon" "github.com/coreos/go-systemd/v22/daemon"
"github.com/facebookgo/grace/gracenet" "github.com/facebookgo/grace/gracenet"
"github.com/getsentry/sentry-go" "github.com/getsentry/sentry-go"
"github.com/mitchellh/go-homedir" "github.com/google/uuid"
homedir "github.com/mitchellh/go-homedir"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
@ -23,14 +23,13 @@ import (
"github.com/cloudflare/cloudflared/cfapi" "github.com/cloudflare/cloudflared/cfapi"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns" "github.com/cloudflare/cloudflared/cmd/cloudflared/proxydns"
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater" "github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/connection" "github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/credentials" "github.com/cloudflare/cloudflared/credentials"
"github.com/cloudflare/cloudflared/diagnostic"
"github.com/cloudflare/cloudflared/edgediscovery" "github.com/cloudflare/cloudflared/edgediscovery"
"github.com/cloudflare/cloudflared/features"
"github.com/cloudflare/cloudflared/ingress" "github.com/cloudflare/cloudflared/ingress"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
"github.com/cloudflare/cloudflared/management" "github.com/cloudflare/cloudflared/management"
@ -39,13 +38,68 @@ import (
"github.com/cloudflare/cloudflared/signal" "github.com/cloudflare/cloudflared/signal"
"github.com/cloudflare/cloudflared/supervisor" "github.com/cloudflare/cloudflared/supervisor"
"github.com/cloudflare/cloudflared/tlsconfig" "github.com/cloudflare/cloudflared/tlsconfig"
"github.com/cloudflare/cloudflared/tunnelstate" "github.com/cloudflare/cloudflared/tunneldns"
"github.com/cloudflare/cloudflared/validation" "github.com/cloudflare/cloudflared/validation"
) )
const ( const (
sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878" sentryDSN = "https://56a9c9fa5c364ab28f34b14f35ea0f1b:3e8827f6f9f740738eb11138f7bebb68@sentry.io/189878"
// ha-Connections specifies how many connections to make to the edge
haConnectionsFlag = "ha-connections"
// sshPortFlag is the port on localhost the cloudflared ssh server will run on
sshPortFlag = "local-ssh-port"
// sshIdleTimeoutFlag defines the duration a SSH session can remain idle before being closed
sshIdleTimeoutFlag = "ssh-idle-timeout"
// sshMaxTimeoutFlag defines the max duration a SSH session can remain open for
sshMaxTimeoutFlag = "ssh-max-timeout"
// bucketNameFlag is the bucket name to use for the SSH log uploader
bucketNameFlag = "bucket-name"
// regionNameFlag is the AWS region name to use for the SSH log uploader
regionNameFlag = "region-name"
// secretIDFlag is the Secret id of SSH log uploader
secretIDFlag = "secret-id"
// accessKeyIDFlag is the Access key id of SSH log uploader
accessKeyIDFlag = "access-key-id"
// sessionTokenIDFlag is the Session token of SSH log uploader
sessionTokenIDFlag = "session-token"
// s3URLFlag is the S3 URL of SSH log uploader (e.g. don't use AWS s3 and use google storage bucket instead)
s3URLFlag = "s3-url-host"
// hostKeyPath is the path of the dir to save SSH host keys too
hostKeyPath = "host-key-path"
// rpcTimeout is how long to wait for a Capnp RPC request to the edge
rpcTimeout = "rpc-timeout"
// writeStreamTimeout sets if we should have a timeout when writing data to a stream towards the destination (edge/origin).
writeStreamTimeout = "write-stream-timeout"
// quicDisablePathMTUDiscovery sets if QUIC should not perform PTMU discovery and use a smaller (safe) packet size.
// Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
// Note that this may result in packet drops for UDP proxying, since we expect being able to send at least 1280 bytes of inner packets.
quicDisablePathMTUDiscovery = "quic-disable-pmtu-discovery"
// quicConnLevelFlowControlLimit controls the max flow control limit allocated for a QUIC connection. This controls how much data is the
// receiver willing to buffer. Once the limit is reached, the sender will send a DATA_BLOCKED frame to indicate it has more data to write,
// but it's blocked by flow control
quicConnLevelFlowControlLimit = "quic-connection-level-flow-control-limit"
// quicStreamLevelFlowControlLimit is similar to quicConnLevelFlowControlLimit but for each QUIC stream. When the sender is blocked,
// it will send a STREAM_DATA_BLOCKED frame
quicStreamLevelFlowControlLimit = "quic-stream-level-flow-control-limit"
// uiFlag is to enable launching cloudflared in interactive UI mode
uiFlag = "ui"
LogFieldCommand = "command" LogFieldCommand = "command"
LogFieldExpandedPath = "expandedPath" LogFieldExpandedPath = "expandedPath"
LogFieldPIDPathname = "pidPathname" LogFieldPIDPathname = "pidPathname"
@ -60,6 +114,7 @@ Eg. cloudflared tunnel --url localhost:8080/.
Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes. Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes.
For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/) For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
` `
connectorLabelFlag = "label"
) )
var ( var (
@ -69,90 +124,7 @@ var (
routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+ routeFailMsg = fmt.Sprintf("failed to provision routing, please create it manually via Cloudflare dashboard or UI; "+
"most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+ "most likely you already have a conflicting record there. You can also rerun this command with --%s to overwrite "+
"any existing DNS records for this hostname.", overwriteDNSFlag) "any existing DNS records for this hostname.", overwriteDNSFlag)
errDeprecatedClassicTunnel = errors.New("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)") deprecatedClassicTunnelErr = fmt.Errorf("Classic tunnels have been deprecated, please use Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)")
// TODO: TUN-8756 the list below denotes the flags that do not possess any kind of sensitive information
// however this approach is not maintainble in the long-term.
nonSecretFlagsList = []string{
"config",
cfdflags.AutoUpdateFreq,
cfdflags.NoAutoUpdate,
cfdflags.Metrics,
"pidfile",
"url",
"hello-world",
"socks5",
"proxy-connect-timeout",
"proxy-tls-timeout",
"proxy-tcp-keepalive",
"proxy-no-happy-eyeballs",
"proxy-keepalive-connections",
"proxy-keepalive-timeout",
"proxy-connection-timeout",
"proxy-expect-continue-timeout",
"http-host-header",
"origin-server-name",
"unix-socket",
"origin-ca-pool",
"no-tls-verify",
"no-chunked-encoding",
"http2-origin",
cfdflags.ManagementHostname,
"service-op-ip",
"local-ssh-port",
"ssh-idle-timeout",
"ssh-max-timeout",
"bucket-name",
"region-name",
"s3-url-host",
"host-key-path",
"ssh-server",
"bastion",
"proxy-address",
"proxy-port",
cfdflags.LogLevel,
cfdflags.TransportLogLevel,
cfdflags.LogFile,
cfdflags.LogDirectory,
cfdflags.TraceOutput,
cfdflags.IsAutoUpdated,
cfdflags.Edge,
cfdflags.Region,
cfdflags.EdgeIpVersion,
cfdflags.EdgeBindAddress,
"cacert",
"hostname",
"id",
cfdflags.LBPool,
cfdflags.ApiURL,
cfdflags.MetricsUpdateFreq,
cfdflags.Tag,
"heartbeat-interval",
"heartbeat-count",
cfdflags.MaxEdgeAddrRetries,
cfdflags.Retries,
"ha-connections",
"rpc-timeout",
"write-stream-timeout",
"quic-disable-pmtu-discovery",
"quic-connection-level-flow-control-limit",
"quic-stream-level-flow-control-limit",
cfdflags.ConnectorLabel,
cfdflags.GracePeriod,
"compression-quality",
"use-reconnect-token",
"dial-edge-timeout",
"stdin-control",
cfdflags.Name,
cfdflags.Ui,
"quick-service",
"max-fetch-size",
cfdflags.PostQuantum,
"management-diagnostics",
cfdflags.Protocol,
"overwrite-dns",
"help",
cfdflags.MaxActiveFlows,
}
) )
func Flags() []cli.Flag { func Flags() []cli.Flag {
@ -173,8 +145,8 @@ func Commands() []*cli.Command {
buildDeleteCommand(), buildDeleteCommand(),
buildCleanupCommand(), buildCleanupCommand(),
buildTokenCommand(), buildTokenCommand(),
buildDiagCommand(), // for compatibility, allow following as tunnel subcommands
proxydns.Command(), // removed feature, only here for error message proxydns.Command(true),
cliutil.RemovedCommand("db-connect"), cliutil.RemovedCommand("db-connect"),
} }
@ -199,7 +171,7 @@ then protect with Cloudflare Access).
B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g., B) Locally reachable TCP/UDP-based private services to Cloudflare connected private users in the same account, e.g.,
those enrolled to a Zero Trust WARP Client. those enrolled to a Zero Trust WARP Client.
You can manage your Tunnels via one.dash.cloudflare.com. This approach will only require you to run a single command You can manage your Tunnels via dash.teams.cloudflare.com. This approach will only require you to run a single command
later in each machine where you wish to run a Tunnel. later in each machine where you wish to run a Tunnel.
Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so: Alternatively, you can manage your Tunnels via the command line. Begin by obtaining a certificate to be able to do so:
@ -235,7 +207,7 @@ func TunnelCommand(c *cli.Context) error {
// --name required // --name required
// --url or --hello-world required // --url or --hello-world required
// --hostname optional // --hostname optional
if name := c.String(cfdflags.Name); name != "" { if name := c.String("name"); name != "" {
hostname, err := validation.ValidateHostname(c.String("hostname")) hostname, err := validation.ValidateHostname(c.String("hostname"))
if err != nil { if err != nil {
return errors.Wrap(err, "Invalid hostname provided") return errors.Wrap(err, "Invalid hostname provided")
@ -250,8 +222,9 @@ func TunnelCommand(c *cli.Context) error {
// Run a quick tunnel // Run a quick tunnel
// A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com // A unauthenticated named tunnel hosted on <random>.<quick-tunnels-service>.com
// We don't support running proxy-dns and a quick tunnel at the same time as the same process
shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag) shouldRunQuickTunnel := c.IsSet("url") || c.IsSet(ingress.HelloWorldFlag)
if c.String("quick-service") != "" && shouldRunQuickTunnel { if !c.IsSet("proxy-dns") && c.String("quick-service") != "" && shouldRunQuickTunnel {
return RunQuickTunnel(sc) return RunQuickTunnel(sc)
} }
@ -262,7 +235,17 @@ func TunnelCommand(c *cli.Context) error {
// Classic tunnel usage is no longer supported // Classic tunnel usage is no longer supported
if c.String("hostname") != "" { if c.String("hostname") != "" {
return errDeprecatedClassicTunnel return deprecatedClassicTunnelErr
}
if c.IsSet("proxy-dns") {
if shouldRunQuickTunnel {
return fmt.Errorf("running a quick tunnel with `proxy-dns` is not supported")
}
// NamedTunnelProperties are nil since proxy dns server does not need it.
// This is supported for legacy reasons: dns proxy server is not a tunnel and ideally should
// not run as part of cloudflared tunnel.
return StartServer(sc.c, buildInfo, nil, sc.log)
} }
return errors.New(tunnelCmdErrorMessage) return errors.New(tunnelCmdErrorMessage)
@ -302,7 +285,7 @@ func runAdhocNamedTunnel(sc *subcommandContext, name, credentialsOutputPath stri
func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) { func routeFromFlag(c *cli.Context) (route cfapi.HostnameRoute, ok bool) {
if hostname := c.String("hostname"); hostname != "" { if hostname := c.String("hostname"); hostname != "" {
if lbPool := c.String(cfdflags.LBPool); lbPool != "" { if lbPool := c.String("lb-pool"); lbPool != "" {
return cfapi.NewLBRoute(hostname, lbPool), true return cfapi.NewLBRoute(hostname, lbPool), true
} }
return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true return cfapi.NewDNSRoute(hostname, c.Bool(overwriteDNSFlagName)), true
@ -332,7 +315,7 @@ func StartServer(
log.Info().Msg(config.ErrNoConfigFile.Error()) log.Info().Msg(config.ErrNoConfigFile.Error())
} }
if c.IsSet(cfdflags.TraceOutput) { if c.IsSet("trace-output") {
tmpTraceFile, err := os.CreateTemp("", "trace") tmpTraceFile, err := os.CreateTemp("", "trace")
if err != nil { if err != nil {
log.Err(err).Msg("Failed to create new temporary file to save trace output") log.Err(err).Msg("Failed to create new temporary file to save trace output")
@ -344,7 +327,7 @@ func StartServer(
if err := tmpTraceFile.Close(); err != nil { if err := tmpTraceFile.Close(); err != nil {
traceLog.Err(err).Msg("Failed to close temporary trace output file") traceLog.Err(err).Msg("Failed to close temporary trace output file")
} }
traceOutputFilepath := c.String(cfdflags.TraceOutput) traceOutputFilepath := c.String("trace-output")
if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil { if err := os.Rename(tmpTraceFile.Name(), traceOutputFilepath); err != nil {
traceLog. traceLog.
Err(err). Err(err).
@ -374,23 +357,38 @@ func StartServer(
go waitForSignal(graceShutdownC, log) go waitForSignal(graceShutdownC, log)
if c.IsSet("proxy-dns") {
dnsReadySignal := make(chan struct{})
wg.Add(1)
go func() {
defer wg.Done()
errC <- runDNSProxyServer(c, dnsReadySignal, ctx.Done(), log)
}()
// Wait for proxy-dns to come up (if used)
<-dnsReadySignal
}
connectedSignal := signal.New(make(chan struct{})) connectedSignal := signal.New(make(chan struct{}))
go notifySystemd(connectedSignal) go notifySystemd(connectedSignal)
if c.IsSet("pidfile") { if c.IsSet("pidfile") {
go writePidFile(connectedSignal, c.String("pidfile"), log) go writePidFile(connectedSignal, c.String("pidfile"), log)
} }
// update needs to be after DNS proxy is up to resolve equinox server address
wg.Add(1) wg.Add(1)
go func() { go func() {
defer wg.Done() defer wg.Done()
autoupdater := updater.NewAutoUpdater( autoupdater := updater.NewAutoUpdater(
c.Bool(cfdflags.NoAutoUpdate), c.Duration(cfdflags.AutoUpdateFreq), &listeners, log, c.Bool("no-autoupdate"), c.Duration("autoupdate-freq"), &listeners, log,
) )
errC <- autoupdater.Run(ctx) errC <- autoupdater.Run(ctx)
}() }()
if namedTunnel == nil { // Serve DNS proxy stand-alone if no tunnel type (quick, adhoc, named) is going to run
return fmt.Errorf("namedTunnel is nil") if dnsProxyStandAlone(c, namedTunnel) {
connectedSignal.Notify()
// no grace period, handle SIGINT/SIGTERM immediately
return waitToShutdown(&wg, cancel, errC, graceShutdownC, 0, log)
} }
logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog) logTransport := logger.CreateTransportLoggerFromContext(c, logger.EnableTerminalLog)
@ -398,7 +396,10 @@ func StartServer(
observer := connection.NewObserver(log, logTransport) observer := connection.NewObserver(log, logTransport)
// Send Quick Tunnel URL to UI if applicable // Send Quick Tunnel URL to UI if applicable
quickTunnelURL := namedTunnel.QuickTunnelUrl var quickTunnelURL string
if namedTunnel != nil {
quickTunnelURL = namedTunnel.QuickTunnelUrl
}
if quickTunnelURL != "" { if quickTunnelURL != "" {
observer.SendURL(quickTunnelURL) observer.SendURL(quickTunnelURL)
} }
@ -408,86 +409,65 @@ func StartServer(
log.Err(err).Msg("Couldn't start tunnel") log.Err(err).Msg("Couldn't start tunnel")
return err return err
} }
connectorID := tunnelConfig.ClientConfig.ConnectorID var clientID uuid.UUID
if tunnelConfig.NamedTunnel != nil {
// Disable ICMP packet routing for quick tunnels clientID, err = uuid.FromBytes(tunnelConfig.NamedTunnel.Client.ClientID)
if quickTunnelURL != "" { if err != nil {
tunnelConfig.ICMPRouterServer = nil // set to nil for classic tunnels
} clientID = uuid.Nil
serviceIP := c.String("service-op-ip")
if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
serviceIP = serviceAddr.TCP.String()
} }
} }
isFEDEndpoint := namedTunnel.Credentials.Endpoint == credentials.FedEndpoint // Disable ICMP packet routing for quick tunnels
var managementHostname string if quickTunnelURL != "" {
if isFEDEndpoint { tunnelConfig.PacketConfig = nil
managementHostname = credentials.FedRampHostname
} else {
managementHostname = c.String(cfdflags.ManagementHostname)
} }
mgmt := management.New( internalRules := []ingress.Rule{}
managementHostname, if features.Contains(features.FeatureManagementLogs) {
c.Bool("management-diagnostics"), serviceIP := c.String("service-op-ip")
serviceIP, if edgeAddrs, err := edgediscovery.ResolveEdge(log, tunnelConfig.Region, tunnelConfig.EdgeIPVersion); err == nil {
connectorID, if serviceAddr, err := edgeAddrs.GetAddrForRPC(); err == nil {
c.String(cfdflags.ConnectorLabel), serviceIP = serviceAddr.TCP.String()
logger.ManagementLogger.Log, }
logger.ManagementLogger, }
)
internalRules := []ingress.Rule{ingress.NewManagementRule(mgmt)} mgmt := management.New(
c.String("management-hostname"),
c.Bool("management-diagnostics"),
serviceIP,
clientID,
c.String(connectorLabelFlag),
logger.ManagementLogger.Log,
logger.ManagementLogger,
)
internalRules = []ingress.Rule{ingress.NewManagementRule(mgmt)}
}
orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log) orchestrator, err := orchestration.NewOrchestrator(ctx, orchestratorConfig, tunnelConfig.Tags, internalRules, tunnelConfig.Log)
if err != nil { if err != nil {
return err return err
} }
metricsListener, err := metrics.CreateMetricsListener(&listeners, c.String("metrics")) metricsListener, err := listeners.Listen("tcp", c.String("metrics"))
if err != nil { if err != nil {
log.Err(err).Msg("Error opening metrics server listener") log.Err(err).Msg("Error opening metrics server listener")
return errors.Wrap(err, "Error opening metrics server listener") return errors.Wrap(err, "Error opening metrics server listener")
} }
defer metricsListener.Close() defer metricsListener.Close()
wg.Add(1) wg.Add(1)
go func() { go func() {
defer wg.Done() defer wg.Done()
tracker := tunnelstate.NewConnTracker(log) readinessServer := metrics.NewReadyServer(log, clientID)
observer.RegisterSink(tracker) observer.RegisterSink(readinessServer)
ipv4, ipv6, err := determineICMPSources(c, log)
sources := make([]string, 0)
if err == nil {
sources = append(sources, ipv4.String())
sources = append(sources, ipv6.String())
}
readinessServer := metrics.NewReadyServer(connectorID, tracker)
cliFlags := nonSecretCliFlags(log, c, nonSecretFlagsList)
diagnosticHandler := diagnostic.NewDiagnosticHandler(
log,
0,
diagnostic.NewSystemCollectorImpl(buildInfo.CloudflaredVersion),
tunnelConfig.NamedTunnel.Credentials.TunnelID,
connectorID,
tracker,
cliFlags,
sources,
)
metricsConfig := metrics.Config{ metricsConfig := metrics.Config{
ReadyServer: readinessServer, ReadyServer: readinessServer,
DiagnosticHandler: diagnosticHandler,
QuickTunnelHostname: quickTunnelURL, QuickTunnelHostname: quickTunnelURL,
Orchestrator: orchestrator, Orchestrator: orchestrator,
} }
errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log) errC <- metrics.ServeMetrics(metricsListener, ctx, metricsConfig, log)
}() }()
reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(cfdflags.HaConnections)) reconnectCh := make(chan supervisor.ReconnectSignal, c.Int(haConnectionsFlag))
if c.IsSet("stdin-control") { if c.IsSet("stdin-control") {
log.Info().Msg("Enabling control through stdin") log.Info().Msg("Enabling control through stdin")
go stdinControl(reconnectCh, log) go stdinControl(reconnectCh, log)
@ -524,10 +504,8 @@ func waitToShutdown(wg *sync.WaitGroup,
log.Debug().Msg("Graceful shutdown signalled") log.Debug().Msg("Graceful shutdown signalled")
if gracePeriod > 0 { if gracePeriod > 0 {
// wait for either grace period or service termination // wait for either grace period or service termination
ticker := time.NewTicker(gracePeriod)
defer ticker.Stop()
select { select {
case <-ticker.C: case <-time.Tick(gracePeriod):
case <-errC: case <-errC:
} }
} }
@ -555,7 +533,7 @@ func waitToShutdown(wg *sync.WaitGroup,
func notifySystemd(waitForSignal *signal.Signal) { func notifySystemd(waitForSignal *signal.Signal) {
<-waitForSignal.Wait() <-waitForSignal.Wait()
_, _ = daemon.SdNotify(false, "READY=1") daemon.SdNotify(false, "READY=1")
} }
func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) { func writePidFile(waitForSignal *signal.Signal, pidPathname string, log *zerolog.Logger) {
@ -603,35 +581,35 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
flags := configureCloudflaredFlags(shouldHide) flags := configureCloudflaredFlags(shouldHide)
flags = append(flags, configureProxyFlags(shouldHide)...) flags = append(flags, configureProxyFlags(shouldHide)...)
flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...) flags = append(flags, cliutil.ConfigureLoggingFlags(shouldHide)...)
flags = append(flags, proxydns.ConfigureProxyDNSFlags(shouldHide)...) // removed feature, only kept to not break any script that might be setting these flags flags = append(flags, configureProxyDNSFlags(shouldHide)...)
flags = append(flags, []cli.Flag{ flags = append(flags, []cli.Flag{
credentialsFileFlag, credentialsFileFlag,
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: cfdflags.IsAutoUpdated, Name: "is-autoupdated",
Usage: "Signal the new process that Cloudflare Tunnel connector has been autoupdated", Usage: "Signal the new process that Cloudflare Tunnel connector has been autoupdated",
Value: false, Value: false,
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{ altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: cfdflags.Edge, Name: "edge",
Usage: "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.", Usage: "Address of the Cloudflare tunnel server. Only works in Cloudflare's internal testing environment.",
EnvVars: []string{"TUNNEL_EDGE"}, EnvVars: []string{"TUNNEL_EDGE"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.Region, Name: "region",
Usage: "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.", Usage: "Cloudflare Edge region to connect to. Omit or set to empty to connect to the global region.",
EnvVars: []string{"TUNNEL_REGION"}, EnvVars: []string{"TUNNEL_REGION"},
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.EdgeIpVersion, Name: "edge-ip-version",
Usage: "Cloudflare Edge IP address version to connect with. {4, 6, auto}", Usage: "Cloudflare Edge IP address version to connect with. {4, 6, auto}",
EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"}, EnvVars: []string{"TUNNEL_EDGE_IP_VERSION"},
Value: "4", Value: "4",
Hidden: false, Hidden: false,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.EdgeBindAddress, Name: "edge-bind-address",
Usage: "Bind to IP address for outgoing connections to Cloudflare Edge.", Usage: "Bind to IP address for outgoing connections to Cloudflare Edge.",
EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"}, EnvVars: []string{"TUNNEL_EDGE_BIND_ADDRESS"},
Hidden: false, Hidden: false,
@ -655,7 +633,7 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.LBPool, Name: "lb-pool",
Usage: "The name of a (new/existing) load balancing pool to add this origin to.", Usage: "The name of a (new/existing) load balancing pool to add this origin to.",
EnvVars: []string{"TUNNEL_LB_POOL"}, EnvVars: []string{"TUNNEL_LB_POOL"},
Hidden: shouldHide, Hidden: shouldHide,
@ -679,21 +657,21 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.ApiURL, Name: "api-url",
Usage: "Base URL for Cloudflare API v4", Usage: "Base URL for Cloudflare API v4",
EnvVars: []string{"TUNNEL_API_URL"}, EnvVars: []string{"TUNNEL_API_URL"},
Value: "https://api.cloudflare.com/client/v4", Value: "https://api.cloudflare.com/client/v4",
Hidden: true, Hidden: true,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.MetricsUpdateFreq, Name: "metrics-update-freq",
Usage: "Frequency to update tunnel metrics", Usage: "Frequency to update tunnel metrics",
Value: time.Second * 5, Value: time.Second * 5,
EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"}, EnvVars: []string{"TUNNEL_METRICS_UPDATE_FREQ"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{ altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: cfdflags.Tag, Name: "tag",
Usage: "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.", Usage: "Custom tags used to identify this tunnel via added HTTP request headers to the origin, in format `KEY=VALUE`. Multiple tags may be specified.",
EnvVars: []string{"TUNNEL_TAG"}, EnvVars: []string{"TUNNEL_TAG"},
Hidden: true, Hidden: true,
@ -712,64 +690,64 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
Hidden: true, Hidden: true,
}), }),
altsrc.NewIntFlag(&cli.IntFlag{ altsrc.NewIntFlag(&cli.IntFlag{
Name: cfdflags.MaxEdgeAddrRetries, Name: "max-edge-addr-retries",
Usage: "Maximum number of times to retry on edge addrs before falling back to a lower protocol", Usage: "Maximum number of times to retry on edge addrs before falling back to a lower protocol",
Value: 8, Value: 8,
Hidden: true, Hidden: true,
}), }),
// Note TUN-3758 , we use Int because UInt is not supported with altsrc // Note TUN-3758 , we use Int because UInt is not supported with altsrc
altsrc.NewIntFlag(&cli.IntFlag{ altsrc.NewIntFlag(&cli.IntFlag{
Name: cfdflags.Retries, Name: "retries",
Value: 5, Value: 5,
Usage: "Maximum number of retries for connection/protocol errors.", Usage: "Maximum number of retries for connection/protocol errors.",
EnvVars: []string{"TUNNEL_RETRIES"}, EnvVars: []string{"TUNNEL_RETRIES"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewIntFlag(&cli.IntFlag{ altsrc.NewIntFlag(&cli.IntFlag{
Name: cfdflags.HaConnections, Name: haConnectionsFlag,
Value: 4, Value: 4,
Hidden: true, Hidden: true,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.RpcTimeout, Name: rpcTimeout,
Value: 5 * time.Second, Value: 5 * time.Second,
Hidden: true, Hidden: true,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.WriteStreamTimeout, Name: writeStreamTimeout,
EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"}, EnvVars: []string{"TUNNEL_STREAM_WRITE_TIMEOUT"},
Usage: "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.", Usage: "Use this option to add a stream write timeout for connections when writing towards the origin or edge. Default is 0 which disables the write timeout.",
Value: 0 * time.Second, Value: 0 * time.Second,
Hidden: true, Hidden: true,
}), }),
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: cfdflags.QuicDisablePathMTUDiscovery, Name: quicDisablePathMTUDiscovery,
EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"}, EnvVars: []string{"TUNNEL_DISABLE_QUIC_PMTU"},
Usage: "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.", Usage: "Use this option to disable PTMU discovery for QUIC connections. This will result in lower packet sizes. Not however, that this may cause instability for UDP proxying.",
Value: false, Value: false,
Hidden: true, Hidden: true,
}), }),
altsrc.NewIntFlag(&cli.IntFlag{ altsrc.NewIntFlag(&cli.IntFlag{
Name: cfdflags.QuicConnLevelFlowControlLimit, Name: quicConnLevelFlowControlLimit,
EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"}, EnvVars: []string{"TUNNEL_QUIC_CONN_LEVEL_FLOW_CONTROL_LIMIT"},
Usage: "Use this option to change the connection-level flow control limit for QUIC transport.", Usage: "Use this option to change the connection-level flow control limit for QUIC transport.",
Value: 30 * (1 << 20), // 30 MB Value: 30 * (1 << 20), // 30 MB
Hidden: true, Hidden: true,
}), }),
altsrc.NewIntFlag(&cli.IntFlag{ altsrc.NewIntFlag(&cli.IntFlag{
Name: cfdflags.QuicStreamLevelFlowControlLimit, Name: quicStreamLevelFlowControlLimit,
EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"}, EnvVars: []string{"TUNNEL_QUIC_STREAM_LEVEL_FLOW_CONTROL_LIMIT"},
Usage: "Use this option to change the connection-level flow control limit for QUIC transport.", Usage: "Use this option to change the connection-level flow control limit for QUIC transport.",
Value: 6 * (1 << 20), // 6 MB Value: 6 * (1 << 20), // 6 MB
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.ConnectorLabel, Name: connectorLabelFlag,
Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.", Usage: "Use this option to give a meaningful label to a specific connector. When a tunnel starts up, a connector id unique to the tunnel is generated. This is a uuid. To make it easier to identify a connector, we will use the hostname of the machine the tunnel is running on along with the connector ID. This option exists if one wants to have more control over what their individual connectors are called.",
Value: "", Value: "",
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.GracePeriod, Name: "grace-period",
Usage: "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.", Usage: "When cloudflared receives SIGINT/SIGTERM it will stop accepting new requests, wait for in-progress requests to terminate, then shutdown. Waiting for in-progress requests will timeout after this grace period, or when a second SIGTERM/SIGINT is received.",
Value: time.Second * 30, Value: time.Second * 30,
EnvVars: []string{"TUNNEL_GRACE_PERIOD"}, EnvVars: []string{"TUNNEL_GRACE_PERIOD"},
@ -805,14 +783,14 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
Value: false, Value: false,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.Name, Name: "name",
Aliases: []string{"n"}, Aliases: []string{"n"},
EnvVars: []string{"TUNNEL_NAME"}, EnvVars: []string{"TUNNEL_NAME"},
Usage: "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately", Usage: "Stable name to identify the tunnel. Using this flag will create, route and run a tunnel. For production usage, execute each command separately",
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: cfdflags.Ui, Name: uiFlag,
Usage: "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.", Usage: "(depreciated) Launch tunnel UI. Tunnel logs are scrollable via 'j', 'k', or arrow keys.",
Value: false, Value: false,
Hidden: true, Hidden: true,
@ -830,10 +808,11 @@ func tunnelFlags(shouldHide bool) []cli.Flag {
Hidden: true, Hidden: true,
}), }),
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: cfdflags.PostQuantum, Name: "post-quantum",
Usage: "When given creates an experimental post-quantum secure tunnel", Usage: "When given creates an experimental post-quantum secure tunnel",
Aliases: []string{"pq"}, Aliases: []string{"pq"},
EnvVars: []string{"TUNNEL_POST_QUANTUM"}, EnvVars: []string{"TUNNEL_POST_QUANTUM"},
Hidden: FipsEnabled,
}), }),
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: "management-diagnostics", Name: "management-diagnostics",
@ -858,35 +837,29 @@ func configureCloudflaredFlags(shouldHide bool) []cli.Flag {
Hidden: shouldHide, Hidden: shouldHide,
}, },
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.OriginCert, Name: credentials.OriginCertFlag,
Usage: "Path to the certificate generated for your origin when you run cloudflared login.", Usage: "Path to the certificate generated for your origin when you run cloudflared login.",
EnvVars: []string{"TUNNEL_ORIGIN_CERT"}, EnvVars: []string{"TUNNEL_ORIGIN_CERT"},
Value: credentials.FindDefaultOriginCertPath(), Value: credentials.FindDefaultOriginCertPath(),
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.AutoUpdateFreq, Name: "autoupdate-freq",
Usage: fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq), Usage: fmt.Sprintf("Autoupdate frequency. Default is %v.", updater.DefaultCheckUpdateFreq),
Value: updater.DefaultCheckUpdateFreq, Value: updater.DefaultCheckUpdateFreq,
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewBoolFlag(&cli.BoolFlag{ altsrc.NewBoolFlag(&cli.BoolFlag{
Name: cfdflags.NoAutoUpdate, Name: "no-autoupdate",
Usage: "Disable periodic check for updates, restarting the server with the new version.", Usage: "Disable periodic check for updates, restarting the server with the new version.",
EnvVars: []string{"NO_AUTOUPDATE"}, EnvVars: []string{"NO_AUTOUPDATE"},
Value: false, Value: false,
Hidden: shouldHide, Hidden: shouldHide,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.Metrics, Name: "metrics",
Value: metrics.GetMetricsDefaultAddress(metrics.Runtime), Value: "localhost:",
Usage: fmt.Sprintf( Usage: "Listen address for metrics reporting.",
`Listen address for metrics reporting. If no address is passed cloudflared will try to bind to %v.
If all are unavailable, a random port will be used. Note that when running cloudflared from an virtual
environment the default address binds to all interfaces, hence, it is important to isolate the host
and virtualized host network stacks from each other`,
metrics.GetMetricsKnownAddresses(metrics.Runtime),
),
EnvVars: []string{"TUNNEL_METRICS"}, EnvVars: []string{"TUNNEL_METRICS"},
Hidden: shouldHide, Hidden: shouldHide,
}), }),
@ -1013,7 +986,7 @@ func configureProxyFlags(shouldHide bool) []cli.Flag {
Value: false, Value: false,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.ManagementHostname, Name: "management-hostname",
Usage: "Management hostname to signify incoming management requests", Usage: "Management hostname to signify incoming management requests",
EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"}, EnvVars: []string{"TUNNEL_MANAGEMENT_HOSTNAME"},
Hidden: true, Hidden: true,
@ -1042,62 +1015,62 @@ func legacyTunnelFlag(msg string) string {
func sshFlags(shouldHide bool) []cli.Flag { func sshFlags(shouldHide bool) []cli.Flag {
return []cli.Flag{ return []cli.Flag{
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshPort, Name: sshPortFlag,
Usage: "Localhost port that cloudflared SSH server will run on", Usage: "Localhost port that cloudflared SSH server will run on",
Value: "2222", Value: "2222",
EnvVars: []string{"LOCAL_SSH_PORT"}, EnvVars: []string{"LOCAL_SSH_PORT"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.SshIdleTimeout, Name: sshIdleTimeoutFlag,
Usage: "Connection timeout after no activity", Usage: "Connection timeout after no activity",
EnvVars: []string{"SSH_IDLE_TIMEOUT"}, EnvVars: []string{"SSH_IDLE_TIMEOUT"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewDurationFlag(&cli.DurationFlag{ altsrc.NewDurationFlag(&cli.DurationFlag{
Name: cfdflags.SshMaxTimeout, Name: sshMaxTimeoutFlag,
Usage: "Absolute connection timeout", Usage: "Absolute connection timeout",
EnvVars: []string{"SSH_MAX_TIMEOUT"}, EnvVars: []string{"SSH_MAX_TIMEOUT"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderBucketName, Name: bucketNameFlag,
Usage: "Bucket name of where to upload SSH logs", Usage: "Bucket name of where to upload SSH logs",
EnvVars: []string{"BUCKET_ID"}, EnvVars: []string{"BUCKET_ID"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderRegionName, Name: regionNameFlag,
Usage: "Region name of where to upload SSH logs", Usage: "Region name of where to upload SSH logs",
EnvVars: []string{"REGION_ID"}, EnvVars: []string{"REGION_ID"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderSecretID, Name: secretIDFlag,
Usage: "Secret ID of where to upload SSH logs", Usage: "Secret ID of where to upload SSH logs",
EnvVars: []string{"SECRET_ID"}, EnvVars: []string{"SECRET_ID"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderAccessKeyID, Name: accessKeyIDFlag,
Usage: "Access Key ID of where to upload SSH logs", Usage: "Access Key ID of where to upload SSH logs",
EnvVars: []string{"ACCESS_CLIENT_ID"}, EnvVars: []string{"ACCESS_CLIENT_ID"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderSessionTokenID, Name: sessionTokenIDFlag,
Usage: "Session Token to use in the configuration of SSH logs uploading", Usage: "Session Token to use in the configuration of SSH logs uploading",
EnvVars: []string{"SESSION_TOKEN_ID"}, EnvVars: []string{"SESSION_TOKEN_ID"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewStringFlag(&cli.StringFlag{ altsrc.NewStringFlag(&cli.StringFlag{
Name: cfdflags.SshLogUploaderS3URL, Name: s3URLFlag,
Usage: "S3 url of where to upload SSH logs", Usage: "S3 url of where to upload SSH logs",
EnvVars: []string{"S3_URL"}, EnvVars: []string{"S3_URL"},
Hidden: true, Hidden: true,
}), }),
altsrc.NewPathFlag(&cli.PathFlag{ altsrc.NewPathFlag(&cli.PathFlag{
Name: cfdflags.HostKeyPath, Name: hostKeyPath,
Usage: "Absolute path of directory to save SSH host keys in", Usage: "Absolute path of directory to save SSH host keys in",
EnvVars: []string{"HOST_KEY_PATH"}, EnvVars: []string{"HOST_KEY_PATH"},
Hidden: true, Hidden: true,
@ -1134,6 +1107,57 @@ func sshFlags(shouldHide bool) []cli.Flag {
} }
} }
func configureProxyDNSFlags(shouldHide bool) []cli.Flag {
return []cli.Flag{
altsrc.NewBoolFlag(&cli.BoolFlag{
Name: "proxy-dns",
Usage: "Run a DNS over HTTPS proxy server.",
EnvVars: []string{"TUNNEL_DNS"},
Hidden: shouldHide,
}),
altsrc.NewIntFlag(&cli.IntFlag{
Name: "proxy-dns-port",
Value: 53,
Usage: "Listen on given port for the DNS over HTTPS proxy server.",
EnvVars: []string{"TUNNEL_DNS_PORT"},
Hidden: shouldHide,
}),
altsrc.NewStringFlag(&cli.StringFlag{
Name: "proxy-dns-address",
Usage: "Listen address for the DNS over HTTPS proxy server.",
Value: "localhost",
EnvVars: []string{"TUNNEL_DNS_ADDRESS"},
Hidden: shouldHide,
}),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: "proxy-dns-upstream",
Usage: "Upstream endpoint URL, you can specify multiple endpoints for redundancy.",
Value: cli.NewStringSlice("https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"),
EnvVars: []string{"TUNNEL_DNS_UPSTREAM"},
Hidden: shouldHide,
}),
altsrc.NewIntFlag(&cli.IntFlag{
Name: "proxy-dns-max-upstream-conns",
Usage: "Maximum concurrent connections to upstream. Setting to 0 means unlimited.",
Value: tunneldns.MaxUpstreamConnsDefault,
Hidden: shouldHide,
EnvVars: []string{"TUNNEL_DNS_MAX_UPSTREAM_CONNS"},
}),
altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: "proxy-dns-bootstrap",
Usage: "bootstrap endpoint URL, you can specify multiple endpoints for redundancy.",
Value: cli.NewStringSlice(
"https://162.159.36.1/dns-query",
"https://162.159.46.1/dns-query",
"https://[2606:4700:4700::1111]/dns-query",
"https://[2606:4700:4700::1001]/dns-query",
),
EnvVars: []string{"TUNNEL_DNS_BOOTSTRAP"},
Hidden: shouldHide,
}),
}
}
func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) { func stdinControl(reconnectCh chan supervisor.ReconnectSignal, log *zerolog.Logger) {
for { for {
scanner := bufio.NewScanner(os.Stdin) scanner := bufio.NewScanner(os.Stdin)
@ -1166,46 +1190,3 @@ reconnect [delay]
} }
} }
} }
func nonSecretCliFlags(log *zerolog.Logger, cli *cli.Context, flagInclusionList []string) map[string]string {
flagsNames := cli.FlagNames()
flags := make(map[string]string, len(flagsNames))
for _, flag := range flagsNames {
value := cli.String(flag)
if value == "" {
continue
}
isIncluded := isFlagIncluded(flagInclusionList, flag)
if !isIncluded {
continue
}
switch flag {
case cfdflags.LogDirectory, cfdflags.LogFile:
{
absolute, err := filepath.Abs(value)
if err != nil {
log.Error().Err(err).Msgf("could not convert %s path to absolute", flag)
} else {
flags[flag] = absolute
}
}
default:
flags[flag] = value
}
}
return flags
}
func isFlagIncluded(flagInclusionList []string, flag string) bool {
for _, include := range flagInclusionList {
if include == flag {
return true
}
}
return false
}

15
cmd/cloudflared/tunnel/config_test.go Normal file
View File

@ -0,0 +1,15 @@
package tunnel
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/cloudflare/cloudflared/features"
)
func TestDedup(t *testing.T) {
expected := []string{"a", "b"}
actual := features.Dedup([]string{"a", "b", "a"})
require.ElementsMatch(t, expected, actual)
}

235
cmd/cloudflared/tunnel/configuration.go
View File

@ -10,23 +10,20 @@ import (
"strings" "strings"
"time" "time"
"github.com/google/uuid"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/prometheus/client_golang/prometheus"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc" "github.com/urfave/cli/v2/altsrc"
"golang.org/x/term" "golang.org/x/term"
"github.com/cloudflare/cloudflared/client"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/connection" "github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/edgediscovery" "github.com/cloudflare/cloudflared/edgediscovery"
"github.com/cloudflare/cloudflared/edgediscovery/allregions" "github.com/cloudflare/cloudflared/edgediscovery/allregions"
"github.com/cloudflare/cloudflared/features" "github.com/cloudflare/cloudflared/features"
"github.com/cloudflare/cloudflared/ingress" "github.com/cloudflare/cloudflared/ingress"
"github.com/cloudflare/cloudflared/ingress/origins"
"github.com/cloudflare/cloudflared/orchestration" "github.com/cloudflare/cloudflared/orchestration"
"github.com/cloudflare/cloudflared/supervisor" "github.com/cloudflare/cloudflared/supervisor"
"github.com/cloudflare/cloudflared/tlsconfig" "github.com/cloudflare/cloudflared/tlsconfig"
@ -39,24 +36,24 @@ const (
) )
var ( var (
developerPortal = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup"
serviceUrl = developerPortal + "/tunnel-guide/local/as-a-service/"
argumentsUrl = developerPortal + "/tunnel-guide/local/local-management/arguments/"
secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag} secretFlags = [2]*altsrc.StringFlag{credentialsContentsFlag, tunnelTokenFlag}
configFlags = []string{ configFlags = []string{"autoupdate-freq", "no-autoupdate", "retries", "protocol", "loglevel", "transport-loglevel", "origincert", "metrics", "metrics-update-freq", "edge-ip-version", "edge-bind-address"}
flags.AutoUpdateFreq,
flags.NoAutoUpdate,
flags.Retries,
flags.Protocol,
flags.LogLevel,
flags.TransportLogLevel,
flags.OriginCert,
flags.Metrics,
flags.MetricsUpdateFreq,
flags.EdgeIpVersion,
flags.EdgeBindAddress,
flags.MaxActiveFlows,
}
) )
func generateRandomClientID(log *zerolog.Logger) (string, error) {
u, err := uuid.NewRandom()
if err != nil {
log.Error().Msgf("couldn't create UUID for client ID %s", err)
return "", err
}
return u.String(), nil
}
func logClientOptions(c *cli.Context, log *zerolog.Logger) { func logClientOptions(c *cli.Context, log *zerolog.Logger) {
flags := make(map[string]interface{}) flags := make(map[string]interface{})
for _, flag := range c.FlagNames() { for _, flag := range c.FlagNames() {
@ -111,6 +108,13 @@ func isSecretEnvVar(key string) bool {
return false return false
} }
func dnsProxyStandAlone(c *cli.Context, namedTunnel *connection.TunnelProperties) bool {
return c.IsSet("proxy-dns") &&
!(c.IsSet("name") || // adhoc-named tunnel
c.IsSet(ingress.HelloWorldFlag) || // quick or named tunnel
namedTunnel != nil) // named tunnel
}
func prepareTunnelConfig( func prepareTunnelConfig(
ctx context.Context, ctx context.Context,
c *cli.Context, c *cli.Context,
@ -119,44 +123,62 @@ func prepareTunnelConfig(
observer *connection.Observer, observer *connection.Observer,
namedTunnel *connection.TunnelProperties, namedTunnel *connection.TunnelProperties,
) (*supervisor.TunnelConfig, *orchestration.Config, error) { ) (*supervisor.TunnelConfig, *orchestration.Config, error) {
transportProtocol := c.String(flags.Protocol) clientID, err := uuid.NewRandom()
isPostQuantumEnforced := c.Bool(flags.PostQuantum)
featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, c.StringSlice(flags.Features), isPostQuantumEnforced, log)
if err != nil { if err != nil {
return nil, nil, errors.Wrap(err, "Failed to create feature selector") return nil, nil, errors.Wrap(err, "can't generate connector UUID")
} }
log.Info().Msgf("Generated Connector ID: %s", clientID)
clientConfig, err := client.NewConfig(info.Version(), info.OSArch(), featureSelector) tags, err := NewTagSliceFromCLI(c.StringSlice("tag"))
if err != nil {
return nil, nil, err
}
log.Info().Msgf("Generated Connector ID: %s", clientConfig.ConnectorID)
tags, err := NewTagSliceFromCLI(c.StringSlice(flags.Tag))
if err != nil { if err != nil {
log.Err(err).Msg("Tag parse failure") log.Err(err).Msg("Tag parse failure")
return nil, nil, errors.Wrap(err, "Tag parse failure") return nil, nil, errors.Wrap(err, "Tag parse failure")
} }
tags = append(tags, pogs.Tag{Name: "ID", Value: clientConfig.ConnectorID.String()}) tags = append(tags, pogs.Tag{Name: "ID", Value: clientID.String()})
clientFeatures := featureSelector.Snapshot() transportProtocol := c.String("protocol")
pqMode := clientFeatures.PostQuantum
clientFeatures := features.Dedup(append(c.StringSlice("features"), features.DefaultFeatures...))
staticFeatures := features.StaticFeatures{}
if c.Bool("post-quantum") {
if FipsEnabled {
return nil, nil, fmt.Errorf("post-quantum not supported in FIPS mode")
}
pqMode := features.PostQuantumStrict
staticFeatures.PostQuantumMode = &pqMode
}
featureSelector, err := features.NewFeatureSelector(ctx, namedTunnel.Credentials.AccountTag, staticFeatures, log)
if err != nil {
return nil, nil, errors.Wrap(err, "Failed to create feature selector")
}
pqMode := featureSelector.PostQuantumMode()
if pqMode == features.PostQuantumStrict { if pqMode == features.PostQuantumStrict {
// Error if the user tries to force a non-quic transport protocol // Error if the user tries to force a non-quic transport protocol
if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() { if transportProtocol != connection.AutoSelectFlag && transportProtocol != connection.QUIC.String() {
return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport") return nil, nil, fmt.Errorf("post-quantum is only supported with the quic transport")
} }
transportProtocol = connection.QUIC.String() transportProtocol = connection.QUIC.String()
clientFeatures = append(clientFeatures, features.FeaturePostQuantum)
log.Info().Msgf(
"Using hybrid post-quantum key agreement %s",
supervisor.PQKexName,
)
} }
namedTunnel.Client = pogs.ClientInfo{
ClientID: clientID[:],
Features: clientFeatures,
Version: info.Version(),
Arch: info.OSArch(),
}
cfg := config.GetConfiguration() cfg := config.GetConfiguration()
ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log) ingressRules, err := ingress.ParseIngressFromConfigAndCLI(cfg, c, log)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), isPostQuantumEnforced, edgediscovery.ProtocolPercentage, connection.ResolveTTL, log) protocolSelector, err := connection.NewProtocolSelector(transportProtocol, namedTunnel.Credentials.AccountTag, c.IsSet(TunnelTokenFlag), c.Bool("post-quantum"), edgediscovery.ProtocolPercentage, connection.ResolveTTL, log)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
@ -182,11 +204,11 @@ func prepareTunnelConfig(
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
edgeIPVersion, err := parseConfigIPVersion(c.String(flags.EdgeIpVersion)) edgeIPVersion, err := parseConfigIPVersion(c.String("edge-ip-version"))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
edgeBindAddr, err := parseConfigBindAddress(c.String(flags.EdgeBindAddress)) edgeBindAddr, err := parseConfigBindAddress(c.String("edge-bind-address"))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
@ -199,82 +221,48 @@ func prepareTunnelConfig(
log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version") log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
} }
region := c.String(flags.Region)
endpoint := namedTunnel.Credentials.Endpoint
var resolvedRegion string
// set resolvedRegion to either the region passed as argument
// or to the endpoint in the credentials.
// Region and endpoint are interchangeable
if region != "" && endpoint != "" {
return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
} else if region != "" {
resolvedRegion = region
} else if endpoint != "" {
resolvedRegion = endpoint
}
warpRoutingConfig := ingress.NewWarpRoutingConfig(&cfg.WarpRouting)
// Setup origin dialer service and virtual services
originDialerService := ingress.NewOriginDialer(ingress.OriginConfig{
DefaultDialer: ingress.NewDialer(warpRoutingConfig),
TCPWriteTimeout: c.Duration(flags.WriteStreamTimeout),
}, log)
// Setup DNS Resolver Service
originMetrics := origins.NewMetrics(prometheus.DefaultRegisterer)
dnsResolverAddrs := c.StringSlice(flags.VirtualDNSServiceResolverAddresses)
dnsService := origins.NewDNSResolverService(origins.NewDNSDialer(), log, originMetrics)
if len(dnsResolverAddrs) > 0 {
addrs, err := parseResolverAddrPorts(dnsResolverAddrs)
if err != nil {
return nil, nil, fmt.Errorf("invalid %s provided: %w", flags.VirtualDNSServiceResolverAddresses, err)
}
dnsService = origins.NewStaticDNSResolverService(addrs, origins.NewDNSDialer(), log, originMetrics)
}
originDialerService.AddReservedService(dnsService, []netip.AddrPort{origins.VirtualDNSServiceAddr})
tunnelConfig := &supervisor.TunnelConfig{ tunnelConfig := &supervisor.TunnelConfig{
ClientConfig: clientConfig,
GracePeriod: gracePeriod, GracePeriod: gracePeriod,
EdgeAddrs: c.StringSlice(flags.Edge), ReplaceExisting: c.Bool("force"),
Region: resolvedRegion, OSArch: info.OSArch(),
ClientID: clientID.String(),
EdgeAddrs: c.StringSlice("edge"),
Region: c.String("region"),
EdgeIPVersion: edgeIPVersion, EdgeIPVersion: edgeIPVersion,
EdgeBindAddr: edgeBindAddr, EdgeBindAddr: edgeBindAddr,
HAConnections: c.Int(flags.HaConnections), HAConnections: c.Int(haConnectionsFlag),
IsAutoupdated: c.Bool(flags.IsAutoUpdated), IsAutoupdated: c.Bool("is-autoupdated"),
LBPool: c.String(flags.LBPool), LBPool: c.String("lb-pool"),
Tags: tags, Tags: tags,
Log: log, Log: log,
LogTransport: logTransport, LogTransport: logTransport,
Observer: observer, Observer: observer,
ReportedVersion: info.Version(), ReportedVersion: info.Version(),
// Note TUN-3758 , we use Int because UInt is not supported with altsrc // Note TUN-3758 , we use Int because UInt is not supported with altsrc
Retries: uint(c.Int(flags.Retries)), // nolint: gosec Retries: uint(c.Int("retries")),
RunFromTerminal: isRunningFromTerminal(), RunFromTerminal: isRunningFromTerminal(),
NamedTunnel: namedTunnel, NamedTunnel: namedTunnel,
ProtocolSelector: protocolSelector, ProtocolSelector: protocolSelector,
EdgeTLSConfigs: edgeTLSConfigs, EdgeTLSConfigs: edgeTLSConfigs,
MaxEdgeAddrRetries: uint8(c.Int(flags.MaxEdgeAddrRetries)), // nolint: gosec FeatureSelector: featureSelector,
RPCTimeout: c.Duration(flags.RpcTimeout), MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")),
WriteStreamTimeout: c.Duration(flags.WriteStreamTimeout), RPCTimeout: c.Duration(rpcTimeout),
DisableQUICPathMTUDiscovery: c.Bool(flags.QuicDisablePathMTUDiscovery), WriteStreamTimeout: c.Duration(writeStreamTimeout),
QUICConnectionLevelFlowControlLimit: c.Uint64(flags.QuicConnLevelFlowControlLimit), DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),
QUICStreamLevelFlowControlLimit: c.Uint64(flags.QuicStreamLevelFlowControlLimit), QUICConnectionLevelFlowControlLimit: c.Uint64(quicConnLevelFlowControlLimit),
OriginDNSService: dnsService, QUICStreamLevelFlowControlLimit: c.Uint64(quicStreamLevelFlowControlLimit),
OriginDialerService: originDialerService,
} }
icmpRouter, err := newICMPRouter(c, log) packetConfig, err := newPacketConfig(c, log)
if err != nil { if err != nil {
log.Warn().Err(err).Msg("ICMP proxy feature is disabled") log.Warn().Err(err).Msg("ICMP proxy feature is disabled")
} else { } else {
tunnelConfig.ICMPRouterServer = icmpRouter tunnelConfig.PacketConfig = packetConfig
} }
orchestratorConfig := &orchestration.Config{ orchestratorConfig := &orchestration.Config{
Ingress: &ingressRules, Ingress: &ingressRules,
WarpRouting: warpRoutingConfig, WarpRouting: ingress.NewWarpRoutingConfig(&cfg.WarpRouting),
OriginDialerService: originDialerService, ConfigurationFlags: parseConfigFlags(c),
ConfigurationFlags: parseConfigFlags(c), WriteTimeout: c.Duration(writeStreamTimeout),
} }
return tunnelConfig, orchestratorConfig, nil return tunnelConfig, orchestratorConfig, nil
} }
@ -292,9 +280,9 @@ func parseConfigFlags(c *cli.Context) map[string]string {
} }
func gracePeriod(c *cli.Context) (time.Duration, error) { func gracePeriod(c *cli.Context) (time.Duration, error) {
period := c.Duration(flags.GracePeriod) period := c.Duration("grace-period")
if period > connection.MaxGracePeriod { if period > connection.MaxGracePeriod {
return time.Duration(0), fmt.Errorf("%s must be equal or less than %v", flags.GracePeriod, connection.MaxGracePeriod) return time.Duration(0), fmt.Errorf("grace-period must be equal or less than %v", connection.MaxGracePeriod)
} }
return period, nil return period, nil
} }
@ -363,39 +351,33 @@ func adjustIPVersionByBindAddress(ipVersion allregions.ConfigIPVersion, ip net.I
} }
} }
func newICMPRouter(c *cli.Context, logger *zerolog.Logger) (ingress.ICMPRouterServer, error) { func newPacketConfig(c *cli.Context, logger *zerolog.Logger) (*ingress.GlobalRouterConfig, error) {
ipv4Src, ipv6Src, err := determineICMPSources(c, logger) ipv4Src, err := determineICMPv4Src(c.String("icmpv4-src"), logger)
if err != nil { if err != nil {
return nil, err return nil, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
} }
icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, logger, icmpFunnelTimeout)
if err != nil {
return nil, err
}
return icmpRouter, nil
}
func determineICMPSources(c *cli.Context, logger *zerolog.Logger) (netip.Addr, netip.Addr, error) {
ipv4Src, err := determineICMPv4Src(c.String(flags.ICMPV4Src), logger)
if err != nil {
return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv4 source address for ICMP proxy")
}
logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src) logger.Info().Msgf("ICMP proxy will use %s as source for IPv4", ipv4Src)
ipv6Src, zone, err := determineICMPv6Src(c.String(flags.ICMPV6Src), logger, ipv4Src) ipv6Src, zone, err := determineICMPv6Src(c.String("icmpv6-src"), logger, ipv4Src)
if err != nil { if err != nil {
return netip.Addr{}, netip.Addr{}, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy") return nil, errors.Wrap(err, "failed to determine IPv6 source address for ICMP proxy")
} }
if zone != "" { if zone != "" {
logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone) logger.Info().Msgf("ICMP proxy will use %s in zone %s as source for IPv6", ipv6Src, zone)
} else { } else {
logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src) logger.Info().Msgf("ICMP proxy will use %s as source for IPv6", ipv6Src)
} }
return ipv4Src, ipv6Src, nil icmpRouter, err := ingress.NewICMPRouter(ipv4Src, ipv6Src, zone, logger, icmpFunnelTimeout)
if err != nil {
return nil, err
}
return &ingress.GlobalRouterConfig{
ICMPRouter: icmpRouter,
IPv4Src: ipv4Src,
IPv6Src: ipv6Src,
Zone: zone,
}, nil
} }
func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) { func determineICMPv4Src(userDefinedSrc string, logger *zerolog.Logger) (netip.Addr, error) {
@ -425,12 +407,13 @@ type interfaceIP struct {
func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) { func determineICMPv6Src(userDefinedSrc string, logger *zerolog.Logger, ipv4Src netip.Addr) (addr netip.Addr, zone string, err error) {
if userDefinedSrc != "" { if userDefinedSrc != "" {
addr, err := netip.ParseAddr(userDefinedSrc) userDefinedIP, zone, _ := strings.Cut(userDefinedSrc, "%")
addr, err := netip.ParseAddr(userDefinedIP)
if err != nil { if err != nil {
return netip.Addr{}, "", err return netip.Addr{}, "", err
} }
if addr.Is6() { if addr.Is6() {
return addr, addr.Zone(), nil return addr, zone, nil
} }
return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc) return netip.Addr{}, "", fmt.Errorf("expect IPv6, but %s is IPv4", userDefinedSrc)
} }
@ -511,19 +494,3 @@ func findLocalAddr(dst net.IP, port int) (netip.Addr, error) {
localAddr := localAddrPort.Addr() localAddr := localAddrPort.Addr()
return localAddr, nil return localAddr, nil
} }
func parseResolverAddrPorts(input []string) ([]netip.AddrPort, error) {
// We don't allow more than 10 resolvers to be provided statically for the resolver service.
if len(input) > 10 {
return nil, errors.New("too many addresses provided, max: 10")
}
addrs := make([]netip.AddrPort, 0, len(input))
for _, val := range input {
addr, err := netip.ParseAddrPort(val)
if err != nil {
return nil, err
}
addrs = append(addrs, addr)
}
return addrs, nil
}

17
cmd/cloudflared/tunnel/credential_finder.go
View File

@ -4,7 +4,6 @@ import (
"fmt" "fmt"
"path/filepath" "path/filepath"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/credentials" "github.com/cloudflare/cloudflared/credentials"
@ -58,19 +57,17 @@ func newSearchByID(id uuid.UUID, c *cli.Context, log *zerolog.Logger, fs fileSys
} }
func (s searchByID) Path() (string, error) { func (s searchByID) Path() (string, error) {
originCertPath := s.c.String(cfdflags.OriginCert) originCertPath := s.c.String(credentials.OriginCertFlag)
originCertLog := s.log.With(). originCertLog := s.log.With().
Str("originCertPath", originCertPath). Str("originCertPath", originCertPath).
Logger() Logger()
if originCertPath != "" { // Fallback to look for tunnel credentials in the origin cert directory
// Look for tunnel credentials in the origin cert directory if the flag is provided if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil {
if originCertPath, err := credentials.FindOriginCert(originCertPath, &originCertLog); err == nil { originCertDir := filepath.Dir(originCertPath)
originCertDir := filepath.Dir(originCertPath) if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil {
if filePath, err := tunnelFilePath(s.id, originCertDir); err == nil { if s.fs.validFilePath(filePath) {
if s.fs.validFilePath(filePath) { return filePath, nil
return filePath, nil
}
} }
} }
} }

3
cmd/cloudflared/tunnel/fips.go Normal file
View File

@ -0,0 +1,3 @@
package tunnel
var FipsEnabled bool

71
cmd/cloudflared/tunnel/login.go
View File

@ -12,7 +12,6 @@ import (
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/credentials" "github.com/cloudflare/cloudflared/credentials"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
@ -20,31 +19,8 @@ import (
) )
const ( const (
baseLoginURL = "https://dash.cloudflare.com/argotunnel" baseLoginURL = "https://dash.cloudflare.com/argotunnel"
callbackURL = "https://login.cloudflareaccess.org/" callbackStoreURL = "https://login.cloudflareaccess.org/"
fedBaseLoginURL = "https://dash.fed.cloudflare.com/argotunnel"
fedCallbackStoreURL = "https://login.fed.cloudflareaccess.org/"
fedRAMPParamName = "fedramp"
loginURLParamName = "loginURL"
callbackURLParamName = "callbackURL"
)
var (
loginURL = &cli.StringFlag{
Name: loginURLParamName,
Value: baseLoginURL,
Usage: "The URL used to login (default is https://dash.cloudflare.com/argotunnel)",
}
callbackStore = &cli.StringFlag{
Name: callbackURLParamName,
Value: callbackURL,
Usage: "The URL used for the callback (default is https://login.cloudflareaccess.org/)",
}
fedramp = &cli.BoolFlag{
Name: fedRAMPParamName,
Aliases: []string{"f"},
Usage: "Login with FedRAMP High environment.",
}
) )
func buildLoginSubcommand(hidden bool) *cli.Command { func buildLoginSubcommand(hidden bool) *cli.Command {
@ -54,11 +30,6 @@ func buildLoginSubcommand(hidden bool) *cli.Command {
Usage: "Generate a configuration file with your login details", Usage: "Generate a configuration file with your login details",
ArgsUsage: " ", ArgsUsage: " ",
Hidden: hidden, Hidden: hidden,
Flags: []cli.Flag{
loginURL,
callbackStore,
fedramp,
},
} }
} }
@ -67,25 +38,15 @@ func login(c *cli.Context) error {
path, ok, err := checkForExistingCert() path, ok, err := checkForExistingCert()
if ok { if ok {
log.Error().Err(err).Msgf("You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path) fmt.Fprintf(os.Stdout, "You have an existing certificate at %s which login would overwrite.\nIf this is intentional, please move or delete that file then run this command again.\n", path)
return nil return nil
} else if err != nil { } else if err != nil {
return err return err
} }
var ( loginURL, err := url.Parse(baseLoginURL)
baseloginURL = c.String(loginURLParamName)
callbackStoreURL = c.String(callbackURLParamName)
)
isFEDRamp := c.Bool(fedRAMPParamName)
if isFEDRamp {
baseloginURL = fedBaseLoginURL
callbackStoreURL = fedCallbackStoreURL
}
loginURL, err := url.Parse(baseloginURL)
if err != nil { if err != nil {
// shouldn't happen, URL is hardcoded
return err return err
} }
@ -97,28 +58,10 @@ func login(c *cli.Context) error {
callbackStoreURL, callbackStoreURL,
false, false,
false, false,
c.Bool(cfdflags.AutoCloseInterstitial),
isFEDRamp,
log, log,
) )
if err != nil { if err != nil {
log.Error().Err(err).Msgf("Failed to write the certificate.\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", path) fmt.Fprintf(os.Stderr, "Failed to write the certificate due to the following error:\n%v\n\nYour browser will download the certificate instead. You will have to manually\ncopy it to the following path:\n\n%s\n", err, path)
return err
}
cert, err := credentials.DecodeOriginCert(resourceData)
if err != nil {
log.Error().Err(err).Msg("failed to decode origin certificate")
return err
}
if isFEDRamp {
cert.Endpoint = credentials.FedEndpoint
}
resourceData, err = cert.EncodeOriginCert()
if err != nil {
log.Error().Err(err).Msg("failed to encode origin certificate")
return err return err
} }
@ -126,7 +69,7 @@ func login(c *cli.Context) error {
return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path)) return errors.Wrap(err, fmt.Sprintf("error writing cert to %s", path))
} }
log.Info().Msgf("You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path) fmt.Fprintf(os.Stdout, "You have successfully logged in.\nIf you wish to copy your credentials to a server, they have been saved to:\n%s\n", path)
return nil return nil
} }

7
cmd/cloudflared/tunnel/quick_tunnel.go
View File

@ -11,7 +11,6 @@ import (
"github.com/google/uuid" "github.com/google/uuid"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/connection" "github.com/cloudflare/cloudflared/connection"
) )
@ -83,13 +82,13 @@ func RunQuickTunnel(sc *subcommandContext) error {
sc.log.Info().Msg(line) sc.log.Info().Msg(line)
} }
if !sc.c.IsSet(flags.Protocol) { if !sc.c.IsSet("protocol") {
_ = sc.c.Set(flags.Protocol, "quic") sc.c.Set("protocol", "quic")
} }
// Override the number of connections used. Quick tunnels shouldn't be used for production usage, // Override the number of connections used. Quick tunnels shouldn't be used for production usage,
// so, use a single connection instead. // so, use a single connection instead.
_ = sc.c.Set(flags.HaConnections, "1") sc.c.Set(haConnectionsFlag, "1")
return StartServer( return StartServer(
sc.c, sc.c,
buildInfo, buildInfo,

37
cmd/cloudflared/tunnel/server.go Normal file
View File

@ -0,0 +1,37 @@
package tunnel
import (
"fmt"
"github.com/cloudflare/cloudflared/tunneldns"
"github.com/pkg/errors"
"github.com/rs/zerolog"
"github.com/urfave/cli/v2"
)
func runDNSProxyServer(c *cli.Context, dnsReadySignal chan struct{}, shutdownC <-chan struct{}, log *zerolog.Logger) error {
port := c.Int("proxy-dns-port")
if port <= 0 || port > 65535 {
return errors.New("The 'proxy-dns-port' must be a valid port number in <1, 65535> range.")
}
maxUpstreamConnections := c.Int("proxy-dns-max-upstream-conns")
if maxUpstreamConnections < 0 {
return fmt.Errorf("'%s' must be 0 or higher", "proxy-dns-max-upstream-conns")
}
listener, err := tunneldns.CreateListener(c.String("proxy-dns-address"), uint16(port), c.StringSlice("proxy-dns-upstream"), c.StringSlice("proxy-dns-bootstrap"), maxUpstreamConnections, log)
if err != nil {
close(dnsReadySignal)
listener.Stop()
return errors.Wrap(err, "Cannot create the DNS over HTTPS proxy server")
}
err = listener.Start(dnsReadySignal)
if err != nil {
return errors.Wrap(err, "Cannot start the DNS over HTTPS proxy server")
}
<-shutdownC
_ = listener.Stop()
log.Info().Msg("DNS server stopped")
return nil
}

44
cmd/cloudflared/tunnel/subcommand_context.go
View File

@ -9,26 +9,22 @@ import (
"strings" "strings"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/mitchellh/go-homedir"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/cfapi" "github.com/cloudflare/cloudflared/cfapi"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/connection" "github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/credentials" "github.com/cloudflare/cloudflared/credentials"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
) )
const fedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4" type errInvalidJSONCredential struct {
type invalidJSONCredentialError struct {
err error err error
path string path string
} }
func (e invalidJSONCredentialError) Error() string { func (e errInvalidJSONCredential) Error() string {
return "Invalid JSON when parsing tunnel credentials file" return "Invalid JSON when parsing tunnel credentials file"
} }
@ -55,12 +51,7 @@ func newSubcommandContext(c *cli.Context) (*subcommandContext, error) {
// Returns something that can find the given tunnel's credentials file. // Returns something that can find the given tunnel's credentials file.
func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder { func (sc *subcommandContext) credentialFinder(tunnelID uuid.UUID) CredFinder {
if path := sc.c.String(CredFileFlag); path != "" { if path := sc.c.String(CredFileFlag); path != "" {
// Expand path if CredFileFlag contains `~` return newStaticPath(path, sc.fs)
absPath, err := homedir.Expand(path)
if err != nil {
return newStaticPath(path, sc.fs)
}
return newStaticPath(absPath, sc.fs)
} }
return newSearchByID(tunnelID, sc.c, sc.log, sc.fs) return newSearchByID(tunnelID, sc.c, sc.log, sc.fs)
} }
@ -73,16 +64,7 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
sc.tunnelstoreClient, err = cred.Client(sc.c.String("api-url"), buildInfo.UserAgent(), sc.log)
var apiURL string
if cred.IsFEDEndpoint() {
sc.log.Info().Str("api-url", fedRampBaseApiURL).Msg("using fedramp base api")
apiURL = fedRampBaseApiURL
} else {
apiURL = sc.c.String(cfdflags.ApiURL)
}
sc.tunnelstoreClient, err = cred.Client(apiURL, buildInfo.UserAgent(), sc.log)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -91,7 +73,7 @@ func (sc *subcommandContext) client() (cfapi.Client, error) {
func (sc *subcommandContext) credential() (*credentials.User, error) { func (sc *subcommandContext) credential() (*credentials.User, error) {
if sc.userCredential == nil { if sc.userCredential == nil {
uc, err := credentials.Read(sc.c.String(cfdflags.OriginCert), sc.log) uc, err := credentials.Read(sc.c.String(credentials.OriginCertFlag), sc.log)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -112,13 +94,13 @@ func (sc *subcommandContext) readTunnelCredentials(credFinder CredFinder) (conne
var credentials connection.Credentials var credentials connection.Credentials
if err = json.Unmarshal(body, &credentials); err != nil { if err = json.Unmarshal(body, &credentials); err != nil {
if filepath.Ext(filePath) == ".pem" { if strings.HasSuffix(filePath, ".pem") {
return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " + return connection.Credentials{}, fmt.Errorf("The tunnel credentials file should be .json but you gave a .pem. " +
"The tunnel credentials file was originally created by `cloudflared tunnel create`. " + "The tunnel credentials file was originally created by `cloudflared tunnel create`. " +
"You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " + "You may have accidentally used the filepath to cert.pem, which is generated by `cloudflared tunnel " +
"login`.") "login`.")
} }
return connection.Credentials{}, invalidJSONCredentialError{path: filePath, err: err} return connection.Credentials{}, errInvalidJSONCredential{path: filePath, err: err}
} }
return credentials, nil return credentials, nil
} }
@ -140,7 +122,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
if err != nil { if err != nil {
return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64") return nil, errors.Wrap(err, "Couldn't decode tunnel secret from base64")
} }
tunnelSecret = decodedSecret tunnelSecret = []byte(decodedSecret)
if len(tunnelSecret) < 32 { if len(tunnelSecret) < 32 {
return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long") return nil, errors.New("Decoded tunnel secret must be at least 32 bytes long")
} }
@ -155,12 +137,10 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
if err != nil { if err != nil {
return nil, err return nil, err
} }
tunnelCredentials := connection.Credentials{ tunnelCredentials := connection.Credentials{
AccountTag: credential.AccountID(), AccountTag: credential.AccountID(),
TunnelSecret: tunnelSecret, TunnelSecret: tunnelSecret,
TunnelID: tunnel.ID, TunnelID: tunnel.ID,
Endpoint: credential.Endpoint(),
} }
usedCertPath := false usedCertPath := false
if credentialsFilePath == "" { if credentialsFilePath == "" {
@ -180,7 +160,7 @@ func (sc *subcommandContext) create(name string, credentialsFilePath string, sec
errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID)) errorLines = append(errorLines, fmt.Sprintf("Cloudflared tried to delete the tunnel for you, but encountered an error. You should use `cloudflared tunnel delete %v` to delete the tunnel yourself, because the tunnel can't be run without the tunnelfile.", tunnel.ID))
errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr)) errorLines = append(errorLines, fmt.Sprintf("The delete tunnel error is: %v", deleteErr))
} else { } else {
errorLines = append(errorLines, "The tunnel was deleted, because the tunnel can't be run without the credentials file") errorLines = append(errorLines, fmt.Sprintf("The tunnel was deleted, because the tunnel can't be run without the credentials file"))
} }
errorMsg := strings.Join(errorLines, "\n") errorMsg := strings.Join(errorLines, "\n")
return nil, errors.New(errorMsg) return nil, errors.New(errorMsg)
@ -209,7 +189,7 @@ func (sc *subcommandContext) list(filter *cfapi.TunnelFilter) ([]*cfapi.Tunnel,
} }
func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error { func (sc *subcommandContext) delete(tunnelIDs []uuid.UUID) error {
forceFlagSet := sc.c.Bool(cfdflags.Force) forceFlagSet := sc.c.Bool("force")
client, err := sc.client() client, err := sc.client()
if err != nil { if err != nil {
@ -249,7 +229,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
var err error var err error
if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" { if credentialsContents := sc.c.String(CredContentsFlag); credentialsContents != "" {
if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil { if err = json.Unmarshal([]byte(credentialsContents), &credentials); err != nil {
err = invalidJSONCredentialError{path: "TUNNEL_CRED_CONTENTS", err: err} err = errInvalidJSONCredential{path: "TUNNEL_CRED_CONTENTS", err: err}
} }
} else { } else {
credFinder := sc.credentialFinder(tunnelID) credFinder := sc.credentialFinder(tunnelID)
@ -265,7 +245,7 @@ func (sc *subcommandContext) findCredentials(tunnelID uuid.UUID) (connection.Cre
func (sc *subcommandContext) run(tunnelID uuid.UUID) error { func (sc *subcommandContext) run(tunnelID uuid.UUID) error {
credentials, err := sc.findCredentials(tunnelID) credentials, err := sc.findCredentials(tunnelID)
if err != nil { if err != nil {
if e, ok := err.(invalidJSONCredentialError); ok { if e, ok := err.(errInvalidJSONCredential); ok {
sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path) sc.log.Error().Msgf("The credentials file at %s contained invalid JSON. This is probably caused by passing the wrong filepath. Reminder: the credentials file is a .json file created via `cloudflared tunnel create`.", e.path)
sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error()) sc.log.Error().Msgf("Invalid JSON when parsing credentials file: %s", e.err.Error())
} }

219
cmd/cloudflared/tunnel/subcommands.go
View File

@ -16,40 +16,28 @@ import (
"time" "time"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/mitchellh/go-homedir" homedir "github.com/mitchellh/go-homedir"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/urfave/cli/v2" "github.com/urfave/cli/v2"
"github.com/urfave/cli/v2/altsrc" "github.com/urfave/cli/v2/altsrc"
"golang.org/x/net/idna" "golang.org/x/net/idna"
"gopkg.in/yaml.v3" yaml "gopkg.in/yaml.v3"
"github.com/cloudflare/cloudflared/cfapi" "github.com/cloudflare/cloudflared/cfapi"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
"github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/cmd/cloudflared/updater" "github.com/cloudflare/cloudflared/cmd/cloudflared/updater"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/connection" "github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/diagnostic"
"github.com/cloudflare/cloudflared/fips"
"github.com/cloudflare/cloudflared/metrics"
) )
const ( const (
allSortByOptions = "name, id, createdAt, deletedAt, numConnections" allSortByOptions = "name, id, createdAt, deletedAt, numConnections"
connsSortByOptions = "id, startedAt, numConnections, version" connsSortByOptions = "id, startedAt, numConnections, version"
CredFileFlagAlias = "cred-file" CredFileFlagAlias = "cred-file"
CredFileFlag = "credentials-file" CredFileFlag = "credentials-file"
CredContentsFlag = "credentials-contents" CredContentsFlag = "credentials-contents"
TunnelTokenFlag = "token" TunnelTokenFlag = "token"
TunnelTokenFileFlag = "token-file" overwriteDNSFlagName = "overwrite-dns"
overwriteDNSFlagName = "overwrite-dns"
noDiagLogsFlagName = "no-diag-logs"
noDiagMetricsFlagName = "no-diag-metrics"
noDiagSystemFlagName = "no-diag-system"
noDiagRuntimeFlagName = "no-diag-runtime"
noDiagNetworkFlagName = "no-diag-network"
diagContainerIDFlagName = "diag-container-id"
diagPodFlagName = "diag-pod-id"
LogFieldTunnelID = "tunnelID" LogFieldTunnelID = "tunnelID"
) )
@ -61,7 +49,7 @@ var (
Usage: "Include deleted tunnels in the list", Usage: "Include deleted tunnels in the list",
} }
listNameFlag = &cli.StringFlag{ listNameFlag = &cli.StringFlag{
Name: flags.Name, Name: "name",
Aliases: []string{"n"}, Aliases: []string{"n"},
Usage: "List tunnels with the given `NAME`", Usage: "List tunnels with the given `NAME`",
} }
@ -109,7 +97,7 @@ var (
EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"}, EnvVars: []string{"TUNNEL_LIST_INVERT_SORT"},
} }
featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{ featuresFlag = altsrc.NewStringSliceFlag(&cli.StringSliceFlag{
Name: flags.Features, Name: "features",
Aliases: []string{"F"}, Aliases: []string{"F"},
Usage: "Opt into various features that are still being developed or tested.", Usage: "Opt into various features that are still being developed or tested.",
}) })
@ -127,23 +115,18 @@ var (
}) })
tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{ tunnelTokenFlag = altsrc.NewStringFlag(&cli.StringFlag{
Name: TunnelTokenFlag, Name: TunnelTokenFlag,
Usage: "The Tunnel token. When provided along with credentials, this will take precedence. Also takes precedence over token-file", Usage: "The Tunnel token. When provided along with credentials, this will take precedence.",
EnvVars: []string{"TUNNEL_TOKEN"}, EnvVars: []string{"TUNNEL_TOKEN"},
}) })
tunnelTokenFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
Name: TunnelTokenFileFlag,
Usage: "Filepath at which to read the tunnel token. When provided along with credentials, this will take precedence.",
EnvVars: []string{"TUNNEL_TOKEN_FILE"},
})
forceDeleteFlag = &cli.BoolFlag{ forceDeleteFlag = &cli.BoolFlag{
Name: flags.Force, Name: "force",
Aliases: []string{"f"}, Aliases: []string{"f"},
Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." + Usage: "Deletes a tunnel even if tunnel is connected and it has dependencies associated to it. (eg. IP routes)." +
" It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.", " It is not possible to delete tunnels that have connections or non-deleted dependencies, without this flag.",
EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"}, EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
} }
selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{ selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
Name: flags.Protocol, Name: "protocol",
Value: connection.AutoSelectFlag, Value: connection.AutoSelectFlag,
Aliases: []string{"p"}, Aliases: []string{"p"},
Usage: fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage), Usage: fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
@ -151,11 +134,11 @@ var (
Hidden: true, Hidden: true,
}) })
postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{ postQuantumFlag = altsrc.NewBoolFlag(&cli.BoolFlag{
Name: flags.PostQuantum, Name: "post-quantum",
Usage: "When given creates an experimental post-quantum secure tunnel", Usage: "When given creates an experimental post-quantum secure tunnel",
Aliases: []string{"pq"}, Aliases: []string{"pq"},
EnvVars: []string{"TUNNEL_POST_QUANTUM"}, EnvVars: []string{"TUNNEL_POST_QUANTUM"},
Hidden: fips.IsFipsEnabled(), Hidden: FipsEnabled,
}) })
sortInfoByFlag = &cli.StringFlag{ sortInfoByFlag = &cli.StringFlag{
Name: "sort-by", Name: "sort-by",
@ -187,65 +170,15 @@ var (
EnvVars: []string{"TUNNEL_CREATE_SECRET"}, EnvVars: []string{"TUNNEL_CREATE_SECRET"},
} }
icmpv4SrcFlag = &cli.StringFlag{ icmpv4SrcFlag = &cli.StringFlag{
Name: flags.ICMPV4Src, Name: "icmpv4-src",
Usage: "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.", Usage: "Source address to send/receive ICMPv4 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to 0.0.0.0.",
EnvVars: []string{"TUNNEL_ICMPV4_SRC"}, EnvVars: []string{"TUNNEL_ICMPV4_SRC"},
} }
icmpv6SrcFlag = &cli.StringFlag{ icmpv6SrcFlag = &cli.StringFlag{
Name: flags.ICMPV6Src, Name: "icmpv6-src",
Usage: "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.", Usage: "Source address and the interface name to send/receive ICMPv6 messages. If not provided cloudflared will dial a local address to determine the source IP or fallback to ::.",
EnvVars: []string{"TUNNEL_ICMPV6_SRC"}, EnvVars: []string{"TUNNEL_ICMPV6_SRC"},
} }
metricsFlag = &cli.StringFlag{
Name: flags.Metrics,
Usage: "The metrics server address i.e.: 127.0.0.1:12345. If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.",
Value: "",
}
diagContainerFlag = &cli.StringFlag{
Name: diagContainerIDFlagName,
Usage: "Container ID or Name to collect logs from",
Value: "",
}
diagPodFlag = &cli.StringFlag{
Name: diagPodFlagName,
Usage: "Kubernetes POD to collect logs from",
Value: "",
}
noDiagLogsFlag = &cli.BoolFlag{
Name: noDiagLogsFlagName,
Usage: "Log collection will not be performed",
Value: false,
}
noDiagMetricsFlag = &cli.BoolFlag{
Name: noDiagMetricsFlagName,
Usage: "Metric collection will not be performed",
Value: false,
}
noDiagSystemFlag = &cli.BoolFlag{
Name: noDiagSystemFlagName,
Usage: "System information collection will not be performed",
Value: false,
}
noDiagRuntimeFlag = &cli.BoolFlag{
Name: noDiagRuntimeFlagName,
Usage: "Runtime information collection will not be performed",
Value: false,
}
noDiagNetworkFlag = &cli.BoolFlag{
Name: noDiagNetworkFlagName,
Usage: "Network diagnostics won't be performed",
Value: false,
}
maxActiveFlowsFlag = &cli.Uint64Flag{
Name: flags.MaxActiveFlows,
Usage: "Overrides the remote configuration for max active private network flows (TCP/UDP) that this cloudflared instance supports",
EnvVars: []string{"TUNNEL_MAX_ACTIVE_FLOWS"},
}
dnsResolverAddrsFlag = &cli.StringSliceFlag{
Name: flags.VirtualDNSServiceResolverAddresses,
Usage: "Overrides the dynamic DNS resolver resolution to use these address:port's instead.",
EnvVars: []string{"TUNNEL_DNS_RESOLVER_ADDRS"},
}
) )
func buildCreateCommand() *cli.Command { func buildCreateCommand() *cli.Command {
@ -348,7 +281,7 @@ func listCommand(c *cli.Context) error {
if !c.Bool("show-deleted") { if !c.Bool("show-deleted") {
filter.NoDeleted() filter.NoDeleted()
} }
if name := c.String(flags.Name); name != "" { if name := c.String("name"); name != "" {
filter.ByName(name) filter.ByName(name)
} }
if namePrefix := c.String("name-prefix"); namePrefix != "" { if namePrefix := c.String("name-prefix"); namePrefix != "" {
@ -442,6 +375,7 @@ func formatAndPrintTunnelList(tunnels []*cfapi.Tunnel, showRecentlyDisconnected
} }
func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string { func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected bool) string {
// Count connections per colo // Count connections per colo
numConnsPerColo := make(map[string]uint, len(connections)) numConnsPerColo := make(map[string]uint, len(connections))
for _, connection := range connections { for _, connection := range connections {
@ -458,7 +392,7 @@ func fmtConnections(connections []cfapi.Connection, showRecentlyDisconnected boo
sort.Strings(sortedColos) sort.Strings(sortedColos)
// Map each colo to its frequency, combine into output string. // Map each colo to its frequency, combine into output string.
output := make([]string, 0, len(sortedColos)) var output []string
for _, coloName := range sortedColos { for _, coloName := range sortedColos {
output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName)) output = append(output, fmt.Sprintf("%dx%s", numConnsPerColo[coloName], coloName))
} }
@ -478,21 +412,16 @@ func buildReadyCommand() *cli.Command {
} }
func readyCommand(c *cli.Context) error { func readyCommand(c *cli.Context) error {
metricsOpts := c.String(flags.Metrics) metricsOpts := c.String("metrics")
if !c.IsSet(flags.Metrics) { if !c.IsSet("metrics") {
return errors.New("--metrics has to be provided") return fmt.Errorf("--metrics has to be provided")
} }
requestURL := fmt.Sprintf("http://%s/ready", metricsOpts) requestURL := fmt.Sprintf("http://%s/ready", metricsOpts)
req, err := http.NewRequest(http.MethodGet, requestURL, nil) res, err := http.Get(requestURL)
if err != nil { if err != nil {
return err return err
} }
res, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
defer res.Body.Close()
if res.StatusCode != 200 { if res.StatusCode != 200 {
body, err := io.ReadAll(res.Body) body, err := io.ReadAll(res.Body)
if err != nil { if err != nil {
@ -719,11 +648,8 @@ func buildRunCommand() *cli.Command {
selectProtocolFlag, selectProtocolFlag,
featuresFlag, featuresFlag,
tunnelTokenFlag, tunnelTokenFlag,
tunnelTokenFileFlag,
icmpv4SrcFlag, icmpv4SrcFlag,
icmpv6SrcFlag, icmpv6SrcFlag,
maxActiveFlowsFlag,
dnsResolverAddrsFlag,
} }
flags = append(flags, configureProxyFlags(false)...) flags = append(flags, configureProxyFlags(false)...)
return &cli.Command{ return &cli.Command{
@ -761,22 +687,12 @@ func runCommand(c *cli.Context) error {
"your origin will not be reachable. You should remove the `hostname` property to avoid this warning.") "your origin will not be reachable. You should remove the `hostname` property to avoid this warning.")
} }
tokenStr := c.String(TunnelTokenFlag)
// Check if tokenStr is blank before checking for tokenFile
if tokenStr == "" {
if tokenFile := c.String(TunnelTokenFileFlag); tokenFile != "" {
data, err := os.ReadFile(tokenFile)
if err != nil {
return cliutil.UsageError("Failed to read token file: %s", err.Error())
}
tokenStr = strings.TrimSpace(string(data))
}
}
// Check if token is provided and if not use default tunnelID flag method // Check if token is provided and if not use default tunnelID flag method
if tokenStr != "" { if tokenStr := c.String(TunnelTokenFlag); tokenStr != "" {
if token, err := ParseToken(tokenStr); err == nil { if token, err := ParseToken(tokenStr); err == nil {
return sc.runWithCredentials(token.Credentials()) return sc.runWithCredentials(token.Credentials())
} }
return cliutil.UsageError("Provided Tunnel token is not valid.") return cliutil.UsageError("Provided Tunnel token is not valid.")
} else { } else {
tunnelRef := c.Args().First() tunnelRef := c.Args().First()
@ -981,10 +897,8 @@ func lbRouteFromArg(c *cli.Context) (cfapi.HostnameRoute, error) {
return cfapi.NewLBRoute(lbName, lbPool), nil return cfapi.NewLBRoute(lbName, lbPool), nil
} }
var ( var nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
nameRegex = regexp.MustCompile("^[_a-zA-Z0-9][-_.a-zA-Z0-9]*$") var hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
hostNameRegex = regexp.MustCompile("^[*_a-zA-Z0-9][-_.a-zA-Z0-9]*$")
)
func validateName(s string, allowWildcardSubdomain bool) bool { func validateName(s string, allowWildcardSubdomain bool) bool {
if allowWildcardSubdomain { if allowWildcardSubdomain {
@ -1072,78 +986,3 @@ SUBCOMMAND OPTIONS:
` `
return fmt.Sprintf(template, parentFlagsHelp) return fmt.Sprintf(template, parentFlagsHelp)
} }
func buildDiagCommand() *cli.Command {
return &cli.Command{
Name: "diag",
Action: cliutil.ConfiguredAction(diagCommand),
Usage: "Creates a diagnostic report from a local cloudflared instance",
UsageText: "cloudflared tunnel [tunnel command options] diag [subcommand options]",
Description: "cloudflared tunnel diag will create a diagnostic report of a local cloudflared instance. The diagnostic procedure collects: logs, metrics, system information, traceroute to Cloudflare Edge, and runtime information. Since there may be multiple instances of cloudflared running the --metrics option may be provided to target a specific instance.",
Flags: []cli.Flag{
metricsFlag,
diagContainerFlag,
diagPodFlag,
noDiagLogsFlag,
noDiagMetricsFlag,
noDiagSystemFlag,
noDiagRuntimeFlag,
noDiagNetworkFlag,
},
CustomHelpTemplate: commandHelpTemplate(),
}
}
func diagCommand(ctx *cli.Context) error {
sctx, err := newSubcommandContext(ctx)
if err != nil {
return err
}
log := sctx.log
options := diagnostic.Options{
KnownAddresses: metrics.GetMetricsKnownAddresses(metrics.Runtime),
Address: sctx.c.String(flags.Metrics),
ContainerID: sctx.c.String(diagContainerIDFlagName),
PodID: sctx.c.String(diagPodFlagName),
Toggles: diagnostic.Toggles{
NoDiagLogs: sctx.c.Bool(noDiagLogsFlagName),
NoDiagMetrics: sctx.c.Bool(noDiagMetricsFlagName),
NoDiagSystem: sctx.c.Bool(noDiagSystemFlagName),
NoDiagRuntime: sctx.c.Bool(noDiagRuntimeFlagName),
NoDiagNetwork: sctx.c.Bool(noDiagNetworkFlagName),
},
}
if options.Address == "" {
log.Info().Msg("If your instance is running in a Docker/Kubernetes environment you need to setup port forwarding for your application.")
}
states, err := diagnostic.RunDiagnostic(log, options)
if errors.Is(err, diagnostic.ErrMetricsServerNotFound) {
log.Warn().Msg("No instances found")
return nil
}
if errors.Is(err, diagnostic.ErrMultipleMetricsServerFound) {
if states != nil {
log.Info().Msgf("Found multiple instances running:")
for _, state := range states {
log.Info().Msgf("Instance: tunnel-id=%s connector-id=%s metrics-address=%s", state.TunnelID, state.ConnectorID, state.URL.String())
}
log.Info().Msgf("To select one instance use the option --metrics")
}
return nil
}
if errors.Is(err, diagnostic.ErrLogConfigurationIsInvalid) {
log.Info().Msg("Couldn't extract logs from the instance. If the instance is running in a containerized environment use the option --diag-container-id or --diag-pod-id. If there is no logging configuration use --no-diag-logs.")
}
if err != nil {
log.Warn().Msg("Diagnostic completed with one or more errors")
} else {
log.Info().Msg("Diagnostic completed")
}
return nil
}

8
cmd/cloudflared/tunnel/teamnet_subcommands.go
View File

@ -22,7 +22,7 @@ var (
Usage: "The ID or name of the virtual network to which the route is associated to.", Usage: "The ID or name of the virtual network to which the route is associated to.",
} }
errAddRoute = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete") routeAddError = errors.New("You must supply exactly one argument, the ID or CIDR of the route you want to delete")
) )
func buildRouteIPSubcommand() *cli.Command { func buildRouteIPSubcommand() *cli.Command {
@ -32,7 +32,7 @@ func buildRouteIPSubcommand() *cli.Command {
UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]", UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
client. You can then configure L7/L4 filtering on https://one.dash.cloudflare.com to client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
determine who can reach certain routes. determine who can reach certain routes.
By default IP routes all exist within a single virtual network. If you use the same IP By default IP routes all exist within a single virtual network. If you use the same IP
space(s) in different physical private networks, all meant to be reachable via IP routes, space(s) in different physical private networks, all meant to be reachable via IP routes,
@ -187,7 +187,7 @@ func deleteRouteCommand(c *cli.Context) error {
} }
if c.NArg() != 1 { if c.NArg() != 1 {
return errAddRoute return routeAddError
} }
var routeId uuid.UUID var routeId uuid.UUID
@ -195,7 +195,7 @@ func deleteRouteCommand(c *cli.Context) error {
if err != nil { if err != nil {
_, network, err := net.ParseCIDR(c.Args().First()) _, network, err := net.ParseCIDR(c.Args().First())
if err != nil || network == nil { if err != nil || network == nil {
return errAddRoute return routeAddError
} }
var vnetId *uuid.UUID var vnetId *uuid.UUID

20
cmd/cloudflared/updater/update.go
View File

@ -15,14 +15,13 @@ import (
"golang.org/x/term" "golang.org/x/term"
"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil" "github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
cfdflags "github.com/cloudflare/cloudflared/cmd/cloudflared/flags"
"github.com/cloudflare/cloudflared/config" "github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/logger" "github.com/cloudflare/cloudflared/logger"
) )
const ( const (
DefaultCheckUpdateFreq = time.Hour * 24 DefaultCheckUpdateFreq = time.Hour * 24
noUpdateInShellMessage = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/" noUpdateInShellMessage = "cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/"
noUpdateOnWindowsMessage = "cloudflared will not automatically update on Windows systems." noUpdateOnWindowsMessage = "cloudflared will not automatically update on Windows systems."
noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager." noUpdateManagedPackageMessage = "cloudflared will not automatically update if installed by a package manager."
isManagedInstallFile = ".installedFromPackageManager" isManagedInstallFile = ".installedFromPackageManager"
@ -39,7 +38,6 @@ var (
// BinaryUpdated implements ExitCoder interface, the app will exit with status code 11 // BinaryUpdated implements ExitCoder interface, the app will exit with status code 11
// https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder // https://pkg.go.dev/github.com/urfave/cli/v2?tab=doc#ExitCoder
// nolint: errname
type statusSuccess struct { type statusSuccess struct {
newVersion string newVersion string
} }
@ -52,16 +50,16 @@ func (u *statusSuccess) ExitCode() int {
return 11 return 11
} }
// statusError implements ExitCoder interface, the app will exit with status code 10 // UpdateErr implements ExitCoder interface, the app will exit with status code 10
type statusError struct { type statusErr struct {
err error err error
} }
func (e *statusError) Error() string { func (e *statusErr) Error() string {
return fmt.Sprintf("failed to update cloudflared: %v", e.err) return fmt.Sprintf("failed to update cloudflared: %v", e.err)
} }
func (e *statusError) ExitCode() int { func (e *statusErr) ExitCode() int {
return 10 return 10
} }
@ -81,7 +79,7 @@ type UpdateOutcome struct {
} }
func (uo *UpdateOutcome) noUpdate() bool { func (uo *UpdateOutcome) noUpdate() bool {
return uo.Error == nil && !uo.Updated return uo.Error == nil && uo.Updated == false
} }
func Init(info *cliutil.BuildInfo) { func Init(info *cliutil.BuildInfo) {
@ -155,7 +153,7 @@ func Update(c *cli.Context) error {
log.Info().Msg("cloudflared is set to update from staging") log.Info().Msg("cloudflared is set to update from staging")
} }
isForced := c.Bool(cfdflags.Force) isForced := c.Bool("force")
if isForced { if isForced {
log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version") log.Info().Msg("cloudflared is set to upgrade to the latest publish version regardless of the current version")
} }
@ -168,7 +166,7 @@ func Update(c *cli.Context) error {
intendedVersion: c.String("version"), intendedVersion: c.String("version"),
}) })
if updateOutcome.Error != nil { if updateOutcome.Error != nil {
return &statusError{updateOutcome.Error} return &statusErr{updateOutcome.Error}
} }
if updateOutcome.noUpdate() { if updateOutcome.noUpdate() {
@ -254,7 +252,7 @@ func (a *AutoUpdater) Run(ctx context.Context) error {
pid, err := a.listeners.StartProcess() pid, err := a.listeners.StartProcess()
if err != nil { if err != nil {
a.log.Err(err).Msg("Unable to restart server automatically") a.log.Err(err).Msg("Unable to restart server automatically")
return &statusError{err: err} return &statusErr{err: err}
} }
// stop old process after autoupdate. Otherwise we create a new process // stop old process after autoupdate. Otherwise we create a new process
// after each update // after each update

11
cmd/cloudflared/updater/workers_update.go
View File

@ -10,9 +10,9 @@ import (
"net/url" "net/url"
"os" "os"
"os/exec" "os/exec"
"path"
"path/filepath" "path/filepath"
"runtime" "runtime"
"strings"
"text/template" "text/template"
"time" "time"
@ -134,7 +134,7 @@ func (v *WorkersVersion) Apply() error {
if err := os.Rename(newFilePath, v.targetPath); err != nil { if err := os.Rename(newFilePath, v.targetPath); err != nil {
//attempt rollback //attempt rollback
_ = os.Rename(oldFilePath, v.targetPath) os.Rename(oldFilePath, v.targetPath)
return err return err
} }
os.Remove(oldFilePath) os.Remove(oldFilePath)
@ -181,7 +181,7 @@ func download(url, filepath string, isCompressed bool) error {
tr := tar.NewReader(gr) tr := tar.NewReader(gr)
// advance the reader pass the header, which will be the single binary file // advance the reader pass the header, which will be the single binary file
_, _ = tr.Next() tr.Next()
r = tr r = tr
} }
@ -198,7 +198,7 @@ func download(url, filepath string, isCompressed bool) error {
// isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped // isCompressedFile is a really simple file extension check to see if this is a macos tar and gzipped
func isCompressedFile(urlstring string) bool { func isCompressedFile(urlstring string) bool {
if path.Ext(urlstring) == ".tgz" { if strings.HasSuffix(urlstring, ".tgz") {
return true return true
} }
@ -206,7 +206,7 @@ func isCompressedFile(urlstring string) bool {
if err != nil { if err != nil {
return false return false
} }
return path.Ext(u.Path) == ".tgz" return strings.HasSuffix(u.Path, ".tgz")
} }
// writeBatchFile writes a batch file out to disk // writeBatchFile writes a batch file out to disk
@ -249,6 +249,7 @@ func runWindowsBatch(batchFile string) error {
if exitError, ok := err.(*exec.ExitError); ok { if exitError, ok := err.(*exec.ExitError); ok {
return fmt.Errorf("Error during update : %s;", string(exitError.Stderr)) return fmt.Errorf("Error during update : %s;", string(exitError.Stderr))
} }
} }
return err return err
} }

6
cmd/cloudflared/windows_service.go
View File

@ -26,7 +26,7 @@ import (
const ( const (
windowsServiceName = "Cloudflared" windowsServiceName = "Cloudflared"
windowsServiceDescription = "Cloudflared agent" windowsServiceDescription = "Cloudflared agent"
windowsServiceUrl = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configure-tunnels/local-management/as-a-service/windows/" windowsServiceUrl = "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/as-a-service/windows/"
recoverActionDelay = time.Second * 20 recoverActionDelay = time.Second * 20
failureCountResetPeriod = time.Hour * 24 failureCountResetPeriod = time.Hour * 24
@ -190,7 +190,7 @@ func installWindowsService(c *cli.Context) error {
log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger() log := zeroLogger.With().Str(LogFieldWindowsServiceName, windowsServiceName).Logger()
if err == nil { if err == nil {
s.Close() s.Close()
return errors.New(serviceAlreadyExistsWarn(windowsServiceName)) return fmt.Errorf(serviceAlreadyExistsWarn(windowsServiceName))
} }
extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log) extraArgs, err := getServiceExtraArgsFromCliArgs(c, &log)
if err != nil { if err != nil {
@ -238,7 +238,7 @@ func uninstallWindowsService(c *cli.Context) error {
defer m.Disconnect() defer m.Disconnect()
s, err := m.OpenService(windowsServiceName) s, err := m.OpenService(windowsServiceName)
if err != nil { if err != nil {
return fmt.Errorf("agent service %s is not installed, so it could not be uninstalled", windowsServiceName) return fmt.Errorf("Agent service %s is not installed, so it could not be uninstalled", windowsServiceName)
} }
defer s.Close() defer s.Close()

29
component-tests/cli.py
View File

@ -30,7 +30,7 @@ class CloudflaredCli:
listed = self._run_command(cmd_args, "list") listed = self._run_command(cmd_args, "list")
return json.loads(listed.stdout) return json.loads(listed.stdout)
def get_management_token(self, config, config_path, resource): def get_management_token(self, config, config_path):
basecmd = [config.cloudflared_binary] basecmd = [config.cloudflared_binary]
if config_path is not None: if config_path is not None:
basecmd += ["--config", str(config_path)] basecmd += ["--config", str(config_path)]
@ -38,35 +38,18 @@ class CloudflaredCli:
if origincert: if origincert:
basecmd += ["--origincert", origincert] basecmd += ["--origincert", origincert]
cmd_args = ["management", "token", "--resource", resource, config.get_tunnel_id()] cmd_args = ["tail", "token", config.get_tunnel_id()]
cmd = basecmd + cmd_args cmd = basecmd + cmd_args
result = run_subprocess(cmd, "token", self.logger, check=True, capture_output=True, timeout=15) result = run_subprocess(cmd, "token", self.logger, check=True, capture_output=True, timeout=15)
return json.loads(result.stdout.decode("utf-8").strip())["token"] return json.loads(result.stdout.decode("utf-8").strip())["token"]
def get_tail_token(self, config, config_path): def get_management_url(self, path, config, config_path):
""" access_jwt = self.get_management_token(config, config_path)
Get management token using the 'tail token' command.
Returns a token scoped for 'logs' resource.
"""
basecmd = [config.cloudflared_binary]
if config_path is not None:
basecmd += ["--config", str(config_path)]
origincert = get_config_from_file()["origincert"]
if origincert:
basecmd += ["--origincert", origincert]
cmd_args = ["tail", "token", config.get_tunnel_id()]
cmd = basecmd + cmd_args
result = run_subprocess(cmd, "tail-token", self.logger, check=True, capture_output=True, timeout=15)
return json.loads(result.stdout.decode("utf-8").strip())["token"]
def get_management_url(self, path, config, config_path, resource):
access_jwt = self.get_management_token(config, config_path, resource)
connector_id = get_tunnel_connector_id() connector_id = get_tunnel_connector_id()
return f"https://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}" return f"https://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"
def get_management_wsurl(self, path, config, config_path, resource): def get_management_wsurl(self, path, config, config_path):
access_jwt = self.get_management_token(config, config_path, resource) access_jwt = self.get_management_token(config, config_path)
connector_id = get_tunnel_connector_id() connector_id = get_tunnel_connector_id()
return f"wss://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}" return f"wss://{MANAGEMENT_HOST_NAME}/{path}?connector_id={connector_id}&access_token={access_jwt}"

9
component-tests/config.py
View File

@ -5,7 +5,7 @@ import base64
from dataclasses import dataclass, InitVar from dataclasses import dataclass, InitVar
from constants import METRICS_PORT from constants import METRICS_PORT, PROXY_DNS_PORT
# frozen=True raises exception when assigning to fields. This emulates immutability # frozen=True raises exception when assigning to fields. This emulates immutability
@ -99,3 +99,10 @@ class QuickTunnelConfig(BaseConfig):
object.__setattr__(self, 'full_config', object.__setattr__(self, 'full_config',
self.merge_config(additional_config)) self.merge_config(additional_config))
@dataclass(frozen=True)
class ProxyDnsConfig(BaseConfig):
full_config = {
"port": PROXY_DNS_PORT,
"no-autoupdate": True,
}

18
component-tests/conftest.py
View File

@ -5,14 +5,15 @@ from time import sleep
import pytest import pytest
import yaml import yaml
from config import NamedTunnelConfig, QuickTunnelConfig from config import NamedTunnelConfig, ProxyDnsConfig, QuickTunnelConfig
from constants import BACKOFF_SECS from constants import BACKOFF_SECS, PROXY_DNS_PORT
from util import LOGGER from util import LOGGER
class CfdModes(Enum): class CfdModes(Enum):
NAMED = auto() NAMED = auto()
QUICK = auto() QUICK = auto()
PROXY_DNS = auto()
@pytest.fixture(scope="session") @pytest.fixture(scope="session")
@ -25,7 +26,16 @@ def component_tests_config():
config = yaml.safe_load(stream) config = yaml.safe_load(stream)
LOGGER.info(f"component tests base config {config}") LOGGER.info(f"component tests base config {config}")
def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, provide_ingress=True): def _component_tests_config(additional_config={}, cfd_mode=CfdModes.NAMED, run_proxy_dns=True, provide_ingress=True):
if run_proxy_dns:
# Regression test for TUN-4177, running with proxy-dns should not prevent tunnels from running.
# So we run all tests with it.
additional_config["proxy-dns"] = True
additional_config["proxy-dns-port"] = PROXY_DNS_PORT
else:
additional_config.pop("proxy-dns", None)
additional_config.pop("proxy-dns-port", None)
# Allows the ingress rules to be omitted from the provided config # Allows the ingress rules to be omitted from the provided config
ingress = [] ingress = []
if provide_ingress: if provide_ingress:
@ -41,6 +51,8 @@ def component_tests_config():
credentials_file=config['credentials_file'], credentials_file=config['credentials_file'],
ingress=ingress, ingress=ingress,
hostname=hostname) hostname=hostname)
elif cfd_mode is CfdModes.PROXY_DNS:
return ProxyDnsConfig(cloudflared_binary=config['cloudflared_binary'])
elif cfd_mode is CfdModes.QUICK: elif cfd_mode is CfdModes.QUICK:
return QuickTunnelConfig(additional_config=additional_config, cloudflared_binary=config['cloudflared_binary']) return QuickTunnelConfig(additional_config=additional_config, cloudflared_binary=config['cloudflared_binary'])
else: else:

1
component-tests/constants.py
View File

@ -3,6 +3,7 @@ MAX_RETRIES = 5
BACKOFF_SECS = 7 BACKOFF_SECS = 7
MAX_LOG_LINES = 50 MAX_LOG_LINES = 50
PROXY_DNS_PORT = 9053
MANAGEMENT_HOST_NAME = "management.argotunnel.com" MANAGEMENT_HOST_NAME = "management.argotunnel.com"

60
component-tests/test_management.py
View File

@ -1,11 +1,10 @@
#!/usr/bin/env python #!/usr/bin/env python
import json
import requests import requests
from conftest import CfdModes from conftest import CfdModes
from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
from retrying import retry from retrying import retry
from cli import CloudflaredCli from cli import CloudflaredCli
from util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests, decode_jwt_payload from util import LOGGER, write_config, start_cloudflared, wait_tunnel_ready, send_requests
import platform import platform
""" """
@ -26,7 +25,7 @@ class TestManagement:
# Skipping this test for windows for now and will address it as part of tun-7377 # Skipping this test for windows for now and will address it as part of tun-7377
if platform.system() == "Windows": if platform.system() == "Windows":
return return
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
headers = {} headers = {}
headers["Content-Type"] = "application/json" headers["Content-Type"] = "application/json"
@ -36,7 +35,7 @@ class TestManagement:
require_min_connections=1) require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
connector_id = cfd_cli.get_connector_id(config)[0] connector_id = cfd_cli.get_connector_id(config)[0]
url = cfd_cli.get_management_url("host_details", config, config_path, resource="host_details") url = cfd_cli.get_management_url("host_details", config, config_path)
resp = send_request(url, headers=headers) resp = send_request(url, headers=headers)
# Assert response json. # Assert response json.
@ -53,13 +52,13 @@ class TestManagement:
# Skipping this test for windows for now and will address it as part of tun-7377 # Skipping this test for windows for now and will address it as part of tun-7377
if platform.system() == "Windows": if platform.system() == "Windows":
return return
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_url("metrics", config, config_path, resource="admin") url = cfd_cli.get_management_url("metrics", config, config_path)
resp = send_request(url) resp = send_request(url)
# Assert response. # Assert response.
@ -74,13 +73,13 @@ class TestManagement:
# Skipping this test for windows for now and will address it as part of tun-7377 # Skipping this test for windows for now and will address it as part of tun-7377
if platform.system() == "Windows": if platform.system() == "Windows":
return return
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_url("debug/pprof/heap", config, config_path, resource="admin") url = cfd_cli.get_management_url("debug/pprof/heap", config, config_path)
resp = send_request(url) resp = send_request(url)
# Assert response. # Assert response.
@ -95,59 +94,20 @@ class TestManagement:
# Skipping this test for windows for now and will address it as part of tun-7377 # Skipping this test for windows for now and will address it as part of tun-7377
if platform.system() == "Windows": if platform.system() == "Windows":
return return
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics=false"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1", "--management-diagnostics=false"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_url("metrics", config, config_path, resource="admin") url = cfd_cli.get_management_url("metrics", config, config_path)
resp = send_request(url) resp = send_request(url)
# Assert response. # Assert response.
assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics" assert resp.status_code == 404, "Expected cloudflared to return 404 for /metrics"
def test_tail_token_command(self, tmp_path, component_tests_config):
"""
Validates that 'cloudflared tail token' command returns a token
scoped for 'logs' and 'ping' resources.
"""
# TUN-7377: wait_tunnel_ready does not work properly in windows
if platform.system() == "Windows":
return
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False)
LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config)
cfd_cli = CloudflaredCli(config, config_path, LOGGER)
token = cfd_cli.get_tail_token(config, config_path)
# Verify token was returned
assert token, "Expected non-empty token to be returned"
# Decode JWT payload to verify resource claims
claims = decode_jwt_payload(token)
resource_tag = 'res'
# Verify the token has 'logs' and 'ping' in resource array
assert resource_tag in claims, f"Expected {resource_tag} claim in token"
assert isinstance(claims['res'], list), f"Expected {resource_tag} to be an array"
assert 'logs' in claims[resource_tag], \
f"Expected 'logs' in resource array, got: {claims[resource_tag]}"
assert 'ping' in claims[resource_tag], \
f"Expected 'ping' in resource array, got: {claims[resource_tag]}"
LOGGER.info(f"Tail token successfully verified with resources: {claims[resource_tag]}")
@retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000) @retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
def send_request(url, headers={}): def send_request(url, headers={}):
with requests.Session() as s: with requests.Session() as s:
resp = s.get(url, timeout=BACKOFF_SECS, headers=headers) return s.get(url, timeout=BACKOFF_SECS, headers=headers)
if resp.status_code == 530:
LOGGER.debug(f"Received 530 status, retrying request to {url}")
raise Exception(f"Received 530 status code from {url}")
return resp

14
component-tests/test_pq.py
View File

@ -1,6 +1,7 @@
from util import LOGGER, start_cloudflared, wait_tunnel_ready from util import LOGGER, nofips, start_cloudflared, wait_tunnel_ready
@nofips
class TestPostQuantum: class TestPostQuantum:
def _extra_config(self): def _extra_config(self):
config = { config = {
@ -11,11 +12,6 @@ class TestPostQuantum:
def test_post_quantum(self, tmp_path, component_tests_config): def test_post_quantum(self, tmp_path, component_tests_config):
config = component_tests_config(self._extra_config()) config = component_tests_config(self._extra_config())
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared( with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--post-quantum"], new_process=True):
tmp_path, wait_tunnel_ready(tunnel_url=config.get_url(),
config, require_min_connections=1)
cfd_pre_args=["tunnel", "--ha-connections", "1"],
cfd_args=["run", "--post-quantum"],
new_process=True,
):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)

62
component-tests/test_proxy_dns.py Normal file
View File

@ -0,0 +1,62 @@
#!/usr/bin/env python
import socket
from time import sleep
import constants
from conftest import CfdModes
from util import start_cloudflared, wait_tunnel_ready, check_tunnel_not_connected
# Sanity checks that test that we only run Proxy DNS and Tunnel when we really expect them to be there.
class TestProxyDns:
def test_proxy_dns_with_named_tunnel(self, tmp_path, component_tests_config):
run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=True)
def test_proxy_dns_alone(self, tmp_path, component_tests_config):
run_test_scenario(tmp_path, component_tests_config, CfdModes.PROXY_DNS, run_proxy_dns=True)
def test_named_tunnel_alone(self, tmp_path, component_tests_config):
run_test_scenario(tmp_path, component_tests_config, CfdModes.NAMED, run_proxy_dns=False)
def run_test_scenario(tmp_path, component_tests_config, cfd_mode, run_proxy_dns):
expect_proxy_dns = run_proxy_dns
expect_tunnel = False
if cfd_mode == CfdModes.NAMED:
expect_tunnel = True
pre_args = ["tunnel", "--ha-connections", "1"]
args = ["run"]
elif cfd_mode == CfdModes.PROXY_DNS:
expect_proxy_dns = True
pre_args = []
args = ["proxy-dns", "--port", str(constants.PROXY_DNS_PORT)]
else:
assert False, f"Unknown cfd_mode {cfd_mode}"
config = component_tests_config(cfd_mode=cfd_mode, run_proxy_dns=run_proxy_dns)
with start_cloudflared(tmp_path, config, cfd_pre_args=pre_args, cfd_args=args, new_process=True, capture_output=False):
if expect_tunnel:
wait_tunnel_ready()
else:
check_tunnel_not_connected()
verify_proxy_dns(expect_proxy_dns)
def verify_proxy_dns(should_be_running):
# Wait for the Proxy DNS listener to come up.
sleep(constants.BACKOFF_SECS)
had_failure = False
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
sock.connect(('localhost', constants.PROXY_DNS_PORT))
sock.send(b"anything")
except:
if should_be_running:
assert False, "Expected Proxy DNS to be running, but it was not."
had_failure = True
finally:
sock.close()
if not should_be_running and not had_failure:
assert False, "Proxy DNS should not have been running, but it was."

16
component-tests/test_quicktunnels.py
View File

@ -6,7 +6,7 @@ from util import LOGGER, start_cloudflared, wait_tunnel_ready, get_quicktunnel_u
class TestQuickTunnels: class TestQuickTunnels:
def test_quick_tunnel(self, tmp_path, component_tests_config): def test_quick_tunnel(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.QUICK) config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=False)
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--hello-world"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
@ -15,10 +15,22 @@ class TestQuickTunnels:
send_requests(url, 3, True) send_requests(url, 3, True)
def test_quick_tunnel_url(self, tmp_path, component_tests_config): def test_quick_tunnel_url(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.QUICK) config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=False)
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--url", f"http://localhost:{METRICS_PORT}/"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["--url", f"http://localhost:{METRICS_PORT}/"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
time.sleep(10) time.sleep(10)
url = get_quicktunnel_url() url = get_quicktunnel_url()
send_requests(url+"/ready", 3, True) send_requests(url+"/ready", 3, True)
def test_quick_tunnel_proxy_dns_url(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=True)
LOGGER.debug(config)
failed_start = start_cloudflared(tmp_path, config, cfd_args=["--url", f"http://localhost:{METRICS_PORT}/"], expect_success=False)
assert failed_start.returncode == 1, "Expected cloudflared to fail to run with `proxy-dns` and `hello-world`"
def test_quick_tunnel_proxy_dns_hello_world(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.QUICK, run_proxy_dns=True)
LOGGER.debug(config)
failed_start = start_cloudflared(tmp_path, config, cfd_args=["--hello-world"], expect_success=False)
assert failed_start.returncode == 1, "Expected cloudflared to fail to run with `proxy-dns` and `url`"

5
component-tests/test_service.py
View File

@ -9,7 +9,7 @@ import pytest
import test_logging import test_logging
from conftest import CfdModes from conftest import CfdModes
from util import select_platform, skip_on_ci, start_cloudflared, wait_tunnel_ready, write_config from util import select_platform, start_cloudflared, wait_tunnel_ready, write_config
def default_config_dir(): def default_config_dir():
@ -82,7 +82,6 @@ class TestServiceMode:
os.remove(default_config_file()) os.remove(default_config_file())
self.launchctl_cmd("list", success=False) self.launchctl_cmd("list", success=False)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux") @select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"), @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path") reason=f"There is already a config file in default path")
@ -99,7 +98,6 @@ class TestServiceMode:
self.sysv_service_scenario(config, tmp_path, assert_log_file) self.sysv_service_scenario(config, tmp_path, assert_log_file)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux") @select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"), @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path") reason=f"There is already a config file in default path")
@ -118,7 +116,6 @@ class TestServiceMode:
self.sysv_service_scenario(config, tmp_path, assert_rotating_log) self.sysv_service_scenario(config, tmp_path, assert_rotating_log)
@skip_on_ci("we can't run sudo command on CI")
@select_platform("Linux") @select_platform("Linux")
@pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"), @pytest.mark.skipif(os.path.exists("/etc/cloudflared/config.yml"),
reason=f"There is already a config file in default path") reason=f"There is already a config file in default path")

20
component-tests/test_tail.py
View File

@ -19,13 +19,13 @@ class TestTail:
with the access token and start and stop streaming on-demand. with the access token and start and stop streaming on-demand.
""" """
print("test_start_stop_streaming") print("test_start_stop_streaming")
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1) wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs") url = cfd_cli.get_management_wsurl("logs", config, config_path)
async with connect(url, open_timeout=5, close_timeout=3) as websocket: async with connect(url, open_timeout=5, close_timeout=3) as websocket:
await websocket.send('{"type": "start_streaming"}') await websocket.send('{"type": "start_streaming"}')
await websocket.send('{"type": "stop_streaming"}') await websocket.send('{"type": "stop_streaming"}')
@ -38,13 +38,13 @@ class TestTail:
Validates that a streaming logs connection will stream logs Validates that a streaming logs connection will stream logs
""" """
print("test_streaming_logs") print("test_streaming_logs")
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1) wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs") url = cfd_cli.get_management_wsurl("logs", config, config_path)
async with connect(url, open_timeout=5, close_timeout=5) as websocket: async with connect(url, open_timeout=5, close_timeout=5) as websocket:
# send start_streaming # send start_streaming
await websocket.send(json.dumps({ await websocket.send(json.dumps({
@ -65,13 +65,13 @@ class TestTail:
but not http when filters applied. but not http when filters applied.
""" """
print("test_streaming_logs_filters") print("test_streaming_logs_filters")
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1) wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs") url = cfd_cli.get_management_wsurl("logs", config, config_path)
async with connect(url, open_timeout=5, close_timeout=5) as websocket: async with connect(url, open_timeout=5, close_timeout=5) as websocket:
# send start_streaming with tcp logs only # send start_streaming with tcp logs only
await websocket.send(json.dumps({ await websocket.send(json.dumps({
@ -92,13 +92,13 @@ class TestTail:
Validates that a streaming logs connection will stream logs with sampling. Validates that a streaming logs connection will stream logs with sampling.
""" """
print("test_streaming_logs_sampling") print("test_streaming_logs_sampling")
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1) wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs") url = cfd_cli.get_management_wsurl("logs", config, config_path)
async with connect(url, open_timeout=5, close_timeout=5) as websocket: async with connect(url, open_timeout=5, close_timeout=5) as websocket:
# send start_streaming with info logs only # send start_streaming with info logs only
await websocket.send(json.dumps({ await websocket.send(json.dumps({
@ -120,13 +120,13 @@ class TestTail:
Validates that a streaming logs session can be overriden by the same actor Validates that a streaming logs session can be overriden by the same actor
""" """
print("test_streaming_logs_actor_override") print("test_streaming_logs_actor_override")
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
config_path = write_config(tmp_path, config.full_config) config_path = write_config(tmp_path, config.full_config)
with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1) wait_tunnel_ready(tunnel_url=config.get_url(), require_min_connections=1)
cfd_cli = CloudflaredCli(config, config_path, LOGGER) cfd_cli = CloudflaredCli(config, config_path, LOGGER)
url = cfd_cli.get_management_wsurl("logs", config, config_path, resource="logs") url = cfd_cli.get_management_wsurl("logs", config, config_path)
task = asyncio.ensure_future(start_streaming_to_be_remotely_closed(url)) task = asyncio.ensure_future(start_streaming_to_be_remotely_closed(url))
override_task = asyncio.ensure_future(start_streaming_override(url)) override_task = asyncio.ensure_future(start_streaming_override(url))
await asyncio.wait([task, override_task]) await asyncio.wait([task, override_task])

2
component-tests/test_token.py
View File

@ -1,7 +1,7 @@
import base64 import base64
import json import json
from setup import get_config_from_file from setup import get_config_from_file, persist_origin_cert
from util import start_cloudflared from util import start_cloudflared

27
component-tests/test_tunnel.py
View File

@ -11,14 +11,14 @@ class TestTunnel:
'''Test tunnels with no ingress rules from config.yaml but ingress rules from CLI only''' '''Test tunnels with no ingress rules from config.yaml but ingress rules from CLI only'''
def test_tunnel_hello_world(self, tmp_path, component_tests_config): def test_tunnel_hello_world(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--hello-world"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--hello-world"], new_process=True):
wait_tunnel_ready(tunnel_url=config.get_url(), wait_tunnel_ready(tunnel_url=config.get_url(),
require_min_connections=1) require_min_connections=1)
def test_tunnel_url(self, tmp_path, component_tests_config): def test_tunnel_url(self, tmp_path, component_tests_config):
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--url", f"http://localhost:{METRICS_PORT}/"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run", "--url", f"http://localhost:{METRICS_PORT}/"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
@ -29,24 +29,17 @@ class TestTunnel:
Running a tunnel with no ingress rules provided from either config.yaml or CLI will still work but return 503 Running a tunnel with no ingress rules provided from either config.yaml or CLI will still work but return 503
for all incoming requests. for all incoming requests.
''' '''
config = component_tests_config(cfd_mode=CfdModes.NAMED, provide_ingress=False) config = component_tests_config(cfd_mode=CfdModes.NAMED, run_proxy_dns=False, provide_ingress=False)
LOGGER.debug(config) LOGGER.debug(config)
with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run"], new_process=True): with start_cloudflared(tmp_path, config, cfd_pre_args=["tunnel", "--ha-connections", "1"], cfd_args=["run"], new_process=True):
wait_tunnel_ready(require_min_connections=1) wait_tunnel_ready(require_min_connections=1)
expected_status_code = 503 resp = send_request(config.get_url()+"/")
resp = send_request(config.get_url()+"/", expected_status_code) assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined" resp = send_request(config.get_url()+"/test")
resp = send_request(config.get_url()+"/test", expected_status_code) assert resp.status_code == 503, "Expected cloudflared to return 503 for all requests with no ingress defined"
assert resp.status_code == expected_status_code, "Expected cloudflared to return 503 for all requests with no ingress defined"
def retry_if_result_none(result):
'''
Returns True if the result is None, indicating that the function should be retried.
'''
return result is None
@retry(retry_on_result=retry_if_result_none, stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000) @retry(stop_max_attempt_number=MAX_RETRIES, wait_fixed=BACKOFF_SECS * 1000)
def send_request(url, expected_status_code=200): def send_request(url, headers={}):
with requests.Session() as s: with requests.Session() as s:
resp = s.get(url, timeout=BACKOFF_SECS) return s.get(url, timeout=BACKOFF_SECS, headers=headers)
return resp if resp.status_code == expected_status_code else None

54
component-tests/util.py
View File

@ -10,6 +10,7 @@ import pytest
import requests import requests
import yaml import yaml
import json
from retrying import retry from retrying import retry
from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS from constants import METRICS_PORT, MAX_RETRIES, BACKOFF_SECS
@ -34,12 +35,6 @@ def fips_enabled():
nofips = pytest.mark.skipif( nofips = pytest.mark.skipif(
fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)") fips_enabled(), reason=f"Only runs without FIPS (COMPONENT_TESTS_FIPS=0)")
def skip_on_ci(reason):
env_ci = os.getenv("CI")
running_in_ci = env_ci is not None and env_ci != "0"
return pytest.mark.skipif(
running_in_ci, reason=f"This test can't run on CI due to: {reason}")
def write_config(directory, config): def write_config(directory, config):
config_path = directory / "config.yml" config_path = directory / "config.yml"
with open(config_path, 'w') as outfile: with open(config_path, 'w') as outfile:
@ -116,7 +111,6 @@ def inner_wait_tunnel_ready(tunnel_url=None, require_min_connections=1):
metrics_url = f'http://localhost:{METRICS_PORT}/ready' metrics_url = f'http://localhost:{METRICS_PORT}/ready'
with requests.Session() as s: with requests.Session() as s:
LOGGER.debug("Waiting for tunnel to be ready...")
resp = send_request(s, metrics_url, True) resp = send_request(s, metrics_url, True)
ready_connections = resp.json()["readyConnections"] ready_connections = resp.json()["readyConnections"]
@ -185,49 +179,3 @@ def send_request(session, url, require_ok):
if require_ok: if require_ok:
assert resp.status_code == 200, f"{url} returned {resp}" assert resp.status_code == 200, f"{url} returned {resp}"
return resp if resp.status_code == 200 else None return resp if resp.status_code == 200 else None
def decode_jwt_payload(token):
"""
Decode the payload section of a JWT token without signature verification.
JWT Structure:
==============
A JWT consists of three Base64URL-encoded parts separated by dots:
HEADER.PAYLOAD.SIGNATURE
The payload contains the JWT claims (the actual data/permissions).
Args:
token (str): The complete JWT token string
Returns:
dict: The decoded payload as a dictionary containing JWT claims
Raises:
ValueError: If the token doesn't have exactly 3 parts
Note:
This function does NOT verify the signature - it only decodes the payload.
Use this only when you trust the token source (e.g., tokens you just generated).
"""
import base64
import json
# Split JWT into its three components
parts = token.split('.')
if len(parts) != 3:
raise ValueError(f"Invalid JWT format: expected 3 parts, got {len(parts)}")
# Extract and decode the payload (middle section)
# Base64 requires padding to be a multiple of 4 characters
payload_encoded = parts[1]
remainder = len(payload_encoded) % 4
if remainder != 0:
payload_padded = payload_encoded + '=' * (4 - remainder)
else:
payload_padded = payload_encoded
# Decode from Base64URL format and parse JSON
decoded_payload = base64.urlsafe_b64decode(payload_padded)
return json.loads(decoded_payload)

5
config/configuration.go
View File

@ -155,7 +155,7 @@ func FindOrCreateConfigPath() string {
// i.e. it fails if a user specifies both --url and --unix-socket // i.e. it fails if a user specifies both --url and --unix-socket
func ValidateUnixSocket(c *cli.Context) (string, error) { func ValidateUnixSocket(c *cli.Context) (string, error) {
if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) { if c.IsSet("unix-socket") && (c.IsSet("url") || c.NArg() > 0) {
return "", errors.New("--unix-socket must be used exclusively.") return "", errors.New("--unix-socket must be used exclusivly.")
} }
return c.String("unix-socket"), nil return c.String("unix-socket"), nil
} }
@ -242,8 +242,6 @@ type AccessConfig struct {
// AudTag is the AudTag to verify access JWT against. // AudTag is the AudTag to verify access JWT against.
AudTag []string `yaml:"audTag" json:"audTag"` AudTag []string `yaml:"audTag" json:"audTag"`
Environment string `yaml:"environment" json:"environment,omitempty"`
} }
type IngressIPRule struct { type IngressIPRule struct {
@ -262,7 +260,6 @@ type Configuration struct {
type WarpRoutingConfig struct { type WarpRoutingConfig struct {
ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"` ConnectTimeout *CustomDuration `yaml:"connectTimeout" json:"connectTimeout,omitempty"`
MaxActiveFlows *uint64 `yaml:"maxActiveFlows" json:"maxActiveFlows,omitempty"`
TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"` TCPKeepAlive *CustomDuration `yaml:"tcpKeepAlive" json:"tcpKeepAlive,omitempty"`
} }

89
config/model.go
View File

@ -1,9 +1,12 @@
package config package config
import ( import (
"crypto/sha256" "crypto/md5"
"fmt" "fmt"
"io" "io"
"strings"
"github.com/cloudflare/cloudflared/tunneldns"
) )
// Forwarder represents a client side listener to forward traffic to the edge // Forwarder represents a client side listener to forward traffic to the edge
@ -13,7 +16,6 @@ type Forwarder struct {
TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"` TokenClientID string `json:"service_token_id" yaml:"serviceTokenID"`
TokenSecret string `json:"secret_token_id" yaml:"serviceTokenSecret"` TokenSecret string `json:"secret_token_id" yaml:"serviceTokenSecret"`
Destination string `json:"destination"` Destination string `json:"destination"`
IsFedramp bool `json:"is_fedramp" yaml:"isFedramp"`
} }
// Tunnel represents a tunnel that should be started // Tunnel represents a tunnel that should be started
@ -23,22 +25,89 @@ type Tunnel struct {
ProtocolType string `json:"type"` ProtocolType string `json:"type"`
} }
// Root is the base options to configure the service. // DNSResolver represents a client side DNS resolver
type DNSResolver struct {
Enabled bool `json:"enabled"`
Address string `json:"address,omitempty"`
Port uint16 `json:"port,omitempty"`
Upstreams []string `json:"upstreams,omitempty"`
Bootstraps []string `json:"bootstraps,omitempty"`
MaxUpstreamConnections int `json:"max_upstream_connections,omitempty"`
}
// Root is the base options to configure the service
type Root struct { type Root struct {
LogDirectory string `json:"log_directory" yaml:"logDirectory,omitempty"` LogDirectory string `json:"log_directory" yaml:"logDirectory,omitempty"`
LogLevel string `json:"log_level" yaml:"logLevel,omitempty"` LogLevel string `json:"log_level" yaml:"logLevel,omitempty"`
Forwarders []Forwarder `json:"forwarders,omitempty" yaml:"forwarders,omitempty"` Forwarders []Forwarder `json:"forwarders,omitempty" yaml:"forwarders,omitempty"`
Tunnels []Tunnel `json:"tunnels,omitempty" yaml:"tunnels,omitempty"` Tunnels []Tunnel `json:"tunnels,omitempty" yaml:"tunnels,omitempty"`
// `resolver` key is reserved for a removed feature (proxy-dns) and should not be used. Resolver DNSResolver `json:"resolver,omitempty" yaml:"resolver,omitempty"`
} }
// Hash returns the computed values to see if the forwarder values change // Hash returns the computed values to see if the forwarder values change
func (f *Forwarder) Hash() string { func (f *Forwarder) Hash() string {
h := sha256.New() h := md5.New()
_, _ = io.WriteString(h, f.URL) io.WriteString(h, f.URL)
_, _ = io.WriteString(h, f.Listener) io.WriteString(h, f.Listener)
_, _ = io.WriteString(h, f.TokenClientID) io.WriteString(h, f.TokenClientID)
_, _ = io.WriteString(h, f.TokenSecret) io.WriteString(h, f.TokenSecret)
_, _ = io.WriteString(h, f.Destination) io.WriteString(h, f.Destination)
return fmt.Sprintf("%x", h.Sum(nil)) return fmt.Sprintf("%x", h.Sum(nil))
} }
// Hash returns the computed values to see if the forwarder values change
func (r *DNSResolver) Hash() string {
h := md5.New()
io.WriteString(h, r.Address)
io.WriteString(h, strings.Join(r.Bootstraps, ","))
io.WriteString(h, strings.Join(r.Upstreams, ","))
io.WriteString(h, fmt.Sprintf("%d", r.Port))
io.WriteString(h, fmt.Sprintf("%d", r.MaxUpstreamConnections))
io.WriteString(h, fmt.Sprintf("%v", r.Enabled))
return fmt.Sprintf("%x", h.Sum(nil))
}
// EnabledOrDefault returns the enabled property
func (r *DNSResolver) EnabledOrDefault() bool {
return r.Enabled
}
// AddressOrDefault returns the address or returns the default if empty
func (r *DNSResolver) AddressOrDefault() string {
if r.Address != "" {
return r.Address
}
return "localhost"
}
// PortOrDefault return the port or returns the default if 0
func (r *DNSResolver) PortOrDefault() uint16 {
if r.Port > 0 {
return r.Port
}
return 53
}
// UpstreamsOrDefault returns the upstreams or returns the default if empty
func (r *DNSResolver) UpstreamsOrDefault() []string {
if len(r.Upstreams) > 0 {
return r.Upstreams
}
return []string{"https://1.1.1.1/dns-query", "https://1.0.0.1/dns-query"}
}
// BootstrapsOrDefault returns the bootstraps or returns the default if empty
func (r *DNSResolver) BootstrapsOrDefault() []string {
if len(r.Bootstraps) > 0 {
return r.Bootstraps
}
return []string{"https://162.159.36.1/dns-query", "https://162.159.46.1/dns-query", "https://[2606:4700:4700::1111]/dns-query", "https://[2606:4700:4700::1001]/dns-query"}
}
// MaxUpstreamConnectionsOrDefault return the max upstream connections or returns the default if negative
func (r *DNSResolver) MaxUpstreamConnectionsOrDefault() int {
if r.MaxUpstreamConnections >= 0 {
return r.MaxUpstreamConnections
}
return tunneldns.MaxUpstreamConnsDefault
}

36
connection/connection.go
View File

@ -26,20 +26,14 @@ const (
MaxGracePeriod = time.Minute * 3 MaxGracePeriod = time.Minute * 3
MaxConcurrentStreams = math.MaxUint32 MaxConcurrentStreams = math.MaxUint32
contentTypeHeader = "content-type" contentTypeHeader = "content-type"
contentLengthHeader = "content-length" sseContentType = "text/event-stream"
transferEncodingHeader = "transfer-encoding" grpcContentType = "application/grpc"
sseContentType = "text/event-stream"
grpcContentType = "application/grpc"
sseJsonContentType = "application/x-ndjson"
chunkTransferEncoding = "chunked"
) )
var ( var (
switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols)) switchingProtocolText = fmt.Sprintf("%d %s", http.StatusSwitchingProtocols, http.StatusText(http.StatusSwitchingProtocols))
flushableContentTypes = []string{sseContentType, grpcContentType, sseJsonContentType} flushableContentTypes = []string{sseContentType, grpcContentType}
) )
// TunnelConnection represents the connection to the edge. // TunnelConnection represents the connection to the edge.
@ -57,6 +51,7 @@ type Orchestrator interface {
type TunnelProperties struct { type TunnelProperties struct {
Credentials Credentials Credentials Credentials
Client pogs.ClientInfo
QuickTunnelUrl string QuickTunnelUrl string
} }
@ -65,7 +60,6 @@ type Credentials struct {
AccountTag string AccountTag string
TunnelSecret []byte TunnelSecret []byte
TunnelID uuid.UUID TunnelID uuid.UUID
Endpoint string
} }
func (c *Credentials) Auth() pogs.TunnelAuth { func (c *Credentials) Auth() pogs.TunnelAuth {
@ -80,16 +74,13 @@ type TunnelToken struct {
AccountTag string `json:"a"` AccountTag string `json:"a"`
TunnelSecret []byte `json:"s"` TunnelSecret []byte `json:"s"`
TunnelID uuid.UUID `json:"t"` TunnelID uuid.UUID `json:"t"`
Endpoint string `json:"e,omitempty"`
} }
func (t TunnelToken) Credentials() Credentials { func (t TunnelToken) Credentials() Credentials {
// nolint: gosimple
return Credentials{ return Credentials{
AccountTag: t.AccountTag, AccountTag: t.AccountTag,
TunnelSecret: t.TunnelSecret, TunnelSecret: t.TunnelSecret,
TunnelID: t.TunnelID, TunnelID: t.TunnelID,
Endpoint: t.Endpoint,
} }
} }
@ -279,22 +270,6 @@ type ConnectedFuse interface {
// Helper method to let the caller know what content-types should require a flush on every // Helper method to let the caller know what content-types should require a flush on every
// write to a ResponseWriter. // write to a ResponseWriter.
func shouldFlush(headers http.Header) bool { func shouldFlush(headers http.Header) bool {
// When doing Server Side Events (SSE), some frameworks don't respect the `Content-Type` header.
// Therefore, we need to rely on other ways to know whether we should flush on write or not. A good
// approach is to assume that responses without `Content-Length` or with `Transfer-Encoding: chunked`
// are streams, and therefore, should be flushed right away to the eyeball.
// References:
// - https://datatracker.ietf.org/doc/html/rfc7230#section-4.1
// - https://datatracker.ietf.org/doc/html/rfc9112#section-6.1
if contentLength := headers.Get(contentLengthHeader); contentLength == "" {
return true
}
if transferEncoding := headers.Get(transferEncodingHeader); transferEncoding != "" {
transferEncoding = strings.ToLower(transferEncoding)
if strings.Contains(transferEncoding, chunkTransferEncoding) {
return true
}
}
if contentType := headers.Get(contentTypeHeader); contentType != "" { if contentType := headers.Get(contentTypeHeader); contentType != "" {
contentType = strings.ToLower(contentType) contentType = strings.ToLower(contentType)
for _, c := range flushableContentTypes { for _, c := range flushableContentTypes {
@ -303,6 +278,7 @@ func shouldFlush(headers http.Header) bool {
} }
} }
} }
return false return false
} }

Some files were not shown because too many files have changed in this diff Show More